https://community.cisco.com/t5/web-security/how-to-block-open-proxy-within-wsa/m-p/833506#M99 <P>I test WSA with tools pxytest.pl (from: <A href="http://www.unicom.com/sw/pxytest/pxytest)" target="_blank">http://www.unicom.com/sw/pxytest/pxytest)</A> and found that WSA is open proxy which mean it's vurnerable to be used by spammer to send junk mail.<BR /><BR />Result:<BR /><BR />&gt;&gt;&gt; (smtp dialog with probe email)<BR />&lt;&lt;&lt; 220 smtp.cbn.net.id ESMTP\r\n<BR />*** ALERT - open proxy detected<BR />Mail message has been sent to &lt;yahya&gt;<BR />Test complete - identified open proxy proxy-new.cbn.net.id:8080/http-post<BR /><BR />How to block this Open Proxy? <BR /><BR />TIA.</P> Thu, 27 Sep 2007 11:05:34 GMT kisanak_ironport 2007-09-27T11:05:34Z https://community.cisco.com/t5/web-security/how-to-block-open-proxy-within-wsa/m-p/833506#M99 <P>I test WSA with tools pxytest.pl (from: <A href="http://www.unicom.com/sw/pxytest/pxytest)" target="_blank">http://www.unicom.com/sw/pxytest/pxytest)</A> and found that WSA is open proxy which mean it's vurnerable to be used by spammer to send junk mail.<BR /><BR />Result:<BR /><BR />&gt;&gt;&gt; (smtp dialog with probe email)<BR />&lt;&lt;&lt; 220 smtp.cbn.net.id ESMTP\r\n<BR />*** ALERT - open proxy detected<BR />Mail message has been sent to &lt;yahya&gt;<BR />Test complete - identified open proxy proxy-new.cbn.net.id:8080/http-post<BR /><BR />How to block this Open Proxy? <BR /><BR />TIA.</P> Thu, 27 Sep 2007 11:05:34 GMT https://community.cisco.com/t5/web-security/how-to-block-open-proxy-within-wsa/m-p/833506#M99 kisanak_ironport 2007-09-27T11:05:34Z https://community.cisco.com/t5/web-security/how-to-block-open-proxy-within-wsa/m-p/833507#M100 <HTML><HEAD></HEAD><BODY><P>Sounds like you allow HTTP connect to port 25 correct? That means somebody can use telnet to throw a<BR />CONNECT mail.server.com:25 at the proxy and then talk SMTP through the so created HTTP Tunnel.<BR /><BR />You can specify what ports are supposed to be 'open' in that sense in the Web Access Policies. There you have the field 'Allow CONNECT on Ports:'<BR /><BR />It is important here that a blank field used to result in a 'allow all' in Versions pre 5.2.0. As this was confusing we changed the behavior and as of AsyncOS 5.2 you'll have to enter 1-65536 to allow all ports while leaving the field blank blocks all ports.<BR /><BR />Please let me know if I misunderstood your question - some more info would be handy then. Thanks a lot.<BR /><BR />Jakob</P></BODY></HTML> Thu, 27 Sep 2007 21:14:04 GMT https://community.cisco.com/t5/web-security/how-to-block-open-proxy-within-wsa/m-p/833507#M100 jdohrman 2007-09-27T21:14:04Z https://community.cisco.com/t5/web-security/how-to-block-open-proxy-within-wsa/m-p/833508#M101 <HTML><HEAD></HEAD><BODY><P>FYI<BR /><BR />This information is now published in the IronPort Knowledgebase:<BR /><A href="http://tinyurl.com/2zmmej" target="_blank">http://tinyurl.com/2zmmej</A><BR /><BR />Cheers,<BR />Jakob</P></BODY></HTML> Wed, 10 Oct 2007 15:05:36 GMT https://community.cisco.com/t5/web-security/how-to-block-open-proxy-within-wsa/m-p/833508#M101 jdohrman 2007-10-10T15:05:36Z https://community.cisco.com/t5/web-security/how-to-block-open-proxy-within-wsa/m-p/833509#M102 <HTML><HEAD></HEAD><BODY><P>Hi,<BR /><BR />I've just installed an S650 for an ISP for testing and it seems that it's acting as an open proxy.<BR /><BR />Currently, it's in explicit proxy for testing purposes on port 8080.<BR />Apart from allowing the specific ports to connect, can we specify a specific range of IP(which is internal for the ISP) , which can use the proxy?<BR /><BR />We are running version 5.1.2 for Web build 001<BR /><BR /><BR />thanks</P></BODY></HTML> Sun, 13 Jan 2008 16:04:51 GMT https://community.cisco.com/t5/web-security/how-to-block-open-proxy-within-wsa/m-p/833509#M102 Vinesh_ironport 2008-01-13T16:04:51Z https://community.cisco.com/t5/web-security/how-to-block-open-proxy-within-wsa/m-p/833510#M103 <HTML><HEAD></HEAD><BODY><P>Mauritius,<BR /><BR />You would need to create a policy group that applies to the subnets you want to be able to proxy. This is your allowed access group.<BR /><BR />Change the default policy so that it denies everything (Under 'Applications', just check the boxes to deny HTTP, HTTPS, FTP).</P></BODY></HTML> Mon, 14 Jan 2008 23:25:35 GMT https://community.cisco.com/t5/web-security/how-to-block-open-proxy-within-wsa/m-p/833510#M103 jowolfer 2008-01-14T23:25:35Z