2052 Views | 0 Helpful | 4 Replies

How to block Open Proxy within WSA

I tested WSA with the tool pxytest.pl (from: http://www.unicom.com/sw/pxytest/pxytest) and found that WSA is an open proxy, which means it's vulnerable to being used by spammers to send junk mail.

Result:

>>> (smtp dialog with probe email)
<<< 220 smtp.cbn.net.id ESMTP\r\n
*** ALERT - open proxy detected
Mail message has been sent to <yahya>
Test complete - identified open proxy proxy-new.cbn.net.id:8080/http-post

How to block this Open Proxy?

TIA.

4 Replies

jdohrman
Cisco Employee

Sounds like you allow HTTP CONNECT to port 25, correct? That means somebody can use telnet to throw a CONNECT mail.server.com:25 at the proxy and then talk SMTP through the HTTP tunnel so created.

You can specify what ports are supposed to be 'open' in that sense in the Web Access Policies. There you have the field 'Allow CONNECT on Ports:'

It is important here that a blank field used to result in 'allow all' in versions before 5.2.0. As this was confusing, we changed the behavior, and as of AsyncOS 5.2 you'll have to enter 1-65536 to allow all ports, while leaving the field blank blocks all ports.

Please let me know if I misunderstood your question - some more info would be handy then. Thanks a lot.

Jakob
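As an added example (not code from the thread, from Cisco, or from pxytest), the script below does two things a practitioner would want after reading the reply above: it sends the CONNECT probe Jakob describes to a proxy and reports whether a tunnel to port 25 opened and an SMTP 220 banner came back, and it models the 'Allow CONNECT on Ports' semantics he gives (blank field = allow all before 5.2.0, block all from 5.2.0; a range such as 1-65536 allows everything in it) so you can check what a given field value does to port 25 before and after an upgrade. The comma-separated list syntax for the field, the mail.server.com target, the proxy address in the usage call and the sample proxy reply are assumptions; pxytest's output labels its method http-post, which this example does not cover, only the CONNECT path.

```python
"""Open-proxy CONNECT probe and a model of the 'Allow CONNECT on Ports' field.

Added example, not code from the original thread, Cisco, or pxytest.
Field syntax (comma-separated ports and lo-hi ranges) and hostnames are assumptions.
"""
import socket


def build_connect_request(target_host, target_port):
    """The request a telnet user would type at the proxy to tunnel to an SMTP server."""
    return (
        "CONNECT {0}:{1} HTTP/1.1\r\nHost: {0}:{1}\r\n\r\n".format(target_host, target_port)
    ).encode()


def tunnel_established(proxy_headers):
    """True when the proxy's status line is 2xx, i.e. the proxy opened the tunnel."""
    status_line = proxy_headers.split(b"\r\n", 1)[0]
    parts = status_line.split()
    return len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].startswith(b"2")


def looks_like_smtp_banner(data):
    """pxytest's evidence of an open proxy: a 220 SMTP greeting arriving through the tunnel."""
    return data.startswith(b"220 ")


def probe_connect(proxy_host, proxy_port, target_host="mail.server.com",
                  target_port=25, timeout=5.0):
    """Live check: returns (tunnel_opened, smtp_banner_seen) for CONNECT target:25 via the proxy."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_connect_request(target_host, target_port))
        reply = b""
        while b"\r\n\r\n" not in reply and len(reply) < 8192:
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
        headers, _, tunnel_data = reply.partition(b"\r\n\r\n")
        if not tunnel_established(headers):
            return False, False
        # After a 2xx the socket is a raw tunnel; an SMTP server greets first, so
        # anything already buffered past the headers, or the next read, is the banner.
        banner = tunnel_data
        if not banner:
            try:
                banner = s.recv(1024)
            except socket.timeout:
                banner = b""
        return True, looks_like_smtp_banner(banner)


def parse_port_field(field):
    """Parse 'Allow CONNECT on Ports' into (lo, hi) tuples. Assumed syntax: '443, 8443, 1-65536'."""
    ranges = []
    for item in field.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        ranges.append((lo, hi))
    return ranges


def connect_allowed(field, port, asyncos_version):
    """Does the field let CONNECT reach `port`? Blank means allow-all before 5.2.0
    and block-all from 5.2.0 on, as described in the reply above."""
    if not field.strip():
        return asyncos_version < (5, 2, 0)
    return any(lo <= port <= hi for lo, hi in parse_port_field(field))


if __name__ == "__main__":
    # Constructed sample reply, as an open proxy that also relayed the SMTP greeting would send it.
    sample = b"HTTP/1.1 200 Connection established\r\n\r\n220 smtp.example.net ESMTP\r\n"
    head, _, rest = sample.partition(b"\r\n\r\n")
    print("sample tunnel opened:", tunnel_established(head), "banner:", looks_like_smtp_banner(rest))
    for version in ((5, 1, 2), (5, 2, 0)):
        for field in ("", "1-65536", "443, 8443"):
            print(version, repr(field), "port 25 allowed:", connect_allowed(field, 25, version))
    # Live probe against your own proxy (hypothetical address; only run against proxies you own).
    # print(probe_connect("proxy.example.internal", 8080))
```

To confirm the fix, run probe_connect against the WSA from a client in the proxy's allowed network before and after restricting the field: a proxy that returns anything other than 2xx for CONNECT to port 25 is no longer tunnelling SMTP, and a 2xx followed by a 220 banner means it still is.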

jdohrman
Cisco Employee

FYI

This information is now published in the IronPort Knowledgebase:
http://tinyurl.com/2zmmej

Cheers,
Jakob

Vinesh_ironport
Level 1

Hi,

I've just installed an S650 for an ISP for testing and it seems that it's acting as an open proxy.

Currently it's in explicit proxy mode for testing purposes on port 8080.
Apart from allowing the specific ports to connect, can we specify a specific range of IPs (which is internal to the ISP) that can use the proxy?

We are running version 5.1.2 for Web, build 001.


thanks

jowolfer
Level 1

Mauritius,

You would need to create a policy group that applies to the subnets you want to be able to proxy. This is your allowed access group.

Change the default policy so that it denies everything (Under 'Applications', just check the boxes to deny HTTP, HTTPS, FTP).