From owner-freebsd-isp@FreeBSD.ORG Mon May 19 11:40:00 2003
Date: Mon, 19 May 2003 11:33:24 -0700
From: Benjamin Krueger
To: Bryan Vyhmeister
cc: freebsd-isp@freebsd.org
Subject: Re: Illegal use of my server??
Message-ID: <20030519183324.GH233@surreal.seattlefenix.net>
In-Reply-To: <501EEBD0-8A27-11D7-8061-000393D5E5DA@hub3.net>
References: <523443F2-8A26-11D7-A0BC-003065BA9B36@titania.net> <501EEBD0-8A27-11D7-8061-000393D5E5DA@hub3.net>
List-Id: Internet Services Providers
User-Agent: Mutt/1.4i

* Bryan Vyhmeister (bsd@hub3.net) [030519 11:19]:
> I don't quite understand what happened. How was Squid used to relay
> mail? I'm glad this thread came up because I am just about to deploy a
> Squid cache.
>
> Bryan

It happened because somebody just dropped a proxy server on their network
without fully considering the consequences of their action. They didn't
bother to properly design an access control list, and because it is
available on the public internet, a spammer found it and began to use it
for their spamming ventures. Technically, a proxy server can proxy many
different TCP services. This includes SMTP, IRC, messaging services, and
others.

Now somebody is very upset at his mistake, and is looking to "pursue each
ISP in attempts to track down the guilty parties". Unfortunately, he is
ignoring the person who had the most power to prevent this situation.
Himself. Live, learn, realize that you made a mistake configuring your
proxy server, and get back to working. Unless your business is that of
hunting spammers, it really will not be worth your while to waste money
and time chasing ISPs and shadows of spam fiends.

> > The Squid package and port should have a *big* warning sign on them
> > about this.
> > I know of at least one network that was blacklisted due to the lack of
> > tight ACLs on Squid.
> >
> > On Monday, May 19, 2003, at 01:09 PM, Tony Saign wrote:
> >
> > > Any legal gurus out there??
> > >
> > > Long story, but I'll summarize;
> > >
> > > On Friday 05/16 my T1 went down.
> > > In troubleshooting attempts it was discovered that a machine on my
> > > network was being used maliciously.
> > > Not hacked, but Squid was being used to relay mail (i.e. SPAM).
> > > The machine was immediately brought down, and Squid was disabled.
> > >
> > > I received a call from my ISP, and they are NOT happy.
> > > Looking @ the logs, it appears that several thousand SPAM emails may
> > > have been sent.
> > >
> > > What should I do? Can I pursue each ISP in attempts to track down the
> > > guilty parties?
> > > Can I take any legal action against them?
> > > This is the last straw! I'm so frickin' sick of SPAM, and now people
> > > potentially got some w/ my IP address!
> > > Grrr!!!
> > >
> > > Any suggestions, advice would be greatly appreciated.

Lock down your proxy server, live and let live. Make things right with your
ISP, assure them that you won't be making a proxy server mistake again. Be
certain that you fully consider the consequences of deploying public
services to your network in the future.

--
Benjamin Krueger
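What "lock down your proxy server" means in Squid terms is the http_access ACL chain. The fragment below is an added example for this thread, not configuration posted by anyone in it; the hardened half is modelled on the Safe_ports / SSL_ports / CONNECT block that Squid's default squid.conf has long shipped with. The network 192.168.1.0/24 and the listening address are assumptions standing in for the site's real LAN; adjust them. Squid is an HTTP proxy, and the CONNECT method lets a client ask it to open a raw TCP tunnel to any host:port, which is exactly how a spammer turns a proxy into an SMTP relay: CONNECT mail.victim.example:25, then speak SMTP through the tunnel.

```conf
# squid.conf ACL example (added illustration; assumed addresses)

# --- The open-proxy mistake the thread describes. Do NOT use. ---
# Anyone on the Internet can fetch or CONNECT to anything, including port 25:
#   http_access allow all

# --- Hardened version ---

# Only listen on the inside interface (assumed LAN address), not 0.0.0.0.
http_port 192.168.1.1:3128

# Who is allowed to use this proxy at all. Assumed internal network.
acl localnet src 192.168.1.0/24
acl localhost src 127.0.0.1/255.255.255.255
acl all src 0.0.0.0/0.0.0.0            # Squid 2.x; Squid 3.x predefines 'all'
acl manager proto cache_object

# Destination ports a client may reach. Port 25 (SMTP) is deliberately
# absent, so both "CONNECT host:25" and "GET http://host:25/" are refused.
acl SSL_ports port 443 563              # https, snews
acl Safe_ports port 80                  # http
acl Safe_ports port 21                  # ftp
acl Safe_ports port 443 563             # https, snews
acl Safe_ports port 70                  # gopher
acl Safe_ports port 210                 # wais
acl Safe_ports port 1025-65535          # unregistered ports
acl Safe_ports port 280                 # http-mgmt
acl Safe_ports port 488                 # gss-http
acl Safe_ports port 591                 # filemaker
acl Safe_ports port 777                 # multiling http
acl CONNECT method CONNECT

# http_access rules are evaluated top to bottom; the first match wins.
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports            # block odd ports for every method
http_access deny CONNECT !SSL_ports     # tunnels only to TLS ports
http_access allow localnet              # our own users
http_access allow localhost
http_access deny all                    # everyone else, including the Internet
```

Two checks are worth doing after a reload. From a host outside the LAN, `printf 'CONNECT mail.example.net:25 HTTP/1.0\r\n\r\n' | nc proxy.example.net 3128` should get a 403 (or no connection at all, if http_port is bound to the inside interface); an open proxy answers 200 Connection established and then hands you the remote SMTP banner. And grep access.log for `CONNECT` requests whose destination port is not 443: with the rules above they should all show TCP_DENIED, and any earlier ones are the relay traffic the ISP complained about. Note that `http_access allow localnet` before `deny all` is doing the real work; an `allow all` anywhere above `deny all` silently reopens the proxy.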