.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 .\" .\" Standard preamble: .\" ======================================================================== .de Sh \" Subsection heading .br .if t .Sp .ne 5 .PP \fB\\$1\fR .PP .. .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. | will give a .\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to .\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C' .\" expand to `' in nroff, nothing in troff, for use with C<>. .tr \(*W-|\(bv\*(Tr .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' 'br\} .\" .\" If the F register is turned on, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . nr % 0 . rr F .\} .\" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .hy 0 .if n .na .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . 
ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . \" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "PXYTEST 1" .TH PXYTEST 1 "2008-01-14" "perl v5.8.8" "User Contributed Perl Documentation" .SH "NAME" pxytest \- test proxy server for unsecured mail relay .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBpxytest\fR [ \fB\-a\fR ] [ \fB\-h\fR ] [ \fB\-M\fR \fImail_server\fR ] [ \fB\-m\fR \fImail_addr\fR ] [ \fB\-S\fR \fIsmtp_banner\fR ] [ \fB\-T\fR \fImail_tag\fR ] [ \fB\-t\fR \fInum_threads\fR ] [ \fB\-v\fR \fIverbosity\fR ] \&\fItarget_host\fR [ \fIport_spec\fR ... 
] .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \fBpxytest\fR utility performs a test on \fItarget_host\fR (given as a host name or address) to locate an unsecured proxy that allows allow connections to a mail server. Spammers use such hosts to distribute vast amounts of junk email. .PP Normally, \fBpxytest\fR will not actually attempt to relay mail through the proxy, only verify that an open proxy exists and can connect to a mail server. If the test runs to completion without encountering an unsecured proxy, the program terminates with a message: .PP \&\& Test complete \- no proxies found .PP Normally, as soon as the program encounters an open proxy, it terminates with a message: .PP \&\& Test complete \- identified open proxy \fIaddr\fR:\fIport\fR/\fIprotocol\fR .PP The following options are available. .IP "\fB\-a\fR" 4 .IX Item "-a" Find all open proxies. Instead of terminating as soon as an open proxy is detected, \fBpxytest\fR will continue on to perform the full set of tests. At completion, it will indicate the number of open proxies detected. .IP "\fB\-h\fR" 4 .IX Item "-h" Display a help message and then exit. The help message provides information on defaults and definitions that may have been modified by your local administrator. .IP "\fB\-M\fR \fImail_server\fR" 4 .IX Item "-M mail_server" Specifies a target \fImail_server\fR, given as a name or number. \fBpxytest\fR will attempt to connect to this server through the proxy. See \fBMail Server Selection\fR for more information. .IP "\fB\-m\fR \fImail_addr\fR" 4 .IX Item "-m mail_addr" A probe email message is transmitted to \fImail_addr\fR. Normally, \&\fBpxytest\fR stops as soon as it verifies connection to the \s-1SMTP\s0 server. When this option is given it continues on to send an email to the indicated recipient. .IP "\fB\-S\fR \fIsmtp_banner\fR" 4 .IX Item "-S smtp_banner" Specifies string that identifies the \s-1SMTP\s0 banner from the mail server. 
See the \fBMail Server Selection\fR section for more information. .IP "\fB\-T\fR \fImail_tag\fR" 4 .IX Item "-T mail_tag" An arbitrary \fImail_tag\fR is added to the probe email headers. This tag may be used, for example, to serialize the email so it may be correlated with a particular incident. This option has no effect unless \fB\-m\fR was specified. .IP "\fB\-t\fR \fInum_threads\fR" 4 .IX Item "-t num_threads" \&\fBThis option is experimental.\fR The test is accelerated by running up to \fInum_threads\fR probes in parallel. Under best-to-normal case conditions, this will actually \&\fBslow down\fR the test, taking it longer to complete. In the worst case situation, however, where certain tests are pausing for long times waiting for server responses, this can greatly reduce the total test time. .IP "\fB\-v\fR \fIverbosity\fR" 4 .IX Item "-v verbosity" Controls the amount of output messages produced. The verbosity levels are: .Sp .Vb 5 \& 0 - Display nothing but program errors. \& 1 - Display final test result. \& 2 - Display individual test results. \& 3 - Display details of individual tests. \& 4 - Display thread management information. .Ve .Sp The default verbosity level is 3. .Sh "The \fIport_spec\fP Arguments" .IX Subsection "The port_spec Arguments" Exhaustive testing for open proxies is impractical. Proxies may appear on any of 65,536 \s-1TCP\s0 ports. Also, there are a number of different forms of proxies, each requiring its own test. At 50msec/test, it could take over 6 hours to test a single host. .PP The user must direct the \fBpxytest\fR test sequence. This is done with \&\fIport_spec\fR arguments. These may be simply a tag name (discussed shortly) or a specification in the form: .PP \&\& \fImin\fR[\-\fImax\fR][/\fIproto\fR] .PP where \fImin\fR is the starting port number of the scan, \fImax\fR is the ending port number of the scan, and \fIproto\fR is the proxy mechanism to test. 
If \fImax\fR is not specified (it usually isn't), then a single-port scan is done. The possible \fIproto\fR values are: \fBhttp-connect\fR, \fBhttp-post\fR, \&\fBhttp\fR, \fBsocks4\fR, \fBsocks5\fR, \fBtelnet\fR, \fBcisco\fR, \fBwingate\fR, and \&\fBall\fR. If \fIproto\fR is not specified then it defaults to \fBhttp-connect\fR. (The next section describes what these proxy mechanisms mean.) .PP The \fIport_spec\fR may also be a mnemonic tags. As distributed, there are three tags defined: .IP "\fBbasic\fR" 4 .IX Item "basic" A basic set of tests that covers most common cases. If no \fIport_spec\fR argument is given on the command line, the default is to do a \fBbasic\fR scan. .IP "\fBfull\fR" 4 .IX Item "full" All of the basic tests plus several more that have been reported in less common instances. .IP "\fBsocks\fR" 4 .IX Item "socks" A shortcut for: 1080/socks4 1080/socks5 .PP Your local administrator may have modified this script to change the definition of these tags or added additional tags. Run \fBpxytest\fR with the \fB\-h\fR option to get a list of all the tags and their exact definitions. .Sh "Proxy Mechanisms" .IX Subsection "Proxy Mechanisms" There are a number of different proxy mechanisms that can be abused for mail relay. The mechanisms supported by this utility include: .IP "\fBhttp-connect\fR" 4 .IX Item "http-connect" A web proxy or cache that supports the \f(CW\*(C`HTTP CONNECT\*(C'\fR mechanism. See \fI\s-1CERT\s0 Vulnerability Note VU#150227\fR (http://www.kb.cert.org/vuls/id/150227) for further information. .Sp This is the most common type of unsecured proxy. It may appear on any \&\s-1TCP\s0 port. Some of the common locations are port 3128 (the well known port for \fIsquid\fR), port 8080 (the well known port for \fIwebcache\fR), and port 8081 (the well known port for \fItproxy\fR). Unsecured or misconfigured web servers can often act as proxies, so these are often found on port 80 (the well known port for \fIhttp\fR). 
The \fIAnalogX Proxy\fR uses port 6588. .Sp If no \fIproto\fR is specified in a \fIport_spec\fR, it defaults to \&\fBhttp-connect\fR. .IP "\fBhttp\fR" 4 .IX Item "http" An alias for \fBhttp-connect\fR. .IP "\fBhttp-post\fR" 4 .IX Item "http-post" A web proxy or cache that supports access to a \s-1URL\s0 via the \f(CW\*(C`HTTP POST\*(C'\fR mechanism. This vulnerability is not well documented, but according to the \s-1OPM\s0 stats it's the second most prevalent type. .IP "\fBsocks4\fR" 4 .IX Item "socks4" \&\s-1SOCKS\s0 version 4 proxy. See the \fI\s-1SOCKS\s0 Version 4 Overview\fR for further information on this service. \s-1TCP\s0 port 1080 is the well known port allocated to \fIsocks\fR. .IP "\fBsocks5\fR" 4 .IX Item "socks5" \&\s-1SOCKS\s0 version 5 proxy. See the \fI\s-1SOCKS\s0 Version 5 Overview\fR for further information on this service. \s-1TCP\s0 port 1080 is the well known port allocated to \fIsocks\fR. .IP "\fBtelnet\fR" 4 .IX Item "telnet" A proxy that accepts a command in the form: .Sp \&\& \fBtelnet\fR \fIdstaddr\fR \fIdstport\fR .Sp and establishes a connection to the indicated destination. .IP "\fBcisco\fR" 4 .IX Item "cisco" An unsecured Cisco router that allows login with the factory default values. Once a user is logged into the router, they can use it as a telnet proxy. .IP "\fBwingate\fR" 4 .IX Item "wingate" The \fBWinGate\fR Internet Sharing/Proxy Server by Deerfield.com. See their corporate web site for further information on this product. Such a proxy accepts a specification in the form: .Sp \&\& \fIdstaddr\fR:\fIdstport\fR .Sp and establishes a connection to the indicated destination. This proxy typically appears on \s-1TCP\s0 port 23, which, confusingly enough, is the well known port reserved for the \fItelnet\fR service. .IP "\fBall\fR" 4 .IX Item "all" This value is expanded out to all the available test mechanisms. 
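.PP
The \fIport_spec\fR grammar and the tag and \fBall\fR expansion described in
the two preceding subsections, as an added Python illustration. This is not
code from the \fBpxytest\fR script itself. Only the \fBsocks\fR tag definition
comes from this manual; the \fBbasic\fR and \fBfull\fR port lists below are
constructed assumptions built from the ports named above, and the tag table
layout is likewise an assumption.

```python
"""Parse pxytest-style port_spec arguments into (port, proto) probes.

Added illustration, not code from the pxytest script.  The tag table is a
constructed stand-in: only the "socks" entry (1080/socks4 1080/socks5) is
taken from the manual page; "basic" and "full" are assumptions that exist
only to exercise the parser.
"""
import re

# Proxy mechanisms the manual lists.  "http" is an alias and "all" is a
# wildcard, so neither names a concrete test by itself.
CONCRETE_PROTOS = ("http-connect", "http-post", "socks4", "socks5",
                   "telnet", "cisco", "wingate")
ALIASES = {"http": "http-connect"}
DEFAULT_PROTO = "http-connect"

# Constructed tag table (assumption, except "socks").  Each entry is a list
# of port_spec strings, so tags reuse the same grammar as the command line.
TAGS = {
    "basic": ["80", "3128", "8080", "8081", "6588",
              "1080/socks4", "1080/socks5", "23/wingate"],
    "full": ["80", "3128", "8080", "8081", "6588",
             "1080/socks4", "1080/socks5", "23/wingate",
             "23/telnet", "23/cisco", "80/http-post"],
    "socks": ["1080/socks4", "1080/socks5"],
}

# min[-max][/proto]; every part after min is optional.
SPEC_RE = re.compile(r"^(\d+)(?:-(\d+))?(?:/([a-z0-9-]+))?$")


class BadPortSpec(ValueError):
    """Raised with the wording the manual's DIAGNOSTICS section uses."""


def expand_proto(proto):
    """Resolve the http alias and the 'all' wildcard to concrete protos."""
    proto = ALIASES.get(proto, proto)
    if proto == "all":
        return list(CONCRETE_PROTOS)
    if proto not in CONCRETE_PROTOS:
        raise BadPortSpec(f"unknown proxy type {proto}")
    return [proto]


def parse_port_spec(spec, tags=TAGS):
    """Expand one port_spec (or tag) into an ordered list of (port, proto).

    Probes are returned in the order they would be tried; duplicates are
    kept here so the caller decides whether to de-duplicate.
    """
    if spec in tags:
        probes = []
        for sub in tags[spec]:
            probes.extend(parse_port_spec(sub, tags={}))  # tags do not nest
        return probes
    m = SPEC_RE.match(spec)
    if not m:
        raise BadPortSpec(f"bad port specification {spec}")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo   # no max: single-port scan
    if not (1 <= lo <= hi <= 65535):             # port 0 is not connectable
        raise BadPortSpec(f"bad port specification {spec}")
    protos = expand_proto(m.group(3) or DEFAULT_PROTO)
    return [(port, proto) for port in range(lo, hi + 1) for proto in protos]


def build_test_plan(args):
    """Turn the whole argument list into a de-duplicated probe list.

    An empty argument list means a 'basic' scan, as the manual says.
    """
    seen, plan = set(), []
    for spec in (args or ["basic"]):
        for probe in parse_port_spec(spec):
            if probe not in seen:
                seen.add(probe)
                plan.append(probe)
    return plan


if __name__ == "__main__":
    for probe in build_test_plan(["socks", "8080-8081/http", "23/all"]):
        print("%d/%s" % probe)
```
.PP
Range specs expand to one probe per port per mechanism, so a wide range
combined with \fBall\fR grows the plan quickly; this is the arithmetic behind
the manual's remark that an exhaustive scan is impractical.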
.Sh "Mail Server Selection"
.IX Subsection "Mail Server Selection"
The \fBpxytest\fR utility attempts a connection to a target mail server,
and declares a proxy as open if it succeeds. The target mail server is
selected by the following process:
.IP "o" 4
If the \fB\-M\fR command line option is given, the \fImail_server\fR value
it specifies (host name or address) is used.
.IP "o" 4
Otherwise, if the \fB$DEFAULT_MAIL_SERVER\fR parameter is defined in the
script, that is selected. Typically that parameter is left undefined,
although the local administrator may choose to modify the script to set a
value.
.IP "o" 4
Otherwise, if the \fIperl\fR Net::DNS module is installed, the utility
will attempt to determine the mail server (\s-1MX\s0) for the local host
and use that.
.PP
If none of these methods can be used, the utility terminates with an
error.
.PP
The utility will attempt to recognize the mail server by its \s-1SMTP\s0
welcome banner, which typically looks something like:
.PP
.Vb 1
\& 220 mail.soaustin.net ESMTP Postfix [NO UCE C=US L=TX]
.Ve
.PP
By default, it declares success when it sees a line beginning with
\&\*(L"220 \*(R" (two\-two\-oh\-space). In certain conditions, this may be
a problem.
.PP
Some rare mail servers do not use the 220 code. If, for example, the mail
server does not want to accept incoming mail, it may use some other code.
Such a server can be used by \fBpxytest\fR, although the \fB\-m\fR option
won't work.
.PP
Some proxies are actually honeypots that are used to trap spammers and
crackers. These honeypots may redirect \s-1SMTP\s0 connections, so
\&\fBpxytest\fR will declare success when it sees the \s-1SMTP\s0 welcome
banner generated by the honeypot.
.PP
In these cases, the \fB\-S\fR option may be used to specify a more specific
match for the \s-1SMTP\s0 banner. The \fIsmtp_banner\fR argument specifies
a fixed string that must appear at the start of the banner. For example,
.PP
.Vb 1
\& -S "220 mail.soaustin.net"
.Ve
.PP
might be a good way to ensure \fBpxytest\fR has connected back to the
server that gives the \s-1SMTP\s0 banner shown above.
.Sh "Probe Email"
.IX Subsection "Probe Email"
When the \fB\-m\fR option is specified, the utility attempts to send a
probe email message through the target mail server. Here is the header
from a sample probe message:
.PP
.Vb 5
\& To: chip+pxytest@unicom.com
\& From: chip+pxytest@unicom.com
\& Subject: open proxy test
\& X-Mailer: pxytest v1.17
\& X-Proxy-Spec: 192.108.105.34:1080/socks4 ID-000034
.Ve
.PP
The \f(CW\*(C`To\*(C'\fR and \f(CW\*(C`From\*(C'\fR headers were specified
with the \fB\-m\fR option. The \f(CW\*(C`X\-Mailer\*(C'\fR header may be
used to simplify recognition and sorting of incoming test probes. The
\&\f(CW\*(C`X\-Proxy\-Spec\*(C'\fR header identifies the proxy, plus any tag
that may have been given with the \fB\-T\fR option.
.SH "EXIT STATUS"
.IX Header "EXIT STATUS"
An exit status of 0 means the test ran to completion without finding any
open proxies. An exit status of 2 means that an open proxy was detected.
Any other non-zero exit status indicates some sort of error.
.SH "DIAGNOSTICS"
.IX Header "DIAGNOSTICS"
This section provides additional explanation for selected error messages:
.IP "unknown host \fItarget_host\fR" 4
.IX Item "unknown host target_host"
.PD 0
.IP "unknown proxy type \fIproto\fR" 4
.IX Item "unknown proxy type proto"
.IP "bad port specification \fInum\fR" 4
.IX Item "bad port specification num"
.PD
These all indicate a problem with the arguments given on the command line.
.IP "error setting \s-1SIGALRM\s0 handler" 4
.IX Item "error setting SIGALRM handler"
This utility uses the \s-1POSIX\s0 interface to set timeout alarms. This
error likely indicates you are running on a non-POSIX system. If you run
into this, please contact the author.
.ie n .IP "cannot locate mailserver for ""\fIhostname\fR""" 4
.el .IP "cannot locate mailserver for ``\fIhostname\fR''" 4
.IX Item "cannot locate mailserver for ""hostname"""
The utility was unable to locate a mail exchanger (\s-1MX\s0) for your
host or your domain. This would happen if there is no \s-1MX\s0 for your
host or your domain. It also could happen if there are \s-1DNS\s0
problems. This can be worked around by either using the \fB\-M\fR option
or modifying the script to define a \fB$DEFAULT_MAIL_SERVER\fR value.
.IP "you must define a mail server (Net::DNS unavailable)" 4
.IX Item "you must define a mail server (Net::DNS unavailable)"
The automatic mail server lookup cannot run, because your system does not
have the \fIperl\fR Net::DNS module installed. If you do not want to
install this module, then you will need to specify the target mail
server. Either use the \fB\-M\fR option or modify the script to define a
\&\fB$DEFAULT_MAIL_SERVER\fR value.
.IP "host lookup for \fIhostname\fR failed" 4
.IX Item "host lookup for hostname failed"
The indicated host was identified as the target mail server to use, but
\&\fBpxytest\fR was unable to determine the \s-1IP\s0 address of that host.
This typically results from \s-1DNS\s0 problems. Either resolve the
\&\s-1DNS\s0 problems, or specify the target mail host as an address rather
than a name.
.IP "Cannot get host name of local machine" 4
.IX Item "Cannot get host name of local machine"
This diagnostic is produced by the \fIperl\fR Sys::Hostname module. See
the documentation on that module for information.
.IP "cannot determine your username" 4
.IX Item "cannot determine your username"
A number of methods were attempted to determine your username, none of
which worked. Please contact the author if you get this message.
.SH "BUGS"
.IX Header "BUGS"
Proxies may appear on any \s-1TCP\s0 port. A complete test would require
an exhaustive scan of all available ports, which is infeasible. Instead,
the \fBbasic\fR and \fBfull\fR scans cover ports that (based on past
observation) are most likely to be bound to a proxy service. The author
welcomes feedback on the port definitions for the \fBbasic\fR and
\&\fBfull\fR scans. The author also welcomes information on additional proxy
mechanisms that may be used for email abuse (spam).
.PP
Ideally, the \fB\-S\fR option should not be required. We ought to be able
to probe the target mail server to get the \s-1SMTP\s0 banner. We don't
do this automatically, because in some cases (e.g. running the test from
a host on a network that blocks outbound port 25) it won't work.
.PP
The threading is an ugly hack to address the inordinately long test times
against a proxy that is not responding. Hell, it isn't even real
threading. It's a lame facsimile implemented with \fIfork()\fR.
.PP
The port 23 tests can be troublesome. If there is something listening at
that port, these tests frequently will hang until the timeout occurs. I
ought to investigate whether there is some way they all can be combined
into some smarter, optimized test.
.PP
Severely overloaded proxies are prone to false negatives. That is,
\&\fBpxytest\fR might fail to connect because the proxy is throttled or
dropping connections or otherwise busy puking its guts out. So it will
declare this proxy as closed, even though a repeated attempt might prove
otherwise.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIservices\fR\|(5),
\&\fIhttpd\fR\|(8),
\&\fIsockd\fR\|(8)
.SH "ACKNOWLEDGMENTS"
.IX Header "ACKNOWLEDGMENTS"
I found the following programs helpful in developing this utility.
.IP "\fIBlitzed Open Proxy Monitor\fR" 4
.IX Item "Blitzed Open Proxy Monitor"
.IP "\fIProxy Stress Tester\fR" 4
.IX Item "Proxy Stress Tester"
.SH "AUTHOR"
.IX Header "AUTHOR"
.Vb 3
\& Chip Rosenthal
\& Unicom Systems Development
\&
.Ve
.PP
.Vb 2
\& $Id: pxytest,v 1.36 2002/12/28 20:56:55 chip Exp $
\& See for latest version.
.Ve
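.PP
The mail server selection order, the \s-1SMTP\s0 banner rule (default
\&\*(L"220 \*(R" prefix versus a fixed \fB\-S\fR string) and the exit status
mapping from the \fBMail Server Selection\fR, \fB\-a\fR and \fBEXIT STATUS\fR
sections above, as an added Python illustration that is not the
\&\fBpxytest\fR script's own code. The \s-1MX\s0 table stands in for
Net::DNS, the greeting strings are constructed samples modelled on the
banner shown in the manual, and the value 1 for the generic error status is
an assumption (the manual only says \*(L"any other non-zero\*(R").

```python
"""Mail server selection and SMTP banner acceptance as pxytest describes them.

Added illustration, not code from the pxytest script.  The MX lookup is a
constructed table standing in for Net::DNS, the banner strings are
constructed samples, and EXIT_ERROR's value is an assumption.
"""

# Exit codes from the EXIT STATUS section.
EXIT_NO_PROXY = 0
EXIT_OPEN_PROXY = 2
EXIT_ERROR = 1   # "any other non-zero"; the specific value is an assumption


class SelectionError(RuntimeError):
    """Carries the diagnostic text the DIAGNOSTICS section lists."""


def select_mail_server(opt_M=None, default_mail_server=None,
                       local_host=None, mx_lookup=None):
    """Apply the three-step order from "Mail Server Selection".

    mx_lookup is a callable host -> MX name or None; pass None to model a
    system without the Net::DNS module installed.
    """
    if opt_M:                                   # 1. -M on the command line
        return opt_M
    if default_mail_server:                     # 2. $DEFAULT_MAIL_SERVER
        return default_mail_server
    if mx_lookup is None:                       # 3. needs Net::DNS
        raise SelectionError(
            "you must define a mail server (Net::DNS unavailable)")
    mx = mx_lookup(local_host)
    if not mx:
        raise SelectionError('cannot locate mailserver for "%s"' % local_host)
    return mx


def banner_accepted(banner, smtp_banner=None):
    """Decide whether a received greeting counts as reaching the mail server.

    Default rule: the first line starts with "220 " (two-two-oh-space).
    With -S the line must start with the given fixed string instead, which
    is what stops a honeypot's own 220 greeting from being mistaken for the
    target, and what lets a non-220 server still be recognised.
    """
    line = banner.splitlines()[0] if banner else ""
    if smtp_banner is not None:
        return line.startswith(smtp_banner)
    return line.startswith("220 ")


def evaluate_run(results, find_all=False):
    """Reduce per-probe verdicts to the documented exit status.

    results is an iterable of (port, proto, accepted) in test order.  Without
    -a the run stops at the first open proxy; with -a (find_all) every probe
    is evaluated and all open proxies are reported.
    """
    found = []
    for port, proto, accepted in results:
        if accepted:
            found.append((port, proto))
            if not find_all:
                break
    return (EXIT_OPEN_PROXY if found else EXIT_NO_PROXY), found


# Constructed sample greetings (not captured traffic).
SAMPLE_BANNERS = {
    "target":   "220 mail.soaustin.net ESMTP Postfix [NO UCE C=US L=TX]\r\n",
    "honeypot": "220 smtp.example.invalid ESMTP ready\r\n",
    "refusing": "554 mail.example.invalid not accepting mail\r\n",
}

if __name__ == "__main__":
    mx_table = {"host.example.invalid": "mail.soaustin.net"}   # constructed
    server = select_mail_server(local_host="host.example.invalid",
                                mx_lookup=mx_table.get)
    print("selected mail server:", server)
    for name, banner in SAMPLE_BANNERS.items():
        print(name, "default:", banner_accepted(banner),
              "-S:", banner_accepted(banner, "220 mail.soaustin.net"))
```
.PP
With the default rule the honeypot greeting is accepted just like the real
one, which is the false positive the \fB\-S\fR option exists to remove; with
\&\fB\-S\fR the non-220 server can also be matched, at the cost of the
\&\fB\-m\fR probe mail not working against it.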