#!/usr/bin/perl # # $Id: pxytest,v 1.19 2002/11/20 20:14:36 chip Exp $ # # rlytest - test remote system for unsecured mail proxies # see POD documentation at end; view with: perldoc pxytest # # Chip Rosenthal # Unicom Systems Development # # my $VERSION = '$Revision: 1.19 $'; $VERSION =~ s/.* (\d+(\.\d+)+) .*/$1/; use strict; eval 'use warnings'; # this pragma not avail in ver < 5.6.0 use Sys::Hostname; use Time::gmtime; use IO::Socket; use Net::hostent; use Getopt::Std; my $USAGE = "usage: $0 [-M mail_server] [-m mail_addr] [-T mail_tag] target_host [port_spec ...]\n"; ##### # # You may choose to (or may need to) adjust some of the following definitions. # # # $DEFAULT_MAIL_SERVER specifies the mail server you want to use. This test # will attempt to connect to this server through the proxy. # # Normally, this should be set to "undef" and we will try to calculate # an appropriate mail server. If that doesn't work, then you'll need to # set this to a specific mail server name or address. Can be overriden # by -M option. # my $DEFAULT_MAIL_SERVER = undef; # # $DEFAULT_SCAN is a "port_spec" that is used if none are specified on # the command line. # my $DEFAULT_SCAN = "basic"; # # %TAGS_SCANLISTS associates mnemonic tags (like "basic") with a list of # port_specs. You may wish to tailor this to your preferences. Feedback # on these lists welcomed to . # my %TAGS_SCANLISTS = ( # # port rationale # ---- --------- # 80 Web server with unsecured/misconfigured proxy function. # 3128 Well known port for the "squid" web cache. # 8080 Well known port for the "webcache" service. # 8081 Well known port for the "tproxy" transparent proxy service. # 1080 Well known port for the "socks" proxy service. # 23 Well known port for the "telnet" service. # "basic" => [qw(80 3128 8080 8081 1080/socks4 1080/socks5 23/telnet 23/cisco 23/wingate)], # # port rationale # ---- --------- # 6588 The AnalogX product sets up an HTTP-CONNECT proxy here. # However, the basic scan catches AnalogX with 1080/socks4. # # The other ports listed are just numbers other people have reported # to have seen proxies sitting upon. # "full" => [qw(basic 81 85 1182 1282 4480 6588 7033 8000 8085 8090 8095 8100 8105 8110 8888)], "socks" => [qw(1080/socks4 1080/socks5)], ); # # $MAIL_MESSAGE_TEMPLATE is the template to generate a mail message # we can send through an open proxy. See the generate_mail_message() # routine for information on the %VARIABLES% that can be used. # my $MAIL_MESSAGE_TEMPLATE = q[To: %TO_ADDR% From: %FROM_ADDR% Date: %HDR_DATE% Message-Id: %HDR_MSSGID% Sender: %ORIG_SENDER% Subject: open proxy test X-Mailer: pxytest v%VERSION% X-Proxy-Spec: %PROXY_ADDR%:%PROXY_PORT%/%PROXY_PROTOCOL% %MAIL_TAG% This message is a test probe, passed through what appears to be an open proxy. This proxy test was initiated by <%ORIG_SENDER%>. Please contact that user if you have any questions about this test. Proxy parameters: Address: %PROXY_ADDR% Port: %PROXY_PORT% Type: %PROXY_PROTOCOL% This test was performed with the "pxytest" program. For further information see . ]; my $TIMEOUT_CONNECT = 30; my $TIMEOUT_DATA = 60; # # no user-servicable parts below this line # ##### # # %TEST_BY_PROXY_TYPE associates proxy protocols with a test procedure. # my %TEST_BY_PROXY_TYPE = ( "http" => \&proxy_test_http, "socks4" => \&proxy_test_socks4, "socks5" => \&proxy_test_socks5, "wingate" => \&proxy_test_wingate, "telnet" => \&proxy_test_telnet, "cisco" => \&proxy_test_cisco, ); # # Crack command line options. # my %opts; getopts('M:m:T:', \%opts) or die $USAGE; my $Mail_addr = $opts{'m'}; my $Mail_tag = $opts{'T'}; die $USAGE if (@ARGV == 0); # # Locate the mail server we will relay to. # my $MAIL_SERVER = locate_mailserver($opts{'M'} || $DEFAULT_MAIL_SERVER); my $MAIL_PORT = 25; # # This ugliness is necessary on system that have restartable system calls. # Not on a POSIX system? Ha ha ... you lose. # # Actually, on such a system the usual $SIG{} mechanism may work. # If you run into such a thing, let me know. # use POSIX ':signal_h'; my $Alarm_timeout = 0; sub alarm_handler { $Alarm_timeout = 1; } sigaction SIGALRM, new POSIX::SigAction "alarm_handler" or die "error setting SIGALRM handler: $!\n"; ##### # # usage: main($target_addr, [$port_spec, ...]) # function: Main program procedure. # returns: Nothing. # # Does an exit(2) as soon as an open proxy is detected. A successful # return indicates no open proxies were found. # sub main { my $target_addr = shift; my @portslist = (@_ > 0 ? @_ : $DEFAULT_SCAN); my $portspec; $target_addr =~ /^\d+\.\d+\.\d+\.\d+$/ || gethostbyname($target_addr) or die "$0: unknown host \"$target_addr\"\n"; # # Treat the args as a queue ... keep pulling from the end until done. # while (@portslist > 0) { # # Pull the first entry out of the list. # $portspec = shift(@portslist); # # If this entry is a tag, expand it out and push # the values onto the front of the list. # if (defined($TAGS_SCANLISTS{$portspec})) { unshift(@portslist, @{$TAGS_SCANLISTS{$portspec}}); next; } # # Parse the port specification in form: num[-num][/proto] # my($minport, $maxport, $proto) = parse_portspec($portspec); my $test_function = $TEST_BY_PROXY_TYPE{$proto} or die "$0: unknown proxy type \"$proto\"\n"; # # Go through the range of ports specified. # foreach my $port ($minport .. $maxport) { if (perform_proxy_test($target_addr, $port, $proto, $test_function)) { print "Test complete - identified open proxy ${target_addr}:${port}/${proto}\n"; exit(2); } } } print "Test complete - no proxies found\n"; } ##### # # usage: locate_mailserver($mail_server) # function: Locate mail server for this host. # returns: Mail server address, in a text string, as a dotted quad. # # If a server (name or address) is handed to this procedure, then use that. # Otherwise, we will try to locate an MX for the local host. # sub locate_mailserver { my $mail_server = shift; if (!defined($mail_server)) { eval 'use Net::DNS'; die "$0: you must define a mail server (Net::DNS unavailable)\n" if ($@); my $hostname = hostname or die "$0: cannot determine your hostname\n"; my @mx; while (! (@mx = mx($hostname))) { # Trim back to domain, hoping we can find an MX there. $hostname =~ s/^[^\.]+\.// or die "$0: cannot locate mail server for \"$hostname\"\n"; } $mail_server = $mx[0]->exchange; } my $mail_server_addr; if ($mail_server =~ /^\d+\.\d+\.\d+\.\d+$/) { $mail_server_addr = $mail_server; print "Using mail server: $mail_server_addr\n"; } else { my $h = gethostbyname($mail_server) or die "$0: host lookup for \"$mail_server\" failed\n"; $mail_server_addr = inet_ntoa($h->addr); print "Using mail server: $mail_server_addr ($mail_server)\n"; } return $mail_server_addr; } ##### # # usage: parse_portspec($port_spec) # function: Parse port specification in the form: num[-num][/proto] # returns: ($min, $max, $proto) # sub parse_portspec { $_ = shift; m!^(\d+)(-(\d+))?(/(\w+))?$! or die "$0: bad port specification \"$_\"\n"; return ($1, $3 || $1, $5 || "http"); } ##### # # usage: perform_proxy_test($addr, $port, $proto, $test_function) # function: Perform the specified proxy test. # returns: TRUE if an open proxy is encountered. # sub perform_proxy_test { my($proxy_addr, $proxy_port, $proxy_proto, $test_function) = @_; # # Connect to the remote host on the specified port. # print qq[Trying addr "$proxy_addr" port "$proxy_port" proto "$proxy_proto" ... ]; my $sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => $proxy_addr, PeerPort => $proxy_port, Timeout => $TIMEOUT_CONNECT); if (!$sock) { #print "FAILED: $@\n"; print "cannot connect\n"; return 0; } print "connected\n"; $sock->autoflush(1); # # Execute the proxy test. # if (!&$test_function($sock)) { $sock->close(); return 0; } print "*** ALERT - open proxy detected\n"; # # If an email address was given, transmit a probe message. # if ($Mail_addr) { my $mssg = generate_mail_message($proxy_addr, $proxy_port, $proxy_proto); if (transmit_mail_message($sock, $mssg)) { print "Mail message has been sent to <$Mail_addr>\n"; } else { print "Warning - failed to transmit email message to <$Mail_addr>\n"; } } $sock->close(); return 1; } ##### # # usage: proxy_test_http($sock) # function: Test for an open proxy using the "HTTP CONNECT" method. # returns: Return TRUE if open proxy detected. # sub proxy_test_http { my $sock = shift; wrsock($sock, "CONNECT ${MAIL_SERVER}:${MAIL_PORT} HTTP/1.0\r\n\r\n"); $_ = rdsock($sock) or return 0; # should see something like: HTTP/1.0 200 Connection established m!^HTTP/\S+\s+(200)\s+! or return 0; # Wierd ... I'm finding some servers give a 200 to the CONNECT # request, but then serve up a document rather than making a # proxy connection. They'll fail here. return found_smtp_banner($sock) } ##### # # usage: proxy_test_socks4($sock) # function: Test for an unsecured SOCKS4 proxy. # returns: Return TRUE if open proxy detected. # # reference: http://www.socks.nec.com/protocol/socks4.protocol # my %SOCKS4_CONNECT_RESPONSES = ( 90 => "request granted", 91 => "request rejected or failed", 92 => "request rejected, ident required", 93 => "request rejected, ident mismatch", ); sub proxy_test_socks4 { my $sock = shift; my($mssg, $repcode, $repmssg); # # CONNECT request: # VN 1 byte socks version (4) # CD 1 byte command code (1 = connect) # DSTPORT 2 bytes destination port # DSTIP 4 bytes destination address # USERID variable (not used here) # NULL 1 byte # $mssg = pack("CCnA4x", 4, 1, $MAIL_PORT, inet_aton($MAIL_SERVER)); wrsock($sock, $mssg); # # CONNECT reply: # VN 1 byte version of the reply code (should be 0) # CD 1 byte command code (the result) # DSTPORT 2 bytes # DSTIP 4 bytes # $mssg = rdsock($sock, -nbytes => 8) or return 0; $repcode = (unpack("C*", $mssg))[1]; $repmssg = $SOCKS4_CONNECT_RESPONSES{$repcode} || "unknown reply code"; print "socks reply code = $repcode ($repmssg)\n"; return 0 unless ($repcode == 90); # grab the SMTP banner, but return TRUE even if that chokes found_smtp_banner($sock); return 1; } ##### # # usage: proxy_test_socks5($sock) # function: Test for an unsecured SOCKS5 proxy. # returns: Return TRUE if open proxy detected. # # reference: http://www.socks.nec.com/rfc/rfc1928.txt # # WARNING!!! This is not tested. I haven't found access to an open SOCKS5 # server yet. If you can test this, please let me know. # my %SOCKS5_METHODS = ( 0 => "no authentication required", 1 => "GSSAPI", 2 => "username/password", 255 => "no acceptable methods", ); my %SOCKS5_CONNECT_RESPONSES = ( 0 => "succeeded", 1 => "general SOCKS server failure", 2 => "connection not allowed by ruleset", 3 => "Network unreachable", 4 => "Host unreachable", 5 => "Connection refused", 6 => "TTL expired", 7 => "Command not supported", 8 => "Address type not supported", ); sub proxy_test_socks5 { my $sock = shift; my($mssg, $repcode, $repmssg); # # METHOD SELECT message: # VER 1 byte socks version (5) # NMETHODS 1 byte number of method identifies # METHODS var list of methods (0 = no auth) # $mssg = pack("CCC", 5, 1, 0); wrsock($sock, $mssg); # # METHOD SELECT reply: # VER 1 byte socks version (5) # METHOD 1 byte method to use # $mssg = rdsock($sock, -nbytes => 2) or return 0; $repcode = (unpack("C*", $mssg))[1]; $repmssg = $SOCKS5_METHODS{$repcode} || "unknown or reserved method type"; print "socks reply code = $repcode ($repmssg)\n"; return 0 unless ($repcode == 0); # # CONNECT request: # VER 1 byte socks version (5) # CMD 1 byte command code (1 = connect) # RSV 1 byte reserved # ATYP 1 byte address type (1 = IPv4) # DST.ADDR variable destination address # DST.PORT 2 bytes destination port # $mssg = pack("CCCCa4n", 5, 1, 0, 1, inet_aton($MAIL_SERVER), $MAIL_PORT); wrsock($sock, $mssg); # # CONNECT reply: # VER 1 byte socks version (5) # REP 1 byte reply code # RSV 1 byte reserved # ATYP 1 byte address type (1 = IPv4) # BND.ADDR variable server bound address # BND.PORT 2 bytes server bound port # $mssg = rdsock($sock, -nbytes => 10) or return 0; $repcode = (unpack("C*", $mssg))[1]; $repmssg = $SOCKS5_CONNECT_RESPONSES{$repcode} || "unknown or reserved reply code"; print "socks reply code = $repcode ($repmssg)\n"; return 0 unless ($repcode == 0); # grab the SMTP banner, but return TRUE even if that chokes found_smtp_banner($sock); return 1; } ##### # # usage: proxy_test_wingate($sock) # function: Test for an open Wingate proxy. # returns: Return TRUE if open proxy detected. # sub proxy_test_wingate { my $sock = shift; wrsock($sock, "${MAIL_SERVER}:${MAIL_PORT}\r\n"); $_ = rdsock($sock) or return 0; return found_smtp_banner($sock, -abort => ["^Password:"]); } ##### # # usage: proxy_test_telnet($sock) # function: Test for an open telnet proxy. # returns: Return TRUE if open proxy detected. # # This is something that accepts a command: telnet # # Here is an example of what one of these looks like (with the # destination address elided to protect the guilty): # # $ telnet a.b.c.d # Trying a.b.c.d... # Connected to a.b.c.d. # Escape character is '^]'. # ÿûÿûsrvfwcm telnet proxy (Version 5.5) ready: # tn-gw-> telnet 207.200.4.66 25 # telnet 207.200.4.66 25 # Trying 207.200.4.66 port 25... # ÿüÿüÿüConnected to 207.200.4.66. # 220 mail.soaustin.net ESMTP Postfix [NO UCE C=US L=TX] # sub proxy_test_telnet { my $sock = shift; wrsock($sock, "telnet $MAIL_SERVER $MAIL_PORT\r\n") or return 0; return found_smtp_banner($sock, -abort => ["^Password:"]); } ##### # # usage: proxy_test_cisco($sock) # function: Test for an proxy thru an unsecured Cisco router. # returns: Return TRUE if open proxy detected. # # The idea is you use the factory default login to access the router, and # then you can use it like a telnet proxy. # # Here is a sample session: # # # [chip@mint chip]$ telnet a.b.c.d # Trying a.b.c.d... # Connected to a.b.c.d. # Escape character is '^]'. # # # User Access Verification # # Password: (bad password) # Password: (another bad password) # Password: (yet another bad password) # % Bad passwords # Connection closed by foreign host. # sub proxy_test_cisco { my $sock = shift; rdsock_for_message($sock, -match => "^User Access Verification") or return 0; # # There should be a "Password:" prompt here, but we won't see # it until the newline is terminated. # wrsock($sock, "cisco\r\n"); rdsock_for_message($sock, -match => "^Password:") or return 0; # # If the password worked, it's just a standard telnet proxy test. # return proxy_test_telnet($sock); } ##### # # usage: found_smtp_banner($sock, [options ...]) # options passed to rdsock_for_message() # function: Look for the SMTP greeting banner from a mail server. # returns: TRUE if we can obtain an SMTP greeting banner. # # Actually, can be used to look for anything given the -match option. # sub found_smtp_banner { my($sock, @args) = @_; # example: 220 mail.soaustin.net ESMTP Postfix [NO UCE C=US L=TX] return rdsock_for_message($sock, -match => "^220 ", @args); } ##### # # usage: generate_mail_message($proxy_addr, $proxy_port, $proxy_proto) # function: Generate an email message to use as a test probe. # returns: Email message, with complete headers and body. # sub generate_mail_message { my($proxy_addr, $proxy_port, $proxy_proto) = @_; use vars qw(%ENV); my $hostname = hostname || ""; my $username = $ENV{'LOGNAME'} || $ENV{'USER'} || `whoami 2>/dev/null` || `id --user --name 2>/dev/null` || ""; my $arpa_date = arpa_date(); my $mssgid = sprintf("", time(), $$, $hostname); $_ = $MAIL_MESSAGE_TEMPLATE; s/%VERSION%/$VERSION/g; s/%PROXY_ADDR%/$proxy_addr/g; s/%PROXY_PORT%/$proxy_port/g; s/%PROXY_PROTOCOL%/$proxy_proto/g; if (defined($Mail_tag)) { s/%MAIL_TAG%/$Mail_tag/g; } else { s/\s*%MAIL_TAG%//g; } s/%TO_ADDR%/$Mail_addr/g; s/%FROM_ADDR%/$Mail_addr/g; s/%HDR_DATE%/$arpa_date/g; s/%HDR_MSSGID%/$mssgid/g; s/%ORIG_SENDER%/${username}\@${hostname}/g; s/%ORIG_HOST%/$hostname/g; s/\n/\r\n/g; return $_; } ##### # # usage: transmit_mail_message($sock, $mssg) # function: Transmit an email message via SMTP. # returns: TRUE if the message is successfully transmitted. # sub transmit_mail_message { my($sock, $mssg) = @_; my $hostname = hostname || "unknown_hostname"; smtp_command($sock, "HELO $hostname") == 250 or return 0; smtp_command($sock, "MAIL FROM:<$Mail_addr>") == 250 or return 0; smtp_command($sock, "RCPT TO:<$Mail_addr>") == 250 or return 0; smtp_command($sock, "DATA") == 354 or return 0; wrsock($sock, $mssg, -mssg => "(email message)"); smtp_command($sock, ".") == 250 or return 0; smtp_command($sock, "QUIT") == 221 or return 0; return 1; } ##### # # usage: smtp_command($sock, $command) # function: Transmit an SMTP command. # returns: The numeric SMTP response code, or 0 on error. # sub smtp_command { my($sock, $command) = @_; my $rc = 0; my $cont = '-'; wrsock($sock, $command . "\r\n"); while (1) { $_ = rdsock($sock) or return 0; my($rc, $cont) = /^(\d\d\d)([- ])/ or return 0; return $rc if ($cont eq " "); } } ##### # # usage: arpa_date([$secs_since_epoch]) # function: Format a date for use in an RFC-2822 email message header. # returns: Date, as a string. # sub arpa_date { my $gm = gmtime(shift || time()); my @Day_name = ("Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"); my @Month_name = ( "Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"); sprintf("%-3s, %02d %-3s %4d %02d:%02d:%02d GMT", $Day_name[$gm->wday], $gm->mday, $Month_name[$gm->mon], 1900+$gm->year, $gm->hour, $gm->min, $gm->sec); } ##### # # usage: wrsock($sock, $data, [options ...]) # options: # -mssg => "message to display" # -timeout => secs # function: Transmit data across socket, with timeout. # returns: TRUE if successful. # # Displays $data before sending it. # A diagnostic message is printed if the write fails. # sub wrsock { my $sock = shift; my $data = shift; my %args = @_; my $mssg = $args{-mssg} || $data; my $timeout = $args{-timeout} || $TIMEOUT_DATA; print ">>> ", printable_mssg($mssg), "\n"; alarm($timeout); my $rc = $sock->print($data); alarm(0); print ">>> ERROR: error writing socket: $!\n" if (!$rc); return $rc; } ##### # # usage: rdsock_for_message($sock, [options ...]) # options: # -match => pattern # -abort => [pattern, ...] # function: Look for the indicated match pattern. # returns: TRUE if we can obtain the pattern. # sub rdsock_for_message { my($sock, %args) = @_; my $matchpat = $args{-match} or die "$0: must specify \"-match\" for rdsock_for_message()\n"; my $abortlist = $args{-abort}; while (1) { $_ = rdsock($sock) or return 0; /$matchpat/ and return 1; if ($abortlist) { foreach my $pat (@$abortlist) { /$pat/ and return 0; } } } return 0; } ##### # # usage: rdsock($sock, [options ...]) # options: # -timeout => secs # -bytes => n (default is to read a line) # function: Retrieve data from socket, with timeout. # returns: Value retrieved. # # Displays data retrieved. # Returns undefined on timeout, end of input, or read failure. # sub rdsock { my $sock = shift; my %args = @_; my $timeout = $args{-timeout} || $TIMEOUT_DATA; my $nb = $args{-nbytes}; my $data; $Alarm_timeout = 0; alarm($timeout); if (defined($nb)) { $sock->read($data, $nb); } else { $data = $sock->getline(); } alarm(0); if ($Alarm_timeout) { print "<<< TIMEOUT: timeout waiting for response\n"; undef $data; } elsif (!defined($data)) { print "<<< EOF: end of input\n"; } else { print "<<< ", printable_mssg($data), "\n"; } return $data; } ##### # # usage: printable_mssg($data) # function: Generate a printable string from an arbitrary data string. # returns: Printable string. # # If the data is printable text data, then it is returned with trailing # newlines elided. # # If the data includes unprintable content, then it is displayed as a # list of byte values. # sub printable_mssg { my $data = shift; if ($data =~ /^[[:print:][:space:]]*$/) { $data =~ s/[\r\n]*$//; return $data } my @x = unpack("C*", $data); return "binary message: " . join(" ", map(sprintf("%d", $_), @x)); } ############################################################################## # # Start of execution. # $| = 1; # autoflush stdout main(@ARGV); exit(0); # ############################################################################## __END__ =head1 NAME pxytest - test proxy server for unsecured mail relay =head1 SYNOPSIS B [ B<-M> I ] [ B<-m> I ] [ B<-T> I ] I [ I ... ] =head1 DESCRIPTION The B utility performs a test on I (given as a host name or address) to determine whether it will allow connections to a mail server through an unsecured proxy. Normally, it will not actually attempt to relay mail through the proxy, only verify that a proxy exists and accepts a connection request. If the test runs to completion without encountering an unsecured proxy, the program terminates with a message: Z<> Test complete - no proxies found As soon as the program encounters an open proxy, it terminates with a message: Z<> Test complete - identified open proxy I:I/I The following options are available. =over 4 =item B<-M> I Specifies a target I, given as a name or number. B will attept to connect to this server through the proxy. =item B<-m> I A probe email message is transmitted to I. Normally, B stops as soon as it sees the startup banner from the SMTP server. When this option is given it continues on to send an email to the indicated recipient. =item B<-T> I An arbitray I is added to the probe email headers. This tag may be used, for example, to serialize the email so it may be correlated with a particular incident. This option has no effect unless B<-m> was specified. =back =head2 The I Arguments This utility does not perform an exhaustive search for proxies. The search is directed by the I arguments. These may be simply TCP port numbers, a tag name, or a specification in the form: Z<> I[-I][/I] where I is the starting port number of the scan, I is the ending port number of the scan, and I is the proxy mechanism to test. If I is not specified, then a single-port scan is done. The possible I values are: B, B, B, B, B, and B. If I is not specified then it defaults to B. (The next section describes what these proxy mechanisms mean.) The I may also be a mnemonic tags. The available tags, as distributed, are: =over 4 =item B 80 3128 8080 8081 1080/socks4 1080/socks5 23/telnet 23/cisco 23/wingate =item B all of the basic tests, plus: 81 85 1182 1282 4480 6588 7033 8000 8085 8090 8095 8100 8105 8110 8888 =item B 1080/socks4 1080/socks5 =back Your local administrator may have modified this script to change the definition of these tags, or added additional tags. If no I argument is given on the command line, the default is to do a B scan. =head2 Proxy Mechanisms There are a number of different proxy mechanisms that can be abused for mail relay. The mechanisms supported by this utility include: =over 4 =item B A web proxy or cache that supports the C mechanism. See I (http://www.kb.cert.org/vuls/id/150227) for further information. This is the most commonly found type of unsecured proxy. It may appear on any TCP port. Some of the common locations are port 3128 (the well known port for I), port 8080 (the well known port for I), and port 8081 (the well known port for I). Unsecured or misconfigured web servers can often act as proxies, so these are often found on port 80 (the well known port for I). The I uses port 6588. =item B SOCKS version 4 proxy. See the I for further information on this service. TCP port 1080 is the well known port allocated to I. =item B SOCKS version 5 proxy. See the I for further information on this service. TCP port 1080 is the well known port allocated to I. =item B A proxy that accepts a command in the form "telnet dstaddr dstport", and establishes a connection to the indicated destination. =item B An unsecured Cisco router that allows login with the factory set values. Once a user is logged into the router, they can use it as a telnet proxy. =item B The B Internet Sharing/Proxy Server by Deerfield.com. See their corporate web site for further information on this product. This proxy typically appears on TCP port 23, which, unfortunately, is the well known port reserved for the I service. =back =head2 Mail Server Selection This utility works by attempting a connection to a target mail server. The mail server is selected by the following process: =over 4 =item o If the B<-M> command line option is used, that is selected. =item o Otherwise, if the C<$DEFAULT_MAIL_SERVER> parameter is defined in the script, that is selected. Typically that parameter is left undefined, although the local administrator may choose to modify the script to set a value. =item o Otherwise, if the perl Net::DNS module is installed, the utility will attempt to determine the mail server for the local host and use that. =back If none of these methods may be used, the utility terminates with an error. =head2 Probe Email When the B<-m> option is specified, the utility attempts to send a probe email message through the target mail server. Here is the header from a sample probe message: To: chip+pxytest@unicom.com From: chip+pxytest@unicom.com Subject: open proxy test X-Mailer: pxytest v1.17 X-Proxy-Spec: 192.108.105.34:1080/socks4 ID-000034 The C and C headers were specified with the B<-m> option. The C header may be used to simplify recognition and sorting of incoming test probes. The C header identifies the proxy, plus any tag that may have been given with the B<-T> option. =head1 EXIT STATUS An exit status of 0 means the test ran to completion without finding any open proxies. An exit status of 2 means that an open proxy was detected. Any other non-zero exit status indicates some sort of error. =head1 DIAGNOSTICS This section provides additional explanation for selected error messages: =over 4 =item error setting SIGALRM handler This utility uses the POSIX interface to set timeout alarms. This error likely indicates you are running on a non-POSIX system. If you run into this, please contact the author. =item cannot locate mailserver for "I" Was unable to locate a mail exchanger (MX) for your host or your domain. This would happen if there is no MX for your host or your domain. It also could happen if there are DNS problems. This can be worked around by using the B<-M> option, or modifying the script to define a C<$DEFAULT_MAIL_SERVER> value. =item you must define a mail server (Net::DNS unavailable) The automatic mail server lookup cannot run, because your system does not have the I Net::DNS module installed. If you do not want to install this module, then you will need to specify the target mail server. Either use the B<-M> option, or modify the script to define define a C<$DEFAULT_MAIL_SERVER> value. =item Cannot get host name of local machine See the documentation for the I Sys::Hostname module for information. =back =head1 BUGS Proxies may appear on any TCP port. A complete test would require an exhaustive scan of all available ports, which is infeasible. Instead, the B and B scans cover ports that (based on past observation) are mostly likely to be bound to a proxy service. The author welcomes feedback on the ports definitions for the B and B scans. The author also welcomes information on additional proxy mechanisms that may be used for email abuse (spam). If you attempt to scan a host that is not up (or whose firewall silently blocks scans), the scan will run for an inordinate amount of time. This utility is highly inefficient due to its sequential, single-threaded design. This is actually a feature; it makes this utility largely useless for abusive large-scale scanning. =head1 SEE ALSO services(5), httpd(8), sockd(8) =head1 ACKNOWLEDGMENTS I found the following programs helpful in developing this utility. =over 4 =item I =item I =back =head1 AUTHOR Chip Rosenthal Unicom Systems Development $Id: pxytest,v 1.19 2002/11/20 20:14:36 chip Exp $ See for latest version.