I2022: You suspect FreeProxy is routing/producing spam
Versions: FreeProxyClient V3.0 onwards
Date reported: 02 November 2003 Issue Detail
Typical symptoms are
Your ISP reports that your IP address has been used to route SPAM.
You find that your access report shows hits from foreign IP addresses.
Your firewall reports FreeProxy is generating SPAM
Use local binding.
For each port or service definition, FreeProxy opens a "listening" port to enable computers to make a TCP/IP connection to it. It then opens a connection to another computer based on configuration and the information contained in the protocol requests. This is how proxies work. FreeProxy does not do anything special in this case.
As with any open port, this could be exploited.
In the diagram above, FreeProxy is connected to both the internet (blue) and to the local network (orange). As such it is known as a "multihomed" - able to interact with more than one network. Normally, you would have a physical network card that you'd use to connect to your local network and also a software defined network connection for dialup or broadband connection. The important point to make here is that your server has become visible on 2 different networks; yours and the internet.
Before a server can communicate it must allocate a port number and then set that port into "listen" mode. Once in listen mode, the operating system will direct connection requests for that port to the program that requested the opening of the port.
Now here is the important part. When setting listen mode, you can be non-specific or specific. A non-specific listen will direct the software to listen on say port 8080, on ANY network adapter. A specific listen will direct the software to listen on a specific network adapter. Remember adapters can be physical (network card) or virtual (dial up connection). By running the IPCONFIG (Winnt/2000/XP/2003) or WINIPCFG (Win98/Me) command from the command line, you can list all the network adapters, real and virtual defined on your system. This only makes sense on the computer connected to the internet and running FreeProxy.
a non-specific listen will accept connections from any network adapter
A specific listen will accept connections from a specified network adapter.
Without specific listening, or in the case of FreeProxy, "Local binding", your system is vulnerable. For example, anyone could connect to your proxy server. Anyone could redirect mail via your email connection. Why would they want to do this when they are able to connect to the internet anyway ? The reason is a form of spoofing - assuming a different identity.
For example, a spammer wants to send millions of emails but does not want his own IP address to appear in the email trace. If he can find an open port (25 - SMTP) somewhere on the network which is redirecting to an email server as Freeproxy would do without local binding, he can connect to the FreeProxy server and redirect all the email to that SMTP server. The advantage of doing this is that the IP address showing on the email header is the one from which the last connection was made, that is, the Freeproxy server.
In the same way, connections can be made to your FreeProxy 8080 port (http) and the attacker can access any site possibly ones that he may not be able to access. Recommendations