Proxies are machines that relay pages between a website and a user. They're often used at companies, where the proxy is the only machine visible from the outside world. It was a security measure, and a cheap way to share a dialup line, at a time when the internet was rather small. Today, the internet is big, bad and dangerous, and what was once a good idea may come back to bite you. Proxies can be misconfigured so that not only the local LAN users but anyone who knows how can use them. Aside from people with a legitimate need and noble causes, there are many ways to abuse such an open proxy:
Referrer, comment and trackback fraud has been a big problem recently, and has had many bloggers tear their hair out. So this page is an attempt to explain what's happening, and let admins know how to uncover the problem and fix it.

Why should an open proxy be secured?
If your argument is that open proxies are good and necessary, my argument is that having an open proxy that isn't closely monitored is negligent. If you insist on having a proxy, it should be secured so that only users on the local LAN, or users with a login, are able to use it. If people have a legitimate need of a proxy (yes, I know cases where people do legitimately need a proxy), then the best way would be for them to use a commercial service, say Anonymizer.

How can I tell if my server is being misused as an open proxy?

As one guy said, he was using a Mac on a DSL line. He couldn't sleep for all the blinking. Traffic had shot up fairly suddenly. It builds slowly at first, and then the line is saturated. At the same time, some abusers are careful and won't overuse a server, so gauging traffic shouldn't be your only check. You should at all times have a way of monitoring your logs, the access logs in particular. Grep them, either using grep in Unix/Linux, or by downloading the logs to your Windows computer and using TextHarvest. Here are some tests you could do. How effective they are depends on your setup. One important fact: all traffic by people using your machine as a proxy will be to the IP address of the server, not to any domain name hosted on it.
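To make the log check above concrete, here is an added example (not code from the original page) that parses a few constructed Apache access-log lines and separates proxy-style requests from ordinary ones. It assumes the log is in Apache's combined format with one extra trailing field, the Host request header, and uses a placeholder server address.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines, not taken from the page: Apache "combined" format
# plus one assumed trailing field, the Host request header (%{Host}i).
# Proxy-style traffic shows up as an absolute URL in the request line or a
# CONNECT tunnel; a Host header that is the server's bare IP (not a hosted
# domain) is the weaker hint the text above describes.
SERVER_IP = "192.0.2.10"  # placeholder for this server's own address
SAMPLE_LOG = """\
203.0.113.5 - - [04/Dec/2005:10:01:02 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0" "www.annelisabeth.com"
198.51.100.7 - - [04/Dec/2005:10:01:05 +0100] "GET http://guestbook.example/post.php HTTP/1.0" 200 88 "-" "-" "192.0.2.10"
198.51.100.7 - - [04/Dec/2005:10:01:06 +0100] "CONNECT mail.example:25 HTTP/1.0" 200 0 "-" "-" "192.0.2.10"
203.0.113.5 - - [04/Dec/2005:10:02:00 +0100] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "www.annelisabeth.com"
198.51.100.9 - - [04/Dec/2005:10:03:11 +0100] "GET /robots.txt HTTP/1.1" 404 200 "-" "Googlebot/2.1" "192.0.2.10"
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3} \S+'
    r'(?: "[^"]*" "[^"]*")?(?: "(?P<host>[^"]*)")?'
)

def classify(line):
    # Returns (client, kind) for one log line, or None if it does not parse.
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = m.group("request").split()
    if len(parts) < 2:
        return None
    method, target = parts[0], parts[1]
    if method == "CONNECT" or re.match(r"[a-z][a-z0-9+.-]*://", target, re.I):
        kind = "proxied"          # the client is using us as a forward proxy
    elif m.group("host") == SERVER_IP:
        kind = "by-ip"            # reached by bare IP: scanners, or proxy lists
    else:
        kind = "direct"           # ordinary request for a hosted site
    return m.group("client"), kind

def summarize(log_text):
    # Per-client counts of each kind, e.g. {'198.51.100.7': {'proxied': 2}}.
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = classify(line)
        if rec:
            counts[rec[0]][rec[1]] += 1
    return {client: dict(kinds) for client, kinds in counts.items()}

def proxy_abusers(log_text):
    # Clients that issued at least one proxy-style request.
    return sorted(c for c, k in summarize(log_text).items() if k.get("proxied"))
```

Run `summarize(SAMPLE_LOG)` on your own log text to get the per-client breakdown; clients listed by `proxy_abusers` are the ones worth blocking and investigating first.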
But if you get an angry e-mail citing a specific IP number, check Google using this syntax: "xx.xxx.xxx.xx", where the x's represent the IP number. That might give you a list of guestbook and message board spam, as well as proxy lists featuring your server. If you get both, then your server IS (or was) an abused open proxy. No ifs or buts about it. I've had admins tell me I'm mistaken, because they can't find that proxying is enabled on port 80 or 8080. Well, some have proxying enabled on weird ports, so that's no proof. The proof is in the pudding, as they say. It doesn't matter if some popular ports are closed and secured if others are open and abused. Remember that SOCKS proxies on *NIX and trojans on Windows machines can introduce problems. Some use nmap to check how leaky their servers are. That can help uncover problems; a preventative measure, if you will. But I wouldn't trust one negative test if you've been notified that there's a problem. Check this list of servers and how to close/secure proxies.
This page was created by Ann Elisabeth Nordbo
and has its home at http://www.annelisabeth.com/
Updated 04.12.2005
Premiere issue February 2005