pxytest - test proxy server for unsecured mail relay
pxytest [ -a ] [ -h ] [ -M mail_server ] [ -m mail_addr ] [ -S smtp_banner ] [ -T mail_tag ] [ -t num_threads ] [ -v verbosity ] target_host [ port_spec ... ]
The pxytest utility performs a test on target_host (given as a host name or address) to locate an unsecured proxy that allows connections to a mail server. Spammers use such hosts to distribute vast amounts of junk email.
Normally, pxytest does not actually attempt to relay mail through the proxy; it only verifies that an open proxy exists and can connect to a mail server. If the test runs to completion without encountering an unsecured proxy, the program terminates with a message:
Test complete - no proxies found
Normally, as soon as the program encounters an open proxy, it terminates with a message:
Test complete - identified open proxy addr:port/protocol
The following options are available.
0 - Display nothing but program errors.
1 - Display final test result.
2 - Display individual test results.
3 - Display details of individual tests.
4 - Display thread management information.
The default verbosity level is 3.
Exhaustive testing for open proxies is impractical. Proxies may appear on any of 65,536 TCP ports. Also, there are a number of different forms of proxies, each requiring its own test. At 50 msec/test, it could take over 6 hours to test a single host.
The user must direct the pxytest test sequence. This is done with port_spec arguments. These may be simply a tag name (discussed shortly) or a specification in the form:
min[-max][/proto]
where min is the starting port number of the scan, max is the ending port number of the scan, and proto is the proxy mechanism to test. If max is not specified (it usually isn't), then a single-port scan is done. The possible proto values are: http-connect, http-post, http, socks4, socks5, telnet, cisco, wingate, and all. If proto is not specified then it defaults to http-connect. (The next section describes what these proxy mechanisms mean.)
The port_spec may also be a mnemonic tag. As distributed, there are three tags defined:
Your local administrator may have modified this script to change the definition of these tags or added additional tags. Run pxytest with the -h option to get a list of all the tags and their exact definitions.
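As an added illustration (not code from pxytest itself), here is a Python parser for the min[-max][/proto] grammar above that also expands tags and the all pseudo-proto into a deduplicated test plan. The tag table in it is constructed for the example, since the distributed tag definitions are not reproduced here, and the run-time estimate uses the 50 msec/test figure quoted earlier.

```python
import re

# Proxy mechanisms accepted by pxytest; "all" expands to every concrete one.
PROTOS = ("http-connect", "http-post", "http", "socks4", "socks5",
          "telnet", "cisco", "wingate")
DEFAULT_PROTO = "http-connect"

# Constructed tag table for illustration only: the distributed tag
# definitions are not reproduced on this page, so these are assumptions.
TAGS = {"squid": ["3128", "8080/all"]}

_SPEC = re.compile(r"^(\d+)(?:-(\d+))?(?:/([a-z0-9-]+))?$")

def parse_port_spec(spec, tags=TAGS):
    """Expand one port_spec argument into a list of (port, proto) tests."""
    if spec in tags:
        tests = []
        for sub in tags[spec]:
            tests.extend(parse_port_spec(sub, tags={}))  # tags do not nest
        return tests
    m = _SPEC.match(spec)
    if not m:
        raise ValueError(f"bad port_spec: {spec!r}")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo   # single-port scan if no max
    proto = m.group(3) or DEFAULT_PROTO
    if not (0 <= lo <= hi <= 65535):
        raise ValueError(f"port range out of bounds: {spec!r}")
    if proto != "all" and proto not in PROTOS:
        raise ValueError(f"unknown proto in {spec!r}: {proto}")
    protos = PROTOS if proto == "all" else (proto,)
    return [(p, pr) for p in range(lo, hi + 1) for pr in protos]

def build_plan(specs, tags=TAGS):
    """Expand all port_spec arguments in order, dropping duplicate tests."""
    seen, plan = set(), []
    for spec in specs:
        for test in parse_port_spec(spec, tags):
            if test not in seen:
                seen.add(test)
                plan.append(test)
    return plan

def estimate_seconds(plan, per_test=0.05):
    """Rough wall-clock time at the 50 msec/test figure quoted above."""
    return len(plan) * per_test
```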
There are a number of different proxy mechanisms that can be abused for mail relay. The mechanisms supported by this utility include:
http-connect: HTTP CONNECT mechanism. See CERT Vulnerability Note VU#150227 (http://www.kb.cert.org/vuls/id/150227) for further information.
This is the most common type of unsecured proxy. It may appear on any TCP port. Some of the common locations are port 3128 (the well known port for squid), port 8080 (the well known port for webcache), and port 8081 (the well known port for tproxy). Unsecured or misconfigured web servers can often act as proxies, so these are often found on port 80 (the well known port for http). The AnalogX Proxy uses port 6588.
If no proto is specified in a port_spec, it defaults to http-connect.
http-post: HTTP POST mechanism. This vulnerability is not well documented, but according to the OPM stats it's the second most prevalent type.
telnet dstaddr dstport
and establishes a connection to the indicated destination.
dstaddr:dstport
and establishes a connection to the indicated destination. This proxy typically appears on TCP port 23, which, confusingly enough, is the well known port reserved for the telnet service.
The pxytest utility attempts a connection to a target mail server, and declares a proxy as open if it succeeds. The target mail server is selected by the following process:
If none of these methods can be used, the utility terminates with an error.
The utility will attempt to recognize the mail server by its SMTP welcome banner, which typically looks something like:
220 mail.soaustin.net ESMTP Postfix [NO UCE C=US L=TX]
By default, it declares success when it sees a line beginning with "220 " (two-two-oh-space). In certain conditions, this may be a problem.
Some rare mail servers do not use the 220 code. If, for example, the mail server does not want to accept incoming mail, it may use some other code. Such a server can be used by pxytest, although the -m option won't work.
Some proxies are actually honeypots that are used to trap spammers and crackers. These honeypots may redirect SMTP connections. So pxytest will declare success when it sees the SMTP welcome banner generated by the honeypot.
In these cases, the -S option may be used to specify a more specific match for the SMTP banner. The smtp_banner argument specifies a fixed string that appears at the start of the banner. For example,
-S "220 mail.soaustin.net"
might be a good way to ensure pxytest has connected back to the server that gives the SMTP banner shown above.
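The banner rule described above, worked as an added Python example (not part of pxytest): with the default two-two-oh-space match a honeypot's banner also counts as success, while an -S prefix restricts success to the intended server. The replies it checks are constructed samples.

```python
DEFAULT_PREFIX = "220 "   # two-two-oh-space: pxytest's default success test

def find_smtp_banner(reply, prefix=DEFAULT_PREFIX):
    """Return the first line of `reply` beginning with `prefix`, else None.

    `reply` is everything read back after asking the proxy to connect, so
    a proxy-side status line such as an HTTP CONNECT "200 Connection
    established" is simply skipped until an SMTP-looking line appears."""
    for line in reply.splitlines():
        if line.startswith(prefix):
            return line
    return None

def verdict(reply, smtp_banner=None):
    """pxytest's per-test verdict: smtp_banner=None is the default rule,
    a string behaves like the -S option (fixed prefix of the banner)."""
    hit = find_smtp_banner(reply, smtp_banner or DEFAULT_PREFIX)
    return "open" if hit else "closed"

# Constructed sample replies, not captured from any real host.
REAL_SERVER = ("HTTP/1.0 200 Connection established\r\n\r\n"
               "220 mail.soaustin.net ESMTP Postfix [NO UCE C=US L=TX]\r\n")
HONEYPOT = ("HTTP/1.0 200 Connection established\r\n\r\n"
            "220 trap.example ESMTP ready\r\n")
REFUSED = "HTTP/1.0 403 Forbidden\r\n\r\n"
```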
When the -m option is specified, the utility attempts to send a probe email message through the target mail server. Here is the header from a sample probe message:
To: chip+pxytest@unicom.com
From: chip+pxytest@unicom.com
Subject: open proxy test
X-Mailer: pxytest v1.17
X-Proxy-Spec: 192.108.105.34:1080/socks4 ID-000034
The To and From headers were specified with the -m option. The X-Mailer header may be used to simplify recognition and sorting of incoming test probes. The X-Proxy-Spec header identifies the proxy, plus any tag that may have been given with the -T option.
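An added example (not part of pxytest) of the receiving side: a Python routine that recognises an incoming probe by its X-Mailer header and splits X-Proxy-Spec into address, port, mechanism and tag, so probes can be sorted by proxy. The message it parses is constructed in the shape of the sample header above.

```python
import email
import re
from email import policy

# addr:port/proto, optionally followed by the -T tag.
_SPEC = re.compile(r"^([^:\s]+):(\d+)/([a-z0-9-]+)(?:\s+(.*\S))?\s*$")

# Constructed sample in the shape of the probe header shown above.
SAMPLE = """\
To: chip+pxytest@unicom.com
From: chip+pxytest@unicom.com
Subject: open proxy test
X-Mailer: pxytest v1.17
X-Proxy-Spec: 192.108.105.34:1080/socks4 ID-000034

probe body
"""

def parse_probe(raw):
    """Return a dict describing a pxytest probe, or None if `raw` is not one."""
    msg = email.message_from_string(raw, policy=policy.default)
    mailer = str(msg.get("X-Mailer", ""))
    if not mailer.startswith("pxytest"):
        return None                     # ordinary mail, not a probe
    m = _SPEC.match(str(msg.get("X-Proxy-Spec", "")))
    if not m:
        return None                     # claims to be pxytest but spec is mangled
    addr, port, proto, tag = m.groups()
    return {"mailer": mailer, "addr": addr, "port": int(port),
            "proto": proto, "tag": tag}
```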
An exit status of 0 means the test ran to completion without finding any open proxies. An exit status of 2 means that an open proxy was detected. Any other non-zero exit status indicates some sort of error.
This section provides additional explanation for selected error messages:
Proxies may appear on any TCP port. A complete test would require an exhaustive scan of all available ports, which is infeasible. Instead, the basic and full scans cover ports that (based on past observation) are most likely to be bound to a proxy service. The author welcomes feedback on the port definitions for the basic and full scans. The author also welcomes information on additional proxy mechanisms that may be used for email abuse (spam).
Ideally, the -S option should not be required. We ought to be able to probe the target mail server to get the SMTP banner. We don't do this automatically, because in some cases (e.g. running the test from a host on a network that blocks outbound port 25) it won't work.
The threading is an ugly hack to address the inordinately long test times against a proxy that is not responding. Hell, it isn't even real threading. It's a lame facsimile implemented with fork().
The port 23 tests can be troublesome. If there is something listening at that port, these tests frequently will hang until timeout occurs. I ought to investigate whether there is some way they all can be combined into some smarter, optimized test.
Severely overloaded proxies are prone to false negatives. That is, pxytest might fail to connect because the proxy is throttled or dropping connections or otherwise busy puking its guts out. So it will declare this proxy as closed, even though a repeated attempt might prove otherwise.
services(5), httpd(8), sockd(8)
I found the following programs helpful in developing this utility.
Chip Rosenthal Unicom Systems Development <chip@unicom.com>
$Id: pxytest,v 1.36 2002/12/28 20:56:55 chip Exp $ See <http://www.unicom.com/sw/pxytest/> for latest version.