PXYTEST(1) User Contributed Perl Documentation PXYTEST(1)
NAME
pxytest - test proxy server for unsecured mail relay
SYNOPSIS
pxytest [ -a ] [ -h ] [ -M mail_server ] [ -m mail_addr ] [ -S
smtp_banner ] [ -T mail_tag ] [ -t num_threads ] [ -v verbosity ]
target_host [ port_spec ... ]
DESCRIPTION
The pxytest utility performs a test on target_host (given as a host
name or address) to locate an unsecured proxy that allows
connections to a mail server. Spammers use such hosts to distribute
vast amounts of junk email.
Normally, pxytest will not actually attempt to relay mail through the
proxy, only verify that an open proxy exists and can connect to a mail
server. If the test runs to completion without encountering an
unsecured proxy, the program terminates with a message:
    Test complete - no proxies found
Normally, as soon as the program encounters an open proxy, it
terminates with a message:
    Test complete - identified open proxy addr:port/protocol
The following options are available.
-a Find all open proxies. Instead of terminating as soon as an open
proxy is detected, pxytest will continue on to perform the full set
of tests. At completion, it will indicate the number of open
proxies detected.
-h Display a help message and then exit. The help message provides
information on defaults and definitions that may have been modified
by your local administrator.
-M mail_server
Specifies a target mail_server, given as a name or number. pxytest
will attempt to connect to this server through the proxy. See Mail
Server Selection for more information.
-m mail_addr
A probe email message is transmitted to mail_addr. Normally,
pxytest stops as soon as it verifies connection to the SMTP server.
When this option is given it continues on to send an email to the
indicated recipient.
-S smtp_banner
Specifies a string that identifies the SMTP banner from the mail
server. See the Mail Server Selection section for more
information.
-T mail_tag
An arbitrary mail_tag is added to the probe email headers. This
tag may be used, for example, to serialize the email so it may be
correlated with a particular incident. This option has no effect
unless -m was specified.
-t num_threads
This option is experimental. The test is accelerated by running up
to num_threads probes in parallel. Under best-to-normal
conditions, this will actually slow the test down, so it takes longer
to complete. In the worst case, however, where certain
tests pause for a long time waiting for server responses, this
can greatly reduce the total test time.
-v verbosity
Controls the amount of output messages produced. The verbosity
levels are:
0 - Display nothing but program errors.
1 - Display final test result.
2 - Display individual test results.
3 - Display details of individual tests.
4 - Display thread management information.
The default verbosity level is 3.
The port_spec Arguments
Exhaustive testing for open proxies is impractical. Proxies may appear
on any of 65,536 TCP ports. Also, there are a number of different
forms of proxies, each requiring its own test. At 50msec/test, it
could take over 6 hours to test a single host.
The user must direct the pxytest test sequence. This is done with
port_spec arguments. These may be simply a tag name (discussed
shortly) or a specification in the form:
    min[-max][/proto]
where min is the starting port number of the scan, max is the ending
port number of the scan, and proto is the proxy mechanism to test. If
max is not specified (it usually isn't), then a single-port scan is
done. The possible proto values are: http-connect, http-post, http,
socks4, socks5, telnet, cisco, wingate, and all. If proto is not
specified then it defaults to http-connect. (The next section
describes what these proxy mechanisms mean.)
The port_spec may also be a mnemonic tag. As distributed, there are
three tags defined:
basic
A basic set of tests that covers most common cases. If no
port_spec argument is given on the command line, the default is to
do a basic scan.
full
All of the basic tests plus several more that have been reported in
less common instances.
socks
A shortcut for: 1080/socks4 1080/socks5
Your local administrator may have modified this script to change the
definition of these tags or added additional tags. Run pxytest with
the -h option to get a list of all the tags and their exact
definitions.
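The port_spec grammar above, worked through as an added example (not code from pxytest itself). It assumes ports 0-65535 are accepted, leaves the basic and full tags unexpanded because their definitions are not given here, and uses the 50 msec/test figure to show why a full sweep runs past six hours.

```python
import re

# Mechanism names listed on this page; "http" is an alias for http-connect.
MECHANISMS = ["http-connect", "http-post", "socks4", "socks5",
              "telnet", "cisco", "wingate"]
ALIASES = {"http": "http-connect"}
# Only the "socks" tag is spelled out on the page; basic/full are site-defined.
TAGS = {"socks": ["1080/socks4", "1080/socks5"]}
OPAQUE_TAGS = {"basic", "full"}
SPEC_RE = re.compile(r"^(\d+)(?:-(\d+))?(?:/([a-z0-9-]+))?$")


def parse_port_spec(spec):
    """Expand one port_spec into a list of (min_port, max_port, proto)."""
    if spec in TAGS:
        return [t for s in TAGS[spec] for t in parse_port_spec(s)]
    if spec in OPAQUE_TAGS:
        raise ValueError(f"tag {spec!r}: run 'pxytest -h' for its definition")
    m = SPEC_RE.match(spec)
    if not m:
        raise ValueError(f"bad port specification {spec!r}")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo   # no max: single-port scan
    if not (0 <= lo <= hi <= 65535):             # assumed valid range
        raise ValueError(f"bad port specification {spec!r}")
    proto = m.group(3) or "http-connect"         # documented default
    proto = ALIASES.get(proto, proto)
    if proto == "all":
        return [(lo, hi, p) for p in MECHANISMS]
    if proto not in MECHANISMS:
        raise ValueError(f"unknown proxy type {proto!r}")
    return [(lo, hi, proto)]


def estimate_seconds(specs, per_test=0.050):
    """Number of probes times the page's 50 msec/test figure."""
    tests = sum(hi - lo + 1 for s in specs for lo, hi, _ in parse_port_spec(s))
    return tests * per_test


if __name__ == "__main__":
    for spec in ["3128", "8080/http", "socks", "23/all"]:
        print(spec, "->", parse_port_spec(spec))
    print("0-65535/all: %.1f hours" % (estimate_seconds(["0-65535/all"]) / 3600))
```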
Proxy Mechanisms
There are a number of different proxy mechanisms that can be abused for
mail relay. The mechanisms supported by this utility include:
http-connect
A web proxy or cache that supports the "HTTP CONNECT" mechanism.
See CERT Vulnerability Note VU#150227
(http://www.kb.cert.org/vuls/id/150227) for further information.
This is the most common type of unsecured proxy. It may appear on
any TCP port. Some of the common locations are port 3128 (the well
known port for squid), port 8080 (the well known port for
webcache), and port 8081 (the well known port for tproxy).
Unsecured or misconfigured web servers can often act as proxies, so
these are often found on port 80 (the well known port for http).
The AnalogX Proxy uses port 6588.
If no proto is specified in a port_spec, it defaults to
http-connect.
http
An alias for http-connect.
http-post
A web proxy or cache that supports access to a URL via the "HTTP
POST" mechanism. This vulnerability is not well documented, but
according to the OPM stats it's the second most prevalent type.
socks4
SOCKS version 4 proxy. See the SOCKS Version 4 Overview
<http://www.socks.nec.com/socksv4.html> for further information on
this service. TCP port 1080 is the well known port allocated to
socks.
socks5
SOCKS version 5 proxy. See the SOCKS Version 5 Overview
<http://www.socks.nec.com/socksv5.html> for further information on
this service. TCP port 1080 is the well known port allocated to
socks.
telnet
A proxy that accepts a command in the form:
    telnet dstaddr dstport
and establishes a connection to the indicated destination.
cisco
An unsecured Cisco router that allows login with the factory
default values. Once a user is logged into the router, they can
use it as a telnet proxy.
wingate
The WinGate Internet Sharing/Proxy Server by Deerfield.com. See
their corporate web site
<http://www.deerfield.com/products/wingate/> for further
information on this product. Such a proxy accepts a specification
in the form:
    dstaddr:dstport
and establishes a connection to the indicated destination. This
proxy typically appears on TCP port 23, which, confusingly enough,
is the well known port reserved for the telnet service.
all This value is expanded out to all the available test mechanisms.
Mail Server Selection
The pxytest utility attempts connection to a target mail server, and
declares a proxy as open if it succeeds. The target mail server is
selected by the following process:
o If the -M command line option is given, the mail_server value it
specifies (host name or address) is used.
o Otherwise, if the $DEFAULT_MAIL_SERVER parameter is defined in the
script, that is selected. Typically that parameter is left
undefined, although the local administrator may choose to modify
the script to set a value.
o Otherwise, if the perl Net::DNS module is installed, the utility
will attempt to determine the mail server (MX) for the local host
and use that.
If none of these methods can be used, the utility terminates with an
error.
The utility will attempt to recognize the mail server by its SMTP
welcome banner, which typically looks something like:
    220 mail.soaustin.net ESMTP Postfix [NO UCE C=US L=TX]
By default, it declares success when it sees a line beginning with
"220 " (two-two-oh-space). In certain conditions, this may be a problem.
Some rare mail servers do not use the 220 code. If, for example, the
mail server does not want to accept incoming mail, it may use some
other code. Such a server can be used by pxytest, although the -m
option won't work.
Some proxies are actually honeypots that are used to trap spammers and
crackers. These honeypots may redirect SMTP connections. So pxytest
will declare success when it sees the SMTP welcome banner generated by
the honeypot.
In these cases, the -S option may be used to specify a more specific
match for the SMTP banner. The smtp_banner argument will specify a
fixed string that appears at the start of the banner. For example,
    -S "220 mail.soaustin.net"
might be a good way to ensure pxytest has connected back to the server
that gives the SMTP banner shown above.
Probe Email
When the -m option is specified, the utility attempts to send a probe
email message through the target mail server. Here is the header from
a sample probe message:
    To: chip+pxytest@unicom.com
    From: chip+pxytest@unicom.com
    Subject: open proxy test
    X-Mailer: pxytest v1.17
    X-Proxy-Spec: 192.108.105.34:1080/socks4 ID-000034
The "To" and "From" headers were specified with the -m option. The
"X-Mailer" header may be used to simplify recognition and sorting of
incoming test probes. The "X-Proxy-Spec" header identifies the proxy,
plus any tag that may have been given with the -T option.
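Sorting incoming probes by these headers, as an added example (not part of pxytest). The message is constructed from the sample header above with a placeholder body, and the addr:port/proto-then-tag layout of X-Proxy-Spec is inferred from that one sample.

```python
import re
from email import message_from_string

# Constructed sample: the header block shown on this page plus a dummy body.
SAMPLE = """\
To: chip+pxytest@unicom.com
From: chip+pxytest@unicom.com
Subject: open proxy test
X-Mailer: pxytest v1.17
X-Proxy-Spec: 192.108.105.34:1080/socks4 ID-000034

(constructed body)
"""

# addr:port/proto, then an optional -T tag (layout assumed from the sample).
PROXY_SPEC_RE = re.compile(
    r"^(?P<addr>\S+):(?P<port>\d+)/(?P<proto>[a-z0-9-]+)(?:\s+(?P<tag>.+))?$")


def parse_probe(raw):
    """Return proxy details from a pxytest probe, or None if it is not one."""
    msg = message_from_string(raw)
    if not (msg.get("X-Mailer") or "").startswith("pxytest "):
        return None
    m = PROXY_SPEC_RE.match((msg.get("X-Proxy-Spec") or "").strip())
    if not m:
        return None
    port = int(m.group("port"))
    if not 0 <= port <= 65535:
        return None
    return {"addr": m.group("addr"), "port": port,
            "proto": m.group("proto"), "tag": m.group("tag"),
            "mailer": msg["X-Mailer"]}


if __name__ == "__main__":
    print(parse_probe(SAMPLE))
    print(parse_probe("Subject: unrelated\n\nhello\n"))
```

Both headers are written by whoever sent the message, so a match is a sorting aid; the -T tag chosen for a given run is what ties a received probe to that run.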
EXIT STATUS
An exit status of 0 means the test ran to completion without finding
any open proxies. An exit status of 2 means that an open proxy was
detected. Any other non-zero exit status indicates some sort of error.
DIAGNOSTICS
This section provides additional explanation for selected error
messages:
unknown host target_host
unknown proxy type proto
bad port specification num
These all indicate a problem with the port_spec given on the
command line.
error setting SIGALRM handler
This utility uses the POSIX interface to set timeout alarms. This
error likely indicates you are running on a non-POSIX system. If
you run into this, please contact the author.
cannot locate mailserver for "hostname"
The utility was unable to locate a mail exchanger (MX) for your host or your
domain. This would happen if there is no MX for your host or your
domain. It also could happen if there are DNS problems. This can
be worked around by either using the -M option or modifying the
script to define a $DEFAULT_MAIL_SERVER value.
you must define a mail server (Net::DNS unavailable)
The automatic mail server lookup cannot run, because your system
does not have the perl Net::DNS module installed. If you do not
want to install this module, then you will need to specify the
target mail server. Either use the -M option or modify the script
to define a $DEFAULT_MAIL_SERVER value.
host lookup for hostname failed
The indicated host was identified as the target mail server to use,
but pxytest was unable to determine the IP address of that host.
This typically results from DNS problems. Either resolve the DNS
problems, or specify the target mail host as an address rather than
a name.
Cannot get host name of local machine
This diagnostic is produced by the perl Sys::Hostname module. See
the documentation on that module for information.
cannot determine your username
A number of methods were attempted to determine your username, none
of which worked. Please contact the author if you get this
message.
BUGS
Proxies may appear on any TCP port. A complete test would require an
exhaustive scan of all available ports, which is infeasible. Instead,
the basic and full scans cover ports that (based on past observation)
are most likely to be bound to a proxy service. The author welcomes
feedback on the port definitions for the basic and full scans. The
author also welcomes information on additional proxy mechanisms that
may be used for email abuse (spam).
Ideally, the -S option should not be required. We ought to be able to
probe the target mail server to get the SMTP banner. We don't do this
automatically, because in some cases (e.g. running the test from a host
on a network that blocks outbound port 25) it won't work.
The threading is an ugly hack to address the inordinately long test
times against a proxy that is not responding. Hell, it isn't even real
threading. It's a lame facsimile implemented with fork().
The port 23 tests can be troublesome. If there is something listening
at that port, these tests frequently will hang until timeout occurs. I
ought to investigate whether there is some way they all can be combined
into some smarter, optimized test.
Severely overloaded proxies are prone to false negatives. That is,
pxytest might fail to connect because the proxy is throttled or
dropping connections or otherwise busy puking its guts out. So it will
declare this proxy as closed, even though a repeated attempt might
prove otherwise.
SEE ALSO
services(5), httpd(8), sockd(8)
ACKNOWLEDGMENTS
I found the following programs helpful in developing this utility.
Blitzed Open Proxy Monitor
<http://www.blitzed.org/bopm/>
Proxy Stress Tester
<ftp://ftp.monkeys.com/pub/proxy/pxstress-1.1.tar.gz>
AUTHOR
Chip Rosenthal
Unicom Systems Development
<chip@unicom.com>
$Id: pxytest,v 1.36 2002/12/28 20:56:55 chip Exp $
See <http://www.unicom.com/sw/pxytest/> for latest version.
perl v5.20.3 2015-10-07 PXYTEST(1)