SPAM on Mac servers
From: Per Rønne
Date: 04-11-03 19:27

TidBITS#704/03-Nov-03

Is your Classic Mac OS server aiding and abetting spammers? Chuck
Goolsbee has found a serious security flaw in older Mac server software
that's being exploited, and we have the details. Continuing in the
security vein, Glenn Fleishman looks at the WPA support in the latest
AirPort software update, and we note security fixes in Panther. Also
this week, Apple identifies a problem with Panther and external FireWire
800 drives, and Eudora 6.0.1 is released.

* MailBITS/03-Nov-03
* Fixes Available for Some Panther FireWire Troubles
* AirPort 3.2 Update Adds New Security Options
* Classic Mac OS Servers Exploited by Spammers
* Hot Topics in TidBITS Talk/03-Nov-03


Copyright 2003 TidBITS; reuse governed by this Creative Commons License.
Contact: <editors@tidbits.com>

....

Classic Mac OS Servers Exploited by Spammers

by Chuck Goolsbee <goolsbee@forest.net>

The Internet's spam volume has increased exponentially over the past
four months. How? Spammers have found a new way to send their spam, in
far greater volumes than previously thought possible. Unfortunately, and
perhaps for the first time, Macs are a small part of the problem.

When it comes to worms, viruses, and other forms of network abuse,
including spam, the Macintosh community frequently sees itself as an
island of immunity in a Windows-dominated world of insecurity. Mac OS X
has a pretty good track record so far, and the previous versions of the
Classic Mac OS were seemingly near perfect with regard to network
security, though many experts, including myself, would tell you that the
Classic Mac OS's invulnerability was due more to pure luck than
intentional design.

That luck has now run out. The Mac OS Internet server community, once
thought to be immune from exploit, has indeed become part of the spam
and network abuse problem. How could such a thing happen? The same way
every other operating system used as an Internet server has been
exploited by evildoers: a fateful combination of software shipped "open
by default" and system administrators failing to take the time to
understand and configure their servers properly in order to prevent
abuse.

What's the specific culprit in this situation? It used to be that
spammers relied primarily on open mail relays, which are mail servers
that accept mail from anyone on the Internet without restriction and
relay it on to the final destination. As system administrators and mail
server developers have become alert to the idiocy of a mail server set
to relay mail without requiring authentication of some sort, spammers
have changed their tactics and started relying on a new tool: the open
proxy server.

What Is a Proxy Server? A proxy server is a piece of software that
facilitates Web surfing by users on an internal network, usually one
that's protected from the outside Internet by a firewall. In essence,
the proxy server sits between the Web and all the users on the internal
network, sending out all the requests for Web pages from its users,
receiving the pages back, and passing them along to the appropriate
users. Institutions use proxy servers to increase performance (because
the proxy server can store a copy of retrieved Web pages for other users
on the internal network to access without going out to the Internet) and
for content filtering purposes (since the proxy server can refuse to
return requested Web pages that contain sufficiently naughty words;
schools often used proxy servers as content filters).

You would think that proxy servers are handy for enforcing security, and
in fact, they can be, if configured and deployed properly by a competent
network administrator. Unfortunately, those conditions are rarely met.
Well-meaning software vendors, such as (but not limited to) Microsoft in
the Windows market, and StarNine (now owned by 4D Inc.) in the Macintosh
market, shipped proxy servers as part of their "Web Server Suites"
starting in the late 1990s. It was a logical move because customers were
clamoring for these features, but in the interest of simplifying setup
and making everything work out of the box, these suites were usually
configured to install and start the proxy server by default, and worse,
to allow access by anyone, not just users on the internal network. Those
decisions, now easily seen as mistakes, are what bring us to where we are today.
Now, open-by-default proxy servers exist all over the Internet. A
portion of those are Macs.

How many of these Macintosh Internet servers exist on the Internet?
Google, the all-seeing eye of the Internet, can give you a glimpse with
the link below, which searches for the default page installed by 4D's
WebSTAR 4. Most users delete or overwrite this file, so the list on
Google should show only a small fraction of the actual number of WebSTAR
4 servers that may or may not have the included proxy server turned on
by default. Don't forget to click the "repeat the search with the
omitted results included" link!

<http://www.google.com/search?q=Server+Suite+4+Test+Page>

How Are Open Proxies a Security Risk? The problem with open proxies is
that anyone on the Internet can use them as go-betweens to perform just
about any action related to Internet access. (To see how you'd configure
proxy servers for a number of types of Internet traffic in Mac OS X,
check out the Proxies tab in the Network preference pane.) The most
frequent exploit of an open proxy is to bypass local content filtering -
ironically, this exploit basically uses one proxy filter to bypass
another. In the many open proxy logs I have examined, 95 percent of the
hits fall into this category.

Spammers seem to have discovered open proxies sometime in the last year,
probably as the number of mail servers allowing open relaying started to
drop dramatically. Some of the recent Windows/Outlook virus outbreaks
were really just Trojan horses with hidden open proxy code as the true
payload. Noisy, high-profile worms like Blaster kept everyone, including
the media, distracted while the other worms managed to create, within
the space of about two weeks, hundreds of thousands (or perhaps more) of
open proxy servers that could be trivially exploited later on. Next, the
spammers had to find all the open proxies their worms had created, so
scanning programs searched out the available proxies.

It was at this point that the Macs were found, since those scanning
programs, while looking for their own captive open proxies, also ran
across old Macs running WebSTAR 3 and WebSTAR 4 with latent, unused, and
unknown proxy software. And since the Macs were equally as useful, the
spammers cataloged and started exploiting them to send spam.

Once a spammer has access to an open proxy, he can do any or all of the
following with complete anonymity, while using somebody else's
bandwidth:

* Send mail from unsecured form-to-mail scripts on that, or any other
  server
* Send mail via local SMTP servers since the source will be a trusted,
  local IP address
* Craft mail with forged Received headers
* Connect to thousands of throwaway "freemail" (Hotmail, Yahoo, etc.)
  accounts per minute and send untold millions of spam messages
* Create traffic on pay-per-click systems
* Create traffic to generate high page ranks/search engine results
* Generate distributed denial of service (DDoS) attack traffic
* Run brute force password cracks on Web sites or email servers
* Run buffer-overrun cracks aimed at any URL-accessible service


In the last week, I've spoken with several people on the development
team for the version of WebSTAR that first shipped with a proxy server,
including the former product manager, and the developer who wrote the
proxy server code. I asked them why they'd decided to bundle a proxy
server into WebSTAR.

In answering, they gave the example of a school, where a teacher would
ask a class to visit a URL, and everyone would download the same pages
at the same time, resulting in slow performance. A local proxy server
would access the remote Web site once and distribute the content to
everyone locally, preventing the class from overwhelming the school's
bandwidth, which back in those days was frequently limited to a 56 Kbps
frame relay or 144 Kbps ISDN line, or even dedicated modem connections
in many places. They also cited bandwidth-constrained places such as
Australia or New Zealand as containing customers who needed proxy
servers to reduce bandwidth consumption and costs. These are very real
situations: when I was working in Europe in the mid-1990s it was common
for ISPs to run proxies (often called caching servers back then) to save
on cross-Atlantic bandwidth costs.

When talking to the WebSTAR folks, I noted that we never installed
WebSTAR's proxy component on any of digital.forest's servers, but I was
finding it on some of our client-owned co-located servers, so I asked
how it could have been installed without somebody knowing it. The former
product manager explained how a new install or an upgrade could have
installed the proxy component by default. Also, under certain conditions
that I have yet to determine, the proxy was open by default, leading us
to where we are today, with old Macintosh Web servers being exploited by
spammers.

My story of how these servers were being exploited was met with a
mixture of wonder and regret: wonder that anyone would dream of doing
stuff like this, and regret for not anticipating it. I've shared their
reaction, since I don't think many people, if anyone, could have seen
this coming. Seven years ago, when these products were being developed,
spam was mostly an annoyance on Usenet, not the email scourge it has
become today.

How Did I Discover These Exploited Macs? Earlier this year, I started
hearing my peers in the network operations community talking about open
proxy abuse. Intrigued, I read some excellent papers presented at
conferences by researchers investigating the issue.

<http://www.uoregon.edu/~joe/proxies/open-proxy-problem.pdf>
<http://spamlinks.port5.com/proxy.htm>
<http://www.westdam.com/spamlinks/proxy.htm>

So I've known about the problem for a few months, but I didn't realize
how close to home it was. At digital.forest, we sell Internet colocation
services, and we bill clients who exceed certain bandwidth thresholds as
measured at the Ethernet switch layer (which records all the traffic to
and from the computer, rather than looking at just one service, like
HTTP). But since most clients who use lots of bandwidth are running
high-volume Web servers, they usually compare their HTTP access logs to
their usage bills. Last month, one of digital.forest's clients noticed a
large enough difference between our network usage bill and the amount of
bandwidth usage reported in his Web server logs to request an audit. I
expected the additional protocols of FTP and SMTP mail to explain the
discrepancy, but instead I discovered that their WebSTAR server's proxy
was the source of the extra bandwidth usage. My curiosity piqued, I
started to investigate further, and a post on a network abuse newsgroup
alerted me to a few more open proxies in our network (though none
running on the TidBITS servers, I'm happy to say).

<http://groups.google.com/groups?selm=59c3aad4.0310192058.6683a403%40posting.google.com>
<http://chuck.forest.net/images/tidbits/port8000.txt>

In searching this published list, I noted over 100 that included
WebSTAR's default proxy port of 8000, and a few with obvious Mac-related
DNS names, so I began contacting their webmasters to let them know about
their vulnerability. I've talked with quite a few webmasters, but
there's no way I can track down and call all the people whose Macs are
on this list. Worse, this list contains only a small fraction of the
potential open proxies on Macs out there, and worse yet, because these
Macs were so easy to set up and have been so reliable, many of the
people who did the initial work have long since moved on, leaving others
with less technical experience in their place.

Are You Part of the Problem? Luckily, it's easy to tell if you're
running an open proxy in WebSTAR, unlike the worm-created Windows open
proxies, which are invisible and which don't log their activities. In
WebSTAR 3 or 4, check to see if the WebSTAR Proxy Plug-in is installed
in the WebSTAR folder, inside the Plug-ins folder. Also be sure to check
any folders that may be inside the Plug-ins folder. To disable the
WebSTAR Proxy Plug-in, just remove it from the WebSTAR folder hierarchy
and restart WebSTAR. Before you do that, however, switch to the WebSTAR
application and choose WebSTAR Proxy Log from the Plug-ins menu (the
screenshot linked below shows what it looks like).

<http://chuck.forest.net/images/tidbits/ProxyLogMenu.gif>

WebSTAR then opens a window showing proxy server activity, which you can
use to check what's currently happening (see the screenshot linked
below). The top of the window shows current active connections, the
total number of connections, a total number of bytes sent, what the
cache efficiency percentage is (this last one is useless information
when the proxy is being exploited), and the maximum connection limit.
The window's bottom portion lists a scrolling log of current activity.
In the example screenshot linked below, I've altered IP numbers,
domains, and URLs, but you can see what's going on. There are two logins
to two different Yahoo Mail accounts, one search engine hit, and three
hits on adult Web sites, all in under two seconds:

<http://chuck.forest.net/images/tidbits/proxylogwindow.gif>

If you don't want to disable your proxy server because it's serving a
useful purpose for your organization, you can secure it to prevent
spammers and others from using it. The WebSTAR Admin application
provides a graphical interface for restricting both the "to" and "from"
sides of the proxy to fit your needs. Consult the WebSTAR manual for
details.

Please note too, that you risk being rejected, blocked, or blacklisted
if your network is a source for spam. As system administrators on the
Internet start getting tough with proxies, as they did with open
relays, your risk of hurting your legitimate traffic by being
blacklisted will only increase.

If you think this issue is only a concern when spammers start misusing
your network, you should also consider the penalty of not taking action
quickly. You could find your network addresses added to blackhole lists,
which are compiled by a number of well-meaning individuals around the
world who constantly scan and test for open proxies, even before they're
exploited. These blackhole lists, in turn, are used by Internet service
providers, academic institutions, and companies to block email,
sometimes with undesired effects. TidBITS Contributing Editor Glenn
Fleishman's mail server was once blacklisted because of the problem I
note in this article, and it took him weeks to have his mail server
removed from all the blackhole lists. He even had to appeal to the
chairman of the board of one large ISP after their published procedures
left him still blacklisted. So an open proxy isn't just a problem for
you or your bandwidth bill: it can be a messy cleanup that restricts the
ability of everyone on your network to send email.

What about Mac OS X? WebSTAR V, which is the current Mac OS X-compatible
version of WebSTAR developed and sold by 4D, does not include a proxy
server, so it's not vulnerable to open proxy exploits. Nonetheless, the
folks at 4D are doing the right thing and have already started alerting
customers to this vulnerability in the older versions of WebSTAR.

<http://www.4d.com/products/webstar.html>

Apple's Mac OS X Server has never had a proxy server included by default
either. I spoke with the product manager, and he said adding one has
been considered, but I suspect after our conversation that Apple will
think twice before doing so, or take careful steps to secure it prior to
shipping.

How do we resolve this situation? What remains now is hard work, and
this article is just the beginning. I've spent every waking hour over
the last two weeks investigating this problem on our network, reporting
the problem to the abuse departments of the largest ISPs, and contacting
many webmasters who are running open proxies without realizing it. My work
is having an effect already. Some of the data I shared with AOL helped
them complete their investigation of a "known criminal spammer," and
Yahoo is shutting down thousands of email accounts based on the
information I shared with them from exploited open proxy logs.

But I can't do this alone. We must all work to spread the word, farther
than even TidBITS can reach, to other Macintosh news sites, and to
individuals who may be running open proxies. My hope is that open
proxies on all platforms can eventually be shut down everywhere, and
that the Macintosh community can lead the way. Fortunately, and true to
form, performing these tasks on a Mac is far easier than on other
platforms.

If you are a webmaster or system administrator, take a look at your
servers and secure them if necessary. If you are a network administrator
I strongly suggest you read Joe St. Sauver's "Open Proxy Problem" PDF
(linked previously) for a complete, well-written analysis of the issue.
Then make use of the suggested tools to search out open proxies on your
network. If you find one that has been keeping a log (WebSTAR's proxy
server does by default), you can greatly assist other network operators
and abuse desks in shutting down their open proxies, and even more
importantly, track and shut down spammers and other network abusers.

I'm sorry to be the bearer of the bad news that spammers could be
exploiting our older Macs, but now that we're aware of the problem,
working to resolve it will also provide the satisfaction of stemming the
flood of spam.

--
Per Erik Rønne
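The article tells WebSTAR administrators to look for the Proxy Plug-in from inside the application, and tells network administrators to "search out open proxies on your network" with external tools. The following is an added example, written for this page and not part of the TidBITS article, the forum post, or any 4D/WebSTAR tool: a small Python probe that tests a host on WebSTAR's default proxy port 8000 (the port the article names) from the network side. It sends a proxy-style GET with an absolute URI and a CONNECT to a mail port, and reports whether the proxy forwarded them. The probe URL, the SMTP target, and the status-code classification are assumptions of this example; run it only against hosts you are responsible for.

```python
"""Open-proxy probe (added example; not code from the TidBITS article).

Two tests are made against a candidate proxy at host:port:
  1. GET with an absolute URI  -> does the proxy fetch arbitrary outside URLs?
  2. CONNECT host:25           -> will it tunnel raw TCP to a mail server?
The second is the capability spammers need to relay mail through a proxy.
"""
import socket
import sys

PROXY_PORT = 8000                    # WebSTAR's default proxy port (from the article)
PROBE_URL = "http://example.com/"    # assumed harmless origin to fetch through the proxy
SMTP_TARGET = "mail.example.com:25"  # assumed tunnel target; port 25 is the spam vector


def build_get_probe(url: str) -> bytes:
    """Proxy-style HTTP/1.0 request: the request line carries the full URL."""
    host = url.split("/")[2]
    return (f"GET {url} HTTP/1.0\r\nHost: {host}\r\n"
            f"Connection: close\r\n\r\n").encode("ascii")


def build_connect_probe(target: str) -> bytes:
    """CONNECT request asking the proxy to open a raw tunnel to host:port."""
    return f"CONNECT {target} HTTP/1.0\r\nHost: {target}\r\n\r\n".encode("ascii")


def classify(raw: bytes) -> str:
    """Classify the first line the proxy sent back.

    'open'   : 2xx/3xx, the proxy forwarded the request (or opened the tunnel)
    'closed' : 4xx/5xx, the proxy refused (403/407/501 etc.)
    'none'   : empty or non-HTTP reply (port closed, or not an HTTP proxy)
    """
    first_line = raw.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = first_line.split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        return "none"
    try:
        code = int(parts[1])
    except ValueError:
        return "none"
    return "open" if 200 <= code < 400 else "closed"


def _exchange(host: str, port: int, request: bytes, timeout: float) -> bytes:
    """Send one request and read until the first line break or 4 KiB."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        sock.sendall(request)
        while len(data) < 4096 and b"\r\n" not in data:
            chunk = sock.recv(1024)
            if not chunk:
                break
            data += chunk
    return data


def probe(host: str, port: int = PROXY_PORT, timeout: float = 5.0) -> dict:
    """Return {'get': ..., 'connect_25': ...} using the labels from classify()."""
    results = {}
    for name, request in (("get", build_get_probe(PROBE_URL)),
                          ("connect_25", build_connect_probe(SMTP_TARGET))):
        try:
            results[name] = classify(_exchange(host, port, request, timeout))
        except OSError:          # refused, timed out, unreachable
            results[name] = "none"
    return results


if __name__ == "__main__":
    target_host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    verdict = probe(target_host)
    print(f"{target_host}:{PROXY_PORT} GET={verdict['get']} "
          f"CONNECT:25={verdict['connect_25']}")
```

A `get` result of `open` means anyone on the Internet can browse through the host (the content-filter bypass the article says makes up most of the log hits); a `connect_25` result of `open` means it can be used as a mail relay. One caveat on the classification: a proxy that answers refused requests with its own 200 error page will be reported as open, so confirm a positive by looking at the response body or, on WebSTAR, at the Proxy Log window the article describes.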

 
 