Date: Wed, 11 Feb 1998 15:14:02 +1300
From: Alans other account
To: BUGTRAQ@NETSPACE.ORG
Subject: WIngate: the sequel

I've had a fair amount of mail following my posting about this to the list. What follows is a very brief summary.

1: Confirmation that a large number of sites have already experienced spammers SMTP relaying via insecure wingates. Numbers relayed have ranged from "a couple of thousand" to "over 20,000" messages.

2: Ditto on NNTP. This seems to be a favourite method for porn spammers in particular.

3: Ditto on IRC. I have a mIRC IRC abuse script on hand which quite happily searches for wingates and attaches one floodbot per gateway. Tests have shown that upwards of 100 wingates can quite easily be used by a single attacker.

4: Open wingates are also wide open for any savvy attacker to attach to machines behind the wingate "firewall".

5: Although the primary attack method is to use SOCKS port 1080, the same techniques are easily used on port 23, so firewalling SOCKS is a temporary solution at best.

All of these are worrying, given the number of people who attack sites perceived as participating in spam.

There's a fairly good set of web pages on securing wingate at http://www.deerfield.com/wingate/secure-wingate.htm - this appears to be the Wingate home site.

The Undernet IRC network has had to temporarily lock out users from 2 large cable networks in Canada and the USA due to attacks against network admins. Those attacks were at one point coming from upwards of 200 different IPs and seemed to be driven by one individual.

Given Wingate's lack of logging facilities, there is almost no hope of tracing attackers who initiate denial of service actions like this, so ISPs may well face having this kind of action taken against them by IRC (or other) networks in order to maintain usability of their systems. The end result is chaos on helpdesks.

Wingate's authors apparently are continuing to ignore the abuse issues associated with default settings.
How long before they get the message?
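
Added example, not part of the original post: because the gateway itself keeps no useful logs, a site can still spot relaying by correlating border-filter connection logs, pairing outside sessions to the proxy ports named above (1080, 23) with the gateway's outbound SMTP, NNTP or IRC connections shortly afterwards. The log layout, all addresses, the 30-second window and the use of the standard ports 25, 119 and 6667 are assumptions made for this sketch.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed values, not from the original post: addresses, log layout, window.
GATEWAY = {ip_address("192.0.2.10"), ip_address("10.0.0.1")}  # outside/inside NICs
INSIDE = ip_network("10.0.0.0/8")           # LAN the gateway is meant to serve
PROXY_PORTS = {1080: "socks", 23: "telnet"}            # ports named in the post
RELAY_PORTS = {25: "smtp", 119: "nntp", 6667: "irc"}   # services named in the post
WINDOW = timedelta(seconds=30)

# Constructed border-log sample, one connection per line: "time src dst dport"
SAMPLE_LOG = """\
1998-02-11T10:00:00 10.0.0.5 10.0.0.1 1080
1998-02-11T10:00:02 192.0.2.10 198.51.100.7 25
1998-02-11T10:05:00 203.0.113.9 192.0.2.10 1080
1998-02-11T10:05:03 192.0.2.10 198.51.100.7 25
1998-02-11T10:09:00 203.0.113.44 192.0.2.10 23
1998-02-11T10:09:10 192.0.2.10 198.51.100.80 6667
1998-02-11T10:20:00 203.0.113.9 192.0.2.10 80
1998-02-11T10:30:00 192.0.2.10 198.51.100.7 119
"""

def parse(log):
    """Yield (time, src, dst, dport) tuples; skip blank or malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield (datetime.fromisoformat(parts[0]), ip_address(parts[1]),
                   ip_address(parts[2]), int(parts[3]))
        except ValueError:
            continue

def find_relays(log):
    """Pair outside sessions to the proxy ports with outbound relay traffic."""
    outside, findings = [], []
    for when, src, dst, dport in sorted(parse(log), key=lambda r: r[0]):
        if dst in GATEWAY and dport in PROXY_PORTS and src not in INSIDE:
            outside.append((when, src, PROXY_PORTS[dport]))   # exposure itself
        elif src in GATEWAY and dport in RELAY_PORTS:
            for seen, client, via in outside:
                if when - seen <= WINDOW:   # outside session seen just before
                    findings.append((str(client), via,
                                     RELAY_PORTS[dport], str(dst)))
    return findings

if __name__ == "__main__":
    print(*find_relays(SAMPLE_LOG), sep="\n")
```

Any entry that reaches the `outside` list already shows the proxy ports are reachable from outside the LAN, which is the default-settings exposure the post describes.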