PXYTEST(1)	      User Contributed Perl Documentation	    PXYTEST(1)

       pxytest - test proxy server for unsecured mail relay

       pxytest [ -a ] [	-h ] [ -M mail_server ]	[ -m mail_addr ] [ -S
       smtp_banner ] [ -T mail_tag ] [ -t num_threads ]	[ -v verbosity ]
       target_host [ port_spec ... ]

       The pxytest utility performs a test on target_host (given as a host
       name or address) to locate an unsecured proxy that allows
       connections to a	mail server.  Spammers use such	hosts to distribute
       vast amounts of junk email.

       Normally, pxytest will not actually attempt to relay mail through the
       proxy, only verify that an open proxy exists and	can connect to a mail
       server.	If the test runs to completion without encountering an
       unsecured proxy,	the program terminates with a message:

	    Test complete - no proxies found

       Normally, as soon as the	program	encounters an open proxy, it
       terminates with a message:

	    Test complete - identified open proxy addr:port/protocol

       The following options are available.

       -a  Find	all open proxies.  Instead of terminating as soon as an	open
	   proxy is detected, pxytest will continue on to perform the full set
	   of tests.  At completion, it	will indicate the number of open
	   proxies detected.

       -h  Display a help message and then exit.  The help message provides
	   information on defaults and definitions that	may have been modified
	   by your local administrator.

       -M mail_server
	   Specifies a target mail_server, given as a name or number.  pxytest
	   will	attempt	to connect to this server through the proxy.  See Mail
	   Server Selection for	more information.

       -m mail_addr
	   A probe email message is transmitted	to mail_addr.  Normally,
	   pxytest stops as soon as it verifies	connection to the SMTP server.
	   When	this option is given it	continues on to	send an	email to the
	   indicated recipient.

       -S smtp_banner
           Specifies a string that identifies the SMTP banner from the mail
	   server.  See	the Mail Server	Selection section for more

       -T mail_tag
	   An arbitrary	mail_tag is added to the probe email headers.  This
	   tag may be used, for	example, to serialize the email	so it may be
	   correlated with a particular	incident.  This	option has no effect
	   unless -m was specified.

       -t num_threads
	   This	option is experimental.	 The test is accelerated by running up
	   to num_threads probes in parallel.  Under best-to-normal case
	   conditions, this will actually slow down the	test, taking it	longer
	   to complete.	 In the	worst case situation, however, where certain
	   tests are pausing for long times waiting for	server responses, this
	   can greatly reduce the total	test time.

       -v verbosity
	   Controls the	amount of output messages produced.  The verbosity
	   levels are:

	       0 - Display nothing but program errors.
	       1 - Display final test result.
	       2 - Display individual test results.
	       3 - Display details of individual tests.
	       4 - Display thread management information.

	   The default verbosity level is 3.

   The port_spec Arguments
       Exhaustive testing for open proxies is impractical.  Proxies may	appear
       on any of 65,536	TCP ports.  Also, there	are a number of	different
       forms of	proxies, each requiring	its own	test.  At 50msec/test, it
       could take over 6 hours to test a single	host.

       The user	must direct the	pxytest	test sequence.	This is	done with
       port_spec arguments.  These may be simply a tag name (discussed
       shortly)	or a specification in the form:


       where min is the	starting port number of	the scan, max is the ending
       port number of the scan,	and proto is the proxy mechanism to test.  If
       max is not specified (it	usually	isn't),	then a single-port scan	is
       done.  The possible proto values	are: http-connect, http-post, http,
       socks4, socks5, telnet, cisco, wingate, and all.	 If proto is not
       specified then it defaults to http-connect.  (The next section
       describes what these proxy mechanisms mean.)

       The port_spec may also be a mnemonic tag.  As distributed, there are
       three tags defined:

	   A basic set of tests	that covers most common	cases.	If no
	   port_spec argument is given on the command line, the	default	is to
	   do a	basic scan.

	   All of the basic tests plus several more that have been reported in
	   less	common instances.

	   A shortcut for:  1080/socks4	1080/socks5

       Your local administrator	may have modified this script to change	the
       definition of these tags	or added additional tags.  Run pxytest with
       the -h option to	get a list of all the tags and their exact

   Proxy Mechanisms
       There are a number of different proxy mechanisms	that can be abused for
       mail relay.  The	mechanisms supported by	this utility include:

	   A web proxy or cache	that supports the "HTTP	CONNECT" mechanism.
	   See CERT Vulnerability Note VU#150227
	   ( for further information.

	   This	is the most common type	of unsecured proxy.  It	may appear on
	   any TCP port.  Some of the common locations are port	3128 (the well
	   known port for squid), port 8080 (the well known port for
	   webcache), and port 8081 (the well known port for tproxy).
	   Unsecured or	misconfigured web servers can often act	as proxies, so
	   these are often found on port 80 (the well known port for http).
	   The AnalogX Proxy uses port 6588.

	   If no proto is specified in a port_spec, it defaults	to http-

	   An alias for	http-connect.

	   A web proxy or cache	that supports access to	a URL via the "HTTP
	   POST" mechanism.  This vulnerability	is not well documented,	but
	   according to	the OPM	stats it's the second most prevalent type.

	   SOCKS version 4 proxy.  See the SOCKS Version 4 Overview
	   <> for further information on
	   this	service.  TCP port 1080	is the well known port allocated to

	   SOCKS version 5 proxy.  See the SOCKS Version 5 Overview
	   <> for further information on
	   this	service.  TCP port 1080	is the well known port allocated to

	   A proxy that	accepts	a command in the form:

		telnet dstaddr dstport

	   and establishes a connection	to the indicated destination.

	   An unsecured	Cisco router that allows login with the	factory
	   default values.  Once a user	is logged into the router, they	can
	   use it as a telnet proxy.

	   The WinGate Internet	Sharing/Proxy Server by	See
	   their corporate web site
	   <>	for further
	   information on this product.	 Such a	proxy accepts a	specification
	   in the form:


	   and establishes a connection	to the indicated destination.  This
	   proxy typically appears on TCP port 23, which, confusingly enough,
	   is the well known port reserved for the telnet service.

       all This	value is expanded out to all the available test	mechanisms.

   Mail	Server Selection
       The pxytest utility attempts connection to a target mail	server,	and
       declares	a proxy	as open	if it succeeds.	 The target mail server	is
       selected	by the following process:

       o   If the -M command line option is given, the mail_server value it
	   specifies (host name	or address) is used.

       o   Otherwise, if the $DEFAULT_MAIL_SERVER parameter is defined in the
	   script, that	is selected.  Typically	that parameter is left
	   undefined, although the local administrator may choose to modify
	   the script to set a value.

       o   Otherwise, if the perl Net::DNS module is installed,	the utility
	   will	attempt	to determine the mail server (MX) for the local	host
	   and use that.

       If none of these	methods	may be used, the utility terminates with an

       The utility will	attempt	to recognize the mail server by	its SMTP
       welcome banner, which typically looks something like:

	   220 ESMTP Postfix [NO UCE C=US L=TX]

       By default, it declares success when it sees a line beginning with "220
       " (two-two-oh-space).  In certain conditions, this may be a problem.

       Some rare mail servers do not use the 220 code.	If, for	example, the
       mail server does	not want to accept incoming mail, it may use some
       other code.  Such a server can be used by pxytest, although the -m
       option won't work.

       Some proxies are	actually honeypots that	are used to trap spammers and
       crackers.  These	honeypots may redirect SMTP connections.  So pxytest
       will declare success when it sees the SMTP welcome banner generated by
       the honeypot.

       In these	cases, the -S option may be used to specify a more specific
       match for the SMTP banner.  The smtp_banner argument will specify a
       fixed string that appears at the	start of the banner.  For example,

	   -S "220"

       might be	a good way to ensure pxytest has connected back	to the server
       that gives the SMTP banner shown	above.
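
       The banner rule described in this section, sketched as an added
       example (it is not pxytest's own code).  The sample responses and
       hostnames are constructed placeholders; the functions show why the
       default "220 " match accepts a honeypot and how a longer fixed prefix,
       as given with -S, does not.

```sh
#!/bin/sh
# Added example: sketch of the banner check described above (not pxytest's code).
CR=$(printf '\r')

# banner_seen PREFIX: read a proxied response on stdin; succeed if any line
# begins with the fixed string PREFIX (the default rule uses "220 ").
banner_seen() {
    prefix=$1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$CR"}            # drop the CR of a CRLF line ending
        case $line in
            "$prefix"*) return 0 ;;   # quoted, so matched literally, not as a glob
        esac
    done
    return 1
}

# verdict RESPONSE PREFIX: print "match" or "no match".
verdict() {
    if printf '%s\n' "$1" | banner_seen "$2"; then
        echo "match"
    else
        echo "no match"
    fi
}

# Constructed sample responses as seen through a proxy (placeholder hostnames).
REAL=$(printf 'HTTP/1.0 200 Connection established\r\n\r\n220 mail.example.org ESMTP Postfix\r\n')
HONEYPOT=$(printf 'HTTP/1.0 200 Connection established\r\n\r\n220 trap.example.net ESMTP\r\n')
REFUSING=$(printf 'HTTP/1.0 200 Connection established\r\n\r\n554 mail.example.org no SMTP service\r\n')

for p in '220 ' '220 mail.example.org' '554 mail.example.org'; do
    echo "prefix [$p]: real=$(verdict "$REAL" "$p")" \
         "honeypot=$(verdict "$HONEYPOT" "$p")" \
         "refusing=$(verdict "$REFUSING" "$p")"
done
```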

   Probe Email
       When the	-m option is specified,	the utility attempts to	send a probe
       email message through the target	mail server.  Here is the header from
       a sample	probe message:

	       Subject:	open proxy test
	       X-Mailer: pxytest v1.17
	       X-Proxy-Spec:	ID-000034

       The "To"	and "From" headers were	specified with the -m option.  The
       "X-Mailer" header may be	used to	simplify recognition and sorting of
       incoming	test probes.  The "X-Proxy-Spec" header	identifies the proxy,
       plus any	tag that may have been given with the -T option.

       An exit status of 0 means the test ran to completion without finding
       any open	proxies.  An exit status of 2 means that an open proxy was
       detected.  Any other non-zero exit status indicates some	sort of	error.
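
       An added example (not part of pxytest) of a wrapper that acts on these
       exit statuses when checking an inventory of hosts you administer.  The
       PXYTEST override variable and the inventory file format are
       assumptions of this example; only the -v option and the exit statuses
       come from this page.

```sh
#!/bin/sh
# Added example: wrapper around the exit statuses documented above.
# PXYTEST names the command to run; the override is an assumption of this
# example so the wrapper can be exercised without touching the network.
: "${PXYTEST:=pxytest}"

# classify STATUS: map a pxytest exit status to a label.
classify() {
    case $1 in
        0) echo "clean" ;;        # ran to completion, nothing found
        2) echo "open-proxy" ;;   # an open proxy was detected
        *) echo "error" ;;        # the test did not run properly; not a pass
    esac
}

# audit_hosts FILE: test each host listed in FILE (one per line, '#' starts a
# comment line). Prints "host label" per host and returns the worst result:
# 2 if any open proxy, 1 if only errors, 0 if every host was clean.
audit_hosts() {
    worst=0
    while IFS= read -r host || [ -n "$host" ]; do
        case $host in ''|'#'*) continue ;; esac
        rc=0
        # -v 0: errors only. stdin is redirected so the scan cannot eat the list.
        "$PXYTEST" -v 0 "$host" >/dev/null </dev/null || rc=$?
        label=$(classify "$rc")
        echo "$host $label"
        case $label in
            open-proxy) worst=2 ;;
            error) [ "$worst" -eq 2 ] || worst=1 ;;
        esac
    done < "$1"
    return "$worst"
}

# Stand-alone use: sh audit.sh inventory.txt
if [ "$#" -gt 0 ]; then
    audit_hosts "$1"
fi
```

       A "clean" label only reports that this run found nothing; an "error"
       label means the host was not actually tested and should be rerun.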

       This section provides additional	explanation for	selected error

       unknown host target_host
       unknown proxy type proto
       bad port	specification num
	   These all indicate a	problem	with the port_spec given on the
	   command line.

       error setting SIGALRM handler
	   This	utility	uses the POSIX interface to set	timeout	alarms.	 This
	   error likely	indicates you are running on a non-POSIX system.  If
	   you run into	this, please contact the author.

       cannot locate mailserver	for "hostname"
	   Was unable to locate	a mail exchanger (MX) for your host or your
	   domain.  This would happen if there is no MX	for your host or your
	   domain.  It also could happen if there are DNS problems.  This can
	   be worked around by either using the	-M option or modifying the
	   script to define a $DEFAULT_MAIL_SERVER value.

       you must	define a mail server (Net::DNS unavailable)
	   The automatic mail server lookup cannot run,	because	your system
	   does	not have the perl Net::DNS module installed.  If you do	not
	   want	to install this	module,	then you will need to specify the
	   target mail server.	Either use the -M option or modify the script
           to define a $DEFAULT_MAIL_SERVER value.

       host lookup for hostname	failed
	   The indicated host was identified as	the target mail	server to use,
	   but pxytest was unable to determine the IP address of that host.
	   This	typically results from DNS problems.  Either resolve the DNS
	   problems, or	specify	the target mail	host as	an address rather than
	   a name.

       Cannot get host name of local machine
	   This	diagnostic is produced by the perl Sys::Hostname module.  See
	   the documentation on	that module for	information.

       cannot determine	your username
	   A number of methods were attempted to determine your	username, none
	   of which worked.  Please contact the	author if you get this

       Proxies may appear on any TCP port.  A complete test would require an
       exhaustive scan of all available	ports, which is	infeasible.  Instead,
       the basic and full scans	cover ports that (based	on past	observation)
       are most likely to be bound to a proxy service.  The author welcomes
       feedback	on the ports definitions for the basic and full	scans.	The
       author also welcomes information	on additional proxy mechanisms that
       may be used for email abuse (spam).

       Ideally, the -S option should not be required.  We ought to be able to
       probe the target	mail server to get the SMTP banner.  We	don't do this
       automatically, because in some cases (e.g. running the test from	a host
       on a network that blocks	outbound port 25) it won't work.

       The threading is	an ugly	hack to	address	the inordinately long test
       times against a proxy that is not responding.  Hell, it isn't even real
       threading.  It's	a lame facsimile implemented with fork().

       The port	23 tests can be	troublesome.  If there is something listening
       at that port, these tests frequently will hang until timeout occurs.  I
       ought to	investigate whether there is some way they all can be combined
       into some smarter, optimized test.

       Severely	overloaded proxies are prone to	false negatives.  That is,
       pxytest might fail to connect because the proxy is throttled or
       dropping	connections or otherwise busy puking its guts out.  So it will
       declare this proxy as closed, even though a repeated attempt might
       prove otherwise.

       services(5), httpd(8), sockd(8)

       I found the following programs helpful in developing this utility.

       Blitzed Open Proxy Monitor

       Proxy Stress Tester

	Chip Rosenthal
	Unicom Systems Development

	$Id: pxytest,v 1.36 2002/12/28 20:56:55	chip Exp $
	See <>	for latest version.

perl v5.32.0			  2020-08-10			    PXYTEST(1)

