Wingate abuse problems continue.

Alan Brown admin access (Alan@MANAWATU.GEN.NZ)
Fri, 06 Feb 1998 04:49:00 +1300

A heads up for the list's readers.

We saw the response to complaints about Wingate's default settings
from Wingate's authors several months ago.

As a reminder, Wingate is a product to allow IP masquerading
through a windows 95 platform. Unfortunately by default it binds
to ALL network ports, including the WAN port.

Wingate is being used extensively by IRC abusers and is starting to
be used heavily by SMTP abusers (ie, Spammers) via the open Socks
port on dialup modem connections.

As far as I can see, from the point of view of abuse control,
wingate is currently a disaster for anyone trying to track abusers.
It doesn't log connects by default, so the only way the abusers
can be traced is via the netstat command on the victim win95
machine - and most win95 users being relayed through don't have
enough of a clue to be able to do this, let alone know that they're
being used as pawns in attacks.

IRC abuse via Wingates appears to be increasing exponentially as
more and more abuse scripts appear which use them. Several seen
recently will connect to 50 or more machines in order to effect
denial of service attacks on IRC users and services. Presumably the
same rapid increase will soon be seen in SMTP relaying attacks.

AB