Proxo - Fake Proxy Host_Name & IP Filters

Discussion in 'privacy technology' started by peakaboo, Jan 28, 2003.

Thread Status:
Not open for further replies.
  1. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Kudos to JakBeNymble, Arne and whomever else worked on this proxo config & filters

    This post is for those using Proxomitron wanting to test a config employing fake proxy, and Name & IP Filters:

    Follow the link below to the post by Arne, download JakxPack.zip and follow the instructions in the post.

    http://asp.flaaten.dk/proxo/topic.asp?TOPIC_ID=173

    After I did the above, I went to a number of sites and got some interesting results:

    * be kind if you use this proxo config., and either add wilders site to the bypass spoofed list (right click on proxo with filter in use and "Add to blockfile - SpooferByPass"), or consider not using it on this site.

    1) working thru pc flanks browser test this is what I got:

    http://www.pcflank.com/browser_test1.htm

    The test has found that the IP address used by your computer cannot be scanned. This commonly occurs because of a firewall program on your computer and/or you are connected to the Internet through a proxy-server or your ISP uses Network Address Translation (NAT) to share IP addresses.

    This means the test cannot check your system as the results of the testing would be incorrect.

    Interesting result! ;)

    2) http://www.all-nettools.com/pr.htm

    the above link is really kool - and if you followed Arne's post (By JakBeNymble!) you will get the following result:

    Proxy server detected

    even though you are faking a Proxy.

    the site also shows some other interesting information.


    My assessment regarding this proxo config is:

    1) interesting results but your real IP appears to be still gettable, not masked, however it may confuse some as in PC Flank's case. Other sites like privacy.net are still able to zero in on your real IP address.

    2) Jak's config does what it says it will do - spoofs the following: via, xforward, client IP, and includes a rotating list of user agents.

    *Also allows you to bypass the spoofing for specific sites.

    3) if you turn on your proxo log and look at the results of Jak's config. it is really cool, every match on via, xforward, and client ip, rotates to a different result. Same is true I'm sure if you use Jak's user agent filters. No wonder the PC Flank Browser test had so much trouble with this proxo config. ;)

    4) You may want to modify via.txt. Some of the spoofed names are quite colorful.

    5) had 1 report of a slow down in surfing as a result of using the config. I will monitor but so far I have not experienced a noticeable difference in my own surfing with this config.

    I ran some tests on Jak's config using TclockEx which adds seconds to time in sys tray and monitored the page load time of some sites I frequent.

    My Assessment on the surfing slow down issue:

    I did not see any slow down in surfing speed on my pc using Jak's proxo config.

    Note: when I run Jak's config. I am only using Via, Xforward, & Client IP spoof - (I am not using the user agent spoof provided - since I have my own user agent filter.)

    Conjecture: Any slow down experienced may be PC specific.



    Looks like a good add to my arsenal of keeper configs. at this point, however I am still looking for a proxo solution if it exists which will cloak or stealth the actual IP address.

    I'll keep ya posted if I run across something.
     
  2. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    interesting result using Jak's config. at auditmypc:

    http://www.auditmypc.com/freescan/info.asp?S=EI2068R2

    Your Forwarded for IP is 11.237.236.49 Warning: Your computer is telling websites that your IP address is 11.237.236.49 and has been forwarded for IP address xxx.my real ip address.xxx. This could mean that you are using a proxy server that is NOT hiding your IP address. If this is correct, everyone can see this information. Feel free to try other proxy servers until you find one that doesn't release this information.

    Your Forwarded for Name is sainte.chapelle.france.cable-com.net

    HTTP_X_FORWARDED_FOR 11.237.236.49

    my real IP info is still captured by this site.
     
  3. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    good result using Jak's config. at lockdown:

    http://stealthtests.lockdowncorp.com/cgi-bin/proxy

    HTTP_VIA: HTTP1.1/i-am-on-a.stealthedhost.com
    If you are using a proxy and this line shows what proxy software is being used, including it's version number, you may want to ask your proxy service if they can stealth this information. What type of proxy software and the version number you are using, is no one`s business but your own. Example: In the test on my proxy server the proxy domain and port are displayed, but where the proxy software and version information should be it simply shows (STEALTHED).

    HTTP_X_FORWARDED_FOR: 151.483.257.461
    If this shows your REAL IP address or domain name, you are not using an ANONYMOUS proxy server. In the test, on my proxy server "unknown" is displayed in this field which is REALLY good!

    HTTP_FORWARDED:
    If this field has any of your real information, you are either not stealthed, or your proxy is not anonymous! Some proxies give you the IP address of the end-user, which would show up either in this field or the one above.

    HTTP_FROM:
    If this field has any of your real information you are either not stealthed, or your proxy is not anonymous!



    Stealth Test ...
    You DO NOT Appear To Be Stealthed Or You are connected to An ANONYMOUS Proxy!

    This Could Be Bad! ;)
     
  4. notageek

    notageek Registered Member

    Joined:
    Jun 3, 2002
    Posts:
    1,601
    Location:
    Ohio
    Good find Peakaboo.
     
  5. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    I did some searching last night and came up with a couple of avenues for those who choose to pursue.

    I have not discovered a proxo filter, so far, which can hide or mask your IP address - and if you think about how the internet works, seems almost impossible to hide or cloak your IP unless you use some sort of anonymous proxy/ or go between local proxy like JAP (see below) - even if you use an anonymous proxy, you are still exposing your IP addy to the proxy.

    With that said here are two avenues you may wish to take a look at:

    1) using proxomitron, you can add multiple anonymous proxies and actually have proxo do an initial test of the anonymous proxies.

    ** see Admonition or caveat regarding Anonymous proxies below.**

    Once your multiple anonymous proxies are added to proxomitron, you can use the special feature in proxo to rotate thru your list of proxies using either a specified number of connections or random rotation.


    help info regarding this is in your proxo help file under something like /External Proxy Dialog.html

    or simply right click on proxo in sys tray and

    a) select Open Proxomitron.

    b) Under Edit Filters, select Proxy. Here you can add your proxies. Go ahead and add multiple proxies (if you have them, if you don't you need to use a proxy hunter or find a list of proxies - see proxo boards, or contact your isp - they may have this feature).

    c) Right click over the white space to access the Advanced Proxy settings (rotating multiple proxies).


    2) I ran across a link for free program called Jap. I have never used it, but I did visit the site and it looks interesting. Here is the link:

    http://anon.inf.tu-dresden.de/index_en.html

    That's it for now.

    p.s. I saw a couple of linked references to advanced proxomitron filters using a google search of "hide ip address proxomitron" but since I practice safe surf, I did not click on the links since the sites were pretty obscure.

    ----------------------------------

    ** This admonition comes from a Yahoo Proxo board user, judge for yourself its usefulness. Here is the link and excerpt:

    Admonition re: Anonymous proxies

    (Note: you have to sign in to yahoo to access the link)

    http://groups.yahoo.com/group/prox-list/message/9352

    From: "bigpurplemoon"
    Date: Sun Jan 13, 2002 3:48 pm
    Subject: Using proxy servers

    There have been a couple posts lately from people requesting addresses of proxy servers (presumably anonymous ones).

    I've never used an anonymous proxy server, and probably never will, as I see no need for one.

    From what I gather, there are two main uses for them:
    1) Testing a local or remote tool where you want to access from a different apparent IP for testing purposes.
    2) To hide who you are or what you are doing.

    To me, anonymous proxy servers would be a bad choice for either purpose. How do you really know the security of the anonymous proxy you choose to use? The server could be logging everything you do, including your IP address.

    This would obviously render their use for #2 pointless, and #1 potentially dangerous (if you were transmitting passwords or other important data during your testing).

    Anyways, I just post this out of curiosity. It seems like they are a bad idea. But, as I said, I've never used one, so I obviously am speaking with a high level of ignorance on the topic.

     
  6. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    just wanted to say for those considering the two options in the above post...:

    1) anonymous proxies

    2) JAP


    think very carefully b4 you go the route of a go-between you and the internet. Bottom line is if you don't know or trust the stuff in between you and the net, don't use it.

    you just never know what info the go between may be logging.

    in the case of anonymous proxies - no way to know what you are getting even if you use Norton to do a tracert to id the proxy:

    (http://security.symantec.com/SSC/jsdetect.asp?langid=us&venid=sym&plfid=20&from=/ssc/vr_main.asp&pkj=EUCNMQCKMRKRFPECDME) <---broken link won't wrap so copy n paste

    in the case of JAP, it may be a good product (I don't know) - certainly the price is right - free, but again trusting the go-between (Mixes) is the key question.

    more on JAP:

    How it works

    JAP acts as a local proxy between the browser and the insecure Internet. All requests for web pages are handled by JAP and are encrypted several times. The encrypted messages are sent through a chain of intermediate servers (named Mixes by the inventor of the theoretical background, David Chaum) to the final destination on the Internet.

    more info at the link in the above post for JAP....

    --------------------------------------------------------------------------

    final look at Jak's fake proxy config. test results from the following link:

    http://www.lagado.com/proxy-test

    Proxy Test
    This request appears to have come via a proxy.

    The proxy host is which has ip address

    The proxy server has announced itself as HTTP1.1/galaxy.star-travel.org

    The proxy informs us that the client host ip address was 12.148.163.136

    Please Note: The conclusion that the request came via a proxy is based on the presence of at least one of the Via, Forwarded, X-Forwarded-For or Client-ip headers.

    ;)
     
  7. GRCbasher

    GRCbasher Guest

    That is correct. You can fake having an x-forwarded header or whatnot, but when it comes down to it, the source IP must be correct, otherwise you wouldn't receive anything.


    Right. But you have to trust someone... LOL.

    One strange idea: run an anonymous proxy server yourself, then use it....


    - Fixed mis-match quote tags which was causing page display problems - LWM
     
  8. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Just for the record, the fake via, xforward & client IP using Jak's config. is a good sleight of hand using Proxomitron.

    Looks to me like it is successful in confusing many test sites. Even though the real IP is gettable, there appears to be a question left at some sites as to whether my IP is the host proxy since a client IP is presented. ;)

    This is the result we want. May not fool them all, but if it fools some - good enough for me.

    Bottom line is obfuscation, and misdirection have the potential to work here if nothing more than to keep 'em guessing.

    As I stated, JAP may be a good avenue to try, but there are some issues there also.

    For instance:

    I wonder how much of a performance slow down you get from JAP encrypting info. and then sending thru mixes .... sounds pretty slow to me.

    Also don't like that to try JAP you have to install it over the net as opposed to downloading and installing locally.

    May be a good product, but will wait to hear others endorse b4 MSA tries it ;)

    One final point is until better security and/or laws are in place to safeguard privacy over the Net and prosecute those who violate same, the only someone I will trust is me... LOL.
     
  9. Grcbasher

    Grcbasher Guest

    It doesn't fool many I have been testing though. It's fairly simple to check if the fake IP address is really an anonymous proxy server and/or the x-forwarded-for IP is valid.

    To truly confuse them, you have to really run an anonymous proxy server for others to use at your IP address. That way if "they" trace back to your IP, they will see it is really an open anonymous proxy server and hence they may have some evidence that it is really being forwarded elsewhere.

    :-*

    I have used JAP and I didn't notice any slowdown on a cable connection.
     
  10. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    I will be using Jak's proxo config. with your admonitions in mind. :-*

    However, 2 points:

    1) the way I interpreted results from testing is the client IP and or xforward presented is not the "anonymous proxy" as you put it, the tests are presuming the fake info as a failed attempt at being stealth using a proxy. The host IP id'd, is my IP, but is interpreted as the host proxy (which some tests are citing as a warning saying your proxy doesn't work because we can see your client IP).

    Or at least that is the way I interpreted the result.

    2) all this is in the context of layered defenses. So with so many on the net who are surfing with little or no defense, given the choice, I'm betting they will bypass me and go for the low hanging fruit.

    Regarding JAP maybe I should open up another topic. I would like to know more about this. For example is it light on resources?, Does JAP do what it says it can do? Stability? Any other concerns, likes or dislikes?

    p.s. maybe another addition to Jak's config. if it is possible, which I doubt but maybe if Proxo can spoof port 8080 somehow upon probe to say yes there is an anonymous proxy here. ;)
     
  11. grcbasher

    grcbasher Guest

    Yes that is what I'm trying to explain.

    I don't like to use the word "stealth". But basically a remote proxy server is anything that sits between you and the requested web server and receives data on your behalf before forwarding to your real IP, nothing more, nothing less.

    Unfortunately some proxy servers are useless for anonymity because they show the x-forwarded-for and client-ip tags which the web server can see. Others don't do so, so for all intents and purposes the request appears to be coming from the proxy server.

    I'm not certain if there is a third class of proxy servers that do not reveal the real source IP, but allow the web server to figure out that a proxy server is being used, but this doesn't really matter for understanding how Jax's filter works.

    Many IP revealers look at such tags (x-forwarded-for etc.) to see if your proxy server is truly anonymous; they expect the x-forwarded-for to be your real IP.

    Jax's proxomitron settings act as a "double-bluff": it fakes the x-forwarded header, so that hopefully, your real IP will be interpreted as the remote proxy server, while your faked client-ip is supposed to be the real IP...

    In your example, your real IP is galaxy.star-travel.org, while the faked one is 12.148.163.136. But the url you gave thinks it's the other way around. I'm not sure if most web-server logs will log the faked one or the real one or most probably most, I'll check and see.

    Still, it doesn't seem to fool say http://www.privacy.net/analyze/ and a few others, e.g. computercops etc. which traces routes you back, but I'm not certain if it's because it's too dumb (it doesn't check for x-forwarded environment tags) or it has some automated way of figuring out that you are faking client-ip and x-forwarded-for.

    Manually though I can see how it's easy to check, assuming the weblogs keep both figures as I explained in previous posts.
    In your example I'm supposed to think that galaxy.star-travel.org is just the proxy, while 12.148.163.136 is your real address. But it's simple to check that this isn't so.


    I've been using Jax's spoof IP filters since last year, personally I don't think it's effective, but it's harmless, so why not?
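
The point made in the posts above (forged Via, X-Forwarded-For and Client-IP headers do not change the TCP source address a site sees) shown from the server side, as an added example that is not part of the thread or of Jak's config. The function name `assess_request`, the peer address 203.0.113.25 and the 10.0.0.0/8 proxy network are constructed for illustration; the header values are the ones quoted in the thread.

```python
import ipaddress

# Headers whose mere presence makes a simple test page say "proxy detected"
# (the list quoted from the lagado proxy test in the thread).
PROXY_HEADERS = ("via", "forwarded", "x-forwarded-for", "client-ip")


def _parse_ip(text):
    """Return an ipaddress object, or None when text is not a valid address."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def assess_request(peer_ip, headers, trusted_proxies=()):
    """Pick the address a server should log for one request.

    peer_ip         -- source address of the TCP connection
    headers         -- request headers exactly as the client sent them
    trusted_proxies -- networks of reverse proxies the site runs itself
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    peer = ipaddress.ip_address(peer_ip)
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    result = {
        "naive_proxy_detected": any(h in hdrs for h in PROXY_HEADERS),
        "client_ip": peer_ip,  # default: believe only the socket
        "notes": [],
    }

    # Client-supplied addresses that do not even parse are a sign of forgery.
    for name in ("x-forwarded-for", "client-ip"):
        for value in hdrs.get(name, "").split(","):
            if value.strip() and _parse_ip(value) is None:
                result["notes"].append(f"{name}: {value.strip()} is not a valid IP")

    if not any(peer in net for net in trusted):
        if result["naive_proxy_detected"]:
            result["notes"].append("forwarding headers from untrusted peer ignored")
        return result

    # The peer is our own proxy, which appends the address it saw. Walk the
    # list right to left and stop at the first hop that is not ours; anything
    # further left was supplied by the client and is not trusted.
    for value in reversed(hdrs.get("x-forwarded-for", "").split(",")):
        ip = _parse_ip(value)
        if ip is None:
            break
        if not any(ip in net for net in trusted):
            result["client_ip"] = str(ip)
            break
    return result


if __name__ == "__main__":
    # Constructed requests; header values are those quoted in the thread.
    spoofed = {"Via": "HTTP1.1/galaxy.star-travel.org",
               "X-Forwarded-For": "12.148.163.136"}
    print(assess_request("203.0.113.25", spoofed))
    print(assess_request("203.0.113.25", {"X-Forwarded-For": "151.483.257.461"}))
    behind_proxy = {"X-Forwarded-For": "12.148.163.136, 198.51.100.7"}
    print(assess_request("10.0.0.5", behind_proxy, ["10.0.0.0/8"]))
```

A header-only check reports a proxy for the first request, while the logged address stays the socket address in both untrusted cases; the third case shows that even behind a real proxy a value the client prepends to X-Forwarded-For is not taken as the client address.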
     
  12. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Sounds like we are in sync in thinking it can't hurt to use Jak's config.

    I'll go a step further and say if it is good enough for JD5000 config. set, (http://www.computercops.biz/modules.php?name=Downloads&d_op=getit&lid=85 ), it's good enough for me.

    I don't use the JD 5000 config (way too much stuff in there for me, but I downloaded and looked at some of the filters out of curiosity)

    BTW the example you picked the lagado test, http://www.lagado.com/proxy-test shows the result we want.

    galaxy.star-travel.org = the spoofed VIA and is shown as The proxy server

    The proxy host was picked up as my IP (not shown)

    the spoofed client host ip address was 12.148.163.136 (actually was pulled from the xforward spoof - I just chked)
     
  13. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    I'm now using Jap together with Proxomitron, and this combination works fine.

    Reason I use Jap is very simple: your and my privacy on Internet is now-a-days hurt in an unacceptable way, everybody is being traced, tracked, logged, spammed, hacked and God knows what else, and I don't like that at all.

    I've a legal right to privacy, and nobody else has the right to hurt my legal rights.
    But because privacy on internet doesn't exist, I have to act against attempts to damage me.

    I have nothing to hide, but am only defending myself, in a legal way.

    It is a shame that I have to, the only definitive solution to get rid of all is to put the switch on my PC to off.

    But because that is not an alternative, I use proxies, firewalls, virusscanners, and so on and so on and........
     
  14. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Smokey and anyone using JAP,

    Would appreciate any feedback you have on JAP.

    first what is your connection: modem or high bandwidth access?

    is it light on resources? does it slow down your surfing?, Does JAP do what it says it can do? Stability? Any other concerns, likes or dislikes?

    Finally when you run JAP are you getting any hits on your firewall? I would presume if JAP is working properly your firewall hits/scans would go to 0?

    I was also a little concerned about loading the JAP software via net versus locally, since I generally like to monitor my installs.

    TIA

    p.s. for the record the proxy admonition came from another Yahoo user, not me. I presented it only for informational purposes.
     
  15. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    Scanners go for IP ranges, so no - you'll still get the hits on your firewall.
     
  16. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Hi peakaboo!

    Here my answers on your questions:

    Jap is extremely light on resources!

    My connection: high bandwidth access (ADSL).

    It is slowing down while surfing, but that is expected and totally normal, and when you are downloading the speed sinks heavily; stable it is for sure.

    Jap can not protect you from hits on your firewall.

    My conclusion about Jap: stable, protects your privacy rather well, very light on resources, but slows down the surfing too much.
    But because Jap is still in development and beta-stage, that behaviour will maybe change in new versions.

    For the time being I will keep following and testing the development of Jap, it is a promising program.
     
  17. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    I appreciate the feedback on JAP Smokey. It does look like a promising program.

    Also thanks to you and Checkout for answering the firewall question.

    Helped me rethink the direction I was moving.

    I think at this point I feel good about where I am from a privacy point of view, although I think I still have a filter or 2 to add for trackers and possibly some other stuff.

    Going forward, important to stay in tune & not become complacent.
     
  18. notageek

    notageek Registered Member

    Joined:
    Jun 3, 2002
    Posts:
    1,601
    Location:
    Ohio
    Would it hurt to use Proxo with JAP?


    Peakaboo, you looking for filters for proxo?
     
  19. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    notageek,

    I think I saw a prior post on this thread saying no problems using Proxo with JAP.

    Re: proxo filters, if you have any favorite ones you want to pass on please post.

    I dl'd JD5000 filter set, and am reviewing to see if I want to pull any filters there.
     
  20. notageek

    notageek Registered Member

    Joined:
    Jun 3, 2002
    Posts:
    1,601
    Location:
    Ohio
    Thanks peakaboo. I found JD's list to slow down my surfing speed so I made my own list. :D I compared my list with JD's and they are about the same but I have mainly web bug filters and tracking filters.
     
  21. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Works fine together.
     
  22. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    notageek,

    we are on the same page re: customized proxo filters.

    I'm trying to pick the best filters I can find and add to my custom blend (speed is an issue for me too - I will not add any filter which will create noticeable surfing drag).

    Question regarding tracking filters:

    I pulled the following filter from JD5k and it seems to work well against tracking @ privacy.net:

    Name = "Convert: Tracking Links to Normal Links {6.d} "

    I also pulled the one below but not sure if it will ever kick in since I already have Java Script disable filter enabled:

    Name = "Block: Javascript Trackers {8.d}"

    Can you think of any other tracking filters I am missing?

    (note: I already have web bugs covered)
     
  23. notageek

    notageek Registered Member

    Joined:
    Jun 3, 2002
    Posts:
    1,601
    Location:
    Ohio
    Hey peakaboo, I have Iframe trackers and Javascript trackers that I pulled from JD and a friend helped me modify it a bit.
     
  24. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Hi notageek,

    Thanks for the tracking filter info.

    I did not pull the iframe filter initially since I already use iframe to link filter. I may try it anyway to see if for some reason an iframe tracker can get by the iframe to link filter.

    Also, I found out the rationale behind the development of the fake proxy filter.

    sounds like it was developed in an attempt to hide the host (via) when using a proxy which is not anonymous, I think the client IP and xforward were added to further protect privacy when a weak (not anonymous) proxy was used.

    see the link:

    http://www.computercops.biz/modules.php?name=Forums&file=viewtopic&t=2166&sid=96dfa725d2b34dfa75e35cec8bb45ba5

    Take Care M8 ;)
     
  25. notageek

    notageek Registered Member

    Joined:
    Jun 3, 2002
    Posts:
    1,601
    Location:
    Ohio
    Thanks peakaboo, I'm heading over to the link now.
     