Block spam relay with squid.conf
Unless you’ve been living under a rock, you’re aware of the spam problem on the Internet. Spam senders used to take advantage of open email relays. These days, a lot of spam comes from open proxies. An open proxy is one that allows outsiders to make requests through it. If others on the Internet receive spam email from your proxy, your IP address will be placed on one or more of the various blackhole lists. This will adversely affect your ability to communicate with other Internet sites.
Use the following access control rules to make sure this never happens to you. First, always deny all requests that don’t come from your local network. Define an ACL element for your subnet:
acl MyNetwork src 10.0.0.0/16
Then, place a deny rule near the top of your http_access rules that matches requests from anywhere else:
http_access deny !MyNetwork
http_access ...
http_access ...
While that may stop outsiders, it may not be good enough. It won’t stop insiders who intentionally, or unintentionally, try to forward spam through Squid. To add even more security, you should make sure that Squid never connects to another server’s SMTP port:
acl SMTP_port port 25
http_access deny SMTP_port
In fact, there are many well-known TCP ports, in addition to SMTP, to which Squid should never connect. The default squid.conf includes some rules to address this. There, you’ll see a Safe_ports ACL element that defines good ports. A deny !Safe_ports rule ensures that Squid does not connect to any of the bad ports, including SMTP.
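Squid checks http_access rules in order and stops at the first one that matches, which is why the deny rules have to sit near the top. The following is an added example, not part of the original article or of Squid itself: a small Python evaluator for src and port ACLs. The allow MyNetwork and deny all lines, the sample addresses, and the function names are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample: the page's ACLs and deny rules, plus an assumed
# "allow MyNetwork" / "deny all" tail standing in for the elided rules.
GOOD_CONF = """
acl MyNetwork src 10.0.0.0/16
acl SMTP_port port 25
http_access deny !MyNetwork
http_access deny SMTP_port
http_access allow MyNetwork
http_access deny all
"""
# Same rules, but the allow comes before the SMTP deny.
BAD_ORDER_CONF = GOOD_CONF.replace(
    "http_access deny SMTP_port\nhttp_access allow MyNetwork",
    "http_access allow MyNetwork\nhttp_access deny SMTP_port")

def parse(conf):
    """Collect 'src' and 'port' ACLs and the ordered http_access rules."""
    # "all" is predefined here so the rules can reference it.
    acls, rules = {"all": ("src", ["0.0.0.0/0"])}, []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] in ("src", "port"):
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(acls, name, src, port):
    kind, values = acls[name]
    if kind == "src":
        addr = ipaddress.ip_address(src)
        return any(addr in ipaddress.ip_network(v) for v in values)
    for v in values:  # a port value is a single port or a lo-hi range
        lo, _, hi = v.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def decide(conf, src, port):
    """Return the action of the first http_access rule whose ACLs all match."""
    acls, rules = parse(conf)
    for action, names in rules:
        # ACLs on one line are ANDed; a leading '!' negates the ACL.
        if all(acl_matches(acls, n.lstrip("!"), src, port) != n.startswith("!")
               for n in names):
            return action
    return "deny"  # sketch simplification; end real lists with "deny all"
```

With the rules in the page's order, an inside client asking for port 25 is denied. With the allow rule moved above the SMTP deny, the same request is allowed.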