Open Proxy Spam
Open Proxies are a resource that spammers only started to find and exploit seriously in late 2002. By mid 2003 most spam was being sent through open proxies.
A proxy is a server that is designed to proxy one or more services for local users, to cache internet content, to speed things up, to provide access from non-routable address space, etc. However, a large number of such products seem to have been installed with no thought to security. In an insecure state these devices frequently allow anyone anywhere on the Internet to make a TCP connection to your mail server through them.
Spammers love open proxies because they completely obscure the real source of the spam. As far as the receiving mail server is concerned, the spam came directly from the IP address of the proxy server. None of the frequently abused proxy servers add any information to the message regarding the source of the connection.
A typical Open Proxy Spam looks like:
Return-Path: <erikalee@123india.com>
Received: from mail.skywaywest.com (test.hch.com.ar [200.41.250.92])
by mail.skywaywest.com (8.11.0/8.11.0) with ESMTP id fB7LxVQ07484
for <postmaster@hr-online.com>; Fri, 7 Dec 2001 13:59:31 -0800
Message-Id: <200112072159.fB7LxVQ07484@mail.skywaywest.com>
To: <cash@mail.skywaywest.com>
From: erikalee@123india.com
Subject: I just got a great job.
Date: Fri, 07 Dec 2002 09:06:02 -2000
MIME-Version: 1.0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Reply-To: erikalee@123india.com
Status: O
Content-Length: 1744
Lines: 38
[-- text/html is unsupported (use 'v' to view this part) --]
[body snipped]
As you can see, the Received: headers indicate one hop only - from the Open Proxy at 200.41.250.92 to our server.
Since the HELO name the connecting host gave is our own server's name, we can be sure that this address is either the spammer's own machine or an Open Proxy. You could probe it with network utilities, but it's better just to complain to the site's network provider and let them deal with it.
The message will probably contain a web site URL or an E-mail contact address. These belong to the spammer. Complain about spamvertised web sites.
Forged and misleading information in the header:
- The To: header. The original To: header probably just read To: cash. Our mail server appended the local host name to the message when delivering it.
- The From: header. erikalee@123india.com doesn't exist and never did. Or if they did, they almost certainly did not send this Spam. They may receive many complaints from people who receive it, though. The next message this spammer sends will have a different From: header that will be no more valid or worth filtering on.
- The Message-Id: header. This message arrived without a Message-Id: header. Our mail server helpfully created one, misleadingly making it look as though the message has something to do with mail.skywaywest.com.
- The Date: header. This one looks almost correct, but it could say anything. It has nothing to do with when the message was created or sent.
- The HELO information in the Received: headers. Spammers and intermediate servers can put anything they want there. The receiving system trusts what the sending system tells it. The Open Relay probably does think its name is HCHINTERNET1.s2.redynet.com.ar, and that information may be helpful in contacting the Open Relay owner. The Spam sender has nothing to do with criticalpath.net, however.
- The Reverse DNS information. The Reverse DNS info can be helpful but shouldn't be relied on. It is often misconfigured. It can also be falsified by spammers who control their own IP space.
- The Return-Path: header. This header was created by our mail server to record the Envelope Sender of the message. This sender is just as forged as the From: address, with the added bonus that any undeliverable messages sent by the spammer will be sent to this address. When spammers use real people's addresses, their mailboxes can receive thousands or tens of thousands of bounces over a few hours, causing real problems for them and their E-mail provider.
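The header analysis above can be automated. The following is an added example, not code from the original page or from Skyway West: it parses the sample message shown earlier (with the folded Received: line re-indented so the parser treats it as one header) and flags the tell-tale signs discussed above: a single Received: hop, a HELO name that claims to be our own server, a Message-Id and To: address that our server filled in locally, and a Date: zone offset that cannot exist. The receiving host name mail.skywaywest.com is taken from the sample; the heuristics themselves are this example's own choices, not a published standard.

```python
import re
from email import message_from_string

# Name of our receiving mail server (taken from the page's sample headers).
OUR_HOST = "mail.skywaywest.com"

# Sample headers, constructed from the page's example. The body is omitted and
# the continuation lines of Received: are indented so they parse as one header.
SAMPLE = """\
Return-Path: <erikalee@123india.com>
Received: from mail.skywaywest.com (test.hch.com.ar [200.41.250.92])
    by mail.skywaywest.com (8.11.0/8.11.0) with ESMTP id fB7LxVQ07484
    for <postmaster@hr-online.com>; Fri, 7 Dec 2001 13:59:31 -0800
Message-Id: <200112072159.fB7LxVQ07484@mail.skywaywest.com>
To: <cash@mail.skywaywest.com>
From: erikalee@123india.com
Subject: I just got a great job.
Date: Fri, 07 Dec 2002 09:06:02 -2000
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"

"""

# "from <HELO name> (<reverse DNS> [<IP>]) by <our host>" as sendmail writes it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>\d+(?:\.\d+){3})\]\)"
    r"\s+by\s+(?P<by>\S+)"
)
# Numeric zone offset at the end of a Date: header, e.g. "-0800".
TZ_RE = re.compile(r"([+-])(\d{2})(\d{2})\s*$")


def parse_received(value: str):
    """Unfold a Received: header and pull out HELO name, reverse DNS, IP and receiver."""
    match = RECEIVED_RE.search(" ".join(value.split()))
    return match.groupdict() if match else None


def analyse(raw: str, our_host: str = OUR_HOST) -> dict:
    """Return the connecting IP, hop count and a dict of finding code -> explanation."""
    msg = message_from_string(raw)
    host = our_host.lower()
    findings = {}

    hops = [h for h in (parse_received(v) for v in msg.get_all("Received", [])) if h]
    # Received: headers are prepended, so hops[0] is the hop into our server.
    if len(hops) == 1:
        findings["single_hop"] = (
            "only one hop: %s is either the spammer or an open proxy" % hops[0]["ip"]
        )
    if hops and hops[0]["helo"].lower() == host:
        findings["forged_helo"] = "client introduced itself with our own host name"

    # A Message-Id in our own domain on mail we did not originate was added locally.
    msgid = msg.get("Message-Id", "").strip().rstrip(">").lower()
    if msgid.endswith("@" + host):
        findings["local_message_id"] = "Message-Id was generated by our server"

    # A bare local part in To: is completed with our host name on delivery.
    if "@" + host in msg.get("To", "").lower():
        findings["local_to"] = "To: address was completed with our host name"

    # Real zone offsets lie within +/-14:00; anything else was made up by the sender.
    tz = TZ_RE.search(msg.get("Date", ""))
    if tz and (int(tz.group(2)) > 14 or int(tz.group(3)) > 59):
        findings["bad_date_offset"] = "Date: carries impossible zone offset %s%s%s" % tz.groups()

    return {
        "connecting_ip": hops[0]["ip"] if hops else None,
        "hop_count": len(hops),
        "findings": findings,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE)
    print("connecting IP:", report["connecting_ip"], "hops:", report["hop_count"])
    for code, text in report["findings"].items():
        print(" -", code, ":", text)
```

The only value worth acting on is the connecting IP from the first Received: header; everything the sender chose to write (From:, Date:, HELO name) is reported for context, not used as an identifier to filter or complain about.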
Please send corrections or suggestions for improvements in this page to abuse@skywaywest.com
