webmail + anonymizer = 419?

Filed Under: SophosLabs, Spam

Not too long ago we reported on how GMail's effort to kick "419 fraud" spammers off its network resulted in a measurable drop in that spam. Clearly, this problem is not specific to large webmail providers like GMail or Yahoo!; it is observed across most ISPs that offer webmail services.

For example, I have recently been tracking a large number of scam e-mails sent through the Free.fr (Proxad) ISP:

[Image: 419-from-smtp7-g19.png]

Thankfully, the webmail system used (Horde IMP) adds an X-Originating-IP header (in addition to the Received chain), which records the IP address the sender used to connect to the web e-mail interface. In the case of "419/Nigerian" scams, these IPs usually point to an Internet cafe network somewhere in Africa. But not this time:

Received: from server.unlockweb.org (server.unlockweb.org [64.22.117.2])
   by imp4.free.fr (Horde MIME library) with HTTP; ...
Subject: Att: Sir/Madam,
X-Originating-IP: 64.22.117.2

The IP in question resolves to the host server.unlockweb.org, which is a known "free web anonymizing proxy" site. Such "web proxies" are the most common technique end-users employ to bypass web filtering products, and the battle between "proxy owners" and the security labs is becoming increasingly similar to the anti-spam war.

In SophosLabs we constantly update a list of known anonymizing proxy URLs to use in our Sophos Web Appliance products. Each day we automatically discover and classify many dozens of new "proxy URLs" to use on top of the real-time detection technology available in the product.

It's interesting to see how different aspects of computer security converge and interrelate. Years ago, malware and spam were completely separate problems; today they are two parts of the same problem. Now the "web proxy" owners employ traditional spam techniques (e.g. content obfuscation, domain rotation) to avoid automated detection, and on the other side, 419 spammers rely on proxy sites to connect anonymously to the abused webmail servers. Yet another reason for having an integrated security research and response team to deliver the protection data.

ISPs around the world should make a serious effort to eliminate outbound webmail spam from their networks. Failing to do so will erode the reputation of their e-mail networks and eventually cause delivery problems. In this particular case, denying webmail access from known anonymizing proxy sites seems like "low-hanging fruit" to me. It won't solve the problem completely, but it will make the scammers' lives a little harder and may even push them out of your network. Further attention should go to efficient handling of abuse reports, limiting the number of outbound e-mails per account, and spam scanning of outbound traffic to flag or prevent the abuse.
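As an added illustration of the two defensive measures just described (it is example code, not anything from SophosLabs or the Free.fr webmail system), the following script reads the X-Originating-IP header that Horde IMP adds, falls back to the first hop of the Received chain when that header is absent, checks the originating address against a blocklist of known anonymizing-proxy hosts and networks, and enforces a per-account outbound message quota. The blocklist, the reverse-DNS table and the sample message are constructed for the example (the host name and IP are the ones quoted above); a real deployment would consult live DNS and a maintained proxy list.

```python
"""Flag outbound webmail messages that originate from known anonymizing proxies,
and cap how many messages a single webmail account may send per hour."""
import re
from collections import defaultdict, deque
from email import message_from_string
from email.message import Message
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed blocklist (hypothetical values for the example): a maintained list
# of known anonymizing-proxy host names and the networks they live in.
KNOWN_PROXY_HOSTS = {"server.unlockweb.org"}
KNOWN_PROXY_NETS = [ip_network("64.22.117.0/24")]

# Constructed reverse-DNS table so the example runs offline; a real system
# would do a PTR lookup here.
REVERSE_DNS = {"64.22.117.2": "server.unlockweb.org"}

# Matches the "from <helo> (<rdns> [<ip>])" part of a Received header.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9.]+)\]\)")


def originating_ip(msg: Message) -> Optional[str]:
    """Prefer X-Originating-IP (set by the webmail front end); otherwise take
    the client IP from the first Received hop."""
    xoip = msg.get("X-Originating-IP")
    if xoip:
        return xoip.strip("[] ")
    for received in msg.get_all("Received", []):
        match = RECEIVED_RE.search(received)
        if match:
            return match.group(3)
    return None


def classify(raw_message: str) -> dict:
    """Return the originating IP, its reverse-DNS name and a block/allow verdict."""
    msg = message_from_string(raw_message)
    ip = originating_ip(msg)
    if ip is None:
        return {"ip": None, "host": None, "verdict": "no-origin", "reasons": []}
    host = REVERSE_DNS.get(ip)
    addr = ip_address(ip)
    reasons = []
    if host in KNOWN_PROXY_HOSTS:
        reasons.append("host-in-proxy-list")
    if any(addr in net for net in KNOWN_PROXY_NETS):
        reasons.append("ip-in-proxy-net")
    return {"ip": ip, "host": host,
            "verdict": "block" if reasons else "allow", "reasons": reasons}


class OutboundQuota:
    """Sliding-window limit on outbound messages per webmail account."""

    def __init__(self, max_per_window: int, window_seconds: int = 3600):
        self.max_per_window = max_per_window
        self.window = window_seconds
        self._sent = defaultdict(deque)  # account -> timestamps of recent sends

    def allow(self, account: str, now: float) -> bool:
        """Record a send attempt at time `now`; False means the quota is exhausted."""
        times = self._sent[account]
        while times and now - times[0] >= self.window:
            times.popleft()
        if len(times) >= self.max_per_window:
            return False
        times.append(now)
        return True


# Constructed sample, built from the headers quoted in the post above.
SAMPLE_VIA_PROXY = (
    "Received: from server.unlockweb.org (server.unlockweb.org [64.22.117.2])\n"
    "   by imp4.free.fr (Horde MIME library) with HTTP; Mon, 1 Jan 2008 00:00:00 +0100\n"
    "Subject: Att: Sir/Madam,\n"
    "X-Originating-IP: 64.22.117.2\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print(classify(SAMPLE_VIA_PROXY))
```

Because the Received regex is only a fallback, a message that carries no X-Originating-IP header is still attributed to the proxy, and a message from an address that is in neither list gets an "allow" verdict; the quota object is meant to be consulted by the webmail send path before the message is handed to the outbound MTA.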
