ISPs webmail forging IPs of webmail users as smtp senders!

[EricM]

I am trying to figure something out.

One of my customers run a cgi proxy service, access to port 25 is blocked so that spam cannot be relayed through the proxy, it only allows http access.

The problem is, spammers are accessing http sites (webmail) and using it to send spam, and those webmail servers are forging my IP as the sender in the headers, even tho they are the ones who are originating the SMTP connection.

Example:

Return-Path: <electronic_lottery[at]yahoo.cn>

Received: from barracuda-out1.linkline.com [64.30.215.67] by

maila61.webcontrolcenter.com with SMTP;

Sun, 23 Mar 2008 18:08:23 -0700

Received: from webmail.linkline.com (localhost [127.0.0.1])

by barracuda-out1.linkline.com (spam Firewall) with ESMTP

id 6F054952B2A; Sun, 23 Mar 2008 17:17:10 -0700 (PDT)

Received: from webmail.linkline.com (beth.linkline.com [64.30.215.37]) by

barracuda-out1.linkline.com with ESMTP id L3pcqCMG4SGGcHvY; Sun, 23 Mar 2008

17:17:10 -0700 (PDT)

Received: from 64.72.116.x

(SquirrelMail authenticated user DONDAVID)

by beth.linkline.com with HTTP;

Sun, 23 Mar 2008 17:16:59 -0700 (PDT)

X-ASG-Debug-ID: 1206317830-3373031d0000-SNOoqM

X-Barracuda-URL: http://64.30.215.67:8000/cgi-bin/mark.cgi

Message-ID: <5819_______________________________rrel[at]beth.linkline.com>

Date: Sun, 23 Mar 2008 17:16:59 -0700 (PDT)

X-ASG-Orig-Subj: Dear Beneficiary

Subject: Dear Beneficiary

From: "Mrs. Becky Owen" <electronic_lottery[at]yahoo.cn>

Reply-To: electronic_lottery[at]yahoo.cn

User-Agent: SquirrelMail/1.4.6

MIME-Version: 1.0

X-Content-Type: text/plain;charset=iso-8859-1

X-Priority: 3 (Normal)

Importance: Normal

X-Barracuda-Connect: beth.linkline.com[64.30.215.37]

X-Barracuda-Start-Time: 1206317832

X-Barracuda-Virus-Scanned: by Barracuda spam Firewall at linkline.com

X-Content-Transfer-Encoding: quoted-printable

X-Rcpt-To: <x>

X-SmarterMail-spam: SpamAssassin 0.6 [raw: 0.3], SPF_None

X-Antivirus: AVG for E-mail 7.5.519 [269.21.8/1339]

Content-Type: text/plain

X-SpamSource-note: Converted to text/plain by SpamSource

Why is this spam being reported to me and not beth.linkline.com where it really originated???

[Telarin]

Because it originated at your IP address, even if it was via an HTTP webmail session rather than an SMTP session. This is the preferred behavior for a webmail service, as it allows the recipient to trace the message back to the actual origination point, rather than just stopping at the webmail services servers. I would suggest securing your proxy service to require some kind of authentication.

[Wazoo]

One of my customers run a cgi proxy service, access to port 25 is blocked so that spam cannot be relayed through the proxy, it only allows http access.

And yet, you want to indicate that the "customer's proxy" is in fact kicking out e-mail ... ????

The problem is, spammers are accessing http sites (webmail) and using it to send spam, and those webmail servers are forging my IP as the sender in the headers, even tho they are the ones who are originating the SMTP connection.

In the above, you indicated that Port 25 was blocked, yet here you suggest that the 'proxy' is originating an outgoing SMTP connection. ???? I'm of the thought that 'proxy' perhaps actually makes a call to whatever SMTP service the hosting server/ISP/server (you?) is actually providing .. and this 'request' is being honored by that ISP/hosting-server, generally because it's coming from a 'trusted' service on the internal network. End result, the SMTP connection 'comes from you' .. not the customer's server (????) .. if that's what you're actually suggesting/asking about.

In my mind, I would change Telerin's response to read "your customer needs to secure the Proxy" or 'you need to evaluate whether your customers should be allowed to run/provide these kinds of abusable services' .... again, this is the way I read the definition of the problem.

[EricM]

Wazoo you are not understanding what i mean.

The proxy is not making a smtp connection.

The proxy is making a http connection to a webmail service on another server out of my control, the webmail then sends an email based on the http request.

eg. spammer visits hotmail.com in a browser through the proxy, and hotmail is forging a recieved header with my ip as the smtp originator when its really just a http request. (hotmail works correctly, this is just an example)

There are thousands of different webmail providers and software out there, there is no reasonable way for me to block access to webmails through the proxy.

The request is a standard http request to a webserver on port 80 when it leaves my network, it should not be my problem if some other external machine is converting these requests into smtp connections and then forging my ip as the orginator.

Mainly the problem is spamcop is not detecting the forged headers and is sending the complaints to the wrong place.

[DavidT]

One of my customers run a cgi proxy service

Please clarify, or give us the URL. Is this an "anonymous proxy" service, in which people are allowed to use the system to hide their identities while using the Internet? If yes, then the simple answer is, don't let your customer run such a service.

DT

[EricM]

Its like this

http://www.liveproxy.org/secure/nph-proxy.pl

[Wazoo]

Its like this

http://www.liveproxy.org/secure/nph-proxy.pl

Generic answers to a specific problem doesn't really help all that much. On the other hand, just off the top of my head, this is something like the third or fourth posted Topic in the last couple of months about spammer abuse of someone's attempt/decision to put up an open/anonomous proxy with absolutely no controls in place. I haven't yet figured out how and why someone wouldn't expect the spammers to show up these days to use such a tool.

Therefore, I also have to challenge the Subject/Title of your Topic. The IP address of the source of the spam is not forged at all .. it is the source of the spam delivery connection point. I'd say that in general, everything is working just as designed, to include the SpamCop.net parser.

[DavidT]

Exactly. Eric, thanks for answering, but proxy services like that are often abused by spammers, and the only way to deal with the abuse is to take action against the host. I'm sure that most people here would suggest to you that hosting such a service makes you a "part of the problem."

DT

[Miss Betsy]

I don't understand how proxies work very well. However, I do understand that when a server gets a request that it only knows the IP address of the server making the request. Therefore hotmail is /not/ forging your IP address. That's the only IP address it knows for sure since previous headers can be forged.

There are lots of neat things about email and the internet that can no longer be used because the spammers abuse them. Proxies are one of them that have to be 'secured'

You are in a position to stop this spammer from sending his spew. There is no one else. If you know where the spam is coming from then you are the one to either stop it (I think you can block access, can't you?) or to contact the source to stop it since you can verify that.

You are also in a position to secure this proxy from allowing unauthorized users. Once a spammer has found a way to abuse something, it isn't long before he sells the knowledge or other spammers find it. Therefore even if you stop this particular spammer, there will be others.

Other blocklists don't send reports; they just block. However, spamcop assumes that you want to know so that you can stop the spam.

The *sending* end is the only place where spammers can be stopped. Everyone else has to filter and the best way to filter out spam is by the last known IP address which, in this case, is yours.

You don't have to receive spamcop reports. You can ignore them. But neither does anyone else have to receive email from an IP address that also allows spammers to operate.

Miss Betsy

[Merlyn]

Wazoo you are not understanding what i mean.

The proxy is not making a smtp connection.

The proxy is making a http connection to a webmail service on another server out of my control, the webmail then sends an email based on the http request.

This would not be possible if you were not running a proxy service. Actually it is under your control because they are using your service to connect and send the spam :-(

[Mikescki]

Hi there,

You don't have to be hosting a proxy server to have your email address forged by spammers.

I just had my email in box swamped with "Undelivereds" - probably over 2,000 of them in the space of a few hours. It has taken me two days to get it sorted out and I expect there will still be knock-on effects as I had to burn that particular email address.

Can someone start a move to get "From" hardwired into the sending computer?

Just think of the consequences if this episode had not just been spam for knock off watches or P**** expansion.

What if it had been used to communicate information for Child Porn or an Al Qida terror message!

I would not want to loose my computer and suffer a few weeks held incommunicado while I tried to prove my innocence (yes the proof would be down to me as it seems that we now have a presumption of guilt in these cases).

I have already experienced first hand what it is like to be presumed guilty (of the theft of a jet engine from Gatwick airport). It ended amicably enough (not charged due to lack of evidence!) and is a topic of conversation. I have since seen the effect on an acquaintance of even heavier handed policing when they decided they didn't like him - try having your house raided and just about anything which isn't bolted down removed, bank and credit accounts frozen, all money kept for months - even though there is no case to answer.

Like it or not, this is increasingly a surveillance society and those that use computers and the internet should be doing as much as possible to protect from any form of identity theft.

Regards

Mike

[Miss Betsy]

There is a difference between forging an IP address and an email address. Email addresses are easily forged. IP addresses can also be forged except for the one which is connecting to another server. I was going to say that even overzealous police couldn't arrest someone on the basis of an email address, but since the general public doesn't seem to realize that email addresses can be easily forged, perhaps an unlucky sequence of ignorant police and lawyers and judges and suspects could produce a problem, for a time.

But it is true that people who use the internet should have more knowledge of how it works and how to protect oneself online from identity theft and from having one's computer used by spammers or criminals.

Miss Betsy

[Mikescki]

And given that a few weeks ago it was widely quoted that there was "Just one" policeman who was specifically assigned to internet fraud ....

He was apparently swamped.

Mike

[Miss Betsy]

quoted by whom? Again, I doubt that that statement is true unless it is true of one small town.

You would find more likelihood of people discussing the subject in spamcop.social (though they don't like to talk about spam; they do like to talk about the way that our freedoms are being eroded). In the forum, in general, we are pretty focused on spam and methods of spam transmission. forgery of one's email address is not likely to lead to bad consequences for one since most people who can perpetuate bad consequences of one kind or another know how common email address forgery is.

Miss Betsy

[Mikescki]

It was in PC Pro.

The topic was that when people try to report crimes they were being told to contact their bank.

It mentioned that there was only one Full Time policeman dedicated to the job.

The House of Lords were also scathing of the govts very poor record on internet security.

"Lord Broers, the committee chairman, claimed in the report that the internet "is increasingly perceived as a sort of 'wild west', outside the law." The government, however, denied the accusation in its official response, claiming "we would refute the suggestion that the public has lost confidence in the internet and that lawlessness is rife." However, when pressed by PC Pro, the government admitted it had no statistics to back up its claim."

I think that the BBC also did a piece on it.

[Miss Betsy]

The problem in the US is that law enforcement isn't interested unless you have lost a substantial sum of money. Many people think that they should be stopping them before they claim victims.

There is no law on the internet. Security depends on the people who use it.

Miss Betsy