
Open Proxy Servers: A Growing Source of Spam

Joe St Sauver, Ph.D.
Director, User Services and Network Applications
joe@uoregon.edu

Most of the spam sent to UO users comes from one of five sources:

  1. So-called "bulletproof" email servers (run by dedicated spam houses and connected by ISPs who fail to enforce any acceptable use policy on their customers)
  2. Throw-away free email accounts which get used until they're cancelled, at which point spammers create and abuse new throw-away email accounts
  3. Open SMTP relays, i.e., hosts that are willing to accept and resend email for virtually anyone, including random spammers
  4. Abusable form-mail cgi-bins. These are web pages that are intended to be used just to send comments to a particular address, but which can be "hijacked" to send email to random addresses of a spammer's choice
  5. Open proxy servers (systems that will accept connections from any network address, acting as a blind intermediary to virtually any other network address).

It is this last category--spam from open proxy servers--that has become a growing concern for Darkwing, Gladstone, and Oregon users lately.

In an effort to deal with this problem, the Computing Center Systems group--the group that's ultimately responsible for administering Darkwing, Gladstone, and Oregon's anti-spam measures--has been experimenting with a DNS-based Open Proxy blacklist known as the Blitzed Open Proxy Monitor. In a nutshell, when an email is received from network address A.B.C.D, the mail server checks via the domain name system to see whether or not the address D.C.B.A.opm.blitzed.org is defined. If it is, this signals that mail from that address is coming from an open proxy server, and we reject that email.

This check augments, but does not replace, other anti-spam measures already in place on the university's large shared hosts, including use of the mail-abuse.org RBL+ service.

We are also evaluating other open proxy blacklists, including the monkeys.com Open Proxy List (http://www.monkeys.com/anti-spam/filtering/proxies.html) and the Osirusoft Open Proxy List (http://relays.osirusoft.com/faq.html).

Like the Blitzed OPM, checking the monkeys.com list or the Osirusoft list is simply a matter of querying DNS to see whether or not D.C.B.A.proxies.relays.monkeys.com or D.C.B.A.relays.osirusoft.com is defined for a given numerical network address.
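The reversed-address lookup described above for the Blitzed OPM, monkeys.com and Osirusoft zones, as an added example (not the Computing Center's own code). Assumptions: the function names and SMTP reply text are hypothetical, the sample DNS answers are constructed, and the check that an answer falls in 127.0.0.0/8 follows the usual DNS blacklist convention rather than anything the article states; it keeps a resolver that rewrites "no such name" into some other address from making every sender look listed.

```python
import ipaddress
import socket

# The three zones named in the article.
ZONES = ("opm.blitzed.org", "proxies.relays.monkeys.com", "relays.osirusoft.com")
LISTING_NET = ipaddress.ip_network("127.0.0.0/8")  # assumed listing-answer range

# Constructed sample answers (documentation addresses, not real listings).
SAMPLE_DNS = {
    "10.2.0.192.opm.blitzed.org": "127.0.0.2",
    "10.2.0.192.relays.osirusoft.com": "127.0.0.9",
    # A resolver that rewrites "no such name" into a search-page address:
    "7.100.51.198.opm.blitzed.org": "203.0.113.80",
}

def dnsbl_name(ip, zone):
    """Map A.B.C.D and a zone to D.C.B.A.zone (IPv4 only, as in the article)."""
    addr = ipaddress.IPv4Address(ip)  # ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_resolver(name):
    """Return the A record for name, or None when the name is not defined."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None  # not listed, or lookup failed: accept rather than block mail

def listed_in(ip, zones=ZONES, resolve=system_resolver):
    """Return the zones in which ip is listed."""
    hits = []
    for zone in zones:
        answer = resolve(dnsbl_name(ip, zone))
        # A defined name counts only if the answer is in the listing range.
        if answer and ipaddress.IPv4Address(answer) in LISTING_NET:
            hits.append(zone)
    return hits

def smtp_verdict(ip, resolve=system_resolver):
    """Reject when any list knows the sender as an open proxy."""
    hits = listed_in(ip, resolve=resolve)
    if hits:
        return "550 rejected: %s listed in %s" % (ip, ", ".join(hits))
    return "250 ok"

if __name__ == "__main__":
    for sender in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(sender, "->", smtp_verdict(sender, resolve=SAMPLE_DNS.get))
```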

As open proxies are used to send email to Darkwing, Gladstone or Oregon users, they're being added to http://darkwing.uoregon.edu/~joe/open-proxies-used-to-send-spam.html, a page which tracks not only the source of open proxy spam, but also identifies which of the open proxy lists knows about each of those open proxy servers.

Based on these efforts, we hope to dramatically reduce spam received from open proxy servers, much as we've been able to successfully reduce other sources of spam abusing UO email addresses.


Fall 2002 Computing News | Computing Center Home Page