SpamCop and Webmail Spam via tor

[Tykling]

  On 27.10.2010 21:55, Peter Guhl wrote:
> Am 27.10.10 17:37, schrieb Moritz Bartl:
>> Am 27.10.2010 17:01, schrieb Peter Guhl:
>>> person accessing the webmail is not likely to be transmitted in the 
>>> mail
>>> headers. There's only the host where the webmail is running at.
>>
>> At least for the reports we're getting at torservers, this is exactly
>> the case. Most webmail providers I know include the sender IP in their
>> headers.
>
> Jikes... that's sort of strange. Hadn't expected that. Technically I 
> consinder that wrong since the MUA (the thing using SMTP) isn't 
> running at the user's machine and, even more, definitely not at the 
> router next to the server running the webmail. At the other and the 
> webmail providers may be right since the machine really transmitting 
> the message *is* the user's computer. Even though the first hop is 
> made using HTTP instead of SMTP. It's probably their strategy to 
> automatically direct complaints to the next level.
Hello,

It has been like this for a few years, since the botnets started using
saved browser passwords for webmail accounts to send out spam.

This method of sending spam is way more effective than sending
directly from the infected host, since it is an actual mailserver sending
the mails, and not some consumer dynamic ip or something.

The webmail operators putting the HTTP client IP in the SMTP header
helps the webmail operators avoid getting their SMTP servers RBL
blacklisted, and it also helps the blacklists find the correct IP to list,
which is the infected client rather than the mailserver with possibly
thousands of users where only one is infected.

I can speak on this topic with some certainty since I manage abuse for
the ISP where I work, so I am pretty involved in all this. I do however
give exit node operators (myself included) a lot of extra goodwill, 
something
I sense from reading these lists is pretty rare :)

/Thomas