To stop spam emails, it is common for companies to implement several anti-spam solutions, such as spam filters, in their mail servers. Nevertheless, there are many cases where anti-spam solutions are often bypassed. 

In order to bypass the anti-spam system, attackers use official mail services from well-known conglomerates or send malicious emails by skillfully avoiding the anti-spam detection system. In that case, a malicious email will make its way through to your inbox even if you have spam filters on. However, this nuisance can be addressed by using IP intelligence. This article will introduce how IP intelligence can deal with malicious emails that bypass anti-spam solutions.

How to Track Phishing IPs That Bypass Anti-Spam Solutions

As shown below, a spam email was received as a corporate email. Because this email was sent using a Korean mail service called Daum, SPF problems did not occur. Although the attached files contained malicious code, it was able to bypass the anti-spam detection system and make its way through to the user’s inbox. 

Phishing Mail That Bypassed the Anti-Spam System
Phishing Email That Bypassed the Anti-spam Solution

You can check the the email header to see the information of the attacker who sent the email.

Explaining the contents of the email header would be deviating from the purpose of this article, thus skipping the details; many sites like helps people who need to learn mail header analysis technology to find mail headers online immediately. They can do this by searching “email header analyzer” on Google, helping them access the needed resources. 

The image below shows the details of the header we looked at using the email header analyzer. 

 Information of the Attack Mail's Header That Bypassed the Anti-Spam System
 Header information of the attack email that bypassed the anti-spam solution

Amongst the headers, X-Originating-IP records the IP address of the person who wrote the email. In other words, if a hacker sent this email, you can deduce the fact that the IP address shown is the IP address of the PC they sent it from. 

IP Intelligence Analysis on IP Address Sending Spam 

From looking into this IP address through Criminal IP (, we found that their servers are located in Taiwan. However, the email did not use Chinese or Taiwanese, nor did it seem like the content suggested getting a job in another country.

Spam Attack IP Information Tracked By IP Intelligence Search Engine Criminal IP. Identified as a VPN Server in Taiwan
Spam Attack IP Information Tracked By IP Intelligence Search Engine Criminal IP. Identified as a VPN Server in Taiwan
Intelligence Analysis Result of Spam Attack IP Address, VPN is Operating at Port TCP/443
Intelligence Analysis Result of Spam Attack IP Address, VPN is Operating at Port TCP/443

For reference, the image below shows the banner results of the TCP/443 HTTPS protocol.

HTTPS Protocol Banner Results of a Common Port TCP/443
HTTPS Protocol Banner Results of a Common Port TCP/443

Why OpenVPN Protocol is Implemented at Port TCP/443

The reason why the OpenVPN protocol is implemented at port 443 is as follows:

When attempts to a VPN connection at corporate or institutions, internal security systems block them off because there is a risk of employees leaking internal information or there might be malicious code encrypted traffic that goes under the radar. However, if these OpenVPN ports are sent to port TCP/443 instead of the usual UDP/1194 port, access is often granted. This is because if outbound TCP/443 is blocked, all company employees will be unable to surf the internet.

That being said, common VPNs often have protocols like OpenVPN running on port TCP/443. By running the VPN on a different port, a typical IoT search engine will detect the IP as a normal IP address, not an IP address using the VPN service. Even when you are detecting VPN IP addresses to block connections, you can avoid radar networks. We can say that the IP address that bypassed the anti-spam system and sent a malicious email is related to this. 

Analysis Results of the Spam Attack Case

  • Resume sent to a company using VPN from Taiwan
  • The VPN port using OpenVPN is port TCP/443, not port UDP/1194
  • Seeing how they are using uncommon ports, it is clear that bypassing IP addresses is their motive

How to Handle Attacks That Bypasses Anti-spam Solutions Using IP Intelligence 

From an IP intelligence perspective, the following complementary strategies can be established: 

Useful strategies to use when dealing with IP addresses that attempt to circumvent anti-spam systems: 

  • With a plug-in that can connect to an anti-spam solution or spam filter, you can interlink that to an IP intelligence system that can detect VPN IP addresses
  • Check the X-Originating-IP by looking at the email header and interlink that IP address to an IP intelligence system to review 
  • If the IP address of X-Originating-IP is determined to be the VPN IP address, the corresponding email is confirmed to be spam
  • If the VPN is set at an abnormal port number, detection should be carried out with a higher priority
  • Apart from VPN, you can also detect whether the IP address is a Tor IP address, hosting IP address, or any other disreputable IP addresses 

Note that the X-Originating-IP field often gets omitted depending on the email server (Gmail does not log this field), so this strategy is not the perfect security fix for spam. However, by writing code using the detection logic above and integrating it with an anti-spam system, a significant number of attacks that penetrate existing spam solutions can be detected.

Criminal IP, IP address-based threat intelligence search engine, provides Open API intergration that can, as explained above, act as an IP intelligence complementary. After registering your Criminal IP account, use the search engine platform to search or get issued an API key at ‘My Page’ to quickly start interlinking. We also provide customizing service and custom API calls for any customers of enterprises that require a large number of calls.

For more information on why enterprise and institution cybersecurity need OSINT and IP intelligence along with IP tracking and analysis of real-time attacks, please refer to our article ‘Government Servers Hacked by the Unseen Cryptojackers‘.

To see more use of Criminal IP, please contact our Sales Team.

Source : Criminal IP (

Related Article :