In order to stop spam mails, it is common for companies to have several anti-spam systems and spam filters implemented in their mail servers. Nevertheless, there are many cases where anti-spam system are often bypassed. 

In order to bypass the anti-spam system, attackers use official mail services from well-known conglomerates or send malicious mails by skillfully avoiding the anti-spam detection system. In that case, malicious mails will make its way through to your inbox even if you have spam filters on. However, this nuisance can be addressed by using IP intelligence. This article will introduce to you how IP intelligence can be used to deal with malicious mails that bypasses anti-spam systems.

How to Track Attack Phishing IPs That Bypasses Anti-Spam System

As shown below, there is a spam mail received as corporate mail. Because this email was sent using a Korean mail service called Daum, SPF problems did not occur. Although the attached files contained malicious code, it was able to bypass the anti-spam detection system and make its way through to the user’s inbox. 

Phishing Mail That Bypassed the Anti-Spam System
Phishing Mail That Bypassed the Anti-Spam System

You can check the header of the mail to see the information of the attacker who sent the mail.

Explaining the contents of the mail header would be deviating from the purpose of this article thus skipping the details, there are many sites like that helps people who have no knowledge of mail header analysis technology to find mail headers online immediately. They can do this by searching “email header analyzer” on Google, helping them access the resources they need. 

The image below shows the details of the header we looked at using the mail header analysis system. 

 Information of the Attack Mail's Header That Bypassed the Anti-Spam System
Information of the Attack Mail’s Header That Bypassed the Anti-Spam System

Amongst the headers, X-Originating-IP records the IP address of the person who wrote the mail. In other words, if a hacker sent this email, you can deduce the fact that the IP address shown is the IP address of the PC they sent it from. 

IP Intelligence Analysis on Spam Mail’s Attack IP Address 

From looking into this IP address through Criminal IP (, we found that their servers are located in Taiwan. However, the mail did not use Chinese or Taiwanese nor did it seem like the content of the mail was suggesting to get a job at another country. 

Spam Attack IP Information Tracked By IP Intelligence Search Engine Criminal IP. Identified as a VPN Server in Taiwan
Spam Attack IP Information Tracked By IP Intelligence Search Engine Criminal IP. Identified as a VPN Server in Taiwan
Intelligence Analysis Result of Spam Attack IP Address, VPN is Operating at Port TCP/443
Intelligence Analysis Result of Spam Attack IP Address, VPN is Operating at Port TCP/443

For reference, the image below shows the banner results of TCP/443 HTTPS protocol.

HTTPS Protocol Banner Results of a Common Port TCP/443
HTTPS Protocol Banner Results of a Common Port TCP/443

Why OpenVPN Protocol is Implemented at Port TCP/443

The reason why OpenVPN protocol is implemented at port 443 is as follows:

When there is an attempt of VPN connection at corporate and institutions, internal security systems blocks them off because there is a risk of employees leaking internal information or there might be a malicious code encrypted traffic that went under the radar. However, if these OpenVPN ports are sent to port TCP/443 instead of the usual UDP/1194 port, access is often granted. In this case, outbound TCP/443 is blocked off to cut off all employees access to the internet.

That being said, common VPNs often have protocols like OpenVPN running on port TCP/443. By running VPN on a different port, a typical IoT search engine will detect the IP from a normal IP address, not the IP address ran from the VPN service. Even when you are detecting VPN IP addresses to block connections, you can avoid radar networks. We can say that the IP address that bypassed the anti-spam system and sent malicious mail is related to this. 

Analysis Results of the Spam Mail Attack Case

  • Resume sent to a company using VPN from Taiwan
  • The VPN port using OpenVPN is port TCP/443, not port UDP/1194
  • Seeing how they are using uncommon ports, it is clear that bypassing IP addresses is their motive

How to Handle Attacks That Bypasses Anti-Spam System Using IP Intelligence 

From an IP intelligence perspective, the following complementary strategies can be established: 

Useful strategies to use when dealing with IP addresses that attempt to circumvent anti-spam systems: 

  • With a plug-in that can connect to anti-spam system or spam filter, you can interlink that to a IP intelligence system that can detect VPN IP addresses
  • Check the X-Originating-IP by looking at the header of the mail and interlink that IP address to a IP intelligence system to review 
  • If the IP address of X-Originating-IP is determined to be the VPN IP address, the corresponding mail is confirmed to be a spam
  • If the VPN is set at an abnormal port number, detection should be carried out with higher priority
  • Apart from VPN, you can also detect whether the IP address is Tor IP address, hosting IP address or any other disreputable IP addresses 

Note that X-Originating-IP field often gets omitted depending on the mail server (Gmail does not log this field) so this strategy is not the perfect security fix to spam mails. However, by writing a code using detection logic and interlinking that with an anti-spam system will bring high level complementaries that are capable of detecting any attacks that penetrate through basic solutions.

IP address-based threat intelligence search engine Criminal IP provides interlinking Open API that can, as explained above, act as an IP intelligence complementary. After registering your Criminal IP account, use the search engine platform to search or get issued an API key at ‘My Page’ to quickly start interlinking. We also provide customizing and custom calls for any customers of enterprises that require a large number of API calls.

For more information on why enterprise and institution cybersecurity need OSINT and IP intelligence along with IP tracking and analysis of real-time attacks, please refer to our article ‘Government Servers Hacked by the Unseen Cryptojackers‘.

To see more use of Criminal IP, please contact our Sales Team.

Source : Criminal IP (

Related Article :