
Proxy chaining, onion routing, mixnets and phishing

Learn how phishers use proxy chaining, onion routing and mixnets to falsify their IP addresses to send you anonymous email.

The following is tip #6 from "Phishing exposed -- 10 tips in 10 minutes," excerpted from Chapter 3 of the book Phishing Exposed, published by Syngress Publishing.

When sending emails, most email clients do not support SOCKS, for the very reason that their authors do not want to contribute to the already existing spam epidemic. In this case, there are two options: use a bulk-mailing tool that supports proxies, including SOCKS, or use a program like SocksChain for Windows or Proxychains for UNIX. Such a program "proxifies" any connection you set up, so that any networked application can be used through SOCKS. With Proxychains you can also chain your proxies together to set a route and improve your odds against someone tracking you.

Let's "socksify" a Telnet session and create a proxy chain that we can use to send email and view the headers to relish our accomplished anonymity. To begin, we first need to set up our chain (see Figure 6):

Figure 6: Proxy Chain Setup

Next we set up our "socksify" host so that when we Telnet to port 1080, the connection is redirected to our mail server. As we Telnet to 1080, SocksChain automatically begins to build its route, as shown in Figure 7.

Figure 7: Established Chain of Proxies

We will now see the following:

Connected to
Escape character is '^]'.
220 ESMTP Postfix
HELO hostname
250 Hello [], pleased to meet you 
250 Ok
250 Ok
354 End data with <CR><LF>.<CR><LF>
Message body.
250 Ok: queued as 64A20E4D6A
221 Bye

And our email will look like the following:

Return-Path: <>
Received: by (Postfix, from userid 1999)
id 64A20E4D6A; Tue,  5 Apr 2005 22:21:17 -0700 (PDT)
Received: from hostname (
by (Postfix) with SMTP id 73F50EDD2B
  ; Tue,  5 Apr 2005 22:21:13 -0700 (PDT)
 Message-Id: <>
Date: Tue,  5 Apr 2005 22:21:13 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on
X-Spam-Status: No, hits=2.3 required=5.0 tests=
autolearn=no version=2.63
Message body.

In this example, notice that our IP address is now quite different from the one in the previous email, indicating that we have successfully sent an anonymous email.
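The "view the headers" step above is also what a mail administrator does in reverse when tracing where a message entered their system. As an added example (not code from the book or the article), the Python below walks the Received: headers of a message bottom-up to recover the delivery path and the address the first receiving MTA saw; the sample message is constructed, with RFC 5737 documentation addresses standing in for the IPs the excerpt blanks out.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (not from the excerpt): RFC 5737 documentation addresses
# stand in for the blanked-out IPs; the queue ids are the ones shown above.
SAMPLE_MESSAGE = """\
Return-Path: <sender@example.net>
Received: from mx1.example.org (mx1.example.org [203.0.113.10])
\tby mail.example.com (Postfix) with ESMTP id 64A20E4D6A;
\tTue,  5 Apr 2005 22:21:17 -0700 (PDT)
Received: from hostname (unknown [198.51.100.7])
\tby mx1.example.org (Postfix) with SMTP id 73F50EDD2B;
\tTue,  5 Apr 2005 22:21:13 -0700 (PDT)
Message-Id: <example@mail.example.com>
Date: Tue,  5 Apr 2005 22:21:13 -0700 (PDT)

Message body.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"\bfrom\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")
ID_RE = re.compile(r"\bid\s+([A-Za-z0-9]+)")

def _grab(pattern, text):
    m = pattern.search(text)
    return m.group(1) if m else None

def parse_received(value):
    """Split one Received: header into from/by/ip/id/time fields."""
    flat = " ".join(value.split())  # unfold continuation lines
    clause, _, stamp = flat.rpartition(";") if ";" in flat else (flat, "", "")
    return {"from": _grab(FROM_RE, clause), "ip": _grab(IP_RE, clause),
            "by": _grab(BY_RE, clause), "id": _grab(ID_RE, clause),
            "time": parsedate_to_datetime(stamp.strip()) if stamp.strip() else None}

def trace_path(raw_message):
    """Hops in delivery order. Each MTA prepends its Received: header, so the
    topmost header is the final hop; reversing get_all() gives the real order."""
    msg = message_from_string(raw_message)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]

def origin_ip(raw_message):
    """Address the first receiving MTA saw. Behind a proxy chain this is the
    chain's last proxy, which is all the recipient sees. Only headers added by
    MTAs you trust are reliable; anything below them may have been forged."""
    hops = trace_path(raw_message)
    return hops[0]["ip"] if hops else None
```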

Of course, there are more elements than just chaining arbitrary proxies together to "safely" send your phishing emails. In most cases, you would want to be on a proxy server that is outside the country you have targeted. This will help you establish some sort of safety zone so that you are untouchable by the law in the targeted country. If a proxy you used was located in the United States and you attacked an American target, there is a very good chance that the proxy would be served a subpoena for the logs in a very short amount of time. In comparison, depending on your actual location and whether the foreign authorities had any interest, the length of time it would take to get any help from the foreign proxy, even if they kept logs, would be next to a millennium, if at all. Many phishers count on the fact that they are not in the country they are targeting, which gives them sort of an added invincibility, although this depends on the country they are physically located in. An ever-growing method that is being implemented by phishers and spammers today is the botnet approach, which allows spammers to use drones of victim computers to perform their evil deeds. We cover botnets in detail in a later chapter.

From law enforcement's perspective, the ability to track quickly is essential to apprehending these criminals. But on the other side of the fence are the privacy advocates, who also have a valid point regarding anonymity. In the esoteric world of cryptography—specifically, the approach to addressing true anonymity, in which anonymity, according to Paul Syverson, has a stricter definition of "being indistinguishable in a group"—the Electronic Frontier Foundation (EFF) is supporting an anonymous Internet communication system. The intent and purpose of the system is to prevent any type of network traffic analysis from being successful at all. Traffic analysis is a form of surveillance that assists in establishing who is communicating with whom over a public network. The information gathered by this type of analysis allows investigators to profile the habits, behavior, and interests of a certain group. This system is known as The Onion Router, or TOR. Ironically, onion-routing research was first done by the U.S. Navy, in a rumored effort to protect the military's interests regarding their access to Web sites without giving away the fact that they are the ones accessing them. Another ironic point is that they encouraged the public community to run onion routers, thus performing a public duty to protect the military.

But now that it is supported by the EFF, the political and legal opposition to TOR from some world governments, along with the question of "What if?", has begun, especially in a time when cyber-crime is rising at an extremely aggressive rate. Technologies like TOR that allow anonymous communication would only put us farther away from tracking the individuals; as though it weren't difficult enough to keep up with their rate of attacks, now they could fully cloak themselves in a "darknet". Other systems that implement David Chaum's Mixnet concepts, such as JAP and Freedom, could pose a threat to the tracking technology used by forensic investigators and law enforcement agencies. Given that the systems are all still in a primitive state compared to their ambitious goals, phishers have not been observed gravitating to these bleeding-edge technological hopes. That does not mean darknets, mixnets, and onion routers alike won't take the stage for the phisher at some point. A good majority of phishers reside in Europe, and so far, the trend has shown that countries outside the United States are not exactly afraid to play with esoteric technology. Because a major element of successfully committing electronic fraud is not getting caught, I won't be surprised to see the trading underground move to darknets to conduct their communication and material trades. An Australian bank is using an optional scramble pad for its customers' security—something we won't see in the United States due to possible customer inconvenience.


This chapter excerpt from Phishing Exposed, by Lance James, is printed with permission from Syngress Publishing, Copyright 2005.
