How uncool is that?!


#1

I just moved 2 domains to DH - at last. And really excited about setting everything up… and the first thing I received was spam - with my own address as the sender. >: (

Very weird, it had two addresses in the “from” field, mine and someone else’s:
m.xxxxxx@spork.dreamhost.com; Ellen@syndicatesales.biz

So, aside from being kind of upset wondering how my address got pulled like this - from a server name (spork) somebody else knew I had before I even did - I’m wondering…

(1) how this happened? So I can make sure it doesn’t start a raft of spam, and

(2) if anybody has a good list of blocked addresses to add to the field for the discussion list?

btw, here is some of the ping from the rotten message, in case anyone could provide some info

Return-Path: ellen@syndicatesales.biz
Delivered-To: mXXXXXXX@spork.dreamhost.com
Received: from mx13.syndicatesales.biz (unknown [205.252.97.23])
by spork.dreamhost.com (Postfix)
Date: Thu, 15 Jan 2004 13:35:06 -0800
Message-ID: 1074202506.8296019751@mx13.syndicatesales.biz
From: m.xxxxxx@spork.dreamhost.com, Ellen@syndicatesales.biz
Subject: “The Quill” prevents Carpal Tunnel Syndrome
Content-type: multipart/alternative; boundary=1074202506.829601

This happened within hours of setting up my discussion list, which I set at “not public”. I would appreciate any advice available.


#2

Have a look at:
https://panel.dreamhost.com/kbase/index.cgi?area=2704

Does look like these are spammers, though - I’ll add them to our local blocks.


#3

Will,

Thanks so much for the reply; with any luck, syndicatesales.biz will be put out of ‘biz’ pretty quick if that’s the way they want to play.

I still have a lot to learn, thanks for pointing out that topic.


#4

[quote]
Very weird, it had two addresses in the “from” field, mine and someone else’s:
m.xxxxxx@spork.dreamhost.com; Ellen@syndicatesales.biz[/quote]

You could try to set up a Server Filter to reject messages with the mxxxxx user name in the From field to keep the messages out of your Inbox.

:cool: Perl / MySQL / HTML CSS


#5

I assume it wasn’t an “mxxxxx” username, but rather a literal m.xxxxxx. Could be wrong though.


#6

The mxxxx email address is mine, the ellen@whatever.biz was the spammer.

The reason why I thought this looked pretty dodgy and not just your usual harvest was because I had only just set up the discussion list, and only sent an email to 2 other of my own addresses, to test it and work out some settings and bugs before telling anyone about it, and I had it set on private.

I’ve never posted to any other list with this spork address and I only saw it for the first time while trying to get things sorted on the discussion list configuration.

So it does seem to be a very weird thing that it got grabbed like that, and I readily admit I have little idea about the inner workings of these things, but it seemed likely to me that a dreamhost customer is not on the level.

I really appreciate the replies from everyone. It’s amazing all of the things that DH offers, I hope I don’t bring about my own demise in trying to make use of them : ) and very glad to know people are around to help, thanks.


#7

Hrm - I may have misread this originally. Can you send the full headers to support? The logs don’t show the envelope-recipient(s) - only the final recipient itself.

I think there should be some other stuff after:

Received: from mx13.syndicatesales.biz (unknown [205.252.97.23])
by spork.dreamhost.com (Postfix)

– the original envelope-recipient should probably show up here, which I imagine would be an address at your domain. If it actually says:

for mxxxxxxxxx@spork.dreamhost.com
it’s possible that they’ve harvested your actual username from somewhere. Does the mxxxxxx@spork.dreamhost.com really show up in the From line?


#8

Hi Will,

Yes, the from line says:

myname@spork.dreamhost.com;Ellen@syndicatesales.biz

where myname@ is actually one of my email addresses, the part that comes before the @ is exactly the same, but it says @spork.dreamhost.com, instead of my actual domain name.

I took a screenshot of it so you could see what it looked like exactly as I received it but I don’t think there’s any way to send an image, so I’ll send a url where it can be viewed, if that would make any difference.

I’ll send the full header to support right now; glad I didn’t delete it.


#9

Right - that makes more sense. I responded to your support message, but basically what’s happening is that the spammer is adding the LHS (left hand side) of your email address to the From line, presumably in an attempt to avoid blocks. However, they’re not quoting it correctly, so the system adds its own hostname (as described in the kbase article again).
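
The rewrite described in post #9, as an added example that is not part of the thread and not DreamHost's or Postfix's code: it models a receiving host appending its own hostname to an address with no domain, plus the checks a filter could run on the From value. The sample From value and all function names are assumptions made for this illustration.

```python
# Added example: a model of the rewrite described in post #9, not Postfix code.
LOCAL_HOST = "spork.dreamhost.com"  # receiving host named in the thread
# Constructed sample: assumed form of the From value as the spammer sent it.
SENT_FROM = "m.xxxxxx, Ellen@syndicatesales.biz"

def split_mailboxes(value):
    """Split a From value on commas that are outside quotes and <...>."""
    parts, buf, in_quote, in_angle = [], [], False, False
    for ch in value:
        if ch == '"':
            in_quote = not in_quote
        elif ch in "<>" and not in_quote:
            in_angle = ch == "<"
        if ch == "," and not in_quote and not in_angle:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def addr_spec(mailbox):
    """Return the address from 'Name <addr>' or from a bare address."""
    m = mailbox.strip()
    if "<" in m and m.endswith(">"):
        return m[m.rindex("<") + 1:-1].strip()
    return m

def qualify(value, host=LOCAL_HOST):
    """Append the local hostname to any address that has no @domain."""
    out = []
    for mb in split_mailboxes(value):
        spec = addr_spec(mb)
        out.append(mb if "@" in spec else f"{spec}@{host}")
    return ", ".join(out)

def findings(value, recipient_local):
    """Checks a filter could apply to the From value before delivery."""
    specs = [addr_spec(m) for m in split_mailboxes(value)]
    notes = ["multiple mailboxes in From"] if len(specs) > 1 else []
    for spec in specs:
        if "@" not in spec:
            notes.append(f"unqualified address: {spec}")
        if spec.split("@", 1)[0].lower() == recipient_local.lower():
            notes.append(f"From reuses recipient local part: {spec}")
    return notes

if __name__ == "__main__":
    print(qualify(SENT_FROM))
    print(findings(SENT_FROM, "m.xxxxxx"))
```

The qualified output matches the From line quoted in post #1, which is why the address appears under the server's hostname rather than the customer's own domain.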