Spam from Dreamhost (spoof)


#1

First off, I’m quite sure Dreamhost doesn’t spam anybody, so this is not an accusation. I’m just wondering very much how come then that I get spam that appears to spoof Dreamhost?

I submitted this to SpamCop (because I want to bust those spammers) but I’d also like to raise the issue here to hear DH’s comments on it.

Here’s the header – I’ve replaced my domain with “mydomain.com”. Clearly it’s spam, and clearly it’s spoofed, but since DH is so incredibly keen on the non-spam frontier, how come then that they know the mail subdomain “plunder”? Am I being a noob? Admittedly, the “from” line is really weird!

Return-Path: <a_dmirador@hotmail.com>
Delivered-To: m3172755@plunder.dreamhost.com
Received: from 8.Red-81-36-150.pooles.rima-tde.net (8.Red-81-36-150.pooles.rima-tde.net [81.36.150.8])
    by plunder.dreamhost.com (Postfix) with SMTP id 538D886387
    for <writeus@mydomain.com>; Sun, 27 Jun 2004 06:09:57 -0700 (PDT)
Received: from [49.201.188.116] by 8.Red-81-36-150.pooles.rima-tde.net (MSD) Wed, 23 Jun 2004 22:35:25 -0700 (MSD)
Date: Thu, 24 Jun 2004 13:07:27 -0700
From: Privacy@plunder.dreamhost.com, Keeper@plunder.dreamhost.com, Inc.we@plunder.dreamhost.com, did@plunder.dreamhost.com, it@plunder.dreamhost.com, you can use VISA now!!! <a_dmirador@hotmail.com>
X-Mailer: Yamail [ http://yandex.ru ]
Reply-To: Lidia Hensley <chutz30@hotmail.com>
X-Priority: 3
Message-ID: <4673098010140033128699@hotmail.com>
To: writeus@mydomain.com
Subject: Review your account 5126826
MIME-Version: 1.0
Content-Type: text/html; charset=windows-1252
Content-Transfer-Encoding: 7bit

TorbenGB


#2

This is answered in this FAQ: https://panel.dreamhost.com/kbase/index.cgi?area=2704

Did you not notice what the usernames spell out?
This is most likely how the From header appeared when it was sent:

Recipients are separated by commas, so each comma-delimited part counts as a recipient, unless the comma is in a string enclosed by quotes, parentheses, or angle brackets, IIRC.

So the spammer was trying to make the From header in your mail client appear as a phrase instead of a list of recipients.

:cool: Perl / MySQL / HTML CSS
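
The comma rule described in the reply above, applied to the From header from the first post, as an added example that is not part of the original thread: it splits the header the way an address-list parser would, then rebuilds the phrase from the local parts that carry the receiving host's name. The function names and the "suspicious" heuristic are assumptions made for illustration.

```python
import re

# Constructed sample: the From header quoted in the first post.
FROM_HEADER = ("Privacy@plunder.dreamhost.com, Keeper@plunder.dreamhost.com, "
               "Inc.we@plunder.dreamhost.com, did@plunder.dreamhost.com, "
               "it@plunder.dreamhost.com, you can use VISA now!!! "
               "<a_dmirador@hotmail.com>")
RECEIVING_HOST = "plunder.dreamhost.com"  # host named in Delivered-To / Received "by"

def split_mailboxes(value):
    """Split on commas that are not inside quotes, parentheses or angle brackets."""
    parts, buf, depth, in_quote, escaped = [], [], 0, False, False
    for ch in value:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif not in_quote and ch in "(<":
            depth += 1
        elif not in_quote and ch in ")>" and depth:
            depth -= 1
        elif ch == "," and not in_quote and depth == 0:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def parse_mailbox(part):
    """Return (display phrase, address) for 'phrase <addr>' or a bare address."""
    m = re.fullmatch(r"(.*?)\s*<([^<>]*)>", part)
    return (m.group(1).strip(' "'), m.group(2).strip()) if m else ("", part)

def analyse_from(value, receiving_host):
    """Rebuild the phrase the recipient sees and flag a multi-mailbox From."""
    words, senders, local_count = [], [], 0
    boxes = [parse_mailbox(p) for p in split_mailboxes(value)]
    for phrase, addr in boxes:
        local, _, domain = addr.rpartition("@")
        if not phrase and domain.lower() == receiving_host.lower():
            words.append(local)      # bare word carrying the receiver's own host name
            local_count += 1
        else:
            words.extend([phrase] if phrase else [])
            senders.append(addr)
    return {"mailboxes": len(boxes), "phrase": " ".join(words),
            "senders": senders, "suspicious": len(boxes) > 1 and local_count > 0}
```

A From header that parses to more than one mailbox, with some of them at the receiving server's own host name, is the pattern seen in this message; a correctly quoted display name such as `"Doe, Jane" <jane@example.org>` still parses as a single mailbox.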


#3

No, I didn’t notice that the “senders” spelled yet another ad text if I skipped the “dreamhost.com” bits. Thanks for the explanation!


TorbenGB


#4

Received: from 8.Red-81-36-150.pooles.rima-tde.net (8.Red-81-36-150.pooles.rima-tde.net [81.36.150.8])
by plunder.dreamhost.com (Postfix) with SMTP id 538D886387
for writeus@mydomain.com; Sun, 27 Jun 2004 06:09:57 -0700 (PDT)

This part of the header actually spells it out clearly as SPAM, as the received from address is clearly outside of DH Network…

X-Mailer: Yamail [ http://yandex.ru ]

also gives it away as well :slight_smile: