Spam from inside Dreamhost?


#1

Just curious, yes the 145.175.133.246 is forged, but how do those
spammers forge the “208.113.197.26”? Isn’t that what blingymail-mx2
detects directly?

Received: from rolls (rolls.dreamhost.com [208.113.197.26])
    by blingymail-mx2.g.dreamhost.com (Postfix) with SMTP id A98FF2CC52
    for jidanni@jidanni.org; Tue, 14 Oct 2008 16:00:27 -0700 (PDT)
Received: from krrap (145.175.133.246)
    by rolls; Tue, 14 Oct 2008 16:00:27 -0700

Support says: the mail is not coming from rolls at all, as there are
no mail logs showing any sent mail from that server. It’s not
physically possible to send mail out to the blingy cluster directly
from rolls anyhow.


#2

Today I got another:
Received: from whittier (whittier.dreamhost.com [64.111.111.133])
    by blingymail-mx1.g.dreamhost.com (Postfix) with SMTP id B3C4144B04
    for jidanni@jidanni.org; Thu, 16 Oct 2008 04:43:50 -0700 (PDT)


#3

Here’s what a non-spam header looks like, on a test message I sent myself from my shell account:
Received: from crusty.g.dreamhost.com (lax-green-bigip-5.dreamhost.com [208.113.200.5])
    by blingymail-mx2.g.dreamhost.com (Postfix) with ESMTP id 6316C2CE1D
    for jidanni@jidanni.org; Thu, 16 Oct 2008 13:56:58 -0700 (PDT)

Blingymail couldn’t be making up the IP here, so how could the IPs of the two spam messages be forged?


#4

What’s the content of this spam?

Maximum Cash Discount on any plan with MAXCASH


#5

Russian spam. (The @dreamhost.com parts are automatically added due to the spam not having them when injected.) Isn’t that blingymail saying it got it from 208.113.197.26, and isn’t that a Dreamhost machine, and isn’t blingymail to be trusted to report IPs accurately?

Return-Path: Svetlana@dreamhost.com
Delivered-To: jidanni@blingymail-mx2.g.dreamhost.com
Received: from rolls (rolls.dreamhost.com [208.113.197.26])
    by blingymail-mx2.g.dreamhost.com (Postfix) with SMTP id A98FF2CC52
    for jidanni@jidanni.org; Tue, 14 Oct 2008 16:00:27 -0700 (PDT)
Received: from krrap (145.175.133.246)
    by rolls; Tue, 14 Oct 2008 16:00:27 -0700
Date: Tue, 14 Oct 2008 16:00:27 -0700
From: Svetlana@dreamhost.com
X-Mailer: The Bat! (v2.01)
X-Priority: 3 (Normal)
Message-ID: 40828344.20071106142943@dreamhost.com
To: jidanni@jidanni.org
Subject: …
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----------9F635DAE3EECA8"
Lines: 32

------------9F635DAE3EECA8
Content-Type: text/plain; charset=windows-1251
Content-Transfer-Encoding: 8bit


#6

Looks like it’s reporting krrap > rolls > blingy.

Are you associated with rolls in any way?


#7

[quote]Are you associated with rolls in any way?
[/quote]

No.

All I am asking is how could this number be forged?
Received: from … [208.113.197.26] by blingymail-mx…
I mean how could that number be forged, but the other parts of the line not forged?


#8

OK, DH staff gave me the answer (below) how it gets forged. I see. OK, thanks.

Easily, all someone needs to do is configure a computer with the same
hostname and IP info on their network card. It’s a little trouble, but
can be done. The IP isn’t delegated to their network, so nothing responds
on their end, but the headers show the connection from them.

Received: from … [208.113.197.26] by blingymail-mx…

That’s not the forged part. Blingy is accepting mail from that bad
server, as it should be doing.

They’re sending mail from the krrap server. That server has its
outgoing headers forging the “rolls” server and IP part of the headers.
They’re sending directly to blingy. Blingy then accepts mail from that
forged header server, as it should.
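The thread keeps circling one point worth making mechanical: in a Received line, only the hop your own MX wrote is evidence, and within that hop only the bracketed IP (the TCP peer the MX actually talked to) and the reverse-DNS name the MX looked up come from the receiver. The HELO name after "from", every deeper Received line, From, Return-Path and Message-ID are plain text chosen by whoever connected. The parser below (an added example, not code from the thread or from Dreamhost) walks a message's Received chain, finds the first hop written by a configured set of our own MX hosts, reports what that hop observed, and lists every IP below it as sender-claimed and unverifiable. It also flags two things visible in the quoted headers: the spam hop's HELO is a bare word ("rolls") where the legitimate message in post #3 HELOs with a full hostname, and the yyyymmddhhmmss stamp embedded in The Bat!-style Message-ID disagrees with the Date header by almost a year. The two samples are reconstructed from posts #5 and #3 with continuation lines indented so a standard parser unfolds them; the MX suffix ".g.dreamhost.com" is an assumption taken from those hostnames.

```python
"""Separate what our own MX observed from what the sender merely claimed
in a message's Received chain (added example, not from the forum thread)."""
import re
from datetime import datetime
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the spam headers quoted in post #5, body omitted.
SAMPLE_SPAM = """\
Return-Path: <Svetlana@dreamhost.com>
Delivered-To: jidanni@blingymail-mx2.g.dreamhost.com
Received: from rolls (rolls.dreamhost.com [208.113.197.26])
  by blingymail-mx2.g.dreamhost.com (Postfix) with SMTP id A98FF2CC52
  for <jidanni@jidanni.org>; Tue, 14 Oct 2008 16:00:27 -0700 (PDT)
Received: from krrap (145.175.133.246)
  by rolls; Tue, 14 Oct 2008 16:00:27 -0700
Date: Tue, 14 Oct 2008 16:00:27 -0700
From: Svetlana@dreamhost.com
X-Mailer: The Bat! (v2.01)
Message-ID: <40828344.20071106142943@dreamhost.com>
To: jidanni@jidanni.org
Subject: (omitted)

(body omitted)
"""

# Constructed sample: the legitimate self-sent message from post #3.
SAMPLE_LEGIT = """\
Received: from crusty.g.dreamhost.com (lax-green-bigip-5.dreamhost.com [208.113.200.5])
  by blingymail-mx2.g.dreamhost.com (Postfix) with ESMTP id 6316C2CE1D
  for <jidanni@jidanni.org>; Thu, 16 Oct 2008 13:56:58 -0700 (PDT)

(body omitted)
"""

# Matches the Postfix form "from HELO (rdns [ip]) by HOST" as well as the
# bare "from HELO (ip) by HOST" form of the inner, sender-written line.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\("
    r"(?:(?P<rdns>[^\s\[\]()]+)\s+)?\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)"
    r"\s+by\s+(?P<by>[^\s;()]+)"
)
# The Bat! embeds a yyyymmddhhmmss stamp in its Message-IDs.
MSGID_STAMP_RE = re.compile(r"\.(\d{14})@")


def parse_received(value):
    """Return one hop as a dict (helo, rdns, ip, by) or None if unparseable."""
    m = RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines
    return m.groupdict() if m else None


def analyze(raw, my_mx_suffix):
    """Classify the hops of a message whose MXs all share my_mx_suffix.

    Received lines are listed newest first, so the first hop whose "by"
    host is ours is the one our MX wrote; its IP came from the TCP
    connection. Every hop after it is text the sender chose to include.
    """
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    result = {"peer_ip": None, "peer_helo": None, "peer_rdns": None,
              "helo_is_fqdn": None, "unverified_ips": [],
              "msgid_date_skew_days": None}
    for i, hop in enumerate(hops):
        if hop and hop["by"].endswith(my_mx_suffix):
            result["peer_ip"] = hop["ip"]
            result["peer_helo"] = hop["helo"]
            result["peer_rdns"] = hop["rdns"]
            # A real mail host normally announces a full hostname in HELO.
            result["helo_is_fqdn"] = "." in hop["helo"]
            # Hops the sender wrote before reaching us are unverifiable.
            result["unverified_ips"] = [h["ip"] for h in hops[i + 1:] if h]
            break
    # Cross-check the Message-ID's embedded timestamp against the Date header.
    stamp = MSGID_STAMP_RE.search(msg.get("Message-ID", ""))
    date_hdr = msg.get("Date")
    if stamp and date_hdr:
        claimed = datetime.strptime(stamp.group(1), "%Y%m%d%H%M%S")
        dated = parsedate_to_datetime(date_hdr).replace(tzinfo=None)
        result["msgid_date_skew_days"] = abs((dated - claimed).days)
    return result


if __name__ == "__main__":
    for label, sample in (("spam", SAMPLE_SPAM), ("legit", SAMPLE_LEGIT)):
        print(label, analyze(sample, ".g.dreamhost.com"))
```

Run against the spam sample this reports the peer as 208.113.197.26 with reverse DNS rolls.dreamhost.com, a bare-word HELO, one unverifiable inner IP (145.175.133.246) and a Message-ID stamp 343 days older than the Date header; the post #3 sample reports a full-hostname HELO and nothing unverifiable. For a real deployment the suffix check would be replaced by an explicit list of your MX hostnames, since a sender can put any "by" name it likes in a line it writes itself.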