[Scspamcop] Possible Error In Spamcop Parsing of Headers

Blue Rock nobody at devnull.spamcop.net
Tue Jul 8 11:14:11 EDT 2008


I received this email:

http://www.spamcop.net/sc?id=z2050776314z4dc8498a8888fa667c2f09617b5c1cf1z

which I reported to Spamcop.  Since it was obviously spam, I didn't even 
read it, until I saw how Spamcop had handled the headers.

Here is what Spamcop said about the headers:

   0: Received: from mail.sunshinecable.com (mail.sunshinecable.com [209.52.200.3]) by spunkymail-mx10.g.dreamhost.com (Postfix) with ESMTP id 83A42FE19 for <x>; Sun, 6 Jul 2008 21:46:59 -0700 (PDT)
   Hostname verified: mail.sunshinecable.com
   dreamhost received mail from sending system 209.52.200.3

   1: Received: from localhost (localhost [127.0.0.1]) by mail.sunshinecable.com (Postfix) with ESMTP id 56C22485E62; Sun, 6 Jul 2008 09:16:35 -0700 (PDT)
   Internal handoff by trusted site 209.52.200.3

   2: Received: from mail.sunshinecable.com ([127.0.0.1]) by localhost (mail [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 12065-02; Sun, 6 Jul 2008 09:16:29 -0700 (PDT)
   Internal handoff at dreamhost

   3: Received: from 192.168.1.34 (192.168.1.34 [192.168.1.34]) by mail.sunshinecable.com (Horde MIME library) with HTTP; Sun, 06 Jul 2008 09:09:33 -0700
   Internal handoff by trusted site 209.52.200.3

Spamcop's handling of the first header (0:) makes sense.  The handling of 
the second header (1:) says that it was an internal handoff by a trusted 
site.  What makes mail.sunshinecable.com a "trusted site"?

The third header (2:) is the really puzzling one.  Why does it say that this 
was an internal handoff at "dreamhost"?  Dreamhost is my own domain host. 
At that point in the header chain, the message should have been in 
sunshinecable's system.  Dreamhost has never added headers for internal 
handoffs like this, in any message I have received.  And it has never added 
a header that would be out-of-sequence like this.

In the end, it looks like the spam was correctly reported to 
sunshinecable.com, despite the messed-up interpretation of the headers. 
But, I wanted to call this to the attention of someone at Spamcop, because 
it suggests an error in the parsing algorithm (where it thinks that third 
header was somehow linked to Dreamhost).

Now, in addition to the odd interpretation of the header, which prompted me 
to actually view this message, I also wanted to call attention to the 
message itself, which is both comical, and vaguely threatening.  This person 
seems to be saying he will hack both my email and my bank account, if I 
_do_not_ report him to the FBI, and/or if I do not contact him at the 
provided email address.  I can't really figure out what I am supposed to do 
(or not do) to avoid being hacked, or what the "treat" is, or what the 
spammer hopes to gain by sending this message.

(And, yes, Mike, I know it isn't productive to discuss the motivations of 
the spammers, but I thought this one was unusual).

Finally, I wanted to wish you all the best, just in case this is my last 
posting here.  After all, I am about to be hacked by the Master Of All 
Hackers! 
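As an added illustration (not code from this post, nor SpamCop's actual parser), the following walks the four Received headers quoted above top-down the way the printed labels suggest: hops written by the reporter's own provider (assumed here to be dreamhost.com) are trusted, the first trusted hop that accepted mail from a public address names the sending system, and every hop below that line belongs to the sender's side, which is where header 2 should have been attributed. The header strings are the ones from the post, re-joined onto single lines.

```python
import ipaddress
import re

# Constructed sample: the four Received headers quoted in the post, unwrapped
# and kept in header order (top of message = most recent hop).
RECEIVED = [
    "from mail.sunshinecable.com (mail.sunshinecable.com [209.52.200.3]) "
    "by spunkymail-mx10.g.dreamhost.com (Postfix) with ESMTP id 83A42FE19 "
    "for <x>; Sun, 6 Jul 2008 21:46:59 -0700 (PDT)",
    "from localhost (localhost [127.0.0.1]) by mail.sunshinecable.com "
    "(Postfix) with ESMTP id 56C22485E62; Sun, 6 Jul 2008 09:16:35 -0700 (PDT)",
    "from mail.sunshinecable.com ([127.0.0.1]) by localhost (mail [127.0.0.1]) "
    "(amavisd-new, port 10024) with ESMTP id 12065-02; Sun, 6 Jul 2008 "
    "09:16:29 -0700 (PDT)",
    "from 192.168.1.34 (192.168.1.34 [192.168.1.34]) by mail.sunshinecable.com "
    "(Horde MIME library) with HTTP; Sun, 06 Jul 2008 09:09:33 -0700",
]

# "from <name> (<comment> [<ip>]) by <host>": the bracketed IP is what the
# receiving MTA observed; the bare name is only what the peer claimed.
HOP_RE = re.compile(r"^from\s+(\S+)\s*(?:\([^\[\)]*\[([\d.]+)\]\))?\s+by\s+(\S+)", re.I)

def parse_hop(line):
    """Return {'helo', 'ip', 'by'} for one Received header, or None."""
    m = HOP_RE.match(line)
    if not m:
        return None
    helo, ip, by_host = m.groups()
    return {"helo": helo, "ip": ip, "by": by_host}

def trace(received, my_domain):
    """Label each hop. Only headers written by my_domain are trusted; the
    first trusted hop fed by a public IP names the sending system, and all
    hops below it were written by (or forged on) that system's side."""
    source_ip, labels = None, []
    for line in received:
        hop = parse_hop(line)
        if hop is None:
            labels.append("unparsed")
            continue
        ip = hop["ip"]
        internal = ip is None or ipaddress.ip_address(ip).is_private
        if source_ip is None:
            if hop["by"].endswith(my_domain) and not internal:
                source_ip = ip
                labels.append(f"{my_domain} received mail from sending system {ip}")
            else:
                labels.append(f"internal handoff at {my_domain}")
        else:
            labels.append(f"internal handoff by sending system {source_ip}")
    return source_ip, labels
```

Run against the sample, hop 0 yields the reportable source 209.52.200.3 and hops 1 to 3, the localhost and 192.168.1.34 hops included, are all attributed to that sending system rather than to the receiver.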
