Kevin,

Two very important things here. The scammers are using BONDEDSENDER IPs, forged in the headers, in order to fool your system into passing this. You are clearly scanning on multiple hops, and any whitelist RBL that you are using needs to be limited to the last hop only, i.e.

BONDEDSENDER(DYNA)
AHBLEXEMPT(DYNA)

The naming convention will cause Declude to skip all but the last hop so that this won't happen. I've seen this before.

Scott, it might be nice to add a column to the definitions of these tests so that we can specify how many hops they will work on instead of relying on a naming convention. It also would be nice in some cases to have a way to define what hop to start scanning on, in the event that you want to score hits on the last hop, and hits on previous hops differently...maybe another column.

Another note to Kevin...I dumped AHBLEXEMPT fairly quickly because they have a good number of ISP mail servers listed, and as things stand, there is an increasing amount of spam that is being forwarded through such mail servers from zombies, which are challenging enough to detect without giving them extra credit. There are of course issues with BONDEDSENDER as well, but I won't rehash this except to say that you should review your scoring of them at a minimum.

Matt
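To make the hop point concrete, here is an added illustration (not code from Declude or from anyone on this list) that walks the Received chain of the message quoted below and scores two hypothetical whitelist tests either against every hop or against the last hop only. The whitelist contents and the negative weights are constructed for the example; the Received lines are trimmed copies of the ones in Kevin's message.

```python
import re

# Constructed sample: the Received chain from the quoted message, newest hop first.
# Only the first line was written by the receiving server, so only that relay IP
# (12.9.25.242) is something the local MTA actually observed; the rest is sender-supplied.
RECEIVED_HEADERS = [
    "from ns1.ssc-isp.net [12.9.25.242] by standardabrasives.com (SMTPD32-8.05) id A6F11B600C2",
    "from smtp1.nix.paypal.com ([64.4.240.74]) by ns1.ssc-isp.net (SAVSMTP 3.1.3.37) with SMTP",
    "from oma-krapp02.corp.ebay.com (oma-krapp02.corp.ebay.com [10.248.50.2]) by smtp1.nix.paypal.com",
]

# Hypothetical whitelist data: the set of IPs each test would hit on, and the weight
# a hit subtracts from the spam score. Both are constructed for this example only.
WHITELIST_TESTS = {
    "BONDEDSENDER": ({"64.4.240.74"}, -9),
    "AHBLEXEMPT": ({"64.4.240.74"}, -4),
}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def hop_ips(received):
    """Return the bracketed relay IP from each Received header, newest hop first."""
    ips = []
    for hdr in received:
        m = IP_RE.search(hdr)
        if m:
            ips.append(m.group(1))
    return ips


def score_whitelists(received, tests, last_hop_only):
    """Score whitelist tests against every hop, or only the last (newest) hop.

    Returns (total_score, names_of_tests_that_hit). With last_hop_only=False the
    forged paypal relay IP earns the whitelist credit; with True it does not.
    """
    ips = hop_ips(received)
    if last_hop_only:
        ips = ips[:1]  # the hop our own server recorded
    total, hits = 0, []
    for name, (listed, weight) in tests.items():
        if any(ip in listed for ip in ips):
            total += weight
            hits.append(name)
    return total, hits


if __name__ == "__main__":
    print("all hops: ", score_whitelists(RECEIVED_HEADERS, WHITELIST_TESTS, False))
    print("last hop: ", score_whitelists(RECEIVED_HEADERS, WHITELIST_TESTS, True))
```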



Kevin Bilbee wrote:

Here is the header and source information.

Kevin

Received: from ns1.ssc-isp.net [12.9.25.242] by standardabrasives.com
 (SMTPD32-8.05) id A6F11B600C2; Fri, 13 Feb 2004 15:00:01 -0800
Received: from smtp1.nix.paypal.com ([64.4.240.74])
by ns1.ssc-isp.net (SAVSMTP 3.1.3.37) with SMTP id M2004021314523504871
for <[EMAIL PROTECTED]>; Fri, 13 Feb 2004 14:52:35 -0800
Received: from oma-krapp02.corp.ebay.com (oma-krapp02.corp.ebay.com
[10.248.50.2])
by smtp1.nix.paypal.com (Postfix) with SMTP id 9672D3F7D2
for <[EMAIL PROTECTED]>; Fri, 13 Feb 2004 14:48:17 -0800 (PST)
Precedence: bulk
Auto-Submitted: auto-replied
Date: Fri, 13 Feb 2004 16:55:20 -0600
To: Kevin Bilbee <[EMAIL PROTECTED]>
Subject: AutoResponse - Email Returned SAXK  (KMM42611038V12917L0KM)
From: PayPal Customer Service 2 <[EMAIL PROTECTED]>
Reply-To: PayPal Customer Service 2 <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: text/plain; charset = "us-ascii"
Content-Transfer-Encoding: quoted-printable
X-Mailer: KANA Response 7.01.102
Message-Id: <[EMAIL PROTECTED]>
X-RBL-Warning: AHBLEXEMPT: Paypal
X-RBL-Warning: NOABUSE: Not supporting [EMAIL PROTECTED]
X-Declude-Sender: [EMAIL PROTECTED] [64.4.240.74]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for
spam.
X-Spam-Tests-Failed: AHBLEXEMPT, BONDEDSENDER, NOABUSE [-18]
X-Note: This E-mail was sent from smtp1.nix.paypal.com ([64.4.240.74]).
X-RemoteIp: [64.4.240.74]
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 373607793

Dear PayPal user,<br>
As part of our continuing commitment to protect your
account <br>and to reduce the instance of fraud on our
website, we are undertaking a <br>period review of our
member accounts.<p>
You are requested to visit our site by following the
link given below.<br>
<a href="http://216.55.162.5/";>
http://www.paypal.com/verification/%?6488820019=20</a><p>
Please fill in the required information.
This is required for us to continue to offer <br>you a
safe and risk free environment to send and receive
money online, <br>and maintain the PayPal Experience.<br>
Thank you.<p>
Accounts Management As outlined in our User Agreement,
PayPal will periodically <br>send you information about
site changes and enhancements. <br>Visit our Privacy
Policy and User Agreement if you have any questions.
<p>Copyright 2003 PayPal.<br> All Rights Reserved.
Designated trademarks and brands are the property of
their respective owners.</html>

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.





--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================

