> One of our customers forwarded us these headers of a porn spam which made it
> through Spamassassin:
>
> Return-Path: <[EMAIL PROTECTED]>
> Received: from paypal.com ([211.111.52.7])
> by merlin.boreal.org (8.12.11/8.12.11) with SMTP id i4H3CuUm007290
> for <snipped>; Sun, 16 May 2004 22:12:59 -0500 (CDT)
> Message-ID: <[EMAIL PROTECTED]>
Hum. I thought we had a ruleset that would check the dotquad against the 4
or 5 valid Paypal mail sources to catch this sort of thing. Maybe not, but
we probably should.
As you noticed, that isn't really a paypal address. For that matter, there
are only about 6 valid names at paypal that will send out mail, other than
possibly some real people now and then. And I believe all Paypal mail will
provide a message-id that is valid for paypal.
For instance, here are some valid paypal headers:
Received: from smtp-outbound.nix.paypal.com ([64.4.240.67])
by condor (EarthLink SMTP Server) with ESMTP id 1blv1B1U03NZFjK0
Received: from web31.sc5.paypal.com (web65.nix.paypal.com [10.192.2.65])
by smtp-outbound.nix.paypal.com (Postfix) with SMTP id F3F6B4F765E
Received: (qmail 23684 invoked by uid 99); 5 May 2004 22:37:59 -0000
Date: Wed, 05 May 2004 15:37:59 -0700
Message-Id: <[EMAIL PROTECTED]>
I can think of several checks:
- received with 'paypal.com' but not '.paypal.com'
- received with 'paypal.com ([' and the following 3 numbers aren't in a
  set of about 4 possibilities that I don't have written down here at the
  moment
- received from paypal.com and message-id doesn't contain '@paypal.com>'
- there aren't at least two chained paypal.com received headers
Loren
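The four checks Loren lists, applied to both sets of headers quoted above, as an added example that is not part of the original post or of SpamAssassin. It assumes an IP allow-list (the post says there are about four valid sources but does not list them, so only 64.4.240.67 from the quoted valid headers is included), constructed Message-IDs and addresses in place of the redacted ones, and loosens the literal '@paypal.com>' test to accept any host under paypal.com, since the valid sample was generated on web31.sc5.paypal.com.

```python
import re
from email import message_from_string

# Assumed allow-list: the post says there are "about 4" legitimate PayPal
# source IPs but lists none; 64.4.240.67 is taken from the valid headers.
KNOWN_PAYPAL_IPS = {"64.4.240.67"}

RECV_FROM = re.compile(r"\bfrom\s+(\S+)", re.I)
PAYPAL_IP = re.compile(r"paypal\.com\s+\(\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.I)
# Message-ID domain under paypal.com (loosened from the literal '@paypal.com>')
MSGID_PAYPAL = re.compile(r"@(?:[a-z0-9-]+\.)*paypal\.com>", re.I)

def paypal_checks(raw_headers):
    """Return the names of the checks from the post that fire on these headers."""
    msg = message_from_string(raw_headers)
    hits, paypal_hops = [], 0
    for recv in msg.get_all("Received", []):
        m = RECV_FROM.search(recv)
        if not m:
            continue                      # e.g. "(qmail ... invoked by uid 99)"
        name = m.group(1).lower()
        if name == "paypal.com":
            hits.append("bare_paypal_com")    # 'paypal.com' but not '.paypal.com'
            paypal_hops += 1
        elif name.endswith(".paypal.com"):
            paypal_hops += 1
        ip = PAYPAL_IP.search(recv)       # 'paypal.com ([a.b.c.d]' with unknown IP
        if ip and ip.group(1) not in KNOWN_PAYPAL_IPS:
            hits.append("unknown_paypal_ip")
    if paypal_hops:
        if not MSGID_PAYPAL.search(msg.get("Message-Id", "")):
            hits.append("msgid_not_paypal")
        if paypal_hops < 2:
            hits.append("single_paypal_hop")
    return hits

# Constructed samples: the Received lines follow those quoted in the post,
# with redacted addresses and Message-IDs replaced by made-up values.
SPAM = """Received: from paypal.com ([211.111.52.7])
\tby merlin.boreal.org (8.12.11/8.12.11) with SMTP id i4H3CuUm007290
Message-ID: <20040517031259.GA7290@mail.example.net>
"""
LEGIT = """Received: from smtp-outbound.nix.paypal.com ([64.4.240.67])
\tby condor (EarthLink SMTP Server) with ESMTP id 1blv1B1U03NZFjK0
Received: from web31.sc5.paypal.com (web65.nix.paypal.com [10.192.2.65])
\tby smtp-outbound.nix.paypal.com (Postfix) with SMTP id F3F6B4F765E
Received: (qmail 23684 invoked by uid 99); 5 May 2004 22:37:59 -0000
Message-Id: <20040505223759.23684.qmail@web31.sc5.paypal.com>
"""
```

`paypal_checks(SPAM)` fires all four checks, while `paypal_checks(LEGIT)` returns an empty list because the mail passed through two chained paypal.com hops from an allow-listed IP with a paypal.com Message-ID.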