More explicitly the sender has his machine identifying itself as
yahoo.com in the email transaction when it's really something quite
different. This is generally a positive indication of spam.
--8<--
Received: from yahoo.com (h-67-101-100-18.snfccasy.dynamic.covad.net [67.101.100.18])
        (authenticated bits=0)
        by mail837.megamailservers.com (8.12.10/8.12.9) with ESMTP id i6LJPNrc010128
        for <[EMAIL PROTECTED]>; Wed, 21 Jul 2004 15:25:23 -0400
--8<--
and
--8<--
Message-Id: <[EMAIL PROTECTED]>
--8<--
If he quits trying to lie about his source being yahoo.com he might get
past the spam filters. This triggered 10.1 points of spam tests. If he
really has yahoo.com as his ISP somehow then the rules authors need to
look at this again. (I'd simply recommend he not use yahoo.com as an ISP.
It will take years for people to clear this out of email filters. The
message triggers even more yahoo.com rules I have in my private rule
set. I ain't gonna change 'em either.)
{^_^}
----- Original Message -----
From: "Jim Maul" <[EMAIL PROTECTED]>
> Quoting Dan Karney <[EMAIL PROTECTED]>:
>
> > Someone at my company received an order inquiry from someone whose
> > return address was at a yahoo account, but they must have sent it from
> > another account. The message was tagged by several "Forged Yahoo"
> > rules and Faked HELO rules. Viewable at:
> > http://mail.photoresearchers.com/spam/false-neg20040722.txt
> >
> > If it hadn't been for a custom positive score and an AWL score, the
> > message would have gotten an 11.60. Why does this message look so
> > spammy?
>
> The answer is right there in the message itself:
>
> Content analysis details: (6.60 points, 5 required)
> RATWR8_MESSID (0.7 points) Message-ID has ratware pattern (excessive dashes and dollars)
> LOC_BADYAHOOMSGID1 (1.2 points) From Charles Gregory <[EMAIL PROTECTED]>
> RCVD_FAKE_HELO_DOTCOM (3.4 points) Received contains a faked HELO hostname
> USER_AGENT_APPLEMAIL (0.0 points) X-Mailer header indicates a non-spam MUA (Apple Mail)
> GOOD_PHOTOS (-2.5 points) BODY: decreases score because we get a lot of mail about photos
> RCVD_FAKE_HELO_DOTCOM_2 (2.8 points) Received contains a faked HELO hostname (2)
> FORGED_YAHOO_RCVD (2.7 points) 'From' yahoo.com does not match 'Received' headers
> RCVD_IN_NJABL (0.8 points) RBL: Received via a relay in dnsbl.njabl.org
>     [RBL check: found 18.100.101.67.dnsbl.njabl.org.,]
>     [type: 127.0.0.3]
> AWL (-2.5 points) AWL: Auto-whitelist adjustment
>
>
> When you ask "Why does this message look so spammy" I assume you mean "why did
> spamassassin mark this as spam".
>
> Jim
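
The mismatch discussed in this thread, a HELO of yahoo.com from a host whose reverse DNS is a Covad dynamic address, can be checked mechanically. The following is an added example, not part of the original messages and not SpamAssassin's rule code; the function names and the simplified sendmail-style Received pattern are assumptions, and the sample header is built from the one quoted above.

```python
import re

# Constructed from the Received header quoted in the thread (recipient redacted as on the page).
SAMPLE_RECEIVED = (
    "from yahoo.com (h-67-101-100-18.snfccasy.dynamic.covad.net [67.101.100.18]) "
    "(authenticated bits=0) "
    "by mail837.megamailservers.com (8.12.10/8.12.9) with ESMTP id i6LJPNrc010128 "
    "for <[EMAIL PROTECTED]>; Wed, 21 Jul 2004 15:25:23 -0400"
)

# Assumed sendmail-style layout: from <HELO> (<rDNS> [<IP>]) ... by <receiver>
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
)

def parse_received(value):
    """Return the HELO name, reverse-DNS name (or None) and IP of the sending host."""
    m = RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines
    if m is None:
        return None
    rdns = m.group("rdns")
    return {"helo": m.group("helo").lower().rstrip("."),
            "rdns": rdns.lower().rstrip(".") if rdns else None,
            "ip": m.group("ip")}

def under_domain(host, domain):
    """True if host is the domain itself or a subdomain of it (label-aligned match)."""
    return host == domain or host.endswith("." + domain)

def helo_claims_unbacked(value, claimed_domain="yahoo.com"):
    """True when the HELO names claimed_domain but the connecting host's rDNS does not."""
    hop = parse_received(value)
    if hop is None or not under_domain(hop["helo"], claimed_domain):
        return False
    # A host with no rDNS at all also fails to back up the claim.
    return hop["rdns"] is None or not under_domain(hop["rdns"], claimed_domain)

def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name: reversed IPv4 octets followed by the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

if __name__ == "__main__":
    print(parse_received(SAMPLE_RECEIVED))
    print(helo_claims_unbacked(SAMPLE_RECEIVED))
    print(dnsbl_query_name("67.101.100.18", "dnsbl.njabl.org"))
```

The rDNS name and IP in a Received line are only trustworthy when that line was written by a relay you control or trust, so apply the check to that hop rather than to headers further down the chain.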