We had several messages from people at PayPal get rejected due to false positives from the rule SARE_FORGED_PAYPAL and SARE_FORGED_PAYPAL_C. The reason is that now PayPal is part of eBay and their email is no longer sent with any Received: headers containing the paypal.com domain. Their mail servers are now all in ebay.com. Here are the headers from a legit PayPal sender:
Received: from smtp1.oreilly.com (mercury.west.ora.com [172.17.146.22])
by roll.oreilly.com (Postfix) with ESMTP
id 3AA6D14A34; Thu, 19 Aug 2004 14:53:45 -0700 (PDT)
Received: from outbound4.ebay.com ([216.113.168.128]:48018 helo=csa002.corp.ebay.com)
by smtp1.oreilly.com with esmtp (Exim 4.34 #3 (Slackware))
id 1Bxups-0005cd-DL; Thu, 19 Aug 2004 14:52:55 -0700
Received: from [10.244.16.33] (HELO sjn-exm-03.corp.ebay.com)
by csa002.corp.ebay.com (CommuniGate Pro SMTP 4.1.8)
with ESMTP id 6499030; Thu, 19 Aug 2004 14:52:54 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.0.6487.1
content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Thu, 19 Aug 2004 14:52:54 -0700
Message-ID: <[EMAIL PROTECTED]>
X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Mail sent to oreilly.com that was rejected
Thread-Index: AcSGNrB9/by6Za/2SDKT9qOkwKprIAAAAy+w
From: "Redacted" <[EMAIL PROTECTED]>
To: "Bob Amen" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
The rule __RCVD_PAYPAL should be changed to look for ebay.com.
A side note is that eBay's mail service is so broken that the folks at PayPal had no idea we were rejecting their messages...the ebay mail servers didn't return the email to them with the 500 error I so carefully crafted. Eeesh. I am appalled at how many mail servers are poorly configured or just plain broken.
Cheers, Bob
--
Bob Amen
O'Reilly Media, Inc.
http://www.ora.com/
http://www.oreilly.com/