> We had several messages from people at PayPal get rejected due to
> false positives from the rule SARE_FORGED_PAYPAL and
> SARE_FORGED_PAYPAL_C. The reason is that now PayPal is part of eBay and
> their email is no longer sent with any Received: headers containing the
> paypal.com domain. Their mail servers are now all in ebay.com. Here are
> the headers from a legit PayPal sender:
What you say is unfortunately not completely true, which complicates the
problem somewhat.
PayPal is indeed part of eBay and has been for more than a year.
However, as well as sending from eBay servers, they are still sending from
PayPal servers.
Here is a (slightly munged) header I got from them a couple hours ago:
Return-Path: <[EMAIL PROTECTED]>
Received: from smtp-outbound.nix.paypal.com ([64.4.240.67])
    by killdeer (EarthLink SMTP Server) with ESMTP id 1bXETf2C63NZFlr0
    for <user>; Wed, 18 Aug 2004 21:51:05 -0700 (PDT)
Received: from web30.sc5.paypal.com (web95.nix.paypal.com [10.192.2.95])
    by smtp-outbound.nix.paypal.com (Postfix) with SMTP id C55CE3CC10E
    for <user>; Wed, 18 Aug 2004 21:51:04 -0700 (PDT)
Received: (qmail 16129 invoked by uid 99); 19 Aug 2004 04:51:04 -0000
Date: Wed, 18 Aug 2004 21:51:04 -0700
Message-Id: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
From: [EMAIL PROTECTED]
To: user
Subject: Receipt for Your Payment
So it looks like the rule has to be changed to allow either ebay or paypal
received headers, and should probably ensure that they match.
Loren
>
> Received: from smtp1.oreilly.com (mercury.west.ora.com [172.17.146.22])
>     by roll.oreilly.com (Postfix) with ESMTP
>     id 3AA6D14A34; Thu, 19 Aug 2004 14:53:45 -0700 (PDT)
> Received: from outbound4.ebay.com ([216.113.168.128]:48018
>     helo=csa002.corp.ebay.com)
>     by smtp1.oreilly.com with esmtp (Exim 4.34 #3 (Slackware))
>     id 1Bxups-0005cd-DL; Thu, 19 Aug 2004 14:52:55 -0700
> Received: from [10.244.16.33] (HELO sjn-exm-03.corp.ebay.com)
>     by csa002.corp.ebay.com (CommuniGate Pro SMTP 4.1.8)
>     with ESMTP id 6499030; Thu, 19 Aug 2004 14:52:54 -0700
> X-MimeOLE: Produced By Microsoft Exchange V6.0.6487.1
> content-class: urn:content-classes:message
> MIME-Version: 1.0
> Date: Thu, 19 Aug 2004 14:52:54 -0700
> Message-ID: <[EMAIL PROTECTED]>
> X-MS-Has-Attach:
> X-MS-TNEF-Correlator:
> Thread-Topic: Mail sent to oreilly.com that was rejected
> Thread-Index: AcSGNrB9/by6Za/2SDKT9qOkwKprIAAAAy+w
> From: "Redacted" <[EMAIL PROTECTED]>
> To: "Bob Amen" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
>
> The rule __RCVD_PAYPAL should be changed to look for ebay.com.
>
> A side note is that eBay's mail service is so broken that the folks
> at PayPal had no idea we were rejecting their messages...the ebay mail
> servers didn't return the email to them with the 500 error I so
> carefully crafted. Eeesh. I am appalled at how many mail servers are
> poorly configured or just plain broken.
>
> Cheers,
> Bob
>
> --
> Bob Amen
> O'Reilly Media, Inc.
> http://www.ora.com/
> http://www.oreilly.com/
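
Added example, not part of the original thread and not the SARE rule itself: a Python sketch of the check proposed in the reply, treating a message that claims a paypal.com sender as forged unless the hop that crossed into the recipient's network came from a paypal.com or ebay.com relay. The internal address ranges, the From value and the FAKE sample are assumptions constructed here, and the name after `from` is used as the receiving MTA recorded it, which in some Received formats is only the unverified HELO string.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

ALLOWED = ("paypal.com", "ebay.com")  # relay domains named in the thread
INTERNAL = [ip_network(n) for n in   # assumed "our side" address ranges
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# "from <name> ... [<ip>]": the name and first bracketed IPv4 a hop recorded.
HOP = re.compile(r"from\s+(\S+)\s.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)

def is_internal(ip):
    try:
        return any(ip_address(ip) in net for net in INTERNAL)
    except ValueError:  # malformed octets: never usable as the boundary hop
        return True

def boundary_hop(msg):
    """Newest hop received from a non-internal IP, as (name, ip), or None.
    Hops older than this one were supplied by the sender and prove nothing."""
    for value in msg.get_all("Received", []):
        m = HOP.search(value)
        if m and not is_internal(m.group(2)):
            return m.group(1).lower(), m.group(2)
    return None

def in_domain(name, domains):
    return any(name == d or name.endswith("." + d) for d in domains)

def forged_paypal(raw):
    """True if From claims paypal.com but the boundary relay is not a
    paypal.com or ebay.com host."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not in_domain(sender, ("paypal.com",)):
        return False
    hop = boundary_hop(msg)
    return hop is None or not in_domain(hop[0], ALLOWED)

# Received values are from the thread; FROM and FAKE are constructed samples.
FROM = "From: sender@paypal.com\n\nbody\n"
VIA_PAYPAL = "Received: from smtp-outbound.nix.paypal.com ([64.4.240.67]) by killdeer\n" + FROM
VIA_EBAY = ("Received: from smtp1.oreilly.com (mercury.west.ora.com [172.17.146.22]) by roll.oreilly.com\n"
            "Received: from outbound4.ebay.com ([216.113.168.128]:48018 helo=csa002.corp.ebay.com) by smtp1.oreilly.com\n" + FROM)
FAKE = ("Received: from mail.example.net ([203.0.113.9]) by mx.example.org\n"
        "Received: from smtp-outbound.nix.paypal.com ([64.4.240.67]) by mail.example.net\n" + FROM)
```

Both legitimate samples from the thread pass, while FAKE is flagged because its paypal.com Received line sits below the boundary hop, where the sending side could have written anything.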