Thanks to everyone who responded to this. The responses make the user think again about the purchase. Combined with a couple strange details like the seller appeared to be U.S.-based at first and then became foreign; the price more than doubled; PayPal was removed as a payment option leaving only Western Union, it really looks like a scam. Anyway, the user decided against the purchase and this is apparently NOT a FP. So, good think it scores so high or I probably wouldn't have thought twice about why it ended up in the spam folder to begin with.
Thanks again, Bret > -----Original Message----- > From: Pierre Thomson [mailto:[EMAIL PROTECTED] > Sent: Wednesday, September 28, 2005 10:38 AM > To: Bret Miller > Cc: users@spamassassin.apache.org > Subject: RE: SARE_FORGED_EBAY FP?? > > Definitely not a false positive! And considering that it is > promoting and purportedly protecting the sale of an expensive > ($2210) item outside of eBay, and demanding a Western Union > money transfer (no, no, no!) I would treat it with the utmost > suspicion. > > Other anomalies: > > - as Justin points out, the sender IP is a dynamic AOL address > - the message was sent via webmail (first hop is HTTP) > - note the header "X-RocketYMMF: cacabeat99"; that gives a > clue to the Yahoo ID of the sender. > > The text seems to be cut-n-pasted from an actual eBay email. > But that gives it no authenticity. > > Bottom line: SARE_FORGED_EBAY is working just fine! > > Pierre Thomson > BIC > > > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > Sent: Wednesday, September 28, 2005 12:21 PM > To: Bret Miller > Cc: users@spamassassin.apache.org > Subject: Re: SARE_FORGED_EBAY FP?? > > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > Definitely sent from Yahoo! Mail through their webmail interface, > by the user "cacabeat99", at IP address 172.179.255.127 (AOL space): > > Received: (qmail 94635 invoked by uid 60001); 27 Sep 2005 > 14:12:13 -0000 > Message-ID: > <[EMAIL PROTECTED]> > Received: from [172.179.255.127] by > web203.biz.mail.re2.yahoo.com via > HTTP; Tue, 27 Sep 2005 07:12:13 PDT > X-RocketYMMF: cacabeat99 > > I'd suspect someone on his auctions is spoofing eBay mails to > fool him. > > - --j. > > "Bret Miller" writes: > > I have a user who swears this message is legit and has been > dealing with > > this seller through ebay. I warned him that hitting SARE_FORGED_EBAY > > isn't a good thing, but that I would report what seems to > him to be a > > false positive on it. The thing that gets me is that it claims to be > > from ebay, but comes from a yahoo server. Here is the > message that hit: > > > > X-Spam-Tests: > > tests=BAYES_00=-2.599,HTML_MESSAGE=0.001,J_CHICKENPOX_44=0.6, > > J_CHICKENPOX_48=0.6,J_CHICKENPOX_52=0.6,J_CHICKENPOX_55=0.6, > > > > > J_CHICKENPOX_73=0.6,RCVD_IN_MXRATE_WL=-1,SARE_FORGED_EBAY=104; > autolearn= > > no > > X-Spam-Score: 103.4 > > X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on > > mail.hq.wcg.org > > X-Spam-Level: ++++++++++++++++++++++++++++++++++++++++++++++++++ > > X-TFF-CGPSA-Version: 1.4 > > X-WCG-CGPSA-Filter: Scanned > > Return-Path: <[EMAIL PROTECTED]> > > Received: from web203.biz.mail.re2.yahoo.com > ([68.142.224.165] verified) > > by mail.wcg.org (CommuniGate Pro SMTP 4.3.6) > > with SMTP id 14560007 for [EMAIL PROTECTED]; Tue, 27 Sep 2005 > > 07:12:32 -0700 > > Received: (qmail 94635 invoked by uid 60001); 27 Sep 2005 > 14:12:13 -0000 > > Message-ID: > <[EMAIL PROTECTED]> > > Received: from [172.179.255.127] by > web203.biz.mail.re2.yahoo.com via > > HTTP; Tue, 27 Sep 2005 07:12:13 PDT > > X-RocketYMMF: cacabeat99 > > Date: Tue, 27 Sep 2005 07:12:13 -0700 (PDT) > > From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> > > Reply-To: [EMAIL PROTECTED] > > Subject: eBay International Second Chance Offer Invoice for Item: > > 8333405041 > > To: [EMAIL PROTECTED] > > MIME-Version: 1.0 > > Content-Type: multipart/alternative; > > boundary="0-1651436707-1127830333=:91265" > > Content-Transfer-Encoding: 8bit > > > > --0-1651436707-1127830333=:91265 > > Content-Type: text/plain; charset=iso-8859-1 > > Content-Transfer-Encoding: 8bit > > > > Buying new items, brand names, and collectibles on eBay > is simple. > > Here's how it works... Congratulations, eBay transaction started! > > * Current status: Payment pending. Purchase protection granted. > > > > > > Dear rryd.thornton ( 54) , > > > > After verifying the trustworthiness of the seller nurit214 ( 1028) > > and the availability of the merchandise for immediate > shipping, we have > > approved your buy it now transaction and offered you as the buyer, > > full purchase protection for the amount you agreed on with > the seller. > > > > > > Complete your eBay transaction in 5 easy steps: > > ************************************************* > > > > 1-Buyer and seller agree on the transaction terms and a > selling price. > > 2-Seller contacts eBay with the transaction details. > > eBay accepts the transaction and offers purchase protection to the > > buyer (if the transaction is declined, no further action > is required > > from either the buyer or the seller). > > 3-The buyer sends payment. After the payment > > cleared, the seller must notify eBay. Buyer will send the payment > > details directly to the seller email address. The seller has three > > business days to send the buyer and eBay the tracking number of the > > shipment. If no tracking number is provided, a full refund is > > immediately sent to the buyer; > > 4-Buyer receives the merchandise and has five days to inspect it. > > If it is complete and as described, the buyer should accept the > > merchandise. > > If he refuses the merchandise, the buyer must ship the merchandise > > back to the seller within three business days. > > 5-After the inspection period is over, the buyer must > contact eBay with > > the result of the inspection. If the buyer refuses the merchandise, > > the refund will be sent to the buyer after the tracking > number for the > > returned shipment is verified. > > > > To enjoy the purchase protection, you must send the payment by the > > insured payment method below. > > Attention: Sending the payment by any other method will void this > > transaction and your right to refund. > > > > Details and instructions of this transaction: > > > > * The following item(s) are protected in this eBay transaction: > > Item name: RARE 1896 $5.00 SILVER CERTIFICATE "EDUCATIONAL NOTE"Item > > price:US $2,210.50/ Amount insuredShipping price:Ready to ship / The > > Item price includes shipping and insurance > fees.Payment:Pending Seller's > > verified payment address:Jim Oliver > > 112 Edith Road > > London,W14 9AP > > United Kingdom Buyer's shipping address: > > Jerry Thornton > > PO Box 50602 > > Pasadena, CA 91115-0602 > > United States > > > > > > > > Date of verification: Sept-24-2005 > > Payment must be sent by: Western Union Money Transfer > > Next step to be taken: The buyer must send > the payment to > > the seller > > * Complete your eBay transaction: > > > > Payment instructions: > > > > To submit the payment with Western Union Money Transfer, > you have two > > options: > > > > 1. Pay for the transfer with cash at a local Western Union agent. > > Click here to locate the agents in your area > > http://www.westernunion.com/info/agentInquiryIntl.asp > > > > 2. If you are now in the USA and need to use a credit/debit card > > (Visa or MC), call 1-800-CALL-CASH and make the payment to > the verified > > name > > of the seller. An additional fee will be charged on most > cards because > > this transaction will be considered a cash advance on your card. > > > > ... > >
