-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Ah, I missed the Western Union aspect. In that case, it's unquestionably a scam ;) - --j. "Bret Miller" writes: > Thanks to everyone who responded to this. The responses make the user > think again about the purchase. Combined with a couple strange details > like the seller appeared to be U.S.-based at first and then became > foreign; the price more than doubled; PayPal was removed as a payment > option leaving only Western Union, it really looks like a scam. Anyway, > the user decided against the purchase and this is apparently NOT a FP. > So, good think it scores so high or I probably wouldn't have thought > twice about why it ended up in the spam folder to begin with. > > Thanks again, > Bret > > > -----Original Message----- > > From: Pierre Thomson [mailto:[EMAIL PROTECTED] > > Sent: Wednesday, September 28, 2005 10:38 AM > > To: Bret Miller > > Cc: users@spamassassin.apache.org > > Subject: RE: SARE_FORGED_EBAY FP?? > > > > Definitely not a false positive! And considering that it is > > promoting and purportedly protecting the sale of an expensive > > ($2210) item outside of eBay, and demanding a Western Union > > money transfer (no, no, no!) I would treat it with the utmost > > suspicion. > > > > Other anomalies: > > > > - as Justin points out, the sender IP is a dynamic AOL address > > - the message was sent via webmail (first hop is HTTP) > > - note the header "X-RocketYMMF: cacabeat99"; that gives a > > clue to the Yahoo ID of the sender. > > > > The text seems to be cut-n-pasted from an actual eBay email. > > But that gives it no authenticity. > > > > Bottom line: SARE_FORGED_EBAY is working just fine! > > > > Pierre Thomson > > BIC > > > > > > -----Original Message----- > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > > Sent: Wednesday, September 28, 2005 12:21 PM > > To: Bret Miller > > Cc: users@spamassassin.apache.org > > Subject: Re: SARE_FORGED_EBAY FP?? > > > > > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > > > Definitely sent from Yahoo! Mail through their webmail interface, > > by the user "cacabeat99", at IP address 172.179.255.127 (AOL space): > > > > Received: (qmail 94635 invoked by uid 60001); 27 Sep 2005 > > 14:12:13 -0000 > > Message-ID: > > <[EMAIL PROTECTED]> > > Received: from [172.179.255.127] by > > web203.biz.mail.re2.yahoo.com via > > HTTP; Tue, 27 Sep 2005 07:12:13 PDT > > X-RocketYMMF: cacabeat99 > > > > I'd suspect someone on his auctions is spoofing eBay mails to > > fool him. > > > > - --j. > > > > "Bret Miller" writes: > > > I have a user who swears this message is legit and has been > > dealing with > > > this seller through ebay. I warned him that hitting SARE_FORGED_EBAY > > > isn't a good thing, but that I would report what seems to > > him to be a > > > false positive on it. The thing that gets me is that it claims to be > > > from ebay, but comes from a yahoo server. Here is the > > message that hit: > > > > > > X-Spam-Tests: > > > tests=BAYES_00=-2.599,HTML_MESSAGE=0.001,J_CHICKENPOX_44=0.6, > > > J_CHICKENPOX_48=0.6,J_CHICKENPOX_52=0.6,J_CHICKENPOX_55=0.6, > > > > > > > > J_CHICKENPOX_73=0.6,RCVD_IN_MXRATE_WL=-1,SARE_FORGED_EBAY=104; > > autolearn= > > > no > > > X-Spam-Score: 103.4 > > > X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on > > > mail.hq.wcg.org > > > X-Spam-Level: ++++++++++++++++++++++++++++++++++++++++++++++++++ > > > X-TFF-CGPSA-Version: 1.4 > > > X-WCG-CGPSA-Filter: Scanned > > > Return-Path: <[EMAIL PROTECTED]> > > > Received: from web203.biz.mail.re2.yahoo.com > > ([68.142.224.165] verified) > > > by mail.wcg.org (CommuniGate Pro SMTP 4.3.6) > > > with SMTP id 14560007 for [EMAIL PROTECTED]; Tue, 27 Sep 2005 > > > 07:12:32 -0700 > > > Received: (qmail 94635 invoked by uid 60001); 27 Sep 2005 > > 14:12:13 -0000 > > > Message-ID: > > <[EMAIL PROTECTED]> > > > Received: from [172.179.255.127] by > > web203.biz.mail.re2.yahoo.com via > > > HTTP; Tue, 27 Sep 2005 07:12:13 PDT > > > X-RocketYMMF: cacabeat99 > > > Date: Tue, 27 Sep 2005 07:12:13 -0700 (PDT) > > > From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> > > > Reply-To: [EMAIL PROTECTED] > > > Subject: eBay International Second Chance Offer Invoice for Item: > > > 8333405041 > > > To: [EMAIL PROTECTED] > > > MIME-Version: 1.0 > > > Content-Type: multipart/alternative; > > > boundary="0-1651436707-1127830333=:91265" > > > Content-Transfer-Encoding: 8bit > > > > > > --0-1651436707-1127830333=:91265 > > > Content-Type: text/plain; charset=iso-8859-1 > > > Content-Transfer-Encoding: 8bit > > > > > > Buying new items, brand names, and collectibles on eBay > > is simple. > > > Here's how it works... Congratulations, eBay transaction started! > > > * Current status: Payment pending. Purchase protection granted. > > > > > > > > > Dear rryd.thornton ( 54) , > > > > > > After verifying the trustworthiness of the seller nurit214 ( 1028) > > > and the availability of the merchandise for immediate > > shipping, we have > > > approved your buy it now transaction and offered you as the buyer, > > > full purchase protection for the amount you agreed on with > > the seller. > > > > > > > > > Complete your eBay transaction in 5 easy steps: > > > ************************************************* > > > > > > 1-Buyer and seller agree on the transaction terms and a > > selling price. > > > 2-Seller contacts eBay with the transaction details. > > > eBay accepts the transaction and offers purchase protection to the > > > buyer (if the transaction is declined, no further action > > is required > > > from either the buyer or the seller). > > > 3-The buyer sends payment. After the payment > > > cleared, the seller must notify eBay. Buyer will send the payment > > > details directly to the seller email address. The seller has three > > > business days to send the buyer and eBay the tracking number of the > > > shipment. If no tracking number is provided, a full refund is > > > immediately sent to the buyer; > > > 4-Buyer receives the merchandise and has five days to inspect it. > > > If it is complete and as described, the buyer should accept the > > > merchandise. > > > If he refuses the merchandise, the buyer must ship the merchandise > > > back to the seller within three business days. > > > 5-After the inspection period is over, the buyer must > > contact eBay with > > > the result of the inspection. If the buyer refuses the merchandise, > > > the refund will be sent to the buyer after the tracking > > number for the > > > returned shipment is verified. > > > > > > To enjoy the purchase protection, you must send the payment by the > > > insured payment method below. > > > Attention: Sending the payment by any other method will void this > > > transaction and your right to refund. > > > > > > Details and instructions of this transaction: > > > > > > * The following item(s) are protected in this eBay transaction: > > > Item name: RARE 1896 $5.00 SILVER CERTIFICATE "EDUCATIONAL NOTE"Item > > > price:US $2,210.50/ Amount insuredShipping price:Ready to ship / The > > > Item price includes shipping and insurance > > fees.Payment:Pending Seller's > > > verified payment address:Jim Oliver > > > 112 Edith Road > > > London,W14 9AP > > > United Kingdom Buyer's shipping address: > > > Jerry Thornton > > > PO Box 50602 > > > Pasadena, CA 91115-0602 > > > United States > > > > > > > > > > > > Date of verification: Sept-24-2005 > > > Payment must be sent by: Western Union Money Transfer > > > Next step to be taken: The buyer must send > > the payment to > > > the seller > > > * Complete your eBay transaction: > > > > > > Payment instructions: > > > > > > To submit the payment with Western Union Money Transfer, > > you have two > > > options: > > > > > > 1. Pay for the transfer with cash at a local Western Union agent. > > > Click here to locate the agents in your area > > > http://www.westernunion.com/info/agentInquiryIntl.asp > > > > > > 2. If you are now in the USA and need to use a credit/debit card > > > (Visa or MC), call 1-800-CALL-CASH and make the payment to > > the verified > > > name > > > of the seller. An additional fee will be charged on most > > cards because > > > this transaction will be considered a cash advance on your card. > > > > > > ... > > > > > > > > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) Comment: Exmh CVS iD8DBQFDOxnMMJF5cimLx9ARAvYiAJ955bQ3nwEKq32JLLTtNaBExE7UvQCcCMLD XCTobjyGAmhzR4mJvI4pbQc= =DHmW -----END PGP SIGNATURE-----
