Chris wrote:

On Monday 31 October 2005 04:22 pm, jdow wrote:
===8<---
Status:  U
Return-Path: <[EMAIL PROTECTED]>
Received: from smtp.earthlink.net [209.86.93.209]
    by localhost with POP3 (fetchmail-6.2.5)
    for [EMAIL PROTECTED] (single-drop); Mon, 31 Oct 2005 03:55:59 -0800 (PST)
Received: from mail19a.g19.rapidsite.net ([204.202.242.24])
    by mx-nebolish.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id
    1ewyfT2wu3Nl3490 for <[EMAIL PROTECTED]>; Mon, 31 Oct 2005 06:55:12 -0500 (EST)
Received: from mx15.stngva01.us.mxservers.net (204.202.242.101)
    by mail19a.g19.rapidsite.net (RS ver 1.0.95vs) with SMTP id 2-0924379712
    for <[EMAIL PROTECTED]>; Mon, 31 Oct 2005 06:55:12 -0500 (EST)
Received: from www.pattersonbunweb.com [207.56.100.245] (EHLO pattersonbunweb.com)
    by mx15.stngva01.us.mxservers.net (mxl_mta-1.3.8-10p4) with ESMTP id
    02606634.9450.122.mx15.stngva01.us.mxservers.net;
    Mon, 31 Oct 2005 06:55:12 -0500 (EST)
Received: (from [EMAIL PROTECTED])
    by pattersonbunweb.com (8.12.11/8.12.9/Submit) id j9VBtCbU052029;
    Mon, 31 Oct 2005 06:55:12 -0500 (EST)
    (envelope-from patt12)
Date: Mon, 31 Oct 2005 06:55:12 -0500 (EST)
Message-Id: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: E-Mail ID #356042  PayPal Security Notification of Limited
Account Access [28 Oct 2005 15:36:12 +0400]
Content-Type: text/html; charset=us-ascii
From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Reply-to: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Content-Transfer-Encoding: 7bit
X-Accept-Language: en-us, en
X-Spam-Flag: YES
X-Spam: [F=0.9837704442; heur=0.746(2900); stat=0.481;
    spamtraq-heur=0.956(2005103001)]
X-MAIL-FROM: <[EMAIL PROTECTED]>
X-SOURCE-IP: [207.56.100.245]
X-Loop-Detect:1
X-DistLoop-Detect:1
X-ELNK-AV: 0
X-NKVIR: Scanned
===8<---
(The "X-MAIL-FROM:" header seems like an obvious tool. However, some of
the SARE rules probably should have triggered and didn't. These SARE rule
sets nominally hit paypal spam:
70_sare_genlsubj1.cf
70_sare_header.cf
70_sare_spoof.cf    <-- this one really should have caught it.

{^_^}

Where did the X-Spam-Flag: YES tag come from? I'm not much good on this but could it be since it already had a flag that it was skipped by SA?

That would make SA useless. Any spammer can add that header.

Anyway, 70_sare_spoof.cf won't catch this From. It catches spam when the
From is a paypal address but the Received headers don't contain a paypal
hop.
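
The two points in the reply above, sketched in Python as an added example. It is not part of the original posts and is not the SARE rule or SpamAssassin's own code. The sample messages are constructed, brand.example stands in for the impersonated brand's domain, and scan(), hop_hosts() and under() are hypothetical names.

```python
import re
from email import message_from_string
from email.utils import parseaddr

UNTRUSTED = ("X-Spam-Flag", "X-Spam-Status")  # verdict headers any sender can add

# Constructed samples (assumption); brand.example stands in for the brand domain.
SPOOFED = (
    "Received: from www.shop.example [192.0.2.10]\n"
    "    by mx.isp.example with ESMTP; Mon, 31 Oct 2005 06:55:12 -0500\n"
    'From: "Brand" <service@brand.example>\n'
    "X-Spam-Flag: NO\n"
    "Subject: Notification of Limited Account Access\n\nbody\n"
)
GENUINE = (
    "Received: from mx1.brand.example [198.51.100.7]\n"
    "    by mx.isp.example with ESMTP; Mon, 31 Oct 2005 06:55:12 -0500\n"
    'From: "Brand" <service@brand.example>\n'
    "X-Spam-Flag: YES\n"
    "Subject: Receipt\n\nbody\n"
)

def under(host, domain):
    """True when host is the domain itself or one of its subdomains."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def hop_hosts(msg):
    """Host named after 'from' in each Received header.
    Simplification: a real filter only believes hops recorded by relays it trusts."""
    hosts = []
    for value in msg.get_all("Received", []):
        m = re.search(r"\bfrom\s+([A-Za-z0-9.-]+)", value)
        if m:
            hosts.append(m.group(1))
    return hosts

def scan(raw, brand):
    msg = message_from_string(raw)
    dropped = [h for h in UNTRUSTED if h in msg]
    for h in dropped:
        del msg[h]  # an inbound verdict header never decides the result
    addr = parseaddr(msg.get("From", ""))[1]
    domain = addr.rpartition("@")[2].lower()
    # From claims the brand, yet no Received hop belongs to the brand.
    spoof = under(domain, brand) and not any(under(h, brand) for h in hop_hosts(msg))
    return {"spoofed_from": spoof, "ignored_headers": dropped}
```

The verdict depends only on the From/Received comparison, so the pre-set X-Spam-Flag value in either sample has no effect on it.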
