From: "Chris" <[EMAIL PROTECTED]>
On Monday 31 October 2005 04:22 pm, jdow wrote:
===8<---
Status: U
Return-Path: <[EMAIL PROTECTED]>
Received: from smtp.earthlink.net [209.86.93.209]
    by localhost with POP3 (fetchmail-6.2.5)
    for [EMAIL PROTECTED] (single-drop); Mon, 31 Oct 2005 03:55:59 -0800 (PST)
Received: from mail19a.g19.rapidsite.net ([204.202.242.24])
    by mx-nebolish.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1ewyfT2wu3Nl3490
    for <[EMAIL PROTECTED]>; Mon, 31 Oct 2005 06:55:12 -0500 (EST)
Received: from mx15.stngva01.us.mxservers.net (204.202.242.101)
    by mail19a.g19.rapidsite.net (RS ver 1.0.95vs) with SMTP id 2-0924379712
    for <[EMAIL PROTECTED]>; Mon, 31 Oct 2005 06:55:12 -0500 (EST)
Received: from www.pattersonbunweb.com [207.56.100.245] (EHLO pattersonbunweb.com)
    by mx15.stngva01.us.mxservers.net (mxl_mta-1.3.8-10p4) with ESMTP id 02606634.9450.122.mx15.stngva01.us.mxservers.net;
    Mon, 31 Oct 2005 06:55:12 -0500 (EST)
Received: (from [EMAIL PROTECTED])
    by pattersonbunweb.com (8.12.11/8.12.9/Submit) id j9VBtCbU052029;
    Mon, 31 Oct 2005 06:55:12 -0500 (EST)
    (envelope-from patt12)
Date: Mon, 31 Oct 2005 06:55:12 -0500 (EST)
Message-Id: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: E-Mail ID #356042 PayPal Security Notification of Limited Account Access [28 Oct 2005 15:36:12 +0400]
Content-Type: text/html; charset=us-ascii
From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Reply-to: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Content-Transfer-Encoding: 7bit
X-Accept-Language: en-us, en
X-Spam-Flag: YES
X-Spam: [F=0.9837704442; heur=0.746(2900); stat=0.481; spamtraq-heur=0.956(2005103001)]
X-MAIL-FROM: <[EMAIL PROTECTED]>
X-SOURCE-IP: [207.56.100.245]
X-Loop-Detect:1
X-DistLoop-Detect:1
X-ELNK-AV: 0
X-NKVIR: Scanned
===8<---
(The "X-MAIL-FROM:" header seems like an obvious tool. However, some of
the SARE rules probably should have triggered and didn't. These SARE rule
sets nominally hit PayPal spam:
70_sare_genlsubj1.cf
70_sare_header.cf
70_sare_spoof.cf <-- this one really should have caught it.
{^_^}
Where did the X-Spam-Flag: YES tag come from? I'm not much good on this, but
could it be that, since it already had a flag, it was skipped by SA?
Content analysis details: (5.4 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.0 JD_MY_NAME To my ids at Earthlink.
0.1 JD_TO_EARTHLINK To somebody at @earthlink.net specifically
0.0 HTML_90_100 BODY: Message is 90% to 100% HTML
0.4 HTML_SHORT_LENGTH BODY: HTML is extremely short
0.0 HTML_MESSAGE BODY: HTML included in message
0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
[score: 0.5042]
0.9 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
3.3 HTML_IMAGE_ONLY_04 BODY: HTML: images with 0-400 bytes of words
0.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
[Blocked - see <http://www.spamcop.net/bl.shtml?204.202.242.24>]
0.3 DNS_FROM_AHBL_RHSBL RBL: From: sender listed in dnsbl.ahbl.org
0.1 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag
In other words, it was caught by accident rather than anything else. It was
NOT caught by a PayPal rule. It should have been. It's not from PayPal.
It does not go near PayPal mailing hosts. Yet it's not caught except by
accident of it being short HTML MIMEd image only. It should have triggered
PayPal scam rules.
Gee, I'd hoped someone would run the headers and tell me how it would
be caught as a PayPal forgery, which it quite obviously is.
{^_-}
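As an added illustration (not code from the thread or from SpamAssassin/SARE), here is the kind of header-only check jdow wishes had fired: a message whose Subject or From mentions PayPal but whose Received chain never passes through a paypal.com host is flagged, and a pre-existing X-Spam-Flag from an upstream filter is reported as a second signal. The sample headers are re-typed from the quoted message with the redacted addresses replaced by placeholders; the list of legitimate origin hosts is an assumption for this example.

```python
# Added example: parse message headers and flag a brand name that is not
# backed by the Received chain. Not part of the original thread.
from email import message_from_string
import re

# Constructed sample: the relevant headers from the quoted message,
# with redacted addresses replaced by placeholders.
SAMPLE = """\
Received: from mail19a.g19.rapidsite.net ([204.202.242.24])
  by mx-nebolish.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id
  1ewyfT2wu3Nl3490 for <user@example.invalid>; Mon, 31 Oct 2005 06:55:12 -0500 (EST)
Received: from www.pattersonbunweb.com [207.56.100.245] (EHLO pattersonbunweb.com)
  by mx15.stngva01.us.mxservers.net (mxl_mta-1.3.8-10p4) with ESMTP id
  02606634.9450.122.mx15.stngva01.us.mxservers.net; Mon, 31 Oct 2005 06:55:12 -0500 (EST)
Subject: E-Mail ID #356042 PayPal Security Notification of Limited Account Access
From: "service@example.invalid" <service@example.invalid>
X-Spam-Flag: YES
X-SOURCE-IP: [207.56.100.245]

"""

BRAND = re.compile(r"\bpaypal\b", re.I)
# Assumption for this example: a genuine notification would show a
# paypal.com host somewhere in its Received chain.
LEGIT_ORIGIN = re.compile(r"\bpaypal\.com\b", re.I)

def received_hosts(msg):
    """Return the 'from' host of every Received header, newest first."""
    hosts = []
    for rcvd in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+(\S+)", rcvd)
        if m:
            hosts.append(m.group(1).lower())
    return hosts

def brand_spoof_hits(raw):
    """Return the names of the local checks that fire on the raw message."""
    msg = message_from_string(raw)
    hits = []
    claimed = msg.get("Subject", "") + " " + msg.get("From", "")
    via_brand = any(LEGIT_ORIGIN.search(h) for h in received_hosts(msg))
    if BRAND.search(claimed) and not via_brand:
        hits.append("LOCAL_PAYPAL_NOT_VIA_PAYPAL")
    if msg.get("X-Spam-Flag", "").strip().upper() == "YES":
        hits.append("LOCAL_UPSTREAM_SPAM_FLAG")
    return hits

if __name__ == "__main__":
    print(brand_spoof_hits(SAMPLE))
```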