It occurred to me to check SenderBase for all IPs that eBay has sent, and when I saw that they have about a dozen, I checked instead to see if they might have an SPF record... yup, they do.
In fact, they make extensive use of SPF "includes" to cover their many mailhosts. Interestingly enough, the IP that sent the message that Markus caught was not in their SPF (but a neighbor on the same /24 is).

And for what it's worth, they end their SPF with ~ALL to "soft fail" any MAILFROM that uses @ebay.com but isn't in their records.

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Tuesday, March 08, 2005 4:25 PM
To: [email protected]
Subject: RE: [Declude.JunkMail] Legit Ebay message failing spamdomains

Thanks for the heads-up, Markus. Based on that, I've added a counterweight for them in my system for their /19 subnet.

http://www.senderbase.org/search?searchString=216.113.168.141

REMOTEIP -20 CIDR 216.113.160.0/19

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Tuesday, March 08, 2005 2:43 PM
To: [email protected]
Subject: [Declude.JunkMail] Legit Ebay message failing spamdomains

Today I've seen a legit message from ebay's fraud protection department:

Received: from neutron.corp.ebay.com [216.113.168.141] by xxxxxxxxxxxxx
    id A567EB3009E; Mon, 07 Mar 2005 08:40:23 +0100
X-Spam-Checker-Version: SpamAssassin 2.64 (2004-01-11) on sjc-lxs-02
X-Spam-Level:
X-Spam-Status: No, hits=0.4 required=3.0 tests=HTML_MESSAGE,MIME_HTML_ONLY,
    NO_REAL_NAME autolearn=no version=2.64
X-TFF-CGPSA-Version: 1.3.1
X-TFF-CGPSA-Filter: Scanned
Received: from [10.244.20.100] (HELO SJN-EWS-12) by neutron.corp.ebay.com
    (CommuniGate Pro SMTP 4.1.8) with ESMTP id 121133090 for xxxxxxxxxxxxxxxx;
    Sun, 06 Mar 2005 23:10:21 -0800

Unfortunately 216.113.168.141 has no REVDNS entry and so it would fail the spamdomains test.

Maybe someone knows people at ebay and can explain to them that they have to configure their own email systems 120% correctly, as their domain is a commonly forged one and is also used for phishing attempts.
Keeping their own systems conformant to the rules would help people like us to catch bad messages.

Markus

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
