It occurred to me to check SenderBase for all IPs that eBay has sent,
and when I saw that they have about a dozen, I checked instead to see if
they might have an SPF record... yup, they do.

In fact, they make extensive use of SPF "includes" to cover their many
mailhosts.  

Interestingly enough, the IP that sent the message that Markus caught
was not in their SPF (but a neighbor on the same /24 is).

And for what it's worth, they end their SPF with ~ALL to "soft fail" any
MAILFROM that uses @ebay.com but isn't in their records.

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Tuesday, March 08, 2005 4:25 PM
To: [email protected]
Subject: RE: [Declude.JunkMail] Legit Ebay message failing spamdomains


Thanks for the heads-up, Markus.

Based on that, I've added a counterweight for them in my system for
their /19 subnet.

http://www.senderbase.org/search?searchString=216.113.168.141

REMOTEIP -20 CIDR 216.113.160.0/19

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Tuesday, March 08, 2005 2:43 PM
To: [email protected]
Subject: [Declude.JunkMail] Legit Ebay message failing spamdomains


Today I've seen a legit message from ebay's fraud protection department


Received: from neutron.corp.ebay.com [216.113.168.141] by xxxxxxxxxxxxx 
        id A567EB3009E; Mon, 07 Mar 2005 08:40:23 +0100
X-Spam-Checker-Version: SpamAssassin 2.64 (2004-01-11) on sjc-lxs-02
X-Spam-Level: 
X-Spam-Status: No, hits=0.4 required=3.0
        tests=HTML_MESSAGE,MIME_HTML_ONLY,
        NO_REAL_NAME autolearn=no version=2.64
X-TFF-CGPSA-Version: 1.3.1
X-TFF-CGPSA-Filter: Scanned
Received: from [10.244.20.100] (HELO SJN-EWS-12)
  by neutron.corp.ebay.com (CommuniGate Pro SMTP 4.1.8)
  with ESMTP id 121133090 for xxxxxxxxxxxxxxxx; Sun, 06 Mar 2005 23:10:21 -0800


Unfortunately 216.113.168.141 has no REVDNS entry and so it would fail
the spamdomains test.

Maybe someone knows people at ebay and can explain to them that they have to
configure their own email systems 120% correctly, as their domain is a commonly
forged one and is also used for phishing attempts. Keeping their own systems
conforming to the rules would help people like us to catch bad messages.

Markus

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
"unsubscribe Declude.JunkMail".  The archives can be found at
http://www.mail-archive.com.