Ron Horist wrote:
Both of these should have been marked SPAM.

They came from different mail servers: the first came from 66.23.211.14
(83.238.147.3), the second came from 216.55.149.18.

The first one answered with a numeric HELO, which gave it 1.4 points,
where the second server answered correctly.

The first one answered with an IP_MISMATCH (fake IP - answered as
66.23.211.14, but was REALLY 83.238.147.3), which gave it 3.2 points,
where the second server answered correctly.

The first server answered with an illegal IP address giving it 1.6
points, where the second server did not.

The first server was probably a dial-up spammer, which would explain
some of the extra points, where the second server is not.

The first server was a dial-up/broadband account from Poland, acting as
a server from Georgia, USA. The second server is a (looks like)
legitimate server for Abacus America, Inc., located in San Diego at 5276
Eastgate Mall.

If you would like some more explanations on how I got all this info, or
just have questions in general, email me off-list and I'll be more than
happy to help!

Here is the first one:

Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 739 invoked by uid 89); 5 Dec 2005 18:59:19 -0000
Received: by simscan 1.1.0 ppid: 721, pid: 735, t: 41.2794s
scanners: clamav: 0.87.1/m:34/d:1162 spam: 3.1.0
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on mail.horistjr.com
X-Spam-Level: ******
X-Spam-Status: Yes, score=6.5 required=5.0 tests=DRUGS_PAIN,
RCVD_HELO_IP_MISMATCH,RCVD_ILLEGAL_IP,RCVD_NUMERIC_HELO autolearn=no
version=3.1.0
X-Spam-Report:
* 3.2 RCVD_HELO_IP_MISMATCH Received: HELO and IP do not match, but
* should
* 1.4 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
* 1.6 RCVD_ILLEGAL_IP Received: contains illegal IP address
* 0.3 DRUGS_PAIN Refers to a pain relief drug
Received: from unknown (HELO 66.23.211.14) (83.238.147.3)
by mail.horistjr.com with SMTP; 5 Dec 2005 18:58:38 -0000
Received-SPF: none (mail.horistjr.com: domain at mtnmovers.com does not
designate permitted sender hosts)
Received: from gangling.herr.xearthlink.net (0.11.120.169) by
cyclic.diary.earthlink.net with XSMTP; Mon, 05 Dec 2005 23:56:58 +0500
Errors-To: <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Date: Tue, 06 Dec 2005 00:49:58 +0600
From: "Corrine Reaves" <[EMAIL PROTECTED]>
Subject: ***SPAM*** ultram inclination
X-Mailer: Novell GroupWise 5.5.5
X-Spam-Prev-Subject: ultram inclination

Here is the second one:

Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 748 invoked by uid 89); 5 Dec 2005 18:59:43 -0000
Received: by simscan 1.1.0 ppid: 743, pid: 745, t: 0.3679s
scanners: clamav: 0.87.1/m:34/d:1162 spam: 3.1.0
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on mail.horistjr.com
X-Spam-Level: ****
X-Spam-Status: No, score=4.2 required=5.0 tests=AWL,DRUGS_PAIN,
RCVD_ILLEGAL_IP autolearn=no version=3.1.0
Received: from unknown (HELO mx3.zoneedit.com) (216.55.149.18)
by mail.horistjr.com with SMTP; 5 Dec 2005 18:59:43 -0000
Received-SPF: none (mail.horistjr.com: domain at mtnmovers.com does not
designate permitted sender hosts)
Received: from host46-27.pool873.interbusiness.it
(host46-27.pool873.interbusiness.it [87.3.27.46])
by mx3.zoneedit.com (Postfix) with SMTP id 185B5930D5E
for <[EMAIL PROTECTED]>; Mon, 5 Dec 2005 13:59:35 -0500 (EST)
Received: from gangling.herr.xearthlink.net (0.11.120.169) by
cyclic.diary.earthlink.net with XSMTP; Mon, 05 Dec 2005 23:56:58 +0500
Errors-To: <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Date: Tue, 06 Dec 2005 00:49:58 +0600
From: "Corrine Reaves" <[EMAIL PROTECTED]>
Subject: ultram inclination
X-Mailer: Novell GroupWise 5.5.5
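
An added example, not part of the original message and not SpamAssassin's own rule code: a simplified Python approximation of the three Received-header checks discussed above, run over the Received lines of the two messages. The regexes, function names and the definition of an "illegal" address are assumptions for illustration; the scores are the ones shown in the X-Spam-Report.

```python
import ipaddress
import re

# Scores as listed in the X-Spam-Report of the first message.
SCORES = {"RCVD_HELO_IP_MISMATCH": 3.2, "RCVD_NUMERIC_HELO": 1.4, "RCVD_ILLEGAL_IP": 1.6}
# qmail-style hop: "from <rdns> (HELO <helo string>) (<connecting IP>)"
QMAIL_RE = re.compile(r"from\s+\S+\s+\(HELO\s+(?P<helo>[^)\s]+)\)\s+\((?P<ip>[\d.]+)\)")
# Any dotted quad recorded in parentheses or brackets in a Received value.
ANY_IP_RE = re.compile(r"[(\[](\d{1,3}(?:\.\d{1,3}){3})[)\]]")
ZERO_NET = ipaddress.ip_network("0.0.0.0/8")

def is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False

def is_illegal(ip):
    # Assumption: "illegal" = unparseable, 0.0.0.0/8, multicast or 240/4.
    if not is_ipv4(ip):
        return True
    addr = ipaddress.IPv4Address(ip)
    return addr in ZERO_NET or addr.is_multicast or addr.is_reserved

def check_received(values):
    """Return the rule names hit by a list of unfolded Received: values."""
    hits = set()
    for value in values:
        m = QMAIL_RE.search(value)
        if m and is_ipv4(m["helo"]):          # HELO was a bare IP address
            hits.add("RCVD_NUMERIC_HELO")
            if m["helo"] != m["ip"]:          # claimed IP differs from the TCP peer
                hits.add("RCVD_HELO_IP_MISMATCH")
        if any(is_illegal(ip) for ip in ANY_IP_RE.findall(value)):
            hits.add("RCVD_ILLEGAL_IP")
    return hits

def score(hits):
    return round(sum(SCORES[h] for h in hits), 1)

# Received values copied from the two messages above, unfolded and trimmed.
FIRST = ["from unknown (HELO 66.23.211.14) (83.238.147.3) by mail.horistjr.com with SMTP",
         "from gangling.herr.xearthlink.net (0.11.120.169) by cyclic.diary.earthlink.net with XSMTP"]
SECOND = ["from unknown (HELO mx3.zoneedit.com) (216.55.149.18) by mail.horistjr.com with SMTP",
          "from host46-27.pool873.interbusiness.it (host46-27.pool873.interbusiness.it [87.3.27.46]) by mx3.zoneedit.com (Postfix) with SMTP id 185B5930D5E",
          "from gangling.herr.xearthlink.net (0.11.120.169) by cyclic.diary.earthlink.net with XSMTP"]

if __name__ == "__main__":
    for name, hops in (("first", FIRST), ("second", SECOND)):
        hits = check_received(hops)
        print(name, sorted(hits), score(hits))
```

The header-based total for the first message plus the 0.3 for DRUGS_PAIN gives the 6.5 in its X-Spam-Status line; the second message's total of 4.2 also includes AWL and DRUGS_PAIN, which this sketch does not model.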