Most notably, the outgoing servers used the citicorp.com domain (some of the HELOs used c2it.com, which is also valid).
I already knew my payment was due, since I still get a paper statement, but if I'd gone to email-only - well, I'd be very glad I dropped those scores from 110 to 1!
Suggested modification (untested):
header __RCVD_CITIBNK Received =~ /(?:c2it|citibank|citicorp)\.com/i
Relevant headers:
Return-Path: <[EMAIL PROTECTED]>
Received: from majesty.pobox.com (majesty.pobox.com [208.210.124.70])
by speed3.speed.net (8.12.10/8.12.10) with ESMTP id i2HI33x7021355
for <address removed>; Wed, 17 Mar 2004 10:03:03 -0800
Received: from majesty.pobox.com (localhost [127.0.0.1])
by majesty.pobox.com (Postfix) with ESMTP id 4A0BA88ED3
for <address removed>; Wed, 17 Mar 2004 12:59:49 -0500 (EST)
Delivered-To: removed
Received: from colander (localhost [127.0.0.1])
by majesty.pobox.com (Postfix) with ESMTP id 6C9F788E79
for <address removed>; Wed, 17 Mar 2004 12:59:48 -0500 (EST)
Received-SPF: none (majesty.pobox.com: domain of [EMAIL PROTECTED] does not designate permitted sender hosts)
Received: from ssmail2.c2it.com (ssmail2.c2it.citicorp.com [192.193.208.104])
by majesty.pobox.com (Postfix) with ESMTP
for <address removed>; Wed, 17 Mar 2004 12:59:14 -0500 (EST)
Received: from alertsapp10.Cardalerts.sub.citicorp.com ([169.176.5.2])
by ssmail2.c2it.com (8.8.8p3+Sun/8.8.8) with ESMTP id MAA01027
for <address removed>; Wed, 17 Mar 2004 12:51:43 -0500 (EST)
From: [EMAIL PROTECTED]
Received: from mail pickup service by alertsapp10.Cardalerts.sub.citicorp.com with Microsoft SMTPSVC;
Wed, 17 Mar 2004 12:46:14 -0500
Kelson Vibber
SpeedGate Communications <www.speed.net>
