The attached phish evaded 70_sare_spoof.cf simply by forging the helo.
Adjusting the __RCVD_* rules to include
" \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]"
at the end matches correctly for postfix at least.
e.g.:
header __RCVD_EBAY Received =~ /(?:email)?ebay\.com \[\d{1,3}\.
\d{1,3}\.\d{1,3}\.\d{1,3}\]/i
From [EMAIL PROTECTED] Wed May 26 15:21:48 2004
Return-Path: <[EMAIL PROTECTED]>
Received: by mailhost.idcomm.com (Postfix, from userid 89)
id 030E5E622AB4; Wed, 26 May 2004 15:51:33 -0600 (MDT)
Received: from ebay.com (119.16-201-80.adsl.skynet.be [80.201.16.119])
by mailhost.idcomm.com (Postfix) with SMTP id 20598E618306
for <[EMAIL PROTECTED]>; Wed, 26 May 2004 15:24:18 -0600 (MDT)
Date: Wed, 26 May 2004 21:21:48 +0000
From: eBay customers support <[EMAIL PROTECTED]>
Subject: Urgent lnformation from eBay
To: xxxx <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
In-Reply-To: <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>
Reply-To: eBay <[EMAIL PROTECTED]>
Sender: eBay customers support <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: text/html;
charset=Windows-1251
Content-Transfer-Encoding: 8bit
Errors-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on cranium2.idcomm.com
X-Spam-Status: No, hits=5.4 required=6.0 tests=BAYES_10,BIZ_TLD,CLICK_BELOW,
HTML_20_30,HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_BL_SPAMCOP_NET,
RCVD_IN_DYNABLOCK,RCVD_IN_SORBS autolearn=no version=2.63
X-Spam-Level: *****
Status: R
X-Status: N
<html>
<head></head>
<body>
<p align="left">
Dear eBay member #xxxx!<br><br>
It has come to our attention that your account<br>
may be used by third party in a fraudulent activity<br>
with eBay. As a result, your access to bid or buy<br>
on eBay has been restricted. According to our site<br>
policy you will have to confirm that you are the real<br>
owner of the eBay account by entering your credit card<br>
information. Please click on the link below to get to<br>
the eBay security update page and complete the form that<br>
will appears. After that your account information will be<br>
verifyed and you will be redirected to the eBay home page. Thank you.<br>
<a
href="http://ebay.dasmarket.biz/eb/isap.html";>https://cgi.ebay.com/saw-cgi/eBayISAPI.dll?UpdateInformation</a><br><br>
Visit our <a href="http://pages.ebay.com/help/community/png-priv.html";>Privacy
Policy</a> and <a
href="http://pages.ebay.com/help/community/png-user.html";>User Agreement</a> if
you have any questions.<br>
Copyright 2003 eBay Inc. All Rights Reserved.<br>
Designated trademarks and brands are the property of their respective
owners.<br>
eBay and the eBay logo are trademarks of eBay Inc.<br>
</p>
</body>
</html>
