Howdy folks,
This was just brought to my attention this morning. It is a legit message from a legit user using excite.com. There were three messages sent trying to get through to my user and all three were hammered by these rules.


Here is the header:

Return-Path: <[EMAIL PROTECTED]>
Received: from excite.com (nn3.excitenetwork.com [207.159.120.57])
by babyblue-eth1.parkstpress.com (8.10.2/8.10.2) with ESMTP id i5TCTBR19131
for <[EMAIL PROTECTED]>; Tue, 29 Jun 2004 08:29:12 -0400
Received: by xprdmailfe6.nwk.excite.com (Postfix, from userid 110)
id 234B23DDC; Tue, 29 Jun 2004 08:30:49 -0400 (EDT)
To: [EMAIL PROTECTED]
Subject: hellloooooooo it`s me
Received: from [208.60.249.61] by xprdmailfe6.nwk.excite.com via HTTP; Tue, 29 Jun 2004 08:30:49 EST
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: ID = 9763b6252acc1748ab9a8d15059c8147
Reply-To: [EMAIL PROTECTED]
From: REAL NAME <[EMAIL PROTECTED]>
MIME-Version: 1.0
X-Sender: [EMAIL PROTECTED]
X-Mailer: PHP
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id: <[EMAIL PROTECTED]>
Date: Tue, 29 Jun 2004 08:30:49 -0400 (EDT)


It got smacked hard on the following rules:

Content analysis details: (7.10 points, 5 required)
RCVD_FAKE_HELO_DOTCOM (3.6 points) Received contains a faked HELO hostname
SARE_FREE_WEBM_Excite (0.7 points) Sender used free email account - may be spammer
RCVD_FAKE_HELO_DOTCOM_2 (2.8 points) Received contains a faked HELO hostname (2)



Ouch! Which ruleset are the FAKE_HELO_DOTCOMs in? I can't find them.
I think this qualifies as a serious FP. This person was trying to place an order and finally called to find out why we hadn't responded. Oops.
This is the first major FP I've had in 1.5 years. Not too bad, as things go. Just thought I'd bring this to everyone's attention so adjustments can be made.


Scott

--
    Scott V. Blomquist,A-SA-CN-NRK    TINLC(tm)  #2598
          ITI/Bear&Co    Rochester, VT
    802-767-3174(v)           802-767-3726(f)
"Any technology sufficiently advanced is indistinguishable from Magic."
                                                 A. C. Clarke


