Looks like the first attempts at some phishing. The domain name and everything look like NCR BUT the DNS servers are NCRWEBHOST.COM with what looks like a bogus email address for admin contract.
Gary -----Original Message----- From: Michael Barnes [mailto:[EMAIL PROTECTED] Sent: Friday, December 17, 2004 12:27 PM To: SpamAssassin Users Subject: Equifax/NCR partnership in spam??? All, Does anyone have an opinion of the mail below? To me it looks like deceptive marketing practice where the people at equifaxmktg.com are trying to validate emails or something. The scary thing is that equifaxmktg.com appears to be a division of NCR. I guess its common knowledge that Equifax is pretty much a spam company in disguise a credit company. But I was under the assumption that NCR was a real company. Any opinions on this? Also, this mail was sent via PowerMTA, which appears to be a tool of choice for spammers. I've created a rule for this, should this be a standard rule? Mike ----- Forwarded message from Equifax <[EMAIL PROTECTED]> ----- >From [EMAIL PROTECTED] Fri Dec 17 13:02:51 2004 Return-Path: <[EMAIL PROTECTED]> Received: from a.machine.here (a.machine.here [xxx.xxx.x.xx]) by another.machine.here (8.11.7p1+Sun/8.10.2) with ESMTP id iBHI2pH13385 for <[EMAIL PROTECTED]>; Fri, 17 Dec 2004 13:02:51 -0500 (EST) Received: from ncr2249.ncr2249 (mail244.ncrecommerce.com [153.69.128.244]) by a.machine.here (8.12.8/8.12.8) with ESMTP id iBHI2lfA027614 for <[EMAIL PROTECTED]>; Fri, 17 Dec 2004 13:02:47 -0500 Received: by ncr2249.ncr2249 (PowerMTA(TM) v3.0r7) id hocfje0721cv; Fri, 17 Dec 2004 13:02:23 -0500 (envelope-from +<[EMAIL PROTECTED]>) X-BPS1: 12303 X-BPS2: 1 Reply-To: "Equifax" <[EMAIL PROTECTED]> From: "Equifax" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Subject: *****SPAM***** (score=16.2/10.0) Equifax Holiday Fun Date: Fri, 17 Dec 2004 13:02:22 -0500 Message-ID: <[EMAIL PROTECTED]> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_F87B3_01C4E438.A5E2C420" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft CDO for Windows 2000 Thread-Index: AcTkYo62jLoTmpSWTqaVFYSBB7UXaw== Content-Class: urn:content-classes:message X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441 X-Spam-Prev-Subject: Equifax Holiday Fun X-Spam-Flag: YES X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on mymachine X-Spam-Report: * 1.0 NO_SPACE_IN_FRM No space in from between quotes * 0.2 EXTRA_SUBJ_SPACES Subject with extra spaces in it (2) * 0.0 HTML_WEB_BUGS BODY: Image tag intended to identify you * 0.1 HTML_80_90 BODY: Message is 80% to 90% HTML * 0.1 HTML_IMAGE_RATIO_06 BODY: HTML has a low ratio of text to * image area * 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60% * [score: 0.5039] * 0.0 HTML_MESSAGE BODY: HTML included in message * 0.3 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/) * 3.1 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL * [153.69.128.244 listed in sbl-xbl.spamhaus.org] * 1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL * blocklist * [URIs: equifaxmktg.com] * 3.2 URIBL_OB_SURBL Contains an URL listed in the OB SURBL * blocklist * [URIs: ncrpmreports.com equifaxmktg.com] * 0.7 FRM_NOT_TWO_WORDS From does not have 2 words in it * 5.9 SCORE_CORRECTION Correction for multiple positive test * scores X-Spam-Status: Yes, score=16.2 required=10.0 tests=BAYES_50,DCC_CHECK, EXTRA_SUBJ_SPACES,FRM_NOT_TWO_WORDS,HTML_80_90,HTML_IMAGE_RATIO_06, HTML_MESSAGE,HTML_WEB_BUGS,NO_SPACE_IN_FRM,RCVD_IN_XBL, SCORE_CORRECTION,URIBL_OB_SURBL,URIBL_WS_SURBL autolearn=no version=3.0.1 X-Spam-Level: **************** Status: RO Content-Length: 6137 Lines: 126 Happy Holidays! Thank You! You're an important Equifax customer. We appreciate you and want to pass on some holiday fun to you. Take a look at our holiday card for some holiday cheer. http://equifaxmktg.com/equifax/redirect.asp?lid=1051267&o=1&eid=OneOfMyL [EMAIL PROTECTED] If you have any questions, please call us at 1-800-829-3616, 8:00AM - 3:00AM (EST), 7 days a week. You may e-mail us anytime at [EMAIL PROTECTED] Or you can write us: Equifax Consumer Services, Inc. PO Box 105496, Atlanta, GA 30348. Click below to unsubscribe from future mailings. http://equifaxmktg.com/equifax/redirect.asp?lid=1051268&o=1&eid=OneOfMyL [EMAIL PROTECTED]&DATI=evLVYy4d%2Bx27Uxndjx8MHAxPIV5xvK%2x0 ----- End forwarded message ----- -- /-----------------------------------------\ | Michael Barnes <[EMAIL PROTECTED]> | | UNIX Systems Administrator | | College of William and Mary | | Phone: (757) 879-3930 | \-----------------------------------------/
