On Monday 31 October 2005 04:22 pm, jdow wrote:
> ===8<---
> Status:  U
> Return-Path: <[EMAIL PROTECTED]>
> Received: from smtp.earthlink.net [209.86.93.209]
>  by localhost with POP3 (fetchmail-6.2.5)
>  for [EMAIL PROTECTED] (single-drop); Mon, 31 Oct 2005 03:55:59 -0800 (PST)
> Received: from mail19a.g19.rapidsite.net ([204.202.242.24])
>  by mx-nebolish.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id
>  1ewyfT2wu3Nl3490 for <[EMAIL PROTECTED]>; Mon, 31 Oct 2005 06:55:12 -0500 (EST)
> Received: from mx15.stngva01.us.mxservers.net (204.202.242.101)
>  by mail19a.g19.rapidsite.net (RS ver 1.0.95vs) with SMTP id 2-0924379712
>  for <[EMAIL PROTECTED]>; Mon, 31 Oct 2005 06:55:12 -0500 (EST)
> Received: from www.pattersonbunweb.com [207.56.100.245] (EHLO
> pattersonbunweb.com) by mx15.stngva01.us.mxservers.net
> (mxl_mta-1.3.8-10p4) with ESMTP id
> 02606634.9450.122.mx15.stngva01.us.mxservers.net;
>  Mon, 31 Oct 2005 06:55:12 -0500 (EST)
> Received: (from [EMAIL PROTECTED])
>  by pattersonbunweb.com (8.12.11/8.12.9/Submit) id j9VBtCbU052029;
>  Mon, 31 Oct 2005 06:55:12 -0500 (EST)
>  (envelope-from patt12)
> Date: Mon, 31 Oct 2005 06:55:12 -0500 (EST)
> Message-Id: <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: E-Mail ID #356042  PayPal Security Notification of Limited
> Account Access [28 Oct 2005 15:36:12 +0400]
> Content-Type: text/html; charset=us-ascii
> From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> Reply-to: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> Content-Transfer-Encoding: 7bit
> X-Accept-Language: en-us, en
> X-Spam-Flag: YES
> X-Spam: [F=0.9837704442; heur=0.746(2900); stat=0.481;
>  spamtraq-heur=0.956(2005103001)]
> X-MAIL-FROM: <[EMAIL PROTECTED]>
> X-SOURCE-IP: [207.56.100.245]
> X-Loop-Detect:1
> X-DistLoop-Detect:1
> X-ELNK-AV: 0
> X-NKVIR: Scanned
> ===8<---
> (The "X-MAIL-FROM:" header seems like an obvious tool. However, some of
> the SARE rules probably should have triggered and didn't. These SARE rule
> sets nominally hit PayPal spam:
> 70_sare_genlsubj1.cf
> 70_sare_header.cf
> 70_sare_spoof.cf    <-- this one really should have caught it.
>
> {^_^}

Where did the X-Spam-Flag: YES tag come from? I'm not much good on this but 
could it be since it already had a flag that it was skipped by SA?

-- 
Chris
Registered Linux User 283774 http://counter.li.org
20:35:58 up 25 days, 57 min, 3 users, load average: 0.42, 2.08, 2.39
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Honi soit la vache qui rit.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
