See the headers below. It 'appears' to me that this message went through the spammer's ISP before being sent to me, or is this just another spammer's 'game'?
Received: from localhost by cpollock.localdomain
    with SpamAssassin (version 3.1.5);
    Wed, 06 Sep 2006 11:57:43 -0500
From: "eBay" <[EMAIL PROTECTED]>
To: undisclosed-recipients: ;
Subject: [SPAM] Question about Item
Date: Wed, 6 Sep 2006 18:41:22 +0200
Message-Id: <[EMAIL PROTECTED]>
X-Spam-Virus: No
X-Spam-Seen: Tokens 409
X-Spam-New: Tokens 444
X-Spam-Remote: Host localhost.localdomain
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.5 (2006-08-29) on cpollock.localdomain
X-Spam-Hammy: Tokens 56
X-Spam-Status: Yes, score=13.8 required=5.0 tests=BAYES_50,
    DBL_12_LETTER_PGIMG,DCC_CHECK,DIGEST_MULTIPLE,DK_POLICY_SIGNSOME,
    DK_POLICY_TESTING,DNS_FROM_RFC_ABUSE,FORGED_RCVD_HELO,HTML_MESSAGE,
    RAZOR2_CHECK,SAGREY,SARE_FORGED_EBAY,SPF_SOFTFAIL,UNDISC_RECIPS,
    UNPARSEABLE_RELAY,URIBL_SBL autolearn=disabled version=3.1.5
X-Spam-Spammy: Tokens 95
X-Spam-Pyzor: Reported 0 times.
X-Spam-Token: Summary Tokens: new, 35; hammy, 56; neutral, 258; spammy, 95.
X-Spam-DCC: cpollock 1113; Body=many Fuz1=many Fuz2=many
X-Spam-Untrusted: Relays [ ip=200.80.221.2 rdns=200.80.221.2.static.techtelnet.net
    helo=dtnet.com.ar by=mx-herron.atl.sa.earthlink.net ident= envfrom= intl=0
    id=1gl0GJ6q03Nl34a0 auth= ]
X-Spam-Level: *************
X-Spam-RBL: Results <dns:2.221.80.200.dnsbl.sorbs.net> [127.0.0.6]
    <dns:ebay.com.fulldom.rfc-ignorant.org> [127.0.0.4]
    <dns:ebay.com> [66.135.192.87]
    <dns:ebay.com?type=MX> [10 data.ebay.com., 10 lore.ebay.com.]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_44FEFE07.5C699AE2"
X-UID: 68324
X-Length: 20931

Spam detection software, running on the system "cpollock.localdomain", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see Chris for details.

Content preview: This mail is probably spam.
The original message has been altered so you can recognise or block similar unwanted mail in future. See http://spamassassin.org/tag/ for more details. [...]

Content analysis details: (13.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.8 UNDISC_RECIPS          Valid-looking To "undisclosed-recipients"
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
 1.4 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
                            [SPF failed: Please see http://spf.pobox.com/why.html?sender=aw-confirm%40ebay.com&ip=200.80.221.2&receiver=localhost.localdomain]
 0.0 DK_POLICY_TESTING      Domain Keys: policy says domain is testing DK
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5011]
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 0.2 DNS_FROM_RFC_ABUSE     RBL: Envelope sender in abuse.rfc-ignorant.org
 1.6 URIBL_SBL              Contains an URL listed in the SBL blocklist
                            [URIs: smtp.ru]
 0.8 DIGEST_MULTIPLE        Message hits more than one network digest check
 0.2 DBL_12_LETTER_PGIMG    DBL_12_LETTER_PGIMG
 4.0 SARE_FORGED_EBAY       Message appears to be forged, (ebay.com)
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

The original message was not completely plain text, and may be unsafe to open with some email clients; in particular, it may contain a virus, or confirm that your address can receive spam. If you wish to view it, it may be safer to save it to a file and open it with an editor.
---->My headers above<----

Encapsulated message

Status: U
Return-Path: <[EMAIL PROTECTED]>
Received: from pop.earthlink.net [209.86.93.205]
    by localhost with POP3 (fetchmail-6.2.5)
    for [EMAIL PROTECTED] (single-drop); Wed, 06 Sep 2006 11:57:35 -0500 (CDT)
Received: from dtnet.com.ar ([200.80.221.2])
    by mx-herron.atl.sa.earthlink.net (EarthLink SMTP Server) with ESMTP id 1gl0GJ6q03Nl34a0
    for <[EMAIL PROTECTED]>; Wed, 6 Sep 2006 12:55:50 -0400 (EDT)
Received: by dtnet.com.ar (Postfix, from userid 100)
    id 10D4E5C0C5; Wed, 6 Sep 2006 13:29:10 -0300 (ART)
Received: from localhost by dtnet.com.ar
    with SpamAssassin (2.63 2004-01-11);
    Wed, 06 Sep 2006 13:29:09 -0300
From: "eBay" <[EMAIL PROTECTED]>
To: undisclosed-recipients: ;
Subject: [SPAM] Question about Item
Date: Wed, 6 Sep 2006 18:41:22 +0200
Message-Id: <[EMAIL PROTECTED]>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on dtnet.com.ar
X-Spam-Level: ********
X-Spam-Status: Yes, hits=8.3 required=5.0 tests=CLICK_BELOW,
    FORGED_MUA_OUTLOOK,FORGED_OUTLOOK_TAGS,HTML_70_80,HTML_FONTCOLOR_BLUE,
    HTML_FONTCOLOR_UNSAFE,HTML_FONT_BIG,HTML_MESSAGE,
    HTML_MIME_NO_HTML_TAG,HTML_TAG_EXISTS_TBODY,MIME_HTML_ONLY,
    MSGID_FROM_MTA_SHORT autolearn=no version=2.63
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_44FEF755.E4D77490"
X-ELNK-Info: sbv=0; sbrc=.0; sbf=00; sbw=000;
X-SenderIP: 200.80.221.2
X-ASN: ASN-11664
X-CIDR: 200.80.192.0/19

----------------------------------------------------------------------
This mail is probably spam. The original message has been altered so you can recognise or block similar unwanted mail in future. See http://spamassassin.org/tag/ for more details.
Score: 8.3
Threshold: 5.0

0.1 HTML_FONTCOLOR_BLUE    BODY: HTML font color is blue
0.0 HTML_MESSAGE           BODY: HTML included in message
0.1 HTML_FONT_BIG          BODY: HTML has a big font
0.1 HTML_FONTCOLOR_UNSAFE  BODY: HTML font color not in safe 6x6x6 palette
0.1 HTML_TAG_EXISTS_TBODY  BODY: HTML has "tbody" tag
0.1 HTML_70_80             BODY: Message is 70% to 80% HTML
0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
3.3 MSGID_FROM_MTA_SHORT   Message-Id was added by a relay
1.7 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
1.1 FORGED_OUTLOOK_TAGS    Outlook can't send HTML in this format
0.0 CLICK_BELOW            Asks you to click below
1.6 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
----------------------------------------------------------------------
The original message was not completely plain text, and may be unsafe to open with some email clients; in particular, it may contain a virus, or confirm that your address can receive spam. If you wish to view it, it may be safer to save it to a file and open it with an editor.

Running nslookup on the X-SenderIP: 200.80.221.2 equates to:

[EMAIL PROTECTED] chris]$ nslookup 200.80.221.2
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
2.221.80.200.in-addr.arpa       name = 200.80.221.2.static.techtelnet.net.

and going to www.techtelnet.net gives me:

En construccion Under Construction?

And lastly the 'stupid' phisher link, this is the one that has the Russian links to ads at the bottom of the page.

http://signin-ebay-co-uk-uk.smtp.ru/ws.eBayISAPI.dll.SignIn.pUserid.co.partnerId.siteid.pageType.pa1.i1.html

--
Chris
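An added example, not part of the original post: it walks the Received chain of the encapsulated message oldest-first and finds the first hop written by a relay the recipient trusts, since only the connecting IP recorded there is verifiable and every older header is supplied by the sending side. The TRUSTED suffixes are an assumption about the recipient's own relays, and the reverse-DNS value is copied from the nslookup output above rather than looked up live.

```python
import re
from email import message_from_string

# Constructed sample: Received chain quoted in the post, redacted "for" clauses left out.
SAMPLE = """\
Received: from pop.earthlink.net [209.86.93.205] by localhost with POP3
 (fetchmail-6.2.5); Wed, 06 Sep 2006 11:57:35 -0500 (CDT)
Received: from dtnet.com.ar ([200.80.221.2])
 by mx-herron.atl.sa.earthlink.net (EarthLink SMTP Server) with ESMTP
 id 1gl0GJ6q03Nl34a0; Wed, 6 Sep 2006 12:55:50 -0400 (EDT)
Received: by dtnet.com.ar (Postfix, from userid 100) id 10D4E5C0C5;
 Wed, 6 Sep 2006 13:29:10 -0300 (ART)
Received: from localhost by dtnet.com.ar with SpamAssassin (2.63 2004-01-11);
 Wed, 06 Sep 2006 13:29:09 -0300
"""
# Reverse DNS as reported by the nslookup output in the post (no live lookup).
RDNS = {"200.80.221.2": "200.80.221.2.static.techtelnet.net"}
TRUSTED = ("earthlink.net", "localhost")  # assumption: the recipient's own relays

def under(host, suffixes):
    """True if host equals, or is a subdomain of, one of the suffixes."""
    return any(host == s or host.endswith("." + s) for s in suffixes)

def parse_hops(raw):
    """Return Received hops oldest-first (each relay prepends its own header)."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        text = " ".join(value.split()).rsplit(";", 1)[0]   # unfold, drop the date
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", text)
        bare = re.sub(r"\([^()]*\)", " ", text)  # drop comments, e.g. "(Postfix, from userid 100)"
        frm = re.search(r"\bfrom\s+(\S+)", bare)
        by = re.search(r"\bby\s+(\S+)", bare)
        hops.append({"from": frm.group(1) if frm else None,
                     "by": by.group(1) if by else None,
                     "ip": ip.group(1) if ip else None})
    return hops

def handoff(hops, trusted=TRUSTED):
    """Oldest hop written by a trusted relay; hops before it are unverified claims."""
    for i, hop in enumerate(hops):
        if hop["by"] and under(hop["by"], trusted):
            rdns = RDNS.get(hop["ip"], "")
            return {"index": i, "ip": hop["ip"], "helo": hop["from"],
                    "helo_matches_rdns": bool(hop["from"]) and under(rdns, (hop["from"],)),
                    "unverified": [h["by"] for h in hops[:i]]}
    return None

if __name__ == "__main__":
    print(handoff(parse_hops(SAMPLE)))
```

On this sample the handoff is the mx-herron.atl.sa.earthlink.net hop: it recorded 200.80.221.2 with a HELO name that does not match the reverse DNS, and the two older dtnet.com.ar headers sit on the unverified side of that boundary.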