Sorry to confuse the list with un-marked up Emails <g>. Here's the MARKUP from the BankOfA FP:
Content analysis details:   (10.3 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.4 X_MAILER_SPAM          X-Mailer: header is bulk email fingerprint
 1.0 NO_REAL_NAME           From: does not include a real name
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 HTML_MESSAGE           BODY: HTML included in message
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 0.0 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 1.4 DNS_FROM_RFC_WHOIS     RBL: Envelope sender in whois.rfc-ignorant.org
 3.0 SARE_FORGED_BANKOFA    SARE_FORGED_BANKOFA

So, you see the SPF pass from SpamAssassin. Looking at why, we see the Envelope From is billpay.bankofamerica.com, and the mailer is 208.235.248.20.

Someone posted the bankofamerica.com SPF data, but that has nothing to do with this email. The correct data (dig txt billpay.bankofamerica.com) is:

"v=spf1 a:outbd-pstfx.customercenter.net a:devnull.ebillinvite.com mx ~all"

and it lists outbd-pstfx.customercenter.net (208.235.248.20) first, thus the Pass. The Fail or Softfail is never parsed.

Dan

-----Original Message-----
From: Matt Kettler [mailto:[EMAIL PROTECTED]
Sent: Sunday, January 14, 2007 4:51 PM
To: Michael Scheidell
Cc: Dan Barker; users@spamassassin.apache.org
Subject: Re: Bank Of A FP

Michael Scheidell wrote:
> Also they via SPF that 'customercenter.net' is not a valid host for
> their email.
>
> host -t txt bankofamerica.com
> bankofamerica.com descriptive text "v=spf1 a:sfmx02.bankofamerica.com
> a:sfmx04.bankofamerica.com a:vamx04.bankofamerica.com
> a:vamx02.bankofamerica.com a:txmx02.bankofamerica.com
> a:txmx04.bankofamerica.com include:_spfx.bankofamerica.com ~all"
>
> host -t txt _spfx.bankofamerica.com
> _spfx.bankofamerica.com descriptive text "v=spf1
> a:cr-mailgw.bankofamerica.com a:cw-mailgw.bankofamerica.com
> ip4:216.98.25.71 ip4:216.98.24.71 ip4:12.129.128.135 ip4:199.15.61.23
> ~all"
>
>
> So, according to their SPF records, that is a forged email.
>

Where's the !all in that record.. I don't see it.. do you?
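
Added example, not part of the original thread: a simplified SPF mechanism walk in Python over the three records quoted above, showing why 208.235.248.20 passes against the envelope domain billpay.bankofamerica.com but only softfails against bankofamerica.com. The `A` table is a constructed stand-in for DNS that holds the one address the thread gives (hosts without an entry are assumed not to resolve to the sending IP), and `check_host` is a hypothetical helper, not SpamAssassin's code.

```python
import ipaddress

# SPF records exactly as quoted in the thread.
TXT = {
    "billpay.bankofamerica.com":
        "v=spf1 a:outbd-pstfx.customercenter.net a:devnull.ebillinvite.com mx ~all",
    "bankofamerica.com":
        "v=spf1 a:sfmx02.bankofamerica.com a:sfmx04.bankofamerica.com "
        "a:vamx04.bankofamerica.com a:vamx02.bankofamerica.com "
        "a:txmx02.bankofamerica.com a:txmx04.bankofamerica.com "
        "include:_spfx.bankofamerica.com ~all",
    "_spfx.bankofamerica.com":
        "v=spf1 a:cr-mailgw.bankofamerica.com a:cw-mailgw.bankofamerica.com "
        "ip4:216.98.25.71 ip4:216.98.24.71 ip4:12.129.128.135 ip4:199.15.61.23 ~all",
}
# Constructed DNS stand-in: the only host/address pair the thread states.
A = {"outbd-pstfx.customercenter.net": ["208.235.248.20"]}
MX = {}  # constructed: no MX data is given in the thread

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, depth=0):
    """Evaluate mechanisms left to right; the first match decides the result."""
    record = TXT.get(domain)
    if record is None or depth > 10:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qual = "+"                           # default qualifier is pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            hit = True
        elif name == "ip4":
            hit = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            hit = ip in A.get(arg or domain, [])
        elif name == "mx":
            hit = any(ip in A.get(h, []) for h in MX.get(arg or domain, []))
        elif name == "include":              # matches only if the inner check passes
            hit = check_host(ip, arg, depth + 1) == "pass"
        else:
            continue                         # other mechanisms are not used by these records
        if hit:
            return QUALIFIERS[qual]
    return "neutral"

if __name__ == "__main__":
    for dom in ("billpay.bankofamerica.com", "bankofamerica.com"):
        print(dom, "->", check_host("208.235.248.20", dom))
```

The domain passed to the check is the envelope sender's domain, which is why the bankofamerica.com record never enters the evaluation for this message.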