> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bryan Hoover
> Sent: Friday, December 26, 2003 1:59 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] Ebay spoof?
>
> Does anyone know if the following mail is an ebay spoof? I think I've
> got an account with them, but it's been so long since I used it... And
> the site requires you to sign in in order to make a report, or request
> info -- apparently ebay does not provide a direct contact email address.
>
> Bayes won't learn it - to any sufficient degree - as spam either (below
> is after sa-learn(ed), though I have no ham ebay tokens (debug info does
> show a hit on the forged helo rule:
>
> debug: forged-HELO: from=ebay.com helo=ebay.com by=pair.com
> debug: forged-HELO: from=ebay.com helo=sjcbat01 by=ebay.com
>
> but I'm using the default score, 0 so it does not show in the SA
> header):
>
> >From [EMAIL PROTECTED] Fri Dec 26 13:46:58 2003
> Return-Path: <[EMAIL PROTECTED]>
> Delivered-To: bhoover-wecs:[EMAIL PROTECTED]
> X-Envelope-To: [EMAIL PROTECTED]
> Received: (qmail 78353 invoked from network); 26 Dec 2003 13:46:58 -0000
> Received: from mxsmfpool23.ebay.com (HELO mx47.smf.ebay.com)
>   (66.135.209.220)
>   by coll.pair.com with SMTP; 26 Dec 2003 13:46:58 -0000
> Received: from sjcbat01 (sjcbat01.sjc.ebay.com [10.6.37.40])
>   by mx47.smf.ebay.com (8.12.3/8.12.3) with SMTP id hBQDkRRt025990
>   for <[EMAIL PROTECTED]>; Fri, 26 Dec 2003 05:46:28 -0800
It is best to post the entire message as an attachment. In this case, I'd bet that the apparent Ebay link goes somewhere else (do "view source" on the message).

As far as 66.135.209.220 goes:

# dig -x 220.209.135.66 +recursive

; <<>> DiG 9.2.1 <<>> -x 220.209.135.66 +recursive
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5517
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;66.135.209.220.in-addr.arpa.		IN	PTR

;; ANSWER SECTION:
66.135.209.220.in-addr.arpa. 85659	IN	PTR	actkyo142066.adsl.ppp.infoweb.ne.jp.
[snip]

Compare this to a legit IP (pointing to a machine named 'data') in ebay.com:

# dig -x 66.135.195.180 +recursive

; <<>> DiG 9.2.1 <<>> -x 66.135.195.180 +recursive
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33955
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 1

;; QUESTION SECTION:
;180.195.135.66.in-addr.arpa.		IN	PTR

;; ANSWER SECTION:
180.195.135.66.in-addr.arpa. 3600	IN	PTR	data.ebay.com.
[snip]

Thus, it looks as if the spoofed ebay message originated at:

actkyo142066.adsl.ppp.infoweb.ne.jp

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
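As an added example (not from the thread or from SpamAssassin), a small Python check that does offline what the dig lookups above do by hand: it parses the first Received header quoted in the original message, derives the in-addr.arpa query name from the connecting address the way dig -x does (address given in normal octet order), and compares the PTR answer with the domain the HELO claims. DNS is replaced by a constructed table holding only the two PTR answers shown in the thread; the function names and the "claimed domain = last two labels" rule are my own simplifications.

```python
import ipaddress
import re

# Received header copied from the message quoted in the thread.
RECEIVED = (
    "from mxsmfpool23.ebay.com (HELO mx47.smf.ebay.com) (66.135.209.220) "
    "by coll.pair.com with SMTP; 26 Dec 2003 13:46:58 -0000"
)
# Constructed stand-in for DNS: only the two PTR answers shown in the thread,
# keyed by the in-addr.arpa name that each dig command actually queried.
PTR_TABLE = {
    "180.195.135.66.in-addr.arpa": "data.ebay.com",
    "66.135.209.220.in-addr.arpa": "actkyo142066.adsl.ppp.infoweb.ne.jp",
}
RECEIVED_RE = re.compile(
    r"from\s+(?P<claimed>\S+)\s+\(HELO\s+(?P<helo>[^)]+)\)\s+"
    r"\((?P<ip>[0-9.]+)\)\s+by\s+(?P<by>\S+)"
)

def parse_received(header):
    """Extract claimed rDNS name, HELO name, connecting IP and receiving host."""
    m = RECEIVED_RE.search(header)
    if not m:
        raise ValueError("unrecognised Received header format")
    return m.groupdict()

def reverse_name(ip):
    """in-addr.arpa name for an address in normal octet order (what dig -x does)."""
    return ipaddress.ip_address(ip).reverse_pointer

def in_domain(host, domain):
    """True if host equals domain or is a subdomain of it."""
    host, domain = host.rstrip(".").lower(), domain.rstrip(".").lower()
    return host == domain or host.endswith("." + domain)

def assess(header, ptr_table=PTR_TABLE):
    """Check the connecting IP's PTR record against the domain the HELO claims.
    Simplification: the last two labels of the HELO name are taken as the domain."""
    hop = parse_received(header)
    query = reverse_name(hop["ip"])
    ptr = ptr_table.get(query)
    claimed_domain = ".".join(hop["helo"].split(".")[-2:])
    if ptr is None:
        verdict = "unverified"  # no PTR answer on hand for this query name
    elif in_domain(ptr, claimed_domain):
        verdict = "consistent"
    else:
        verdict = "mismatch"  # PTR lies outside the domain the hop claims
    return {"ip": hop["ip"], "query": query, "ptr": ptr,
            "claimed_domain": claimed_domain, "verdict": verdict}
```

Running assess(RECEIVED) shows that the query name for 66.135.209.220 is 220.209.135.66.in-addr.arpa, for which the thread shows no answer, so the hop stays "unverified" rather than "mismatch".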