Definitely not a false positive! And considering that it is promoting and purportedly protecting the sale of an expensive ($2210) item outside of eBay, and demanding a Western Union money transfer (no, no, no!) I would treat it with the utmost suspicion.
Other anomalies: - as Justin points out, the sender IP is a dynamic AOL address - the message was sent via webmail (first hop is HTTP) - note the header "X-RocketYMMF: cacabeat99"; that gives a clue to the Yahoo ID of the sender. The text seems to be cut-n-pasted from an actual eBay email. But that gives it no authenticity. Bottom line: SARE_FORGED_EBAY is working just fine! Pierre Thomson BIC -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Wednesday, September 28, 2005 12:21 PM To: Bret Miller Cc: [email protected] Subject: Re: SARE_FORGED_EBAY FP?? -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Definitely sent from Yahoo! Mail through their webmail interface, by the user "cacabeat99", at IP address 172.179.255.127 (AOL space): Received: (qmail 94635 invoked by uid 60001); 27 Sep 2005 14:12:13 -0000 Message-ID: <[EMAIL PROTECTED]> Received: from [172.179.255.127] by web203.biz.mail.re2.yahoo.com via HTTP; Tue, 27 Sep 2005 07:12:13 PDT X-RocketYMMF: cacabeat99 I'd suspect someone on his auctions is spoofing eBay mails to fool him. - --j. "Bret Miller" writes: > I have a user who swears this message is legit and has been dealing with > this seller through ebay. I warned him that hitting SARE_FORGED_EBAY > isn't a good thing, but that I would report what seems to him to be a > false positive on it. The thing that gets me is that it claims to be > from ebay, but comes from a yahoo server. Here is the message that hit: > > X-Spam-Tests: > tests=BAYES_00=-2.599,HTML_MESSAGE=0.001,J_CHICKENPOX_44=0.6, > J_CHICKENPOX_48=0.6,J_CHICKENPOX_52=0.6,J_CHICKENPOX_55=0.6, > > J_CHICKENPOX_73=0.6,RCVD_IN_MXRATE_WL=-1,SARE_FORGED_EBAY=104;autolearn= > no > X-Spam-Score: 103.4 > X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on > mail.hq.wcg.org > X-Spam-Level: ++++++++++++++++++++++++++++++++++++++++++++++++++ > X-TFF-CGPSA-Version: 1.4 > X-WCG-CGPSA-Filter: Scanned > Return-Path: <[EMAIL PROTECTED]> > Received: from web203.biz.mail.re2.yahoo.com ([68.142.224.165] verified) > by mail.wcg.org (CommuniGate Pro SMTP 4.3.6) > with SMTP id 14560007 for [EMAIL PROTECTED]; Tue, 27 Sep 2005 > 07:12:32 -0700 > Received: (qmail 94635 invoked by uid 60001); 27 Sep 2005 14:12:13 -0000 > Message-ID: <[EMAIL PROTECTED]> > Received: from [172.179.255.127] by web203.biz.mail.re2.yahoo.com via > HTTP; Tue, 27 Sep 2005 07:12:13 PDT > X-RocketYMMF: cacabeat99 > Date: Tue, 27 Sep 2005 07:12:13 -0700 (PDT) > From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> > Reply-To: [EMAIL PROTECTED] > Subject: eBay International Second Chance Offer Invoice for Item: > 8333405041 > To: [EMAIL PROTECTED] > MIME-Version: 1.0 > Content-Type: multipart/alternative; > boundary="0-1651436707-1127830333=:91265" > Content-Transfer-Encoding: 8bit > > --0-1651436707-1127830333=:91265 > Content-Type: text/plain; charset=iso-8859-1 > Content-Transfer-Encoding: 8bit > > Buying new items, brand names, and collectibles on eBay is simple. > Here's how it works... Congratulations, eBay transaction started! > * Current status: Payment pending. Purchase protection granted. > > > Dear rryd.thornton ( 54) , > > After verifying the trustworthiness of the seller nurit214 ( 1028) > and the availability of the merchandise for immediate shipping, we have > approved your buy it now transaction and offered you as the buyer, > full purchase protection for the amount you agreed on with the seller. > > > Complete your eBay transaction in 5 easy steps: > ************************************************* > > 1-Buyer and seller agree on the transaction terms and a selling price. > 2-Seller contacts eBay with the transaction details. > eBay accepts the transaction and offers purchase protection to the > buyer (if the transaction is declined, no further action is required > from either the buyer or the seller). > 3-The buyer sends payment. After the payment > cleared, the seller must notify eBay. Buyer will send the payment > details directly to the seller email address. The seller has three > business days to send the buyer and eBay the tracking number of the > shipment. If no tracking number is provided, a full refund is > immediately sent to the buyer; > 4-Buyer receives the merchandise and has five days to inspect it. > If it is complete and as described, the buyer should accept the > merchandise. > If he refuses the merchandise, the buyer must ship the merchandise > back to the seller within three business days. > 5-After the inspection period is over, the buyer must contact eBay with > the result of the inspection. If the buyer refuses the merchandise, > the refund will be sent to the buyer after the tracking number for the > returned shipment is verified. > > To enjoy the purchase protection, you must send the payment by the > insured payment method below. > Attention: Sending the payment by any other method will void this > transaction and your right to refund. > > Details and instructions of this transaction: > > * The following item(s) are protected in this eBay transaction: > Item name: RARE 1896 $5.00 SILVER CERTIFICATE "EDUCATIONAL NOTE"Item > price:US $2,210.50/ Amount insuredShipping price:Ready to ship / The > Item price includes shipping and insurance fees.Payment:Pending Seller's > verified payment address:Jim Oliver > 112 Edith Road > London,W14 9AP > United Kingdom Buyer's shipping address: > Jerry Thornton > PO Box 50602 > Pasadena, CA 91115-0602 > United States > > > > Date of verification: Sept-24-2005 > Payment must be sent by: Western Union Money Transfer > Next step to be taken: The buyer must send the payment to > the seller > * Complete your eBay transaction: > > Payment instructions: > > To submit the payment with Western Union Money Transfer, you have two > options: > > 1. Pay for the transfer with cash at a local Western Union agent. > Click here to locate the agents in your area > http://www.westernunion.com/info/agentInquiryIntl.asp > > 2. If you are now in the USA and need to use a credit/debit card > (Visa or MC), call 1-800-CALL-CASH and make the payment to the verified > name > of the seller. An additional fee will be charged on most cards because > this transaction will be considered a cash advance on your card. > > ...
