===8<---
Status: U
Return-Path: <[EMAIL PROTECTED]>
Received: from smtp.earthlink.net [209.86.93.209]
by localhost with POP3 (fetchmail-6.2.5)
for [EMAIL PROTECTED] (single-drop); Mon, 31 Oct 2005 03:55:59 -0800 (PST)
Received: from mail19a.g19.rapidsite.net ([204.202.242.24])
by mx-nebolish.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id
1ewyfT2wu3Nl3490
for <[EMAIL PROTECTED]>; Mon, 31 Oct 2005 06:55:12 -0500 (EST)
Received: from mx15.stngva01.us.mxservers.net (204.202.242.101)
by mail19a.g19.rapidsite.net (RS ver 1.0.95vs) with SMTP id 2-0924379712
for <[EMAIL PROTECTED]>; Mon, 31 Oct 2005 06:55:12 -0500 (EST)
Received: from www.pattersonbunweb.com [207.56.100.245] (EHLO
pattersonbunweb.com)
by mx15.stngva01.us.mxservers.net (mxl_mta-1.3.8-10p4) with ESMTP id
02606634.9450.122.mx15.stngva01.us.mxservers.net;
Mon, 31 Oct 2005 06:55:12 -0500 (EST)
Received: (from [EMAIL PROTECTED])
by pattersonbunweb.com (8.12.11/8.12.9/Submit) id j9VBtCbU052029;
Mon, 31 Oct 2005 06:55:12 -0500 (EST)
(envelope-from patt12)
Date: Mon, 31 Oct 2005 06:55:12 -0500 (EST)
Message-Id: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: E-Mail ID #356042 PayPal Security Notification of Limited Account Access [28 Oct
2005 15:36:12 +0400]
Content-Type: text/html; charset=us-ascii
From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Reply-to: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Content-Transfer-Encoding: 7bit
X-Accept-Language: en-us, en
X-Spam-Flag: YES
X-Spam: [F=0.9837704442; heur=0.746(2900); stat=0.481;
spamtraq-heur=0.956(2005103001)]
X-MAIL-FROM: <[EMAIL PROTECTED]>
X-SOURCE-IP: [207.56.100.245]
X-Loop-Detect:1
X-DistLoop-Detect:1
X-ELNK-AV: 0
X-NKVIR: Scanned
===8<---
(The "X-MAIL-FROM:" header seems like an obvious tool. However some of the
SARE rules probably should have triggered and didn't. These rule SARE sets
nominally hit paypal spam:
70_sare_genlsubj1.cf
70_sare_header.cf
70_sare_spoof.cf <-- this one really should have caught it.
{^_^}
