New phish looks like a LEGIT ebay message from another user
I handle all problems like this at the SMTP level using the old, but extremely powerful Obtuse smtpd daemon (http://sd.inodes.org/). All inbound mail is collected by the smtpd daemon on my MX server, then passed to another machine for SA scanning and delivery.
The Obtuse daemon lets you write rules based on the sending server's identity (both IP and domain name) and the data contained in the MAIL FROM and RCPT TO fields in the SMTP exchange.
In the case of eBay, we only accept messages with an @ebay.com From address if they come from a server in *.ebay.com. I've found this to be a very effective deterrent to phishing scams and use it with a number of banking and financial domains. I also apply similar rules to messages from commonly-forged domains like AOL, Yahoo, Hotmail, etc.
This approach occasionally runs afoul of people, usually on residential connections, who erroneously use their AOL or Yahoo address in the From, but mail out through another ISP's server. When this happens I politely explain why there is a Reply-To header. We process about 100K messages a week; these problems arise at most once a month.
The Obtuse daemon also has a function that can reject mail according to the domain of the sending server's DNS host. That works well with some spamming operations that have dozens of bogus domains all pointing at a common DNS host.
Peter
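
The rule described in the message above (accept an @ebay.com envelope sender only from a server in *.ebay.com), sketched in Python as an added example that is not part of the original post and is not Obtuse smtpd rule syntax. The `PROTECTED` table, the function names and the sample sessions are assumptions constructed for illustration, and the client hostname is assumed to be a verified reverse-DNS name supplied by the MTA.

```python
# Added illustration: envelope-sender vs. client-hostname policy.
# PROTECTED and the sample sessions are constructed for this example.

PROTECTED = {
    # envelope sender domain -> domain the connecting server must belong to
    "ebay.com": "ebay.com",
    "aol.com": "aol.com",
    "yahoo.com": "yahoo.com",
    "hotmail.com": "hotmail.com",
}


def in_domain(host, domain):
    """True if host is `domain` itself or a subdomain of it (label-aware)."""
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    # Requiring the leading dot keeps "notebay.com" from matching "ebay.com".
    return host == domain or host.endswith("." + domain)


def sender_domain(mail_from):
    """Extract the domain from a MAIL FROM argument; '' for the null sender."""
    addr = mail_from.strip().strip("<>")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def check(client_host, mail_from):
    """Return (accept, reason) for one SMTP session.

    client_host is the verified reverse-DNS name of the connecting server,
    or None when the IP has no usable PTR record.
    """
    dom = sender_domain(mail_from)
    for protected, required in PROTECTED.items():
        if in_domain(dom, protected):
            if client_host and in_domain(client_host, required):
                return True, "sender domain matches sending server"
            return False, f"550 mail from {protected} must come from *.{required}"
    return True, "sender domain not protected"


# Constructed sessions: (client hostname, MAIL FROM)
SESSIONS = [
    ("mx12.ebay.com", "<member@ebay.com>"),
    ("dsl-1-2-3-4.example.net", "<seller@ebay.com>"),
    ("mail.notebay.com", "<support@ebay.com>"),
    (None, "<billing@EBAY.COM>"),
    ("relay.example.org", "<>"),
]

if __name__ == "__main__":
    for host, frm in SESSIONS:
        print(host, frm, check(host, frm))
```

The null sender (`<>`) is accepted here so that bounces are not rejected by this rule, and a client with no PTR record fails for every protected domain.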