On Monday 20 September 2004 06:20 pm, Jeff Chan wrote:
Please test the MailPolice Fraud list as Bill described earlier (copied below). We would like to include this data in our PH anti-phishing list, but request your help in testing it first.
We're particularly interested in any false positives.
Jeff C.
Jeff, I know you're interested in FPs, but how about a fraud/phishing spam that wasn't tagged by MP? The message mentions new servers and upgrading your account info.
Status: R
Return-Path: test@localhost.localdomain
Received: from localhost.localdomain ([202.82.17.60])
    by tanager.mail.pas.earthlink.net (EarthLink SMTP Server) with ESMTP id 1cc6Dr2lm3NZFmQ0
    for cpollock@earthlink.net; Mon, 27 Sep 2004 18:18:29 -0700 (PDT)
Received: from localhost.localdomain (httpserver [127.0.0.1])
    by localhost.localdomain (8.12.11/8.12.11) with ESMTP id i8S1ISC3018023
    for cpollock@earthlink.net; Tue, 28 Sep 2004 09:18:28 +0800
Received: (from test@localhost)
    by localhost.localdomain (8.12.11/8.12.11/Submit) id i8S1IS7M018022;
    Tue, 28 Sep 2004 09:18:28 +0800
Date: Tue, 28 Sep 2004 09:18:28 +0800
Message-Id: 200409280118.i8S1IS7M018022@localhost.localdomain
To: cpollock@earthlink.net
Subject: *****SPAM***** Ebay account update to new servers
From: eBay Online Communitysupport@ebay.com
Content-Type: text/html
X-ELNK-AV: 0
X-Spam-DCC: sgs_public_dcc_server: cpollock 1199; Body=many Fuz1=many Fuz2=many
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on cpollock
X-Spam-Level: **************************************************
X-Spam-Status: Yes, hits=119.9 required=5.0 tests=AM_BODY_PLING,
    ASKS_BILLING_ADDRESS,BAYES_70,DCC_CHECK,HTML_FONTCOLOR_BLUE,
    HTML_FONTCOLOR_RED,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,
    MIME_HEADER_CTYPE_ONLY,MIME_HTML_NO_CHARSET,MIME_HTML_ONLY,
    NORMAL_HTTP_TO_IP,RM_uwd_affiliate,SARE_FORGED_EBAY,SARE_HTML_FSIZE6
    autolearn=no version=2.63
X-Spam-Pyzor: Reported 0 times.
X-Spam-Report:
    * 1.0 AM_BODY_PLING BODY: Body has lots of exclamation points
    * 0.4 ASKS_BILLING_ADDRESS BODY: Asks for a billing address
    * 2.6 BAYES_70 BODY: Bayesian spam probability is 70 to 80%
    *     [score: 0.7408]
    * 0.1 HTML_FONTCOLOR_BLUE BODY: HTML font color is blue
    * 0.1 HTML_MESSAGE BODY: HTML included in message
    * 0.3 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
    * 0.1 HTML_FONTCOLOR_RED BODY: HTML font color is red
    * 0.2 SARE_HTML_FSIZE6 BODY: Message uses suspicious font size and/or color
    * 1.4 MIME_HTML_NO_CHARSET RAW: Message text in HTML without charset
    * 2.4 NORMAL_HTTP_TO_IP URI: Uses a dotted-decimal IP address in URL
    * 1.3 RM_uwd_affiliate URI: text references affiliate program
    * 2.7 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
    * 1.2 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag
    * 2.2 MIME_HEADER_CTYPE_ONLY 'Content-Type' found without required MIME headers
    * 104 SARE_FORGED_EBAY Message appears to be forged, (ebay.com)
X-Status: N