Posted to users@spamassassin.apache.org by Chris <cp...@earthlink.net> on 2006/12/04 00:48:41 UTC
real or fake capital-one message
I got this in my inbox today, I believe it to be real, however I'll post the
headers below. The reason I think it may be real is that there is some
person out there named Carol Pollock who for some reason and somehow is
using the email address of cpollock@earthlink.net. How, I haven't the
faintest clue. Here are the headers:
X-Spam-Virus: No
X-Spam-Seen: Tokens 204
X-Spam-New: Tokens 293
X-Spam-Remote: Host localhost.localdomain
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on
cpollock.localdomain
X-Spam-Hammy: Tokens 56
X-Spam-Status: No, score=-105.3 required=5.0 tests=BAYES_00,HTML_MESSAGE,
SPF_FAIL,SPF_HELO_PASS,USER_IN_WHITELIST autolearn=disabled
version=3.1.7
X-Spam-Spammy: Tokens 5
X-Spam-Pyzor: Reported 0 times.
X-Spam-Token: Summary Tokens: new, 89; hammy, 56; neutral, 143; spammy, 5.
X-Spam-DCC: CollegeOfNewCaledonia cpollock 1189; Body=1 Fuz1=1 Fuz2=1
X-Spam-Untrusted: Relays [ ip=216.35.62.79
rdns=arm79.bigfootinteractive.com
helo=bigfootinteractive.com by=mx-bracke.atl.sa.earthlink.net ident=
envfrom= intl=0 id=1gQWIB30u3Nl34i6 auth= ]
X-Spam-Level:
X-Spam-RBL: Results <dns:email.capitalone.com?type=MX> [20
arm.bigfootinteractive.com.]
<dns:email.capitalone.com> [206.132.3.45]
Status: U
Return-Path: <ca...@email.capitalone.com>
Received: from pop.earthlink.net [209.86.93.201]
by localhost with POP3 (fetchmail-6.2.5)
for cpollock@localhost (single-drop); Sun, 03 Dec 2006 13:11:30
-0600 (CST)
Received: from bigfootinteractive.com ([216.35.62.79])
by mx-bracke.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP
id 1gQWIB30u3Nl34i6
for <cp...@earthlink.net>; Sun, 3 Dec 2006 14:09:41 -0500 (EST)
Reply-To: Capital One
<ca...@email.capitalone.com>
Message-ID:
<TB...@email.capitalone.com>
X-BFI: TBTH0562119F1CA6AC909D05A5EBC0
Date: Sun, 03 Dec 2006 14:09:41 EST
From: Capital One <ca...@email.capitalone.com>
Subject: Welcome to Capital One No Hassle Rewards
To: cpollock@earthlink.net
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="ABCD-TBTH0562119F1CA6AC909D05A5EBC0-EFGH"
X-ELNK-Info: sbv=0; sbrc=.0; sbf=00; sbw=000;
X-SenderIP: 216.35.62.79
X-ASN: ASN-3561
X-CIDR: 216.32.0.0/14
X-UID: 24237
X-Length: 11032
[chris@cpollock chris]$ nslookup 216.35.62.79
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
79.62.35.216.in-addr.arpa canonical name =
79.0/25.62.35.216.in-addr.arpa.
79.0/25.62.35.216.in-addr.arpa name = arm79.bigfootinteractive.com.
I could of course throw this into my spam folder and report it with the rest
or I could just delete it, however I'm curious as to whether it's an actual
message from them or not. It has a valid certificate issued by VeriSign
OU = www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
OU = VeriSign International Server CA - Class 3
OU = VeriSign, Inc.
O = VeriSign Trust Network
02/12/2006 18:00:00
(02/13/2006 00:00:00 GMT)
02/13/2007 17:59:59
(02/13/2007 23:59:59 GMT)
I'm going to assume that it's a valid message and that she's again using my
email address and that I'm getting some of her mail. This happened with
Circuit City last month and I 'tried' talking to them about this but since
their support apparently has been outsourced I got nowhere, the same as
when I tried to talk to Earthlink about it.
--
Chris
Re: real or fake capital-one message
Posted by David B Funk <db...@engineering.uiowa.edu>.
On Sun, 3 Dec 2006, Chris wrote:
> I got this in my inbox today, I believe it to be real, however I'll post the
> headers below. The reason I think it may be real is that there is some
> person out there named Carol Pollock who for some reason and somehow is
> using the email address of cpollock@earthlink.net. How, I haven't the
> faintest clue. Here are the headers:
>
> X-Spam-Untrusted: Relays [ ip=216.35.62.79
> rdns=arm79.bigfootinteractive.com
> helo=bigfootinteractive.com by=mx-bracke.atl.sa.earthlink.net ident=
> envfrom= intl=0 id=1gQWIB30u3Nl34i6 auth= ]
> X-Spam-Level:
> X-Spam-RBL: Results <dns:email.capitalone.com?type=MX> [20
> arm.bigfootinteractive.com.]
> <dns:email.capitalone.com> [206.132.3.45]
> Status: U
> Return-Path: <ca...@email.capitalone.com>
> Received: from pop.earthlink.net [209.86.93.201]
> by localhost with POP3 (fetchmail-6.2.5)
> for cpollock@localhost (single-drop); Sun, 03 Dec 2006 13:11:30
> -0600 (CST)
> Received: from bigfootinteractive.com ([216.35.62.79])
> by mx-bracke.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP
[snip..]
I'd vote for this being a legit case of pilot error on the
original user's part. Much to their shame, CapitalOne -does- use
BFI for sending out many of their mailings.
I even had to go so far as to whitelist_from_rcvd *@email.capitalone.com
sent via bigfootinteractive.com
Now to be fair, CapitalOne isn't the only culprit in this crime,
email.discovercard.com & email.chase.com use BFI too.
Dave
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
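
Added example, not part of the original thread and not SpamAssassin's own code: a simplified Python model of why whitelist_from_rcvd is stricter than whitelist_from. It matches the From address against a glob and also requires the reverse DNS of the relay that handed the message over to fall inside the named domain, using the relay line quoted in the first post. The sender address, the second relay line and all function names are constructed for illustration.

```python
import re

# Relay metadata copied from the X-Spam-Untrusted header quoted in the first post.
PAGE_RELAYS = ("[ ip=216.35.62.79 rdns=arm79.bigfootinteractive.com "
               "helo=bigfootinteractive.com by=mx-bracke.atl.sa.earthlink.net "
               "ident= envfrom= intl=0 id=1gQWIB30u3Nl34i6 auth= ]")
# Constructed relay: same From address, but handed over by an unrelated host.
FORGED_RELAYS = ("[ ip=192.0.2.10 rdns=host.example.net helo=email.capitalone.com "
                 "by=mx.example.org ident= envfrom= intl=0 id=x auth= ]")
# Placeholder sender; the archive obscures the real local part.
SENDER = "sender@email.capitalone.com"

def parse_relays(text):
    """Turn '[ key=value ... ]' relay blocks into a list of dicts."""
    return [dict(re.findall(r"(\w+)=(\S*)", block))
            for block in re.findall(r"\[([^\]]*)\]", text)]

def glob_match(pattern, addr):
    """Address glob with only '*' and '?' as wildcards, case-insensitive."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, addr, re.IGNORECASE) is not None

def rdns_in_domain(rdns, domain):
    """True if rdns is the domain itself or a subdomain (label boundary)."""
    rdns, domain = rdns.lower().rstrip("."), domain.lower().rstrip(".")
    return rdns == domain or rdns.endswith("." + domain)

def whitelist_from(sender, addr_glob):
    """Address-only check: anything that forges the From address passes."""
    return glob_match(addr_glob, sender)

def whitelist_from_rcvd(sender, relay_text, addr_glob, relay_domain):
    """Address glob AND rDNS of the first untrusted relay inside relay_domain."""
    relays = parse_relays(relay_text)
    if not relays or not glob_match(addr_glob, sender):
        return False
    return rdns_in_domain(relays[0].get("rdns", ""), relay_domain)

if __name__ == "__main__":
    rule = ("*@email.capitalone.com", "bigfootinteractive.com")
    for label, relays in (("page relay", PAGE_RELAYS), ("forged relay", FORGED_RELAYS)):
        print(label,
              "whitelist_from:", whitelist_from(SENDER, rule[0]),
              "whitelist_from_rcvd:", whitelist_from_rcvd(SENDER, relays, *rule))
```
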
Re: real or fake capital-one message
Posted by Loren Wilton <lw...@earthlink.net>.
Received: from bigfootinteractive.com ([216.35.62.79])
by mx-bracke.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP
My first guess would be fake just from the headers. However, if it looks
like legit opt-in stuff, then maybe it is.
I suspect (assuming the person really exists) that their email address is
similar to yours, and she fat-fingered your address instead of hers when
entering the info on their web site.
Then again, there are a whole lot of spammers that think I want property in
Costa Rica and that my name is Jose Martinez.
Loren