Posted to users@spamassassin.apache.org by Chris <cp...@earthlink.net> on 2006/12/04 00:48:41 UTC

real or fake capital-one message

I got this in my inbox today, I believe it to be real, however I'll post the 
headers below. The reason I think it may be real is that there is some 
person out there named Carol Pollock who for some reason and somehow is 
using the email address of cpollock@earthlink.net. How, I haven't the 
faintest clue. Here are the headers:

X-Spam-Virus: No
X-Spam-Seen: Tokens 204
X-Spam-New: Tokens 293
X-Spam-Remote: Host localhost.localdomain
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on
        cpollock.localdomain
X-Spam-Hammy: Tokens 56
X-Spam-Status: No, score=-105.3 required=5.0 tests=BAYES_00,HTML_MESSAGE,
        SPF_FAIL,SPF_HELO_PASS,USER_IN_WHITELIST autolearn=disabled
        version=3.1.7
X-Spam-Spammy: Tokens 5
X-Spam-Pyzor: Reported 0 times.
X-Spam-Token: Summary Tokens: new, 89; hammy, 56; neutral, 143; spammy, 5.
X-Spam-DCC: CollegeOfNewCaledonia cpollock 1189; Body=1 Fuz1=1 Fuz2=1
X-Spam-Untrusted: Relays [ ip=216.35.62.79 rdns=arm79.bigfootinteractive.com
        helo=bigfootinteractive.com by=mx-bracke.atl.sa.earthlink.net ident=
        envfrom= intl=0 id=1gQWIB30u3Nl34i6 auth= ]
X-Spam-Level:
X-Spam-RBL: Results <dns:email.capitalone.com?type=MX> [20 arm.bigfootinteractive.com.]
        <dns:email.capitalone.com> [206.132.3.45]
Status: U
Return-Path: <ca...@email.capitalone.com>
Received: from pop.earthlink.net [209.86.93.201]
        by localhost with POP3 (fetchmail-6.2.5)
        for cpollock@localhost (single-drop); Sun, 03 Dec 2006 13:11:30 -0600 (CST)
Received: from bigfootinteractive.com ([216.35.62.79])
        by mx-bracke.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1gQWIB30u3Nl34i6
        for <cp...@earthlink.net>; Sun, 3 Dec 2006 14:09:41 -0500 (EST)
Reply-To: Capital One <ca...@email.capitalone.com>
Message-ID: <TB...@email.capitalone.com>
X-BFI: TBTH0562119F1CA6AC909D05A5EBC0
Date: Sun, 03 Dec 2006 14:09:41 EST
From: Capital One <ca...@email.capitalone.com>
Subject: Welcome to Capital One No Hassle Rewards
To: cpollock@earthlink.net
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary="ABCD-TBTH0562119F1CA6AC909D05A5EBC0-EFGH"
X-ELNK-Info: sbv=0; sbrc=.0; sbf=00; sbw=000;
X-SenderIP: 216.35.62.79
X-ASN: ASN-3561
X-CIDR: 216.32.0.0/14
X-UID: 24237
X-Length: 11032

[chris@cpollock chris]$ nslookup 216.35.62.79
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
79.62.35.216.in-addr.arpa       canonical name = 79.0/25.62.35.216.in-addr.arpa.
79.0/25.62.35.216.in-addr.arpa  name = arm79.bigfootinteractive.com.

I could of course throw this into my spam folder and report it with the rest 
or I could just delete it, however I'm curious as to whether it's an actual 
message from them or not.  It has a valid certificate issued by VeriSign:

OU = www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
OU = VeriSign International Server CA - Class 3
OU = VeriSign, Inc.
O = VeriSign Trust Network

02/12/2006 18:00:00
(02/13/2006 00:00:00 GMT)
02/13/2007 17:59:59
(02/13/2007 23:59:59 GMT)

I'm going to assume that it's a valid message and that she's again using my 
email address and that I'm getting some of her mail. This happened with 
Circuit City last month and I 'tried' talking to them about this but since 
their support apparently has been outsourced I got nowhere, the same as 
when I tried to talk to Earthlink about it.

-- 
Chris

Re: real or fake capital-one message

Posted by David B Funk <db...@engineering.uiowa.edu>.
On Sun, 3 Dec 2006, Chris wrote:

> I got this in my inbox today, I believe it to be real, however I'll post the
> headers below. The reason I think it may be real is that there is some
> person out there named Carol Pollock who for some reason and some how is
> using the email address of cpollock@earthlink.net. How, I haven't the
> faintest clue. Here are the headers:
>
>  X-Spam-Untrusted: Relays [ ip=216.35.62.79
> rdns=arm79.bigfootinteractive.com
>         helo=bigfootinteractive.com by=mx-bracke.atl.sa.earthlink.net ident=
>         envfrom= intl=0 id=1gQWIB30u3Nl34i6 auth= ]
>  X-Spam-Level:
>  X-Spam-RBL: Results <dns:email.capitalone.com?type=MX> [20
> arm.bigfootinteractive.com.]
>         <dns:email.capitalone.com> [206.132.3.45]
>  Status: U
>  Return-Path: <ca...@email.capitalone.com>
>  Received: from pop.earthlink.net [209.86.93.201]
>         by localhost with POP3 (fetchmail-6.2.5)
>         for cpollock@localhost (single-drop); Sun, 03 Dec 2006 13:11:30
> -0600 (CST)
>  Received: from bigfootinteractive.com ([216.35.62.79])
>         by mx-bracke.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP
[snip..]

I'd vote for this being a legit case of pilot error on the
original user's part. Much to their shame, CapitalOne -does- use
BFI for sending out many of their mailings.

I even had to go so far as to whitelist_from_rcvd  *@email.capitalone.com
sent via bigfootinteractive.com

Now to be fair, CapitalOne isn't the only culprit in this crime,
email.discovercard.com & email.chase.com use BFI too.

Dave

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
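The reason Dave's whitelist_from_rcvd is safer than a plain whitelist_from is that it is a two-part check: the sender address has to match the glob, and the reverse DNS of the untrusted relay that handed the message to your trusted MX has to be in the named domain. Mail that merely forges a capitalone.com From: header from some other relay fails the second half. The following is an added example (not SpamAssassin's own code and not part of this thread) that re-implements that check in Python over the relay pseudo-header from Chris's post. The sender's local part is elided in the post, so a labelled placeholder is used; the "spoofed" relay entries are constructed for the test.

```python
import fnmatch
import re
from email.utils import parseaddr

# The _RELAYSUNTRUSTED_ line from Chris's post, unwrapped. Only the first
# relay (the one that connected to the trusted MX) matters for this check.
RELAYS_UNTRUSTED = (
    "[ ip=216.35.62.79 rdns=arm79.bigfootinteractive.com "
    "helo=bigfootinteractive.com by=mx-bracke.atl.sa.earthlink.net ident= "
    "envfrom= intl=0 id=1gQWIB30u3Nl34i6 auth= ]"
)

# The local part of the sender is elided ("ca...") in the post; this is a
# placeholder, not the real address.
FROM_HEADER = "Capital One <LOCALPART-PLACEHOLDER@email.capitalone.com>"

# Dave's rule, as the two arguments whitelist_from_rcvd takes.
WHITELIST_ADDR_GLOB = "*@email.capitalone.com"
WHITELIST_RDNS_DOMAIN = "bigfootinteractive.com"

_RELAY_BLOCK = re.compile(r"\[\s*(.*?)\s*\]")


def parse_relays(text):
    """Turn '[ k=v k=v ... ] [ ... ]' into a list of dicts, one per relay.

    Empty values such as 'ident=' are kept as empty strings so the caller
    can tell 'no rDNS' apart from 'field absent'.
    """
    relays = []
    for block in _RELAY_BLOCK.findall(text):
        fields = {}
        for token in block.split():
            key, sep, value = token.partition("=")
            if sep:  # ignore anything that is not key=value
                fields[key] = value
        relays.append(fields)
    return relays


def rdns_in_domain(rdns, domain):
    """True if rdns equals domain or is a subdomain of it."""
    rdns = rdns.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return bool(rdns) and (rdns == domain or rdns.endswith("." + domain))


def matches_whitelist_from_rcvd(from_header, relays, addr_glob, rdns_domain):
    """Model of whitelist_from_rcvd: address glob AND relay rDNS must match.

    A message with no untrusted relay, or whose first untrusted relay has
    no (or a non-matching) reverse name, is NOT whitelisted even when the
    From: address matches, which is the point of the rule.
    """
    _, addr = parseaddr(from_header)
    if not fnmatch.fnmatchcase(addr.lower(), addr_glob.lower()):
        return False
    if not relays:
        return False
    first_untrusted = relays[0]
    return rdns_in_domain(first_untrusted.get("rdns", ""), rdns_domain)


if __name__ == "__main__":
    relays = parse_relays(RELAYS_UNTRUSTED)
    print("relays:", relays)
    print("whitelisted:", matches_whitelist_from_rcvd(
        FROM_HEADER, relays, WHITELIST_ADDR_GLOB, WHITELIST_RDNS_DOMAIN))
```

Running it on the headers from the post reports the message as whitelisted, because the From: domain and the BFI reverse name both line up; feeding it the same From: header with a relay whose rDNS is some other host (or empty, as for an IP with no PTR) returns False. That is what makes it usable as a whitelist for bank mail sent through a bulk mailer: the spoofer would also need to be sending from BFI's address space.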

Re: real or fake capital-one message

Posted by Loren Wilton <lw...@earthlink.net>.
 Received: from bigfootinteractive.com ([216.35.62.79])
        by mx-bracke.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP

My first guess would be fake just from the headers.  However, if it looks 
like legit opt-in stuff, then maybe it is.

I suspect (assuming the person really exists) that their email address is 
similar to yours, and she fat-fingered your address instead of hers when 
entering the info on their web site.

Then again, there are a whole lot of spammers that think I want property in 
Costa Rica and that my name is Jose Martinez.

        Loren