Check out the SARES_FORGED_PAYPAL score!\r\n

Return-path: <shop@server.canalmicro.com>\r\nEnvelope-to: peter@localhost\r\nDelivery-date: Wed, 27 Apr 2005 18:14:22 +0100\r\nReceived: from Debian-exim by ariel.tranquillity.lan with spam-scanned (Exim 4.34)\r\n        id 1DQq7C-0006DX-Av\r\n        for peter@localhost; Wed, 27 Apr 2005 18:14:22 +0100\r\nReceived: from localhost by ariel.tranquillity.lan\r\n        with SpamAssassin (version 3.0.2);\r\n        Wed, 27 Apr 2005 18:14:22 +0100\r\nFrom: update@paypal.com <service@paypal.com>\r\nTo: peter.whysall@ntlworld.com\r\nSubject: TKO Notice: Update and Verify Your PayPal account***\r\nDate: Wed, 27 Apr 2005 19:13:08 +0200 (CEST)\r\nMessage-Id: <20050427171308.25E9E10E491F@server.canalmicro.com>\r\nX-Spam-Flag: YES\r\nX-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on ariel.tranquillity.lan\r\nX-Spam-Level: **************************************************\r\nX-Spam-Status: Yes, score=108.9 required=4.0\r\ntests=BIZ_TLD,HTML_MESSAGE,HTML_TAG_EXIST_TBODY,HTML_TITLE_EMPTY,MIME_HEADER_CTYPE_ONLY,MIME_HTML_ONLY,SARE_FORGED_PAYPAL,SARE_FORGED_PAYPAL_C,SARE_FROM_PAYPAL_INV\r\nautolearn=no version=3.0.2\r\nMIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="----------=_426FC86E.CE24AF85"\r\n\r\nThis is a multi-part message in MIME format.\r\n\r\n------------=_426FC86E.CE24AF85\r\nContent-Type: text/plain\r\nContent-Disposition: inline\r\nContent-Transfer-Encoding: 8bit\r\n\r\nSpam detection software, running on the system "ariel.tranquillity.lan", has\r\nidentified this incoming email as possible spam.  The original message\r\nhas been attached to this so you can view it (if it isn't spam) or label\r\nsimilar future email.  If you have any questions, see\r\nthe administrator of that system for details.\r\n\r\nContent preview:  Security Center Advisory! We recently noticed one or\r\n  more attempts to log in to your PayPal account from a foreign IP\r\n  address and we have reasons to belive that your account was hijacked by\r\n  a third party without your authorization. If you recently accessed your\r\n  account while traveling, the unusual log in attempts may have been\r\n  initiated by you. [...] \r\n\r\nContent analysis details:   (108.9 points, 4.0 required)\r\n\r\n pts rule name              description\r\n---- ---------------------- --------------------------------------------------\r\n 1.1 SARE_FROM_PAYPAL_INV   From invalid address at PayPal\r\n 0.5 BIZ_TLD                URI: Contains an URL in the BIZ top-level domain\r\n 0.0 HTML_MESSAGE           BODY: HTML included in message\r\n 0.2 HTML_TAG_EXIST_TBODY   BODY: HTML has "tbody" tag\r\n 1.2 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts\r\n 0.0 HTML_TITLE_EMPTY       BODY: HTML title contains no text\r\n 104 SARE_FORGED_PAYPAL     Message appears to be forged, (paypal.com)\r\n 1.3 SARE_FORGED_PAYPAL_C   Has Paypal from, no Paypal received header.\r\n 0.5 MIME_HEADER_CTYPE_ONLY 'Content-Type' found without required MIME headers\r\n\r\nThe original message was not completely plain text, and may be unsafe to\r\nopen with some email clients; in particular, it may contain a virus,\r\nor confirm that your address can receive spam.  If you wish to view\r\nit, it may be safer to save it to a file and open it with an editor.\r\n