November 28, 2011

L2.APEWS.ORG False Positive #2

This is only the second false positive (FP) we have seen, and remember, folks, we are using the L2.Apews.org blacklist straight "out-of-the-box": all connections are allowed, only the connecting IP address is tested, and an X-Header reference is inserted for Apews.org-listed senders.

Thu 2011-11-24 16:57:53: [632:1914] Accepting SMTP connection from [50.56.45.130]
Thu 2011-11-24 16:57:53: [632:1914] Looking up PTR record for 50.56.45.130 (130.45.56.50.IN-ADDR.ARPA)
Thu 2011-11-24 16:57:53: [632:1914] Name server reports domain name unknown.
Thu 2011-11-24 16:57:53: [632:1914] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.9; Thu, 24 Nov 2011 16:57:53 -0500
Thu 2011-11-24 16:57:54: [632:1914] <-- EHLO 356523-web2.x.com
Thu 2011-11-24 16:57:54: [632:1914] Performing reverse lookup on 356523-web2.x.com (looking for 50.56.45.130)
Thu 2011-11-24 16:57:54: [632:1914] Name server reports domain name unknown.
Thu 2011-11-24 16:57:54: [632:1914] --> 250-xxx.xxx.xxx Hello 356523-web2.x.com (may be forged), pleased to meet you
Thu 2011-11-24 16:57:54: [632:1914] --> 250-ETRN
Thu 2011-11-24 16:57:54: [632:1914] --> 250-AUTH=LOGIN
Thu 2011-11-24 16:57:54: [632:1914] --> 250-AUTH LOGIN CRAM-MD5
Thu 2011-11-24 16:57:54: [632:1914] --> 250-8BITMIME
Thu 2011-11-24 16:57:54: [632:1914] --> 250 SIZE 0
Thu 2011-11-24 16:57:54: [632:1914] <-- MAIL FROM:< admin @ x.com > SIZE=1834 BODY=8BITMIME
Thu 2011-11-24 16:57:54: [632:1914] Performing reverse lookup on x.com (looking for 50.56.45.130)
Thu 2011-11-24 16:57:54: [632:1914] D=x.com TTL=(5) A=[50.56.45.133]
Thu 2011-11-24 16:57:54: [632:1914] P=010 D=x.com TTL=(60) MX=[lore.ebay.com] {216.113.175.103}
Thu 2011-11-24 16:57:54: [632:1914] P=010 D=x.com TTL=(60) MX=[gort.ebay.com] {216.113.167.215}
Thu 2011-11-24 16:57:54: [632:1914] P=010 D=x.com TTL=(60) MX=[data.ebay.com] {66.135.195.180}
Thu 2011-11-24 16:57:54: [632:1914] Spam Blocker A-record resolution of [130.45.56.50.l2.apews.org] in progress (DNS Server: 192.168.1.2)...
Thu 2011-11-24 16:57:55: [632:1914] Spam Blocker D=130.45.56.50.l2.apews.org TTL=(35) A=[127.0.0.2]
Thu 2011-11-24 16:57:55: [632:1914] APEWS listed, 99.7% certain it is spam
Thu 2011-11-24 16:57:55: [632:1914] Message will be accepted and X-RBL-Warning: header will be inserted.
Thu 2011-11-24 16:57:55: [632:1914] --> 250 < admin @ x.com >, Sender ok
Thu 2011-11-24 16:57:55: [632:1914] <-- RCPT TO:
Thu 2011-11-24 16:57:55: [632:1914] --> 250 , Recipient ok
Thu 2011-11-24 16:57:55: [632:1914] <-- DATA
Thu 2011-11-24 16:57:55: [632:1914] --> 354 Enter mail, end with .
Thu 2011-11-24 16:57:55: [632:1914] --> 250 Ok, message saved
Thu 2011-11-24 16:57:55: [632:1914] <-- QUIT
Thu 2011-11-24 16:57:55: [632:1914] --> 221 See ya in cyberspace
Thu 2011-11-24 16:57:55: [632:1914] SMTP session successful, 1840 bytes transferred.
Thu 2011-11-24 16:57:55: [632:1914] Shuffling message(s) into proper queue(s)
Thu 2011-11-24 16:57:55: [632:1914] Message received from 356523-web2.x.com [50.56.45.130] < admin @ x.com > with SMTP for [Size 1829] {j:\localq\md00000000.msg}

The client found this email in his spam folder, and it should not have been there. The IP address appears to belong to the eBay developers website, hosted on Rackspace web hosting, so perhaps Rackspace is listed rather than eBay!
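As an added example (not code from this post or from MDaemon), here is the lookup the log records, written as a warn-only DNSBL check in Python: the connecting IP is reversed and queried under l2.apews.org, a 127.0.0.0/8 answer counts as listed, and the message is accepted with an X-RBL-Warning header rather than rejected. The resolver is injected so it runs offline against the one answer copied from the log; the allow-list parameter is an assumption of mine for sources confirmed as false positives, such as the one above.

```python
import ipaddress
from email.message import EmailMessage

DNSBL_ZONE = "l2.apews.org"  # the list the post is testing

def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Reverse the octets and append the zone:
    50.56.45.130 -> 130.45.56.50.l2.apews.org (as in the log above)."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed input early
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def dnsbl_listed(ip, resolve, zone=DNSBL_ZONE):
    """Return the answer the list gave for ip, or None if unlisted.
    resolve(name) returns a list of A-record strings, [] for NXDOMAIN.
    Only answers in 127.0.0.0/8 count as a listing; anything else (a
    wildcard record, a dead or hijacked zone) is treated as not listed."""
    for a in resolve(dnsbl_query_name(ip, zone)):
        if ipaddress.IPv4Address(a) in ipaddress.IPv4Network("127.0.0.0/8"):
            return a
    return None

def tag_message(msg, ip, resolve, allowlist=(), zone=DNSBL_ZONE):
    """Warn-only policy from the post: the message is accepted either way,
    and an X-RBL-Warning header is added when the connecting IP is listed.
    allowlist (assumed here) holds IPs confirmed as false positives, which
    skip the check. Returns True if a header was added."""
    if ip in allowlist:
        return False
    hit = dnsbl_listed(ip, resolve, zone)
    if hit is None:
        return False
    msg["X-RBL-Warning"] = f"{ip} is listed by {zone} (returned {hit})"
    return True

def tag_new_message(ip, resolve, allowlist=()):
    """Convenience wrapper: build an empty message, run the check, return it."""
    msg = EmailMessage()
    tag_message(msg, ip, resolve, allowlist)
    return msg

# Constructed stand-in for DNS, so this runs offline: the single answer is
# the one copied from the log (130.45.56.50.l2.apews.org -> 127.0.0.2).
FAKE_DNS = {"130.45.56.50.l2.apews.org": ["127.0.0.2"]}

def fake_resolve(name):
    return FAKE_DNS.get(name, [])

if __name__ == "__main__":
    m = tag_new_message("50.56.45.130", fake_resolve)
    print(m["X-RBL-Warning"])
```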

1 comment:

  1. Checked this today and it is no longer listed, which is good news: one less false positive for the Admins to worry about.
