RE: Pretty good, Paypal are making their own phish these days!

2007-11-07 Thread Thomas Raef

  Funny, my reaction to seeing (I assume) the same message was that they'd
  learned how *not* to look like a phish.
 
  In particular, they used their own domain name for *everything*, including
  the sending server, the return address, matching forward & reverse DNS on
  the sending server (mine came from 206.165.246.86, which has a PTR to
  email-86.paypal.com, which resolves to 206.165.246.86), all the hyperlinks
  (with matching rDNS), and nearly all the images.  Not to mention
  validating DomainKeys and SPF.
 
  The only thing I found that didn't point to something.paypal.com were two
  references to the same one-pixel image on postdirect.com, used for spacing
  and possibly also for tracking.
 
 FWIW, I submitted that original email message to paypal spoof department.  I
 just got this reply back:
 
 Dear Loren Wilton,
 
 Thank you for bringing this suspicious email to our attention. We can
 confirm that the email you received was not sent to you by PayPal. The
 website linked to this email is not a registered URL authorized or used
 by PayPal. We are currently investigating this incident fully. Please do
 not enter any personal or financial information into this website.
 
 So apparently email1.paypal.com in some manner is NOT part of paypal.com!
 I wonder how they managed that.
 
 Loren
 

[Tom replied with:] 

I know that paypal has been having some XSS issues. I wonder if the
spammers have used this XSS vulnerability to somehow relay spam from
paypal?

Go to http://xssed.com/ to read up on it. It doesn't say anything about
relaying email, but it makes me wonder...

Thomas J. Raef
e-Based Security, LLC
www.ebasedsecurity.com
1-866-838-6108
You're either hardened, or you're hacked!


Re: Pretty good, Paypal are making their own phish these days!

2007-11-07 Thread Kelson

Loren Wilton wrote:

Thank you for bringing this suspicious email to our attention. We can
confirm that the email you received was not sent to you by PayPal. The
website linked to this email is not a registered URL authorized or used
by PayPal. We are currently investigating this incident fully. Please do
not enter any personal or financial information into this website.

So apparently email1.paypal.com in some manner is NOT part of paypal.com!
I wonder how they managed that.


*blink* *blink*

Great.  Now *that's* encouraging.

--
Kelson Vibber
SpeedGate Communications www.speed.net


RE: Pretty good, Paypal are making their own phish these days!

2007-11-06 Thread Robert - elists
 
 Just got a thing that claims to come from email-109.paypal.com.  It
 backtracks to there, too.
 
(Snip)
 
 Clam seems to think it is a phish.  I think it is a phish.  It looks like a
 phish.
 
 The disturbing thing is it seems to have come from the real Paypal servers,
 AND, it has my correct name in the body of the email.
 
 Now, they don't actually ask me to log on to a link in the email.  They
 just say click here to win with a link with a tracking id.
 
 I have to wonder if they have been taking lessons on how to make spam look
 and feel like week-old dead phish, or if they just brilliantly came up with
 the idea all on their own.
 
 Loren
 

Loren

I had mentioned this before in a fairly recent thread.

In fact, we just got an email yesterday from the same company from the same
IP space.

** Received: from email-112.paypal.com (206.165.243.112)

The email is actually from The InfoUSA IP networks... and appears to involve
postdirect.com which appears to be yesmail.com and they list Paypal and many
others as customers.

If you traceroute email-109.paypal.com you will see

Now paypal does do the forward DNS resolution.

Now do a

dig -x 206.165.243.109

and see that reverse dns resolution is different and lists a lot of the good
info necessary to track down.

The spf record showed postdirect.com info.

In my opinion they have an agreement they shouldn't have...

It is disgusting regardless.

 - rh




Re: Pretty good, Paypal are making their own phish these days!

2007-11-06 Thread Kelson

Loren Wilton wrote:
The disturbing thing is it seems to have come from the real Paypal 
servers, AND, it has my correct name in the body of the email.


Now, they don't actually ask me to log on to a link in the email.  
They just say click here to win with a link with a tracking id.


I have to wonder if they have been taking lessons on how to make spam 
look and feel like week-old dead phish, or if they just brilliantly came 
up with the idea all on their own.


Funny, my reaction to seeing (I assume) the same message was that they'd 
learned how *not* to look like a phish.


In particular, they used their own domain name for *everything*, 
including the sending server, the return address, matching forward & 
reverse DNS on the sending server (mine came from 206.165.246.86, which 
has a PTR to email-86.paypal.com, which resolves to 206.165.246.86), all 
the hyperlinks (with matching rDNS), and nearly all the images.  Not to 
mention validating DomainKeys and SPF.


The only thing I found that didn't point to something.paypal.com were 
two references to the same one-pixel image on postdirect.com, used for 
spacing and possibly also for tracking.


I've seen way too many messages from, say, financial institutions, 
stores, or even security software companies (*cough*symantec*cough*) 
where they use multiple domain names, sometimes including that of their 
third-party list manager, for everything -- even the click-tracked 
links.  Back when I used to shop at what was then DeepDiscountDVD, I'd 
actually get order confirmations with a return address at their ISP, 
instead of at their domain.  The problem with these companies is that 
they're training their users to trust mail from and linking to random 
domains -- not to mention making it harder for us admins to prevent 
false positives through whitelisting.


It was nice to see a sender that had learned to not make that mistake.

--
Kelson Vibber
SpeedGate Communications www.speed.net
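The checks discussed in Robert's and Kelson's posts above (forward-confirmed reverse DNS, whether the confirmed name sits under the From: domain, and an SPF walk through include:), as an added example that is not code from anyone in the thread. It runs against a constructed in-memory resolver: the 206.165.246.86 / email-86.paypal.com entries are the values quoted in the thread, while the SPF records, the postdirect.example name and the 203.0.113.x hosts are invented for contrast.

```python
import ipaddress

# Constructed in-memory DNS so the example runs offline. The paypal.com PTR/A
# pair mirrors the thread; the TXT records and 203.0.113.x hosts are invented.
FAKE_DNS = {
    "PTR": {"206.165.246.86": ["email-86.paypal.com"],
            "203.0.113.7": ["mailer.bulk-sender.example"]},      # constructed
    "A":   {"email-86.paypal.com": ["206.165.246.86"],
            "mailer.bulk-sender.example": ["203.0.113.99"]},     # A does not point back
    "TXT": {"paypal.com": ["v=spf1 include:postdirect.example -all"],     # constructed
            "postdirect.example": ["v=spf1 ip4:206.165.240.0/20 -all"]},  # constructed
}
QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(rrtype, name, dns):
    return dns.get(rrtype, {}).get(name.lower().rstrip("."), [])

def fcrdns(ip, dns=FAKE_DNS):
    """PTR names of `ip` whose A records resolve back to `ip` (forward-confirmed rDNS)."""
    return [h for h in lookup("PTR", ip, dns) if ip in lookup("A", h, dns)]

def aligned(host, domain):
    """True if `host` is `domain` itself or a label-aligned subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def spf_check(ip, domain, dns=FAKE_DNS, depth=0):
    """Minimal SPF walk (ip4:, include:, all) returning pass/fail/softfail/neutral/none."""
    if depth > 10:                      # guard against include: loops
        return "permerror"
    for txt in lookup("TXT", domain, dns):
        if not txt.lower().startswith("v=spf1 "):
            continue
        for term in txt.split()[1:]:
            qual, mech = (term[0], term[1:]) if term[0] in QUAL else ("+", term)
            if mech.startswith("ip4:") and ipaddress.ip_address(ip) in ipaddress.ip_network(mech[4:], strict=False):
                return QUAL[qual]
            if mech.startswith("include:") and spf_check(ip, mech[8:], dns, depth + 1) == "pass":
                return QUAL[qual]
            if mech == "all":
                return QUAL[qual]
        return "neutral"                # record exhausted with no match
    return "none"                       # no SPF record published

def assess(ip, from_domain, dns=FAKE_DNS):
    """What these checks can tell you about a sending IP (not who operates it)."""
    hosts = fcrdns(ip, dns)
    return {"fcrdns": hosts, "rdns_aligned": any(aligned(h, from_domain) for h in hosts),
            "spf": spf_check(ip, from_domain, dns)}
```

All three checks pass for the thread's sender, which is exactly the point of the thread: they confirm that the domain owner authorised the mailer, not that the mailer is on the domain owner's own network.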


Re: Pretty good, Paypal are making their own phish these days!

2007-11-06 Thread Loren Wilton
Funny, my reaction to seeing (I assume) the same message was that they'd 
learned how *not* to look like a phish.


In particular, they used their own domain name for *everything*, including 
the sending server, the return address, matching forward & reverse DNS on 
the sending server (mine came from 206.165.246.86, which has a PTR to 
email-86.paypal.com, which resolves to 206.165.246.86), all the hyperlinks 
(with matching rDNS), and nearly all the images.  Not to mention 
validating DomainKeys and SPF.


The only thing I found that didn't point to something.paypal.com were two 
references to the same one-pixel image on postdirect.com, used for spacing 
and possibly also for tracking.


FWIW, I submitted that original email message to paypal spoof department.  I 
just got this reply back:


Dear Loren Wilton,

Thank you for bringing this suspicious email to our attention. We can
confirm that the email you received was not sent to you by PayPal. The
website linked to this email is not a registered URL authorized or used
by PayPal. We are currently investigating this incident fully. Please do
not enter any personal or financial information into this website.

So apparently email1.paypal.com in some manner is NOT part of paypal.com!
I wonder how they managed that.

   Loren




Pretty good, Paypal are making their own phish these days!

2007-11-05 Thread Loren Wilton
Just got a thing that claims to come from email-109.paypal.com.  It 
backtracks to there, too.


 pts rule name             description
---- --------------------- --------------------------------------------------
 0.0 DK_POLICY_TESTING     Domain Keys: policy says domain is testing DK
 0.0 DK_SIGNED             Domain Keys: message has a signature
-0.0 DK_VERIFIED           Domain Keys: signature passes verification
 0.2 HTML_IMAGE_RATIO_04   BODY: HTML has a low ratio of text to image area
 0.0 HTML_MESSAGE          BODY: HTML included in message
 0.0 BAYES_50              BODY: Bayesian spam probability is 40 to 60%
                           [score: 0.5007]
 1.4 MIME_QP_LONG_LINE     RAW: Quoted-printable line longer than 76 chars
  10 CLAMAV                Clam AntiVirus detected a virus
-0.0 SARE_LEGIT_PAYPAL     Has signs it's from paypal, from, headers, uri
 0.6 HELO_MISMATCH_COM     HELO_MISMATCH_COM

Clam seems to think it is a phish.  I think it is a phish.  It looks like a 
phish.


The disturbing thing is it seems to have come from the real Paypal servers, 
AND, it has my correct name in the body of the email.


Now, they don't actually ask me to log on to a link in the email.  They 
just say click here to win with a link with a tracking id.


I have to wonder if they have been taking lessons on how to make spam look 
and feel like week-old dead phish, or if they just brilliantly came up with 
the idea all on their own.


   Loren