Re: [sniffer]Possible Paypal Phishing

2006-05-24 Thread Colbeck, Andrew
John, I think my last post answered that.

FWIW, also check out the SPF record:

nslookup -type=TXT email.paypal.com

Which allows postdirect.com as a mailer.  In this case, it's not needed,
because they also allow SPF from the PTR records that match.

Andrew 8)


> -Original Message-
> From: Message Sniffer Community 
> [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
> Sent: Wednesday, May 24, 2006 9:45 AM
> To: Message Sniffer Community
> Subject: Re: [sniffer]Possible Paypal Phishing
> 
> But how is PayPal's DNS involved in this as at what point are 
> the Paypal DNS servers queried?
> 
> John T
> eServices For You
> 
> "Seek, and ye shall find!"
> 
> 


#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>



Re: [sniffer]Possible Paypal Phishing

2006-05-24 Thread John T (Lists)
But how is PayPal's DNS involved in this as at what point are the Paypal DNS
servers queried?

John T
eServices For You

"Seek, and ye shall find!"


> -Original Message-
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of
> Colbeck, Andrew
> Sent: Wednesday, May 24, 2006 9:38 AM
> To: Message Sniffer Community
> Subject: Re: [sniffer]Possible Paypal Phishing
> 
> It's really from PostDirect.com aka YesMail.com ...
> 
> You can tell that it's authorized because the reverse DNS which ends in
> PayPal.com (ok, that does set off alarm bells when it's someone else's
> netblock) matches the forward lookup of the resulting address at PayPal.
> 
> Therefore, PayPal is deliberately allowing that reverse IP in someone
> else's netblock.
> 
> That, or both the netblock and PayPal's DNS have been p0wned.
> 
> Andrew 8)
> 
> 
> 



Re: [sniffer]Possible Paypal Phishing

2006-05-24 Thread Colbeck, Andrew
> The owner of a domain need not authorize a reverse DNS PTR 

Indeed.  Which is why I wrote: "...matches the forward lookup of the
resulting address at PayPal"

e.g. 

The IP address of the MTA in question is [206.165.246.83]

nslookup 206.165.246.83 -> Name: email-83.paypal.com

nslookup email-83.paypal.com -> Address: 206.165.246.83

And also why I wrote "Therefore, PayPal is deliberately allowing that
reverse IP in someone else's netblock."

I meant "allowing" in a business procedures sense, not in a technical
sense of DNS being delegated.  If I had written "agreeing with" or
"collaborating with" it would have been clearer.

Andrew 8)


> -Original Message-
> From: Message Sniffer Community 
> [mailto:[EMAIL PROTECTED] On Behalf Of Jay Sudowski - 
> Handy Networks LLC
> Sent: Wednesday, May 24, 2006 9:51 AM
> To: Message Sniffer Community
> Subject: Re: [sniffer]Possible Paypal Phishing
> 
> The owner of a domain need not authorize a reverse DNS PTR 
> record in any way, shape or form.  If the netblock was owned, 
> or the netblock owner had delegated rDNS to a malicious 
> customer, they could easily set rDNS to whatever they wanted. 
>  Aol.com, paypal.com, ebay.com, chase.com ...
> 
> -Jay

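The forward-confirmed reverse DNS check Andrew describes (PTR, then the A record of that name, compare with the connecting IP) together with the SPF lookup from his other post, as an added example that is not code from the thread. The DNS table is constructed offline: it reproduces his nslookup output for 206.165.246.83 / email-83.paypal.com, adds a constructed counter-case for Jay's scenario of a PTR that merely claims a paypal.com name, and uses constructed SPF records as stand-ins, not what email.paypal.com actually publishes.

```python
"""FCrDNS and minimal SPF evaluation over a constructed, offline DNS table."""
import ipaddress

# Constructed DNS data standing in for live lookups.
PTR = {  # reverse zone: IP -> name
    "206.165.246.83": "email-83.paypal.com",  # as quoted in the thread
    "203.0.113.7": "mail.paypal.com",         # constructed: PTR only claims the name
}
A = {    # forward zone: name -> IP
    "email-83.paypal.com": "206.165.246.83",  # as quoted in the thread
    "mail.paypal.com": "198.51.100.25",       # constructed: does not point back
}
TXT = {  # SPF records; all constructed stand-ins
    "email.paypal.com": "v=spf1 include:postdirect.com ptr:paypal.com -all",
    "postdirect.com": "v=spf1 ip4:206.165.246.0/24 -all",
    "ptr-only.example": "v=spf1 ptr:paypal.com -all",
}


def fcrdns(ip):
    """Forward-confirmed reverse DNS: (ptr_name, True) only if A(ptr_name) == ip.

    This is the check behind "matches the forward lookup": the netblock owner
    controls the PTR, but only the domain owner controls the A record.
    """
    name = PTR.get(ip)
    if name is None:
        return None, False
    return name, A.get(name) == ip


def spf_check(ip, domain, depth=0):
    """Tiny SPF evaluator: ip4, include, ptr and all with +/-/~/? qualifiers."""
    if depth > 10:                      # RFC 7208 caps include recursion
        return "permerror"
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        matched = False
        if mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            matched = spf_check(ip, arg, depth + 1) == "pass"
        elif mech == "ptr":
            # A ptr mechanism only counts when the PTR name is forward-confirmed.
            name, confirmed = fcrdns(ip)
            suffix = arg or domain
            matched = confirmed and (name == suffix or name.endswith("." + suffix))
        elif mech == "all":
            matched = True
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qual]
    return "neutral"


def assess(ip, mail_from_domain):
    """Combine both checks into one verdict dict for a connecting IP."""
    name, confirmed = fcrdns(ip)
    return {"ptr": name, "fcrdns": confirmed, "spf": spf_check(ip, mail_from_domain)}


if __name__ == "__main__":
    for ip in ("206.165.246.83", "203.0.113.7"):
        print(ip, assess(ip, "email.paypal.com"))
```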



Re: [sniffer]Possible Paypal Phishing

2006-05-24 Thread Jim Matuska Jr.
I had one a couple months back from Cisco Systems asking for some updated
information regarding my Cisco Certifications, looked totally bogus going to
a non Cisco.com domain hosted in a foreign country, the links listed in the
email went to a different spot than they said they were for.  I put in a TAC
case to let them know someone was phishing asking for Cisco certification
info and CCO logins, I got the response back from Cisco to just click the
links and all would be fine, this time they sent legitimate links though.
After asking them to escalate as they seemed to have no clue, 2 weeks later
I got a response back from someone who actually knew what they were doing
saying they made the mistake of outsourcing that email to a legitimate
foreign company who was tracking responses through their overseas servers
and then redirecting back to Cisco.com.  It's really bad when the big guys
don't even know what they are doing.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

 


-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of John T (Lists)
Sent: Wednesday, May 24, 2006 9:59 AM
To: Message Sniffer Community
Subject: Re: [sniffer]Possible Paypal Phishing

That is what has me worried.

John T
eServices For You

"Seek, and ye shall find!"





Re: [sniffer]Possible Paypal Phishing

2006-05-24 Thread John T (Lists)
That is what has me worried.

John T
eServices For You

"Seek, and ye shall find!"


> -Original Message-
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of Jay
> Sudowski - Handy Networks LLC
> Sent: Wednesday, May 24, 2006 9:51 AM
> To: Message Sniffer Community
> Subject: Re: [sniffer]Possible Paypal Phishing
> 
> The owner of a domain need not authorize a reverse DNS PTR record in any
> way, shape or form.  If the netblock was owned, or the netblock owner
> had delegated rDNS to a malicious customer, they could easily set rDNS
> to whatever they wanted.  Aol.com, paypal.com, ebay.com, chase.com ...
> 
> -Jay



Re: [sniffer]Possible Paypal Phishing

2006-05-24 Thread Jay Sudowski - Handy Networks LLC
The owner of a domain need not authorize a reverse DNS PTR record in any
way, shape or form.  If the netblock was owned, or the netblock owner
had delegated rDNS to a malicious customer, they could easily set rDNS
to whatever they wanted.  Aol.com, paypal.com, ebay.com, chase.com ...

-Jay
-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
Behalf Of Colbeck, Andrew
Sent: Wednesday, May 24, 2006 12:38 PM
To: Message Sniffer Community
Subject: Re: [sniffer]Possible Paypal Phishing

It's really from PostDirect.com aka YesMail.com ...

You can tell that it's authorized because the reverse DNS which ends in
PayPal.com (ok, that does set off alarm bells when it's someone else's
netblock) matches the forward lookup of the resulting address at PayPal.

Therefore, PayPal is deliberately allowing that reverse IP in someone
else's netblock.

That, or both the netblock and PayPal's DNS have been p0wned.

Andrew 8)






Re: [sniffer]Possible Paypal Phishing

2006-05-24 Thread John T (Lists)
Disregard my last post.

John T
eServices For You

"Seek, and ye shall find!"


> -Original Message-
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of
> Colbeck, Andrew
> Sent: Wednesday, May 24, 2006 9:38 AM
> To: Message Sniffer Community
> Subject: Re: [sniffer]Possible Paypal Phishing
> 
> It's really from PostDirect.com aka YesMail.com ...
> 
> You can tell that it's authorized because the reverse DNS which ends in
> PayPal.com (ok, that does set off alarm bells when it's someone else's
> netblock) matches the forward lookup of the resulting address at PayPal.
> 
> Therefore, PayPal is deliberately allowing that reverse IP in someone
> else's netblock.
> 
> That, or both the netblock and PayPal's DNS have been p0wned.
> 
> Andrew 8)
> 
> 
> 



Re: [sniffer]Possible Paypal Phishing

2006-05-24 Thread Colbeck, Andrew
It's really from PostDirect.com aka YesMail.com ...

You can tell that it's authorized because the reverse DNS which ends in
PayPal.com (ok, that does set off alarm bells when it's someone else's
netblock) matches the forward lookup of the resulting address at PayPal.

Therefore, PayPal is deliberately allowing that reverse IP in someone
else's netblock.

That, or both the netblock and PayPal's DNS have been p0wned.

Andrew 8)



> -Original Message-
> From: Message Sniffer Community 
> [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
> Sent: Wednesday, May 24, 2006 9:31 AM
> To: Message Sniffer Community
> Subject: [sniffer]Possible Paypal Phishing
> 
> Attached are the headers to an e-mail I am suspecting as a 
> clever phishing that has me worried.
> 
> It looks like a legit message sent on behalf of Paypal, 
> however, it is sent from an IP address not owned by Paypal 
> BUT which has a REVDNS that ends in paypal.com.
> 
> The message is full of links to images.postdirect.com but 
> does have legit links to paypal.com.
> 
> John T
> eServices For You
> 
> "Seek, and ye shall find!"
> 
> 





[sniffer]Possible Paypal Phishing

2006-05-24 Thread John T (Lists)
Attached are the headers to an e-mail I am suspecting as a clever phishing
that has me worried.

It looks like a legit message sent on behalf of Paypal, however, it is sent
from an IP address not owned by Paypal BUT which has a REVDNS that ends in
paypal.com.

The message is full of links to images.postdirect.com but does have legit
links to paypal.com.

John T
eServices For You

"Seek, and ye shall find!"

Received: from srv5.eservicesforyou.net [67.94.227.40] by 
mail.eservicesforyou.net (SMTPD-8.20) id A02A059C;
 Tue, 23 May 2006 12:19:06 -0700
Received: from email-83.paypal.com ([206.165.246.83]) by 
srv5.eservicesforyou.net with Microsoft SMTPSVC(6.0.3790.1830);
 Tue, 23 May 2006 12:19:04 -0700
DomainKey-Signature: a=rsa-sha1;
 
h=Date:From:Subject:To:X-Header-CompanyDBUserName:Errors-To:List-Unsubscribe:Reply-To:X-Header-MasterId:X-Header-Versions:Message-ID:MIME-Version:Content-Type;
 
b=WlXEq1pDWhpajVdRtFzPcMshLTMrz08l/ijYdx+vckIXWxVdYeyr5NIpJxQeNPWyUCarrOPq21w4dRyp2X6KbCRrHgHIfPkX2eXvho3C4KwridkCfzshGGflsDPpkiHE;
 c=nofws; d=email.paypal.com;
 q=dns; s=yesmail1
Date: Tue, 23 May 2006 12:11:03 PDT
From: PayPal <[EMAIL PROTECTED]>
Subject: New: Tips, ID Theft Q&A, and more
To: "Srikanth Gudapati" <[EMAIL PROTECTED]>
X-Header-CompanyDBUserName: paypal
Errors-To: [EMAIL PROTECTED]
List-Unsubscribe: 
Reply-To: [EMAIL PROTECTED]
X-Header-MasterId: 905605
X-Header-Versions: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: text/html;
 charset=us-ascii
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 23 May 2006 19:19:04.0536 (UTC) 
FILETIME=[C157CD80:01C67E9D]
X-RBL-Warning: SPAMCHECK: Message failed SPAMCHECK: 10.
X-RBL-Warning: WHITEFILTER3: Message failed WHITEFILTER3 test (line 28, weight 
-25)
X-RBL-Warning: GRAYFILTER1: Message failed GRAYFILTER1 test (line 145, weight 5)
X-RBL-Warning: GRAYFILTER2: Message failed GRAYFILTER2 test (line 5, weight 5)
X-RBL-Warning: SUBJECTSTART_IS: Message failed SUBJECTSTART_IS test (line 52, 
weight 15) (weight capped at 15)
X-RBL-Warning: KEYSUBJECT: Message failed KEYSUBJECT test (line 85, weight 15)
X-Note: ###
X-Note:  This message scanned by eServices For You for viruses and junkmail.
X-Note:  Scan time start at 12:20:50 on 23 May 2006.
X-Note:  Total weight of message as a result of tests: 28
X-Note:  TESTS FAILED: NOABUSE, IPNOTINMX, NOLEGITCONTENT, SPAMCHECK, 
SUBJECTSTART_IS, KEYSUBJECT
X-Note:  Sender is [EMAIL PROTECTED] and spool file is D602a007c3bbd.smd
X-Note:  This E-mail was received from RevDNS: [email-83.paypal.com]
X-Note:  This e-mail was received from IP: [206.165.246.83]
X-Note:  To report any issues,
 please contact [EMAIL PROTECTED]
X-Note: 