It's really from PostDirect.com aka YesMail.com ...

You can tell that it's authorized because the reverse DNS which ends in
PayPal.com (ok, that does set off alarm bells when it's someone else's
netblock) matches the forward lookup of the resulting address at PayPal.

Therefore, PayPal is deliberately allowing that reverse IP in someone
else's netblock.

That, or both the netblock and PayPal's DNS have been p0wned.

Andrew 8)



> -----Original Message-----
> From: Message Sniffer Community 
> [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
> Sent: Wednesday, May 24, 2006 9:31 AM
> To: Message Sniffer Community
> Subject: [sniffer]Possible Paypal Phishing
> 
> Attached are the headers to an e-mail I am suspecting as a 
> clever phishing that has me worried.
> 
> It looks like a legit message sent on behalf of Paypal, 
> however, it is sent from an IP address not owned by Paypal 
> BUT which has a REVDNS that ends in paypal.com.
> 
> The message is full of links to images.postdirect.com but 
> does have legit links to paypal.com.
> 
> John T
> eServices For You
> 
> "Seek, and ye shall find!"
> 
> 
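
The check described in the reply above (take the reverse DNS name of the sending IP, look that name up forward, and see whether it returns the same IP) is forward-confirmed reverse DNS. The sketch below is an added example, not part of the original thread; the function names, the `brand.example` domain and the 192.0.2.x addresses are constructed placeholders, and the sample zone data stands in for live DNS.

```python
import ipaddress
import socket

def ptr_lookup(ip):
    """Reverse (PTR) lookup through the system resolver."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []

def addr_lookup(name):
    """Forward (A/AAAA) lookup through the system resolver."""
    try:
        return {i[4][0].split("%")[0] for i in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def in_domain(name, domain):
    """Match on a label boundary: 'brand.example.bulk.test' is not in brand.example."""
    name, domain = name.rstrip(".").lower(), domain.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)

def fcrdns(ip, domain, ptr=ptr_lookup, fwd=addr_lookup):
    """Return 'confirmed', 'ptr-only' or 'no-match' for a sending IP."""
    want = ipaddress.ip_address(ip)
    names = [n for n in ptr(ip) if in_domain(n, domain)]
    if not names:
        return "no-match"            # PTR does not even claim the domain
    for n in names:
        if any(ipaddress.ip_address(a) == want for a in fwd(n)):
            return "confirmed"       # the domain's own zone points back at the IP
    return "ptr-only"                # only the netblock owner vouches for the name

# Constructed sample zone data (documentation addresses, placeholder names).
SAMPLE_PTR = {
    "192.0.2.10": ["mail10.brand.example."],   # authorized third-party sender
    "192.0.2.66": ["mail66.brand.example."],   # PTR set by netblock owner alone
    "192.0.2.77": ["brand.example.bulk.test."],
}
SAMPLE_A = {"mail10.brand.example.": {"192.0.2.10"}}

def check_sample(ip, domain="brand.example"):
    """Run fcrdns() against the constructed data instead of live DNS."""
    return fcrdns(ip, domain, lambda i: SAMPLE_PTR.get(i, []),
                  lambda n: SAMPLE_A.get(n, set()))

if __name__ == "__main__":
    for ip in SAMPLE_PTR:
        print(ip, check_sample(ip))
```

Only a `confirmed` result shows that the domain's own zone agrees with the PTR record; `ptr-only` means the name was set by whoever controls the netblock and nothing more.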

