John, I think my last post answered that.

FWIW, also check out the SPF record:

nslookup -type=TXT email.paypal.com

Which allows postdirect.com as a mailer.  In this case, it's not needed,
because they also allow SPF from the PTR records that match.

Andrew 8)


> -----Original Message-----
> From: Message Sniffer Community 
> [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
> Sent: Wednesday, May 24, 2006 9:45 AM
> To: Message Sniffer Community
> Subject: Re: [sniffer]Possible Paypal Phishing
> 
> But how is PayPal's DNS involved in this as at what point are 
> the Paypal DNS servers queried?
> 
> John T
> eServices For You
> 
> "Seek, and ye shall find!"
> 
> 
> > -----Original Message-----
> > From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
> > Sent: Wednesday, May 24, 2006 9:38 AM
> > To: Message Sniffer Community
> > Subject: Re: [sniffer]Possible Paypal Phishing
> > 
> > It's really from PostDirect.com aka YesMail.com ...
> > 
> > You can tell that it's authorized because the reverse DNS which ends
> > in PayPal.com (ok, that does set off alarm bells when it's someone
> > else's netblock) matches the forward lookup of the resulting address
> > at PayPal.
> > 
> > Therefore, PayPal is deliberately allowing that reverse IP in someone
> > else's netblock.
> > 
> > That, or both the netblock and PayPal's DNS have been p0wned.
> > 
> > Andrew 8)
> > 
> > 
> > 
> > > -----Original Message-----
> > > From: Message Sniffer Community
> > > [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
> > > Sent: Wednesday, May 24, 2006 9:31 AM
> > > To: Message Sniffer Community
> > > Subject: [sniffer]Possible Paypal Phishing
> > >
> > > Attached are the headers to an e-mail I am suspecting as a clever
> > > phishing that has me worried.
> > >
> > > It looks like a legit message sent on behalf of Paypal, however, it
> > > is sent from an IP address not owned by Paypal BUT which has a
> > > REVDNS that ends in paypal.com.
> > >
> > > The message is full of links to images.postdirect.com but does have
> > > legit links to paypal.com.
> > >
> > > John T
> > > eServices For You
> > >
> > > "Seek, and ye shall find!"
> > >
> > >
> > 
> > 
> > #############################################################
> > This message is sent to you because you are subscribed to
> >   the mailing list <sniffer@sortmonster.com>.
> > To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
> > To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
> > To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
> > Send administrative queries to  <[EMAIL PROTECTED]>
> 
> 
> 
> 
> 
> 
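The check discussed in this thread (a reverse DNS name that is confirmed by a forward lookup, which is also what the SPF "ptr" mechanism accepts), as an added example that is not part of the original messages. The DNS data is constructed (documentation IP ranges and .example names), and the function names are hypothetical.

```python
# Constructed DNS data: documentation IP ranges and .example names, not real records.
PTR = {  # reverse zone: controlled by whoever owns the netblock
    "192.0.2.10": ["mail10.brand.example."],
    "192.0.2.66": ["smtp.brand.example."],
    "192.0.2.77": ["mx.notbrand.example."],
}
A = {  # forward zone: controlled by whoever owns the domain
    "mail10.brand.example.": ["192.0.2.10"],  # domain owner confirms the sender IP
    "smtp.brand.example.": ["203.0.113.9"],   # name exists but points elsewhere
    "mx.notbrand.example.": ["192.0.2.77"],   # confirmed, but a different domain
}

def validated_names(ip):
    """Forward-confirmed reverse DNS: keep PTR names whose A records include ip."""
    return [name for name in PTR.get(ip, []) if ip in A.get(name, [])]

def in_domain(name, domain):
    """True if name equals domain or is a subdomain of it (label boundary match)."""
    name, domain = name.rstrip(".").lower(), domain.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)

def spf_ptr_match(ip, domain):
    """SPF 'ptr' mechanism (RFC 7208, section 5.5): a validated name lies in domain."""
    return any(in_domain(name, domain) for name in validated_names(ip))

def classify(ip, claimed_domain):
    """Separate 'PTR merely ends in the domain' from 'domain owner confirms it'."""
    if not any(in_domain(n, claimed_domain) for n in PTR.get(ip, [])):
        return "no-ptr-in-domain"
    if spf_ptr_match(ip, claimed_domain):
        return "forward-confirmed"
    # Only the netblock owner asserted this name; the domain's own zone disagrees.
    return "ptr-unconfirmed"

if __name__ == "__main__":
    for ip in sorted(PTR):
        print(ip, PTR[ip], classify(ip, "brand.example"))
```

A live version would replace the two dictionaries with PTR and A queries against a resolver; the comparison logic stays the same.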

