I just received this spam a little while ago. What many novice users will find is a site identical to paypal. The problem is the link actually goes to http://shelbycreative.com/alacarte/webscr.dll which emulates the paypal site exactly, pop's it up in a new window and asks you for all of your CC information. I think it might be time to create a rule that says if the link domain (whatever.com) doesn't match the href domain (for at least two levels of the TLD) it should be considered spoof. This might help out a lot. Unfortunately I'm on outlook web access so I can't get all of the headers. Gary Smith
Dear PayPal user, We recently reviewed your account, and suspect that your PayPal account may have been accessed by an unauthorized third party. Protecting the security of your account and of the PayPal network is our primary concern. Therefore, as a preventative measure, we have temporarily limited access to sensitive PayPal account features. Click below in order to regain access to your account: https://www.paypal.com/cgi-bin/webscr?cmd=_login-run <http://shelbycreative.com/alacarte/webscr.dll> For more information about how to protect your account, please visit PayPal's Security Center, accessible via the "Security Center" link located at the bottom of each page of the PayPal website. We apologize for any inconvenience this may cause, and appreciate your assistance in helping us maintain the integrity of the entire PayPal system. Thank you for your prompt attention to this matter. Sincerely, The PayPal Team Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, log in to your PayPal account and choose the "Help" link in the header of any page. PayPal Email ID PP198 PayPal Email ID PP316
