Funny, my reaction to seeing (I assume) the same message was that they'd
learned how *not* to look like a phish.
In particular, they used their own domain name for *everything*, including
the sending server, the return address, matching forward & reverse DNS on
the sending server (mine came from 206.165.246.86, which has a PTR to
email-86.paypal.com, which resolves to 206.165.246.86), all the hyperlinks
(with matching rDNS), and nearly all the images. Not to mention
validating DomainKeys and SPF.
The only thing I found that didn't point to something.paypal.com were two
references to the same one-pixel image on postdirect.com, used for spacing
and possibly also for tracking.
FWIW, I submitted that original email message to the PayPal spoof department. I
just got this reply back:
Dear Loren Wilton,
Thank you for bringing this suspicious email to our attention. We can
confirm that the email you received was not sent to you by PayPal. The
website linked to this email is not a registered URL authorized or used
by PayPal. We are currently investigating this incident fully. Please do
not enter any personal or financial information into this website.
So apparently email1.paypal.com in some manner is NOT part of paypal.com!
I wonder how they managed that.
Loren
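
The forward and reverse DNS match described in the first message (PTR for 206.165.246.86 resolving to a name that resolves back to the same address) can be checked as below; this is an added example, not code from either poster. The function names, verdict strings and the 192.0.2.x records are assumptions made up for illustration.

```python
import ipaddress
import socket

def system_ptr(ip):  # PTR names from the system resolver, [] on failure
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]

def system_addrs(name):  # A/AAAA addresses from the system resolver
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except OSError:
        return []

def fcrdns(ip, domain, ptr_lookup=system_ptr, addr_lookup=system_addrs):
    """Return (verdict, confirmed_names) for a connecting IP and claimed domain."""
    want = ipaddress.ip_address(ip)
    names = [n.rstrip(".").lower() for n in ptr_lookup(ip)]
    if not names:
        return "no-ptr", []
    confirmed = []
    for name in names:
        for addr in addr_lookup(name):
            try:
                match = ipaddress.ip_address(addr) == want
            except ValueError:  # e.g. scoped IPv6 literal from the resolver
                continue
            if match:
                confirmed.append(name)
                break
    if not confirmed:
        return "unconfirmed", []  # PTR is set by the IP owner; alone it proves nothing
    domain = domain.rstrip(".").lower()
    # Label-boundary match: "paypal.com.example.net" must not count as paypal.com
    inside = any(n == domain or n.endswith("." + domain) for n in confirmed)
    return ("confirmed-in-domain" if inside else "confirmed-other-domain"), confirmed

# Constructed sample records; only the 206.165.246.86 pair comes from the thread.
SAMPLE_PTR = {"206.165.246.86": ["email-86.paypal.com"],
              "192.0.2.10": ["email-86.paypal.com"],          # PTR claims the name, A disagrees
              "192.0.2.20": ["mail.paypal.com.example.net"]}  # look-alike host name
SAMPLE_A = {"email-86.paypal.com": ["206.165.246.86"],
            "mail.paypal.com.example.net": ["192.0.2.20"]}

def check_sample(ip, domain="paypal.com"):
    return fcrdns(ip, domain, lambda i: SAMPLE_PTR.get(i, []), lambda n: SAMPLE_A.get(n, []))
```

A "confirmed-in-domain" verdict only says the address owner and the zone owner agree with each other; it is one signal alongside the SPF and DomainKeys results mentioned above.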