You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Loren Wilton <lw...@earthlink.net> on 2007/11/06 07:17:35 UTC
Pretty good, Paypal are making their own phish these days!
Just got a thing that claims to come from "email-109.paypal.com". It
backtracks to there, too.
pts rule name description
---- ---------------------- --------------------------------------------------
0.0 DK_POLICY_TESTING Domain Keys: policy says domain is testing DK
0.0 DK_SIGNED Domain Keys: message has a signature
-0.0 DK_VERIFIED Domain Keys: signature passes verification
0.2 HTML_IMAGE_RATIO_04 BODY: HTML has a low ratio of text to image area
0.0 HTML_MESSAGE BODY: HTML included in message
0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
[score: 0.5007]
1.4 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars
10 CLAMAV Clam AntiVirus detected a virus
-0.0 SARE_LEGIT_PAYPAL Has signs it's from paypal, from, headers, uri
0.6 HELO_MISMATCH_COM HELO_MISMATCH_COM
Clam seems to think it is a phish. I think it is a phish. It looks like a
phish.
The disturbing thing is it seems to have come from the real Paypal servers,
AND, it has my correct name in the body of the email.
Now, they don't actually ask me to "log on" to a link in the email. They
just say "click here to win" with a link with a tracking id.
I have to wonder if they have been taking lessons on how to make spam look
and feel like week-old dead phish, or if they just brilliantly came up with
the idea all on their own.
Loren
RE: Pretty good, Paypal are making their own phish these days!
Posted by Robert - elists <li...@abbacomm.net>.
>
> Just got a thing that claims to come from "email-109.paypal.com". It
> backtracks to there, too.
>
(Snip)
>
> Clam seems to think it is a phish. I think it is a phish. It looks like
> a
> phish.
>
> The disturbing thing is it seems to have come from the real Paypal
> servers,
> AND, it has my correct name in the body of the email.
>
> Now, they don't actually ask me to "log on" to a link in the email. They
> just say "click here to win" with a link with a tracking id.
>
> I have to wonder if they have been taking lessons on how to make spam look
> and feel like week-old dead phish, or if they just brilliantly came up
> with
> the idea all on their own.
>
> Loren
>
Loren
I had mentioned this before in a fairly recent thread.
In fact, we just got an email yesterday from the same company from the same
IP space.
** Received: from email-112.paypal.com (206.165.243.112)
The email is actually from The InfoUSA IP networks... and appears to involve
postdirect.com which appears to be yesmail.com and they list Paypal and many
others as customers.
If you traceroute email-109.paypal.com you will see
Now paypal does do the forward DNS resolution.
Now do a
dig -x 206.165.243.109
and see that reverse dns resolution is different and lists a lot of the good
info necessary to track down.
The spf record showed postdirect.com info.
Im my opinion they have an agreement they shouldn't have...
It is disgusting regardless.
- rh
Re: Pretty good, Paypal are making their own phish these days!
Posted by Kelson <ke...@speed.net>.
Loren Wilton wrote:
> Thank you for bringing this suspicious email to our attention. We can
> confirm that the email you received was not sent to you by PayPal. The
> website linked to this email is not a registered URL authorized or used
> by PayPal. We are currently investigating this incident fully. Please do
> not enter any personal or financial information into this website.
>
> So apparently email1.paypal.com in some manner is NOT part of paypal.com!
> I wonder how they managed that.
*blink* *blink*
Great. Now *that's* encouraging.
--
Kelson Vibber
SpeedGate Communications <www.speed.net>
Re: Pretty good, Paypal are making their own phish these days!
Posted by Loren Wilton <lw...@earthlink.net>.
> Funny, my reaction to seeing (I assume) the same message was that they'd
> learned how *not* to look like a phish.
>
> In particular, they used their own domain name for *everything*, including
> the sending server, the return address, matching forward & reverse DNS on
> the sending server (mine came from 206.165.246.86, which has a PTR to
> email-86.paypal.com, which resolves to 206.165.246.86), all the hyperlinks
> (with matching rDNS), and nearly all the images. Not to mention
> validating DomainKeys and SPF.
>
> The only thing I found that didn't point to something.paypal.com were two
> references to the same one-pixel image on postdirect.com, used for spacing
> and possibly also for tracking.
FWIW, I submitted that original emil message to paypal spoof department. I
just got this reply back:
Dear Loren Wilton,
Thank you for bringing this suspicious email to our attention. We can
confirm that the email you received was not sent to you by PayPal. The
website linked to this email is not a registered URL authorized or used
by PayPal. We are currently investigating this incident fully. Please do
not enter any personal or financial information into this website.
So apparently email1.paypal.com in some manner is NOT part of paypal.com!
I wonder how they managed that.
Loren
Re: Pretty good, Paypal are making their own phish these days!
Posted by Kelson <ke...@speed.net>.
Loren Wilton wrote:
> The disturbing thing is it seems to have come from the real Paypal
> servers, AND, it has my correct name in the body of the email.
>
> Now, they don't actually ask me to "log on" to a link in the email.
> They just say "click here to win" with a link with a tracking id.
>
> I have to wonder if they have been taking lessons on how to make spam
> look and feel like week-old dead phish, or if they just brilliantly came
> up with the idea all on their own.
Funny, my reaction to seeing (I assume) the same message was that they'd
learned how *not* to look like a phish.
In particular, they used their own domain name for *everything*,
including the sending server, the return address, matching forward &
reverse DNS on the sending server (mine came from 206.165.246.86, which
has a PTR to email-86.paypal.com, which resolves to 206.165.246.86), all
the hyperlinks (with matching rDNS), and nearly all the images. Not to
mention validating DomainKeys and SPF.
The only thing I found that didn't point to something.paypal.com were
two references to the same one-pixel image on postdirect.com, used for
spacing and possibly also for tracking.
I've seen way too many messages from, say, financial institutions,
stores, or even security software companies (*cough*symantec*cough*)
where they use multiple domain names, sometimes including that of their
third-party list manager, for everything -- even the click-tracked
links. Back when I used to shop at what was then DeepDiscountDVD, I'd
actually get order confirmations with a return address at their ISP,
instead of at their domain. The problem with these companies is that
they're training their users to trust mail from and linking to random
domains -- not to mention making it harder for us admins to prevent
false positives through whitelisting.
It was nice to see a sender that had learned to not make that mistake.
--
Kelson Vibber
SpeedGate Communications <www.speed.net>