Kami, I think your confusion was my fault. In one of my posts I incorrectly posted the bounce message from PayPal's abuse email.
I later posted the correct headers.

Sorry,
Kevin Bilbee

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Kami Razvan
> Sent: Saturday, February 14, 2004 5:25 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.JunkMail] New Phishing Scam
>
>
> John..
>
> Yes I agree it is a scam.. I visited the site and it is definitely a scam.
> Needless to say PayPal would never send such an email.
>
> But my question was not posed right... It is confusing .. The email shows as
> if it has come through a PayPal computer. The IP, REVDNS, etc. All show
> PayPal.
>
> I guess my question should have been: How?
>
> Regards,
> Kami
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
> Sent: Friday, February 13, 2004 6:23 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.JunkMail] New Phishing Scam
>
> It is a scam. I went to the IP address in IE. I clicked on log in with no
> user name or password and went to screen to input info like CC number. Left
> all blank, and submit and it said thank you.
>
> Key is it is a IP address in the URL and not a SSL site.
>
> John Tolmachoff
> Engineer/Consultant/Owner
> eServices For You
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED] On Behalf Of Kami Razvan
> > Sent: Friday, February 13, 2004 3:12 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [Declude.JunkMail] New Phishing Scam
> >
> > This is strange Kevin...
> >
> > http://www.senderbase.org/search?searchString=64.4.240.74
> >
> > That is a PayPal IP address.. It is also coming from a PayPal reverse
> > dns..
> >
> > Am I not seeing this right?
> >
> > Regards,
> > Kami
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee
> > Sent: Friday, February 13, 2004 6:06 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [Declude.JunkMail] New Phishing Scam
> >
> > Here is the header and source information.
> >
> > Kevin
> >
> > Received: from ns1.ssc-isp.net [12.9.25.242] by standardabrasives.com
> >   (SMTPD32-8.05) id A6F11B600C2; Fri, 13 Feb 2004 15:00:01 -0800
> > Received: from smtp1.nix.paypal.com ([64.4.240.74]) by
> >   ns1.ssc-isp.net (SAVSMTP 3.1.3.37) with SMTP id M2004021314523504871
> >   for <[EMAIL PROTECTED]>; Fri, 13 Feb 2004 14:52:35 -0800
> > Received: from oma-krapp02.corp.ebay.com (oma-krapp02.corp.ebay.com
> >   [10.248.50.2])
> >   by smtp1.nix.paypal.com (Postfix) with SMTP id 9672D3F7D2 for
> >   <[EMAIL PROTECTED]>; Fri, 13 Feb 2004 14:48:17 -0800 (PST)
> > Precedence: bulk
> > Auto-Submitted: auto-replied
> > Date: Fri, 13 Feb 2004 16:55:20 -0600
> > To: Kevin Bilbee <[EMAIL PROTECTED]>
> > Subject: AutoResponse - Email Returned SAXK (KMM42611038V12917L0KM)
> > From: PayPal Customer Service 2 <[EMAIL PROTECTED]>
> > Reply-To: PayPal Customer Service 2 <[EMAIL PROTECTED]>
> > MIME-Version: 1.0
> > Content-Type: text/plain; charset = "us-ascii"
> > Content-Transfer-Encoding: quoted-printable
> > X-Mailer: KANA Response 7.01.102
> > Message-Id: <[EMAIL PROTECTED]>
> > X-RBL-Warning: AHBLEXEMPT: Paypal
> > X-RBL-Warning: NOABUSE: Not supporting [EMAIL PROTECTED]
> > X-Declude-Sender: [EMAIL PROTECTED] [64.4.240.74]
> > X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com)
> >   for spam.
> > X-Spam-Tests-Failed: AHBLEXEMPT, BONDEDSENDER, NOABUSE [-18]
> > X-Note: This E-mail was sent from smtp1.nix.paypal.com ([64.4.240.74]).
> > X-RemoteIp: [64.4.240.74]
> > X-RCPT-TO: <[EMAIL PROTECTED]>
> > Status: U
> > X-UIDL: 373607793
> >
> > Dear PayPal user,<br>
> > As part of our continuing commitment to protect your account <br>and
> > to reduce the instance of fraud on our website, we are undertaking a
> > <br>period review of our member accounts.<p> You are requested to
> > visit our site by following the link given below.<br> <a
> > href="http://216.55.162.5/">
> > http://www.paypal.com/verification/%?6488820019=20</a><p>
> > Please fill in the required information.
> > This is required for us to continue to offer <br>you a safe and risk
> > free environment to send and receive money online, <br>and maintain
> > the PayPal Experience.<br> Thank you.<p> Accounts Management As
> > outlined in our User Agreement, PayPal will periodically <br>send you
> > information about site changes and enhancements. <br>Visit our Privacy
> > Policy and User Agreement if you have any questions.
> > <p>Copyright 2003 PayPal.<br> All Rights Reserved.
> > Designated trademarks and brands are the property of their respective
> > owners.</html>
> >
> > ---
> > [This E-mail was scanned for viruses by Declude Virus
> > (http://www.declude.com)]
> >
> > ---
> > This E-mail came from the Declude.JunkMail mailing list. To
> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
> > "unsubscribe Declude.JunkMail". The archives can be found at
> > http://www.mail-archive.com.
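Added example, not part of the original thread: a link audit applying John's point (an IP address in the URL, no SSL) to the anchor in the quoted message body, whose href points at 216.55.162.5 while the visible text shows www.paypal.com. The function names and flag names are assumptions of this sketch, and SAMPLE is constructed from the quoted HTML.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the anchor from the quoted message body.
SAMPLE = ('<a href="http://216.55.162.5/">\n'
          'http://www.paypal.com/verification/%?6488820019=20</a>')

class AnchorCollector(HTMLParser):  # collects (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def scheme_and_host(url):
    try:
        parts = urlsplit(url.strip())
        return parts.scheme.lower(), (parts.hostname or "").lower()
    except ValueError:  # malformed URL: treat as having no host
        return "", ""

def is_ip_literal(host):
    try:
        return ipaddress.ip_address(host) is not None
    except ValueError:  # empty string or a DNS name
        return False

def audit_links(html):
    """Return one finding per link with the flags that apply to it."""
    collector = AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        scheme, target = scheme_and_host(href)
        # Only compare hosts when the visible text itself looks like a URL.
        shown = scheme_and_host(text)[1] if "://" in text else ""
        checks = {"ip-literal-host": is_ip_literal(target),
                  "not-https": scheme != "https",
                  "display-host-mismatch": bool(shown) and shown != target}
        findings.append({"href": href, "shown_host": shown,
                         "flags": [k for k, hit in checks.items() if hit]})
    return findings
```

A link whose visible text is plain wording rather than a URL gets no mismatch flag, so the IP-literal and scheme checks still carry the decision there.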
