> Just got a thing that claims to come from "email-109.paypal.com". It
> backtracks to there, too.
> (Snip)
>
> Clam seems to think it is a phish. I think it is a phish. It looks like a
> phish.
>
> The disturbing thing is it seems to have come from the real Paypal servers,
> AND, it has my correct name in the body of the email.
>
> Now, they don't actually ask me to "log on" to a link in the email. They
> just say "click here to win" with a link with a tracking id.
>
> I have to wonder if they have been taking lessons on how to make spam look
> and feel like week-old dead phish, or if they just brilliantly came up with
> the idea all on their own.
>
> Loren

Loren,

I had mentioned this before in a fairly recent thread. In fact, we just got an email yesterday from the same company from the same IP space.

** Received: from email-112.paypal.com (206.165.243.112)

The email is actually from The InfoUSA IP networks... and appears to involve postdirect.com which appears to be yesmail.com and they list Paypal and many others as customers.

If you traceroute email-109.paypal.com you will see

Now paypal does do the forward DNS resolution. Now do a dig -x 206.165.243.109 and see that reverse dns resolution is different and lists a lot of the good info necessary to track down. The spf record showed postdirect.com info.

In my opinion they have an agreement they shouldn't have... It is disgusting regardless.

- rh
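
The forward/reverse DNS comparison described in the reply above, as an added example that is not part of the original thread: it parses the relay name and IP out of a `Received:` header, then reports whether the claimed name resolves to that IP and whether the PTR name lives in the same domain. The function names are hypothetical, and the DNS answers (including the PTR name `out112.esp.example`, which the thread does not give) are constructed so the check runs offline.

```python
import re
import socket

# Matches "from <claimed-name> (<ip>)" and "from <claimed-name> (<rdns> [<ip>])".
RECEIVED_RE = re.compile(
    r"from\s+(?P<name>[\w.-]+)\s+\((?:[\w.-]+\s+)?\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)")

def _ptr(ip):
    """Live reverse lookup (what `dig -x` shows)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except OSError:
        return []

def _a(name):
    """Live forward lookup of a hostname to IPv4 addresses."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def org_domain(name):
    # Simplification (assumption): last two labels; use the Public Suffix List in production.
    return ".".join(name.rstrip(".").lower().split(".")[-2:])

def check_relay(received, ptr=_ptr, a=_a):
    """Compare the name a relay claims in Received: with forward and reverse DNS."""
    m = RECEIVED_RE.search(received)
    if m is None:
        raise ValueError("no 'from host (ip)' clause in header")
    name, ip = m.group("name").lower(), m.group("ip")
    ptr_names = [n.rstrip(".").lower() for n in ptr(ip)]
    return {
        "claimed": name,
        "ip": ip,
        "forward_ok": ip in a(name),                      # claimed name -> this IP
        "ptr": ptr_names,                                 # IP -> names
        "fcrdns": [n for n in ptr_names if ip in a(n)],   # PTR names that resolve back
        "ptr_in_claimed_domain": any(org_domain(n) == org_domain(name) for n in ptr_names),
    }

# Constructed DNS answers so the check runs offline; the PTR name is a placeholder.
SAMPLE_A = {"email-112.paypal.com": ["206.165.243.112"], "out112.esp.example": ["206.165.243.112"]}
SAMPLE_PTR = {"206.165.243.112": ["out112.esp.example."]}

def demo():
    hdr = "Received: from email-112.paypal.com (206.165.243.112)"
    return check_relay(hdr, ptr=lambda ip: SAMPLE_PTR.get(ip, []), a=lambda n: SAMPLE_A.get(n, []))
```

A result with `forward_ok` true and `ptr_in_claimed_domain` false is the pattern the reply describes: the brand's DNS points at the address, while the reverse record names the operator that actually runs the sending host.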