> > Funny, my reaction to seeing (I assume) the same message was that they'd
> > learned how *not* to look like a phish.
> >
> > In particular, they used their own domain name for *everything*, including
> > the sending server, the return address, matching forward & reverse DNS on
> > the sending server (mine came from 206.165.246.86, which has a PTR to
> > email-86.paypal.com, which resolves to 206.165.246.86), all the hyperlinks
> > (with matching rDNS), and nearly all the images. Not to mention
> > validating DomainKeys and SPF.
> >
> > The only thing I found that didn't point to something.paypal.com were two
> > references to the same one-pixel image on postdirect.com, used for spacing
> > and possibly also for tracking.
>
> FWIW, I submitted that original email message to the paypal spoof department. I
> just got this reply back:
>
> Dear Loren Wilton,
>
> Thank you for bringing this suspicious email to our attention. We can
> confirm that the email you received was not sent to you by PayPal. The
> website linked to this email is not a registered URL authorized or used
> by PayPal. We are currently investigating this incident fully. Please do
> not enter any personal or financial information into this website.
>
> So apparently email1.paypal.com in some manner is NOT part of paypal.com!
> I wonder how they managed that.
>
> Loren
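The forward-confirmed reverse DNS check described in the quoted message (PTR for the sending IP, then A record for that name back to the same IP), as an added example that is not part of the thread. The resolver is stubbed with a constructed lookup table modelled on the values quoted above, so it runs offline; the extra 198.51.100.7 entry is a constructed forged-PTR case. As PayPal's reply shows, passing this check only says the host lives in the domain, not that the mail was authorized.

```python
import ipaddress

# Constructed stand-ins for PTR and A records (assumption: stubbed resolver so
# this runs offline). 206.165.246.86 mirrors the thread; 198.51.100.7 is a
# constructed case whose PTR claims a name that does not resolve back to it.
FAKE_PTR = {
    "206.165.246.86": ["email-86.paypal.com"],
    "198.51.100.7": ["mail.paypal.com"],
}
FAKE_A = {
    "email-86.paypal.com": ["206.165.246.86"],
    "mail.paypal.com": ["198.51.100.9"],
}


def fcrdns(ip, ptr_lookup=FAKE_PTR.get, a_lookup=FAKE_A.get):
    """Return the PTR names of `ip` that resolve back to `ip` (forward-confirmed).

    An empty list means the round trip failed: no PTR, or a PTR whose A record
    points elsewhere, which is what a forged reverse entry looks like.
    """
    ip = str(ipaddress.ip_address(ip))  # normalise and reject garbage input
    confirmed = []
    for name in ptr_lookup(ip) or []:
        name = name.lower().rstrip(".")
        if ip in (a_lookup(name) or []):
            confirmed.append(name)
    return confirmed


def sender_in_domain(confirmed_names, org_domain):
    """True if a confirmed name is org_domain or a proper subdomain of it.

    The leading dot matters: 'mail.notpaypal.com' must not match 'paypal.com'.
    """
    org = org_domain.lower().rstrip(".")
    return any(n == org or n.endswith("." + org) for n in confirmed_names)


def classify(ip, org_domain):
    """Summarise what FCrDNS does and does not establish for a sending IP."""
    names = fcrdns(ip)
    if not names:
        return "no FCrDNS"
    if sender_in_domain(names, org_domain):
        return "FCrDNS within " + org_domain + " (necessary, not sufficient)"
    return "FCrDNS but outside " + org_domain
```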
[Tom replied with:]

I know that paypal has been having some XSS issues. I wonder if the spammers
have used this XSS vulnerability to somehow relay spam from paypal?

Go to http://xssed.com/ to read up on it. It doesn't say anything about
relaying email, but it makes me wonder...

Thomas J. Raef
e-Based Security, LLC
www.ebasedsecurity.com
1-866-838-6108
"You're either hardened, or you're hacked!"