
Thread: Is this on the up & up?

  1. #1
    Li'l Abner Guest

    Is this on the up & up?

    There's lots of links on here. Any of them I hover over shows a link
    starting with "https://email0.paypal.com/servlet/cc6....."
    It sure looks like phishing to me. If I just log into PayPal the normal
    way, I don't see anything about "enhanced account statement".
    Is it real or do I forward it to spoof@paypal.com?

    From: "PayPal" <paypal@info.paypal.com>
    Reply-To: "PayPal" <reply1@info.paypal.com>
    Subject: My Name, your enhanced account statement is here
    X-cid: pplna.4510.2
    X-sgxh1: L7HP7LgxuLOgtplLQJhu
    To: ME
    X-valueof-OFFERID: 43929
    X-valueof-CAMPAIGNID: 8417
    X-valueof-TREATMENTCODE: 000814556
    X-valueof-EMAILCATEGORY: NON
    X-valueof-HASHID: 43A21497869790451
    Message-ID: <0.0.E4.807.1CBFEF052E486EE.0@om-paypal-na.rsys4.com>
    X-MDRcpt-To: me@myfinaldomain.com
    X-Rcpt-To: me@myfinaldomain.com
    X-MDRemoteIP: 167.142.228.191
    X-Return-Path: paypal@info.paypal.com
    X-MDaemon-Deliver-To: (valid)
    X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on MOXIE
    X-Spam-Status: No, score=-104.5 required=8.0 tests=BAYES_00,HTML_90_100,
    HTML_MESSAGE,HTML_TAG_EXIST_TBODY,UPPERCASE_25_50, USER_IN_WHITELIST
    autolearn=no version=3.0.2
    X-Spam-Level:
    X-Spam-Processed: Moxie, Tue, 19 Apr 2011 19:17:34 -0500

    Date: Tue, 19 Apr 2011 17:17:24 -0700
    Content-Type: multipart/alternative; boundary="----alt_border_1"

    Review your enhanced PayPal account statement today.
    View mobile | View online
    Recover your password | Get help | Your account
    Hello MY NAME,
    Exciting news! You now have an enhanced way to view and quickly keep
    track of your account activity.
    See your enhanced Account Statement
    You can access your statement any time by clicking Statements from your
    Account Overview. Want to see it now? Go
    Accept electronic communications from us
    To continue to receive information about your account electronically*
    including your account statements*you must accept our Electronic
    Communications Delivery Policy. It only takes a few clicks:
    • Log in to PayPal
    • Click the Electronic Communications Delivery Policy link and read the
    policy
    • Click the checkbox to accept the policy
    • Click Agree and Continue
    For additional information on reporting unauthorized transactions or
    other errors, follow the steps listed in section 12 of the PayPal User
    Agreement: Resolution Procedures for Unauthorized Transactions and Other
    Errors
    © 2011 PayPal Inc. All rights reserved. PayPal is located at 2211 N.
    First St., San Jose, CA 95131.

    --
    --- Everybody has a right to my opinion. ---

  2. #2
    Heather Guest

    Re: Is this on the up & up?

    FWIW, I use Paypal frequently and I recently got a phishing one that was
    pretty damn good........so good that I now even doubt the REAL Paypal
    emails.

    I guess the best thing to do might be to send it to the spoof address and
    ask for their opinion. I seem to recall that they never ask you to login
    and see all of the latest account stuff with their own links........and
    the fact that you don't see this "enhanced account" on the real site is
    enough to make me VERY suspicious.

    Heather

    "Li'l Abner" <blvstk@dogpatch.com> wrote in message
    news:Xns9ECCDF01E1E79butter@wefb973cbe498...
    > There's lots of links on here. Any of them I hover over shows a link
    > starting with "https://email0.paypal.com/servlet/cc6....."
    > It sure looks like phishing to me. If I just log into PayPal the normal
    > way, I don't see anything about "enhanced account statement".
    > Is it real or do I forward it to spoof@paypal.com?
    >
    > From: "PayPal" <paypal@info.paypal.com>
    > Reply-To: "PayPal" <reply1@info.paypal.com>
    > Subject: My Name, your enhanced account statement is here
    > X-cid: pplna.4510.2
    > X-sgxh1: L7HP7LgxuLOgtplLQJhu
    > To: ME
    > X-valueof-OFFERID: 43929
    > X-valueof-CAMPAIGNID: 8417
    > X-valueof-TREATMENTCODE: 000814556
    > X-valueof-EMAILCATEGORY: NON
    > X-valueof-HASHID: 43A21497869790451
    > Message-ID: <0.0.E4.807.1CBFEF052E486EE.0@om-paypal-na.rsys4.com>
    > X-MDRcpt-To: me@myfinaldomain.com
    > X-Rcpt-To: me@myfinaldomain.com
    > X-MDRemoteIP: 167.142.228.191
    > X-Return-Path: paypal@info.paypal.com
    > X-MDaemon-Deliver-To: (valid)
    > X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on MOXIE
    > X-Spam-Status: No, score=-104.5 required=8.0
    > tests=BAYES_00,HTML_90_100,
    > HTML_MESSAGE,HTML_TAG_EXIST_TBODY,UPPERCASE_25_50, USER_IN_WHITELIST
    > autolearn=no version=3.0.2
    > X-Spam-Level:
    > X-Spam-Processed: Moxie, Tue, 19 Apr 2011 19:17:34 -0500
    >
    > Date: Tue, 19 Apr 2011 17:17:24 -0700
    > Content-Type: multipart/alternative; boundary="----alt_border_1"
    >
    > Review your enhanced PayPal account statement today.
    > View mobile | View online
    > Recover your password | Get help | Your account
    > Hello MY NAME,
    > Exciting news! You now have an enhanced way to view and quickly keep
    > track of your account activity.
    > See your enhanced Account Statement
    > You can access your statement any time by clicking Statements from your
    > Account Overview. Want to see it now? Go
    > Accept electronic communications from us
    > To continue to receive information about your account electronically*
    > including your account statements*you must accept our Electronic
    > Communications Delivery Policy. It only takes a few clicks:
    > . Log in to PayPal
    > . Click the Electronic Communications Delivery Policy link and read
    > the
    > policy
    > . Click the checkbox to accept the policy
    > . Click Agree and Continue
    > For additional information on reporting unauthorized transactions or
    > other errors, follow the steps listed in section 12 of the PayPal User
    > Agreement: Resolution Procedures for Unauthorized Transactions and
    > Other
    > Errors
    > © 2011 PayPal Inc. All rights reserved. PayPal is located at 2211 N.
    > First St., San Jose, CA 95131.
    >
    > --
    > --- Everybody has a right to my opinion. ---

  3. #3
    VanguardLH Guest

    Re: Is this on the up & up?

    Li'l Abner wrote:

    > There's lots of links on here. Any of them I hover over shows a link
    > starting with "https://email0.paypal.com/servlet/cc6....."
    > It sure looks like phishing to me. If I just log into PayPal the normal
    > way, I don't see anything about "enhanced account statement".
    > Is it real or do I forward it to spoof@paypal.com?
    >
    > From: "PayPal" <paypal@info.paypal.com>
    > Reply-To: "PayPal" <reply1@info.paypal.com>
    > Subject: My Name, your enhanced account statement is here
    > X-cid: pplna.4510.2
    > X-sgxh1: L7HP7LgxuLOgtplLQJhu
    > To: ME
    > X-valueof-OFFERID: 43929
    > X-valueof-CAMPAIGNID: 8417
    > X-valueof-TREATMENTCODE: 000814556
    > X-valueof-EMAILCATEGORY: NON
    > X-valueof-HASHID: 43A21497869790451
    > Message-ID: <0.0.E4.807.1CBFEF052E486EE.0@om-paypal-na.rsys4.com>
    > X-MDRcpt-To: me@myfinaldomain.com
    > X-Rcpt-To: me@myfinaldomain.com
    > X-MDRemoteIP: 167.142.228.191
    > X-Return-Path: paypal@info.paypal.com
    > X-MDaemon-Deliver-To: (valid)
    > X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on MOXIE
    > X-Spam-Status: No, score=-104.5 required=8.0 tests=BAYES_00,HTML_90_100,
    > HTML_MESSAGE,HTML_TAG_EXIST_TBODY,UPPERCASE_25_50, USER_IN_WHITELIST
    > autolearn=no version=3.0.2
    > X-Spam-Level:
    > X-Spam-Processed: Moxie, Tue, 19 Apr 2011 19:17:34 -0500
    >
    > Date: Tue, 19 Apr 2011 17:17:24 -0700
    > Content-Type: multipart/alternative; boundary="----alt_border_1"
    >
    > Review your enhanced PayPal account statement today.
    > View mobile | View online
    > Recover your password | Get help | Your account
    > Hello MY NAME,
    > Exciting news! You now have an enhanced way to view and quickly keep
    > track of your account activity.
    > See your enhanced Account Statement
    > You can access your statement any time by clicking Statements from your
    > Account Overview. Want to see it now? Go
    > Accept electronic communications from us
    > To continue to receive information about your account electronically*
    > including your account statements*you must accept our Electronic
    > Communications Delivery Policy. It only takes a few clicks:
    > • Log in to PayPal
    > • Click the Electronic Communications Delivery Policy link and read the
    > policy
    > • Click the checkbox to accept the policy
    > • Click Agree and Continue
    > For additional information on reporting unauthorized transactions or
    > other errors, follow the steps listed in section 12 of the PayPal User
    > Agreement: Resolution Procedures for Unauthorized Transactions and Other
    > Errors
    > © 2011 PayPal Inc. All rights reserved. PayPal is located at 2211 N.
    > First St., San Jose, CA 95131.


    Since you didn't bother to show all the headers, including the Received
    headers, how would anyone else know from where you got the e-mail? Show
    *ALL* the headers in the original e-mail except munge/star out your
    username (not the domain since that's public info, anyway).

    Since you decided to show just the plain text version and not the HTML
    code, just how would we know what the URLs really pointed at? Show
    *ALL* the HTML code, not what you see or the rendered version of it.

    What you showed above was an incomplete exhibit.

  4. #4
    Li'l Abner Guest

    Re: Is this on the up & up?

    VanguardLH <V@nguard.LH> wrote in news:iolp3d$ga1$1@news.albasani.net:

    > Li'l Abner wrote:
    >
    >> There's lots of links on here. Any of them I hover over shows a link
    >> starting with "https://email0.paypal.com/servlet/cc6....."
    >> It sure looks like phishing to me. If I just log into PayPal the
    >> normal way, I don't see anything about "enhanced account statement".
    >> Is it real or do I forward it to spoof@paypal.com?
    >>
    >> From: "PayPal" <paypal@info.paypal.com>
    >> Reply-To: "PayPal" <reply1@info.paypal.com>
    >> Subject: My Name, your enhanced account statement is here
    >> X-cid: pplna.4510.2
    >> X-sgxh1: L7HP7LgxuLOgtplLQJhu
    >> To: ME
    >> X-valueof-OFFERID: 43929
    >> X-valueof-CAMPAIGNID: 8417
    >> X-valueof-TREATMENTCODE: 000814556
    >> X-valueof-EMAILCATEGORY: NON
    >> X-valueof-HASHID: 43A21497869790451
    >> Message-ID: <0.0.E4.807.1CBFEF052E486EE.0@om-paypal-na.rsys4.com>
    >> X-MDRcpt-To: me@myfinaldomain.com
    >> X-Rcpt-To: me@myfinaldomain.com
    >> X-MDRemoteIP: 167.142.228.191
    >> X-Return-Path: paypal@info.paypal.com
    >> X-MDaemon-Deliver-To: (valid)
    >> X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on MOXIE
    >> X-Spam-Status: No, score=-104.5 required=8.0
    >> tests=BAYES_00,HTML_90_100,
    >> HTML_MESSAGE,HTML_TAG_EXIST_TBODY,UPPERCASE_25_50, USER_IN_WHITELIST
    >> autolearn=no version=3.0.2
    >> X-Spam-Level:
    >> X-Spam-Processed: Moxie, Tue, 19 Apr 2011 19:17:34 -0500
    >>
    >> Date: Tue, 19 Apr 2011 17:17:24 -0700
    >> Content-Type: multipart/alternative; boundary="----alt_border_1"
    >>
    >> Review your enhanced PayPal account statement today.
    >> View mobile | View online
    >> Recover your password | Get help | Your account
    >> Hello MY NAME,
    >> Exciting news! You now have an enhanced way to view and quickly keep
    >> track of your account activity.
    >> See your enhanced Account Statement
    >> You can access your statement any time by clicking Statements from
    >> your Account Overview. Want to see it now? Go
    >> Accept electronic communications from us
    >> To continue to receive information about your account electronically*
    >> including your account statements*you must accept our Electronic
    >> Communications Delivery Policy. It only takes a few clicks:
    >> • Log in to PayPal
    >> • Click the Electronic Communications Delivery Policy link and read
    >> the
    >> policy
    >> • Click the checkbox to accept the policy
    >> • Click Agree and Continue
    >> For additional information on reporting unauthorized transactions or
    >> other errors, follow the steps listed in section 12 of the PayPal
    >> User Agreement: Resolution Procedures for Unauthorized Transactions
    >> and Other Errors
    >> © 2011 PayPal Inc. All rights reserved. PayPal is located at 2211 N.
    >> First St., San Jose, CA 95131.

    >
    > Since you didn't bother to show all the headers, including the
    > Received headers, how would anyone else know from where you got the
    > e-mail? Show *ALL* the headers in the original e-mail except
    > munge/star out your username (not the domain since that's public info,
    > anyway).
    >
    > Since you decided to show just the plain text version and not the HTML
    > code, just how would we know what the URLs really pointed at? Show
    > *ALL* the HTML code, not what you see or the rendered version of it.
    >
    > What you showed above was an incomplete exhibit.


    I can post headers a mile long, but there won't be any html in it. What's
    confusing is that my eBay email address comes to one domain and then is
    forwarded to my own domain that I host right at home on "Moxie". I was
    afraid that all that would throw anyone who was trying to figure it out.
    But here goes anyway. My email address is in a bunch of times so it will
    take me some time to get it all munged.
    --------------------------------------------------------------------

    Return-path: <paypal@info.paypal.com>
    Authentication-Results: Moxie
    from=paypal@info.paypal.com
    Received: from cgp.netins.net (cgpf1.cgp.netins.net [167.142.228.191])
    by alongthewapsie.com (Moxie [127.0.0.1])
    (MDaemon.PRO.v8.0.1.R)
    with ESMTP id md50000021597.msg
    for <(ME)@alongthewapsie.com>; Tue, 19 Apr 2011 19:17:32 -0500
    Received: from <(ME)@mewnlite.com>
    by cgpb3.cgp.netins.net (CommuniGate Pro RULE 5.3.13)
    with RULE id 17584571; Tue, 19 Apr 2011 19:17:26 -0500
    X-Autogenerated: Mirror
    Resent-From: <(ME)@mewnlite.com>
    Resent-Date: Tue, 19 Apr 2011 19:17:26 -0500
    Received: from [208.80.204.32] (HELO smtp432.redcondor.net)
    by cgpf1.cgp.netins.net (CommuniGate Pro SMTP 5.3.13)
    with ESMTP id 154232050 for (ME)@mewnlite.com; Tue, 19 Apr 2011 19:17:25
    -0500
    Received: from om-paypal-na.rsys4.com ([12.130.139.53])
    by smtp432.redcondor.net ({a3b42d5d-6a93-485e-92f2-d19129022c38})
    via TCP (inbound) with ESMTP id 20110420001724969
    for <(ME)@mewnlite.com>;
    Wed, 20 Apr 2011 00:17:24 +0000
    X-RC-FROM: <paypal@info.paypal.com>
    X-RC-RCPT: <(ME)@mewnlite.com>
    DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=responsys;
    d=info.paypal.com;

    b=J3aGYtF1tPRuuMaMiw1fzmhcqop73sYhNr7kM96qR5FEjsdm pZ3nqZNBNGewicdV5sZSaN0vz
    jCY

    YjNNYUCElAlL4UNi15H9zr0DYzaonuaYa4drlBwgVDPpv7cSVN nuzBJdg9CEDgr5yly0vo88ijd
    /
    Tb1OZbsjlh2Je7k2koc=;
    Received: by om-paypal-na.rsys4.com (PowerMTA(TM) v3.5r15) id hloj180morcv
    for
    <ME@mewnlite.com>; Tue, 19 Apr 2011 17:17:24 -0700 (envelope-from
    <paypal@info.paypal.com>)
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="----msg_border"
    Date: Tue, 19 Apr 2011 17:17:24 -0700
    From: "PayPal" <paypal@info.paypal.com>
    Reply-To: "PayPal" <reply1@info.paypal.com>
    Subject: (My Name), your enhanced account statement is here
    X-cid: pplna.4510.2
    X-sgxh1: L7HP7LgxuLOgtplLQJhu
    To: ME@mewnlite.com
    X-valueof-OFFERID: 43929
    X-valueof-CAMPAIGNID: 8417
    X-valueof-TREATMENTCODE: 000814556
    X-valueof-EMAILCATEGORY: NON
    X-valueof-HASHID: 43A21497869790451
    Message-ID: <0.0.E4.807.1CBFEF052E486EE.0@om-paypal-na.rsys4.com>
    X-MDRcpt-To: (ME)@alongthewapsie.com
    X-Rcpt-To: (ME)@alongthewapsie.com
    X-MDRemoteIP: 167.142.228.191
    X-Return-Path: paypal@info.paypal.com
    X-MDaemon-Deliver-To: (ME)@alongthewapsie.com
    X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on MOXIE
    X-Spam-Status: No, score=-104.5 required=8.0 tests=BAYES_00,HTML_90_100,
    HTML_MESSAGE,HTML_TAG_EXIST_TBODY,UPPERCASE_25_50, USER_IN_WHITELIST
    autolearn=no version=3.0.2
    X-Spam-Level:
    X-Spam-Processed: Moxie, Tue, 19 Apr 2011 19:17:34 -0500

    Date: Tue, 19 Apr 2011 17:17:24 -0700
    Content-Type: multipart/alternative; boundary="----alt_border_1"

    Review your enhanced PayPal account statement today.

    -----------NOTE-------- The Next Two Lines are links ------------

    View mobile | View online
    Recover your password | Get help | Your account

    ------ They point to email0.paypal.com/servlet/cc6?..xxxx --------
    ---------------see http://mewnlite.com/statusbar.jpg ----------

    Hello (My Name),
    Exciting news! You now have an enhanced way to view and quickly keep track
    of your account activity.
    See your enhanced Account Statement
    You can access your statement any time by clicking Statements from your
    Account Overview. Want to see it now? Go
    Accept electronic communications from us
    To continue to receive information about your account electronically*
    including your account statements*you must accept our Electronic
    Communications Delivery Policy. It only takes a few clicks:
    • Log in to PayPal
    • Click the Electronic Communications Delivery Policy link and read the
    policy
    • Click the checkbox to accept the policy
    • Click Agree and Continue
    For additional information on reporting unauthorized transactions or other
    errors, follow the steps listed in section 12 of the PayPal User Agreement:
    Resolution Procedures for Unauthorized Transactions and Other Errors
    © 2011 PayPal Inc. All rights reserved. PayPal is located at 2211 N. First
    St., San Jose, CA 95131.
    -------------------
    That's the best I can do. I have my email client (Eudora) set for text only
    so I cannot display the HTML, although the links *DO* work.
    The Your Account link winds me up at
    https://www.paypal.com/cgi-bin/webscr?cmd=_account, even though the status
    bar (shown in diagram) isn't pointing there.

    I'm going to forward it as a spoof anyway.

    --
    --- Everybody has a right to my opinion. ---

  5. #5
    VanguardLH Guest

    Re: Is this on the up & up?

    Li'l Abner wrote:

    > Received:
    > by alongthewapsie.com (Moxie [127.0.0.1]) for <(ME)@alongthewapsie.com>
    > from cgp.netins.net (cgpf1.cgp.netins.net [167.142.228.191])


    The 'by' host is where you retrieved the e-mail; i.e., your Moxie
    account. The 'from' host is where it came from (the prior hop).

    > Received:
    > by cgpb3.cgp.netins.net (CommuniGate Pro RULE 5.3.13)
    > with RULE id 17584571; Tue, 19 Apr 2011 19:17:26 -0500
    > from <(ME)@mewnlite.com>


    The 'by' host is still in the netins.net domain and may be different
    than the 'from' host above due to internal routing within netins.net.

    > Received:
    > by cgpf1.cgp.netins.net (CommuniGate Pro SMTP 5.3.13) for (ME)@mewnlite.com
    > from [208.80.204.32] (HELO smtp432.redcondor.net)


    The 'by' host looks like more internal routing or proxying at netins.net
    for your account. It's the 'from' host that starts to look suspicious.
    Is redcondor.net somehow involved in your Moxie forwarding setup?

    > Received:
    > by smtp432.redcondor.net ({a3b42d5d-6a93-485e-92f2-d19129022c38})
    > via TCP (inbound) with ESMTP id 20110420001724969
    > for <(ME)@mewnlite.com>;
    > from om-paypal-na.rsys4.com ([12.130.139.53])


    The 'by' host here matches up with the 'from' host in the next (above)
    hop. However, notice that the 'from' host is NOT a paypal domain
    (http://www.networksolutions.com/whois-search/rsys4.com). None of my
    legitimate e-mails have come through the rsys4.com domain (their web
    site is at responsys.com).

    > Received:
    > by om-paypal-na.rsys4.com for <ME@mewnlite.com> (envelope-from <paypal@info.paypal.com>)


    There is no 'from' host in this header which leads me to believe it is a
    fake header inserted by the sender.

    > From: "PayPal" <paypal@info.paypal.com>


    This is whatever value the *sender* wants to put there. It is *data*
    added by the sender's e-mail client, not by any e-mail servers.

    While it is suspicious that the so-called "PayPal" communication
    originated from responsys.com, ResponSys appears to be a contracted
    service provider. That is, a company may hire them to handle some
    campaign. My ISP (Comcast) had hired a 3rd party to send out e-mails
    regarding their user accounts; however, because the e-mails originated
    from this contracted service provider, it was seen as an "official"
    e-mail that did NOT originate from my ISP which meant, to me, that it
    was fraudulent e-mail. I notified my ISP that any e-mail claiming to be
    from them had better originate from their domain; else, such e-mails
    would be reported to SpamHaus, SpamCop, and other blacklists as
    spam/phish sources. This convinced them to allocate a special account
    hosted within Comcast's domain through which the 3rd party contracted
    service would send their e-mails. That way, the "official" notices
    authorized by my ISP to be sent from this 3rd party would appear to have
    originated at my ISP's domain.

    So, on one hand, it appears suspicious that a professed "official"
    notice from PayPal originates at a non-PayPal domain. On the other
    hand, it's possible that PayPal contracted this 3rd party to send out
    their notifications - but PayPal really ****ed up by not providing a
    mailing route through PayPal's domain so such e-mails show as
    originating from PayPal. Until PayPal corrects their **** up by making
    sure any 3rd party contracted communications authorized by them show as
    originating from the PayPal domain, I would warn PayPal that all such
    e-mails will be reported as phishing e-mails and reported to all public
    blacklists that accept user submissions. I doubt they really want to be
    paying a 3rd party to deliver these e-mails only to have them get
    blocked by filters using the blacklists. As far as I care, if it didn't
    originate from a PayPal domain, especially for communications related to
    my account with them, then it is a phish e-mail despite whether or not
    PayPal authorized its transmission. They should well understand how
    e-mail works and how it gets traced.

    > Review your enhanced PayPal account statement today.
    >
    > -----------NOTE-------- The Next Two Lines are links ------------
    >
    > View mobile | View online
    > Recover your password | Get help | Your account
    >
    > ------ They point to email0.paypal.com/servlet/cc6?..xxxx --------
    > ---------------see http://mewnlite.com/statusbar.jpg ----------
    >
    > Hello (My Name),
    > Exciting news! You now have an enhanced way to view and quickly keep track
    > of your account activity.
    > See your enhanced Account Statement
    > You can access your statement any time by clicking Statements from your
    > Account Overview. Want to see it now? Go
    > Accept electronic communications from us
    > To continue to receive information about your account electronically*
    > including your account statements*you must accept our Electronic
    > Communications Delivery Policy. It only takes a few clicks:
    > • Log in to PayPal
    > • Click the Electronic Communications Delivery Policy link and read the
    > policy
    > • Click the checkbox to accept the policy
    > • Click Agree and Continue
    > For additional information on reporting unauthorized transactions or other
    > errors, follow the steps listed in section 12 of the PayPal User Agreement:
    > Resolution Procedures for Unauthorized Transactions and Other Errors
    > © 2011 PayPal Inc. All rights reserved. PayPal is located at 2211 N. First
    > St., San Jose, CA 95131.



    I don't know what the statusbar.jpg link is about. Maybe that's
    something your e-mail client or e-mail setup has added. I doubt PayPal
    or even a phisher would know about some sidebar/statusbar you have in an
    e-mail client or web browser add-on.

    The "Paypal" link is pointing to a PayPal domain. You don't have to use
    it. Just log into your PayPal account and then go to its account
    properties.

    I'm assuming there was no HTML and you are not showing the rendered
    version of that HTML code and the hypertext links you show are accurate,
    or you showed the actual href value from the <A> tag in the HTML code.
    Although you only show a single hypertext link, there actually were 5
    links: View mobile, View online, Recover your password, Get help, and
    Your account. Presumably you showed the link to just the Your Account
    link. The rest of the e-mail doesn't give you any links and instead
    just tells you to log into your PayPal account.

    When I logged into my PayPal account, I get presented with the
    solicitation to elect electronic delivery about account notifications.
    I don't have to accept it now and can click "Remind me later". I
    haven't logged into my PayPal account for months but the Statements
    section does look to be a new feature. Personally I wouldn't qualify
    this as an "enhanced" account but just another view of it by giving me a
    3-month summary of my account in .pdf that I could download.

    > I'm going to forward it as a spoof anyway.


    I would report it to PayPal's spoof address. I would also find other
    PayPal contact information to warn them that ALL e-mails through any 3rd
    party content provider with whom they contract to deliver their content
    *MUST* trace back to a PayPal domain. If they tell their contracted
    content delivery service to send out official PayPal notices then they
    must show as originating from PayPal, not from the 3rd party content
    provider. I'd tell them that any e-mails claiming to be from them but
    which do not originate from their domain WILL get reported to the DNSBLs
    (DNS blacklists; e.g., SpamHaus, SpamCop, SORBS, etc.) so their so-called
    official e-mails will get blacklisted by anyone using those blacklists
    (and many anti-spam programs and filters used by users and e-mail
    providers use those blacklists), plus reporting the phish e-mail to my
    own ISP (to update their anti-spam filter).

    PayPal should know better than to send official e-mails through a 3rd
    party where the content pretends to have come from PayPal but actually
    was sent from elsewhere.
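The Received-header walk VanguardLH does above, as an added Python example that is not part of the thread: it unfolds the headers Li'l Abner posted (re-typed here as a constructed sample with the "(ME)" munging kept and the DomainKey signature value replaced by a placeholder), walks the hops oldest-first, and reports the same points: the origin line with no 'from' clause, the rsys4.com origin outside the claimed paypal.com domain, the internal netins.net re-routing, and the forwarding-rule re-injection. The org() helper (last two labels) is a heuristic of mine, not a public-suffix lookup.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the Received chain, DomainKey-Signature and From: header as
# posted in the thread, poster's "(ME)" munging kept, signature value replaced by a
# placeholder. Not a live message.
RAW_HEADERS = """\
Received: from cgp.netins.net (cgpf1.cgp.netins.net [167.142.228.191])
 by alongthewapsie.com (Moxie [127.0.0.1]) (MDaemon.PRO.v8.0.1.R)
 with ESMTP id md50000021597.msg
 for <(ME)@alongthewapsie.com>; Tue, 19 Apr 2011 19:17:32 -0500
Received: from <(ME)@mewnlite.com>
 by cgpb3.cgp.netins.net (CommuniGate Pro RULE 5.3.13)
 with RULE id 17584571; Tue, 19 Apr 2011 19:17:26 -0500
Received: from [208.80.204.32] (HELO smtp432.redcondor.net)
 by cgpf1.cgp.netins.net (CommuniGate Pro SMTP 5.3.13)
 with ESMTP id 154232050 for (ME)@mewnlite.com; Tue, 19 Apr 2011 19:17:25 -0500
Received: from om-paypal-na.rsys4.com ([12.130.139.53])
 by smtp432.redcondor.net ({a3b42d5d-6a93-485e-92f2-d19129022c38})
 via TCP (inbound) with ESMTP id 20110420001724969
 for <(ME)@mewnlite.com>; Wed, 20 Apr 2011 00:17:24 +0000
Received: by om-paypal-na.rsys4.com (PowerMTA(TM) v3.5r15) id hloj180morcv
 for <ME@mewnlite.com>; Tue, 19 Apr 2011 17:17:24 -0700 (envelope-from
 <paypal@info.paypal.com>)
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=responsys;
 d=info.paypal.com; b=SIGNATURE_VALUE_OMITTED;
From: "PayPal" <paypal@info.paypal.com>
"""


@dataclass
class Hop:
    from_host: Optional[str]  # literal after "from": a host, an [ip], or a munged address
    helo: Optional[str]       # HELO name when the receiving MTA recorded one
    by_host: str              # the MTA that wrote this Received line


def unfold(raw: str) -> list:
    """Join RFC 5322 continuation lines; return (name, value) pairs in header order."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def parse_received(value: str) -> Hop:
    # Anchor "from" at the start so an "(envelope-from ...)" comment is not mistaken for it.
    m_from = re.match(r"from\s+(\S+)", value)
    m_helo = re.search(r"\(HELO\s+([^\s)]+)\)", value)
    m_by = re.search(r"\bby\s+(\S+)", value)
    return Hop(
        from_host=m_from.group(1).strip("<>") if m_from else None,
        helo=m_helo.group(1) if m_helo else None,
        by_host=m_by.group(1) if m_by else "?",
    )


def org(name: str) -> str:
    """Crude organisational domain: last two labels (heuristic, no public-suffix lookup)."""
    labels = name.strip("[]<>").rsplit("@", 1)[-1].lower().split(".")
    return ".".join(labels[-2:])


def trace(raw: str) -> dict:
    """Walk the Received chain oldest-first and report what a header reader would flag."""
    fields = unfold(raw)
    hops = [parse_received(v) for n, v in fields if n.lower() == "received"]
    hops.reverse()  # MTAs prepend Received lines, so reversed order is chronological
    from_hdr = next(v for n, v in fields if n.lower() == "from")
    claimed = org(re.search(r"@([\w.-]+)", from_hdr).group(1))
    findings = []
    for prev, nxt in zip(hops, hops[1:]):
        names = {nxt.from_host, nxt.helo} - {None}
        if prev.by_host in names:
            continue  # clean hand-off: the host that wrote the last line is the next "from"
        if nxt.from_host and "@" in nxt.from_host:
            findings.append(f"forwarding rule re-injection at {nxt.by_host} (from is an address)")
        elif any(org(n) == org(prev.by_host) for n in names):
            findings.append(f"internal re-routing in {org(prev.by_host)}: {prev.by_host} -> {nxt.from_host}")
        else:
            findings.append(f"chain break: {prev.by_host} -> {nxt.from_host}")
    origin = hops[0]
    if origin.from_host is None:
        findings.append(f"origin hop has no 'from' clause: self-written by {origin.by_host} or sender-inserted")
    if org(origin.by_host) != claimed:
        findings.append(f"origin {origin.by_host} is not under claimed sender domain {claimed}")
    # A DomainKey/DKIM signature under the claimed domain is how a delegated sender proves
    # authorisation; its presence is only a hint until the signature is actually verified.
    dk = next((v for n, v in fields if n.lower() == "domainkey-signature"), "")
    m_d = re.search(r"\bd=([\w.-]+)", dk)
    signed = m_d.group(1) if m_d else None
    if signed and org(signed) == claimed:
        findings.append(f"DomainKey-Signature d={signed} signs under the claimed domain; verify it before trusting")
    return {"origin": origin.by_host, "claimed_domain": claimed, "signed_domain": signed,
            "hops": hops, "findings": findings}
```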

  6. #6
    Li'l Abner Guest

    Re: Is this on the up & up?

    VanguardLH <V@nguard.LH> wrote in news:ionb1k$umd$1@news.albasani.net:

    > Li'l Abner wrote:
    >
    >> Received:
    >> by alongthewapsie.com (Moxie [127.0.0.1]) for
    >> <(ME)@alongthewapsie.com> from cgp.netins.net (cgpf1.cgp.netins.net
    >> [167.142.228.191])

    >
    > The 'by' host is where you retrieved the e-mail; i.e., your Moxie
    > account. The 'from' host is where it came from (the prior hop).
    >
    >> Received:
    >> by cgpb3.cgp.netins.net (CommuniGate Pro RULE 5.3.13)
    >> with RULE id 17584571; Tue, 19 Apr 2011 19:17:26 -0500
    >> from <(ME)@mewnlite.com>

    >
    > The 'by' host is still in the netins.net domain and may be different
    > than the 'from' host above due to internal routing within netins.net.
    >
    >> Received:
    >> by cgpf1.cgp.netins.net (CommuniGate Pro SMTP 5.3.13) for
    >> (ME)@mewnlite.com from [208.80.204.32] (HELO smtp432.redcondor.net)

    >
    > The 'by' host looks like more internal routing or proxying at
    > netins.net for your account. It's the 'from' host that starts to look
    > suspicious. Is redcondor.net somehow involved in your Moxie forwarding
    > setup?
    >
    >> Received:
    >> by smtp432.redcondor.net ({a3b42d5d-6a93-485e-92f2-d19129022c38})
    >> via TCP (inbound) with ESMTP id 20110420001724969
    >> for <(ME)@mewnlite.com>;
    >> from om-paypal-na.rsys4.com ([12.130.139.53])

    >
    > The 'by' host here matches up with the 'from' host in the next (above)
    > hop. However, notice that the 'from' host is NOT a paypal domain
    > (http://www.networksolutions.com/whois-search/rsys4.com). None of my
    > legitimate e-mails have come through the rsys4.com domain (their web
    > site is at responsys.com).
    >
    >> Received:
    >> by om-paypal-na.rsys4.com for <ME@mewnlite.com> (envelope-from
    >> <paypal@info.paypal.com>)

    >
    > There is no 'from' host in this header which leads me to believe it is
    > a fake header inserted by the sender.
    >
    >> From: "PayPal" <paypal@info.paypal.com>

    >
    > This is whatever value the *sender* wants to put there. It is *data*
    > added by the sender's e-mail client, not by any e-mail servers.
    >
    > While it is suspicious that the so-called "PayPal" communication
    > originated from responsys.com, ResponSys appears to be a contracted
    > service provider. That is, a company may hire them to handle some
    > campaign. My ISP (Comcast) had hired a 3rd party to send out e-mails
    > regarding their user accounts; however, because the e-mails originated
    > from this contracted service provider, it was seen as an "official"
    > e-mail that did NOT originate from my ISP which meant, to me, that it
    > was fraudulent e-mail. I notified my ISP that any e-mail claiming to
    > be from them had better originate from their domain; else, such
    > e-mails would be reported to SpamHaus, SpamCop, and other blacklists
    > as spam/phish sources. This convinced them to allocate a special
    > account hosted within Comcast's domain through which the 3rd party
    > contracted service would send their e-mails. That way, the "official"
    > notices authorized by my ISP to be sent from this 3rd party would
    > appear to have originated at my ISP's domain.
    >
    > So, on one hand, it appears suspicious that a professed "official"
    > notice from PayPal originates at a non-PayPal domain. On the other
    > hand, it's possible that PayPal contracted this 3rd party to send out
    > their notifications - but PayPal really ****ed up by not providing a
    > mailing route through PayPal's domain so such e-mails show as
    > originating from PayPal. Until PayPal corrects their **** up by
    > making sure any 3rd party contracted communications authorized by them
    > show as originating from the PayPal domain, I would warn PayPal that
    > all such e-mails will be reported as phishing e-mails and reported to
    > all public blacklists that accept user submissions. I doubt they
    > really want to be paying a 3rd party to deliver these e-mails only to
    > have them get blocked by filters using the blacklists. As far as I
    > care, if it didn't originate from a PayPal domain, especially for
    > communications related to my account with them, then it is a phish
    > e-mail despite whether or not PayPal authorized its transmission.
    > They should well understand how e-mail works and how it gets traced.
    >
    >> Review your enhanced PayPal account statement today.
    >>
    >> -----------NOTE-------- The Next Two Lines are links ------------
    >>
    >> View mobile | View online
    >> Recover your password | Get help | Your account
    >>
    >> ------ They point to email0.paypal.com/servlet/cc6?..xxxx --------
    >> ---------------see http://mewnlite.com/statusbar.jpg ----------
    >>
    >> Hello (My Name),
    >> Exciting news! You now have an enhanced way to view and quickly keep
    >> track of your account activity.
    >> See your enhanced Account Statement
    >> You can access your statement any time by clicking Statements from
    >> your Account Overview. Want to see it now? Go
    >> Accept electronic communications from us
    >> To continue to receive information about your account electronically*
    >> including your account statements*you must accept our Electronic
    >> Communications Delivery Policy. It only takes a few clicks:
    >> • Log in to PayPal
    >> • Click the Electronic Communications Delivery Policy link and read
    >> the
    >> policy
    >> • Click the checkbox to accept the policy
    >> • Click Agree and Continue
    >> For additional information on reporting unauthorized transactions or
    >> other errors, follow the steps listed in section 12 of the PayPal
    >> User Agreement: Resolution Procedures for Unauthorized Transactions
    >> and Other Errors © 2011 PayPal Inc. All rights reserved. PayPal is
    >> located at 2211 N. First St., San Jose, CA 95131.

    >
    >
    > I don't know what the statusbar.jpg link is about. Maybe that's
    > something your e-mail client or e-mail setup has added. I doubt
    > PayPal or even a phisher would know about some sidebar/statusbar you
    > have in an e-mail client or web browser add-on.
    >
    > The "Paypal" link is pointing to a PayPal domain. You don't have to
    > use it. Just log into your PayPal account and then go to its account
    > properties.
    >
    > I'm assuming there was no HTML and you are not showing the rendered
    > version of that HTML code and the hypertext links you show are
    > accurate, or you showed the actual href value from the <A> tag in the
    > HTML code. Although you only show a single hypertext link, there
    > actually were 5 links: View mobile, View online, Recover your
    > password, Get help, and Your account. Presumably you showed the link
    > to just the Your Account link. The rest of the e-mail doesn't give
    > you any links and instead just tells you to log into your PayPal
    > account.
    >
    > When I logged into my PayPal account, I get presented with the
    > solicitation to elect electronic delivery about account notifications.
    > I don't have to accept it now and can click "Remind me later". I
    > haven't logged into my PayPal account for months but the Statements
    > section does look to be a new feature. Personally I wouldn't qualify
    > this as an "enhanced" account but just another view of it by giving me
    > a 3-month summary of my account in .pdf that I could download.
    >
    >> I'm going to forward it as a spoof anyway.

    >
    > I would report it to PayPal's spoof address. I would also find other
    > PayPal contact information to warn them that ALL e-mails through any
    > 3rd party content provider with whom they contract to deliver their
    > content *MUST* trace back to a PayPal domain. If they tell their
    > contracted content delivery service to send out official PayPal
    > notices then they must show as originating from PayPal, not from the
    > 3rd party content provider. I'd tell them that any e-mails claiming
    > to be from them but which do not originate from their domain WILL get
    > reported to the DNSBLs (DNS blacklists; e.g., SpamHaus, SpamCop,
    > SORBS, etc) so their so-called official e-mails will get blacklisted
    > by anyone using those blacklists (and many anti-spam programs and
    > filters used by users and e-mail providers use those blacklists), plus
    > reporting the phish e-mail to my own ISP (to update their anti-spam
    > filter).
    >
    > PayPal should know better than to send official e-mails through a 3rd
    > party where the content pretends to have come from PayPal but actually
    > was sent from elsewhere.


    Thanks. I have a pretty good understanding of mail headers myself, but I
    hesitated to post ALL of them because of the confusion of my own domains.
    My internet provider is netins.net which hosts my domain mewnlite.com. My
    eBay email address is xxx@mewnlite.com. However I have sitting here right
    beside me a computer named "Moxie" which hosts alongthewapsie.com. ALL of
    my email no matter what the original domain it was mailed to is forwarded
    to an address at alongthewapsie.com.

    That's why I left most of those out because I knew they were valid. But I
    have no idea where or what the redcondor.net was. Or the responsys.com
    for that matter.

    My first introduction to studying email headers was when a customer of
    mine said her computer was sending out spam emails to all her friends. It
    turns out her hotmail account had been hijacked and the emails were
    actually originating from some other country.

    Thanks for the insight. Every little bit helps me learn more. Sorry you
    and Rhonda had to get in to it... :-) I have a great deal of respect for
    both of you!

    --
    --- Everybody has a right to my opinion. ---

  7. #7
    Dustin Guest

    Re: Is this on the up & up?

    VanguardLH <V@nguard.LH> wrote in news:ionb1k$umd$1@news.albasani.net:

    > PayPal should know better than to send official e-mails through a
    > 3rd party where the content pretends to have come from PayPal but
    > actually was sent from elsewhere.


    <BIG SNIP>

    Wow.. all this dissection, no effort to google any of the information
    visible in the headers.. Why is that? Honestly, save yourself some time
    Google is your friend.

    http://preview.************/3f2bt68


    --
    If today was your last day... and tomorrow was too late...
    could you say goodbye to yesterday?

  8. #8
    VanguardLH Guest

    Re: Is this on the up & up?

    Dustin wrote:

    > VanguardLH <V@nguard.LH> wrote in news:ionb1k$umd$1@news.albasani.net:
    >
    >> PayPal should know better than to send official e-mails through a
    >> 3rd party where the content pretends to have come from PayPal but
    >> actually was sent from elsewhere.

    >
    > <BIG SNIP>
    >
    > Wow.. all this dissection, no effort to google any of the information
    > visible in the headers.. Why is that? Honestly, save yourself some time
    > Google is your friend.


    That advice is worthless unless you actually provide the search criteria
    that provides a narrow (small count) matching list of articles so
    someone other than yourself could find the same info? Oh yeah, Google
    it without giving any reasonable search criteria that gives a results
    count under a couple thousand articles.

    You'll notice when I interrogated the headers that I actually removed
    the irrelevant ones regarding the goal (to find out where the e-mail
    originated) and even reordered the 'by' and 'from' clauses in the
    Received headers to make it clearer that the 'from' host in a Received
    header should be related or match on the 'by' clause in the next
    Received header.

    > http://preview.************/3f2bt68


    Why would I waste time with multiple Google searches trying to find
    search criteria that eventually led me to an article where the headers
    were interpreted when I can do that already just by myself? Geez, how
    do you manage to put on your underwear without using Google?

    The article that you magically found using non-described search criteria
    in a Google search to sift through the millions of matching articles
    never showed the interrogation of the headers to prove where the e-mail
    originated.

    The problem is that neither the OP here nor that forum article show the
    actual content (raw source) of the e-mail. Look at this phish tracker
    article:

    http://www.dslreports.com/phishtrack...fb51ba9b3604a0

    Notice ALL of the links go to the paypal.com domain. So how can an
    article that doesn't lead you astray to a phishing domain but actually
    take you to the PayPal domain qualify as a phish e-mail? A phish e-mail
    has to take you somewhere ELSE or cull info from you to send somewhere
    ELSE. That someone reported it as a phish e-mail doesn't make it so.

    Turns out I was right about ResponSys (rsys4.com source for the e-mail)
    being a 3rd party content delivery service for PayPal. Those claiming
    it was a phish e-mail were wrong. Go read:

    http://seekingalpha.com/article/2646...of-good-demand
    http://marketplace.demandware.com/Re...efault,pd.html
    http://willesdenherald.blogspot.com/...o-yesmail.html

    And how did I find this? By a Google search but, unlike you, I'll
    provide the search criteria:

    http://www.google.com/search?q=%2Bpa...s=0&lr=lang_en

    What PayPal needs to do is provide a proxy or account through which
    their contracted delivery provider sends PayPal-authorized announcements
    through them so those e-mails trace back to a PayPal domain, not to the
    3rd party content delivery service but which is unknown to the 2nd party
    (the e-mail recipient).
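
A worked example, added here and not part of any post in this thread: it applies the Received-header chaining VanguardLH describes (each header's 'from' host should be the host named in the 'by' clause of the next, older Received header) and then compares the host that first handed the mail in with the domain claimed in From:. The sample message and every hostname in it except rsys4.com are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample; every hostname except rsys4.com (named in the thread) is made up.
RAW_MAIL = """\
Received: from mx.isp.example (mx.isp.example [192.0.2.10])
    by moxie.home.example with ESMTP; Tue, 19 Apr 2011 19:17:34 -0500
Received: from om-paypal-na.rsys4.com (om-paypal-na.rsys4.com [192.0.2.20])
    by mx.isp.example with ESMTP; Tue, 19 Apr 2011 19:17:30 -0500
From: "PayPal" <paypal@info.paypal.com>
Subject: your enhanced account statement is here

(body omitted)
"""

# "from <host> ... by <host>" inside one Received header (folded lines included).
HOP_RE = re.compile(r"\bfrom\s+([\w.-]+).*?\bby\s+([\w.-]+)", re.I | re.S)

def norm(host):
    return host.lower().rstrip(".")

def parse_received(raw):
    """Return [(from_host, by_host), ...] in header order: newest hop first."""
    hops = []
    for hdr in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(hdr)
        if m:
            hops.append((norm(m.group(1)), norm(m.group(2))))
    return hops

def chain_breaks(hops):
    """Indexes i where hops[i]'s 'from' host is not the 'by' host of the older hop hops[i+1]."""
    return [i for i in range(len(hops) - 1) if hops[i][0] != hops[i + 1][1]]

def reg_domain(host):
    # Simplification for this example: the last two labels stand in for the organisation's domain.
    return ".".join(host.split(".")[-2:])

def origin_report(raw):
    """Summarise where the mail entered the chain and whether that matches the From: domain."""
    hops = parse_received(raw)
    from_domain = parseaddr(message_from_string(raw).get("From", ""))[1].rpartition("@")[2].lower()
    origin = hops[-1][0] if hops else ""  # oldest Received header = first accepting hop
    return {
        "origin_host": origin,
        "from_domain": from_domain,
        "chain_breaks": chain_breaks(hops),
        "origin_matches_from": bool(origin) and reg_domain(origin) == reg_domain(from_domain),
    }
```

For the sample the chain is consistent, but the originating host is under rsys4.com while From: claims paypal.com, which is exactly the mismatch the thread argues about.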

  9. #9
    Dustin Guest

    Re: Is this on the up & up?

    "Li'l Abner" <blvstk@dogpatch.com> wrote in
    news:Xns9ECD1F79A80DBbutter@wefb973cbe498:

    > https://www.paypal.com/cgi-bin/webscr?cmd=_account, even though the
    > status bar (shown in diagram) isn't pointing there.


    Abner, if you googled this from the headers; You'd quickly discover it's
    a phishing email and has been floating around since 2009, possibly even
    longer.

    om-paypal-na.rsys4.com

    DSL reports had this to say about it,

    http://preview.************/3f2bt68

    No need to forward it along, as paypal has seen thousands of identical
    emails. You were wise NOT to follow the instructions contained within.

    --
    If today was your last day... and tomorrow was too late...
    could you say goodbye to yesterday?

  10. #10
    Rhonda Lea Kirk Fries Guest

    Re: Is this on the up & up?

    Dustin wrote:
    > "Li'l Abner" <blvstk@dogpatch.com> wrote in
    > news:Xns9ECD1F79A80DBbutter@wefb973cbe498:
    >
    >> https://www.paypal.com/cgi-bin/webscr?cmd=_account, even though the
    >> status bar (shown in diagram) isn't pointing there.

    >
    > Abner, if you googled this from the headers; You'd quickly discover
    > it's a phishing email and has been floating around since 2009,
    > possibly even longer.
    >
    > om-paypal-na.rsys4.com
    >
    > DSL reports had this to say about it,
    >
    > http://preview.************/3f2bt68
    >
    > No need to forward it along, as paypal has seen thousands of identical
    > emails. You were wise NOT to follow the instructions contained within.


    Apparently there were some phishing emails with similar content, because
    employees at PayPal confirmed to some people that the emails were spoofed.
    Either that or someone is asleep at the switch (which appears more likely
    based on some of the queries I've seen).

    The email I received was not a spoof--each and every link landed directly at
    the PayPal site. There's a 3rd party servicer doing the mailings, but PayPal
    hired them, so they're doing what they were paid to do. All the mishegoss at
    the end of the links is apparently something that they use for
    tracking/statistical purposes.

    It may have been misguided, but it was not a phish.


