Is this on the up & up?

[Rhonda Lea Kirk Fries]

VanguardLH wrote:
> Rhonda Lea Kirk Fries wrote:
>
>> VanguardLH wrote:
>>> Li'l Abner wrote:
>>>
>>>> There's lots of links on here. Any of them I hover over shows a
>>>> link starting with "https://email0.paypal.com/servlet/cc6....."
>>>> It sure looks like phishing to me. If I just log into PayPal the
>>>> normal way, I don't see anything about "enhanced account statement"
>>>> Is it real or do I forward it to spoof@paypal.com?
>>>>
>>>> From: "PayPal" <paypal@info.paypal.com>
>>>> Reply-To: "PayPal" <reply1@info.paypal.com>
>>>> Subject: My Name, your enhanced account statement is here
>>>> X-cid: pplna.4510.2
>>>> X-sgxh1: L7HP7LgxuLOgtplLQJhu
>>>> To: ME
>>>> X-valueof-OFFERID: 43929
>>>> X-valueof-CAMPAIGNID: 8417
>>>> X-valueof-TREATMENTCODE: 000814556
>>>> X-valueof-EMAILCATEGORY: NON
>>>> X-valueof-HASHID: 43A21497869790451
>>>> Message-ID: <0.0.E4.807.1CBFEF052E486EE.0@om-paypal-na.rsys4.com>
>>>> X-MDRcpt-To: me@myfinaldomain.com
>>>> X-Rcpt-To: me@myfinaldomain.com
>>>> X-MDRemoteIP: 167.142.228.191
>>>> X-Return-Path: paypal@info.paypal.com
>>>> X-MDaemon-Deliver-To: (valid)
>>>> X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on MOXIE
>>>> X-Spam-Status: No, score=-104.5 required=8.0
>>>> tests=BAYES_00,HTML_90_100,
>>>> HTML_MESSAGE,HTML_TAG_EXIST_TBODY,UPPERCASE_25_50, USER_IN_WHITELIST
>>>> autolearn=no version=3.0.2
>>>> X-Spam-Level:
>>>> X-Spam-Processed: Moxie, Tue, 19 Apr 2011 19:17:34 -0500
>>>>
>>>> Date: Tue, 19 Apr 2011 17:17:24 -0700
>>>> Content-Type: multipart/alternative; boundary="----alt_border_1"
>>>>
>>>> Review your enhanced PayPal account statement today.
>>>> View mobile | View online
>>>> Recover your password | Get help | Your account
>>>> Hello MY NAME,
>>>> Exciting news! You now have an enhanced way to view and quickly
>>>> keep track of your account activity.
>>>> See your enhanced Account Statement
>>>> You can access your statement any time by clicking Statements from
>>>> your Account Overview. Want to see it now? Go
>>>> Accept electronic communications from us
>>>> To continue to receive information about your account
>>>> electronically* including your account statements*you must accept
>>>> our Electronic Communications Delivery Policy. It only takes a few
>>>> clicks: . Log in to PayPal
>>>> . Click the Electronic Communications Delivery Policy link and
>>>> read the policy
>>>> . Click the checkbox to accept the policy
>>>> . Click Agree and Continue
>>>> For additional information on reporting unauthorized transactions
>>>> or other errors, follow the steps listed in section 12 of the
>>>> PayPal User Agreement: Resolution Procedures for Unauthorized
>>>> Transactions and Other Errors
>>>> © 2011 PayPal Inc. All rights reserved. PayPal is located at 2211
>>>> N. First St., San Jose, CA 95131.
>>>
>>> Since you didn't bother to show all the headers, including the
>>> Received headers, how would anyone else know from where you got the
>>> e-mail? Show *ALL* the headers in the original e-mail except
>>> munge/star out your username (not the domain since that's public
>>> info, anyway).
>>>
>>> Since you decided to show just the plain text version and not the
>>> HTML code, just how would we know what the URLs really pointed at?
>>> Show *ALL* the HTML code, not what you see or the rendered version
>>> of it.
>>>
>>> What you showed above was an incomplete exhibit.
>>
>> If you don't have anything relevant to contribute, why do you post?
>
> Yeah, I see how detailed you were in showing how to trace the delivery
> of an e-mail without the appropriate headers in the exhibit.

As if headers cannot be forged.

In other words, the headers are useless to the purpose of determining the
legitimacy of the email.

> Now look
> at my reply after the OP did provide the headers. It was a hell of a
> lot more informative than your other reply (versus your worthless
> response here).

I have firsthand proof that the email is legitmate--I used the links
therein, and I agreed to the requested changes for the enhanced billing
statement. No problem.

> If you don't have anything relevant to contribute, why do you post?

Apparently your interpretation of "relevance" favors your blathering, not
anything that might be useful.

> See, your inane statement applies to you, too. Pretty soon if you
> keep this up, you'll be the female equivalent of richard (another
> well-known ignorant responder).

No one can outdo you for ignorance.

[Li'l Abner]

VanguardLH <V@nguard.LH> wrote in news:ionb1k$umd$1@news.albasani.net:

> Li'l Abner wrote:
>
>> Received:
>> by alongthewapsie.com (Moxie [127.0.0.1]) for
>> <(ME)@alongthewapsie.com> from cgp.netins.net (cgpf1.cgp.netins.net
>> [167.142.228.191])
>
> The 'by' host is where you retrieved the e-mail; i.e., your Moxie
> account. The 'from' host is where it came from (the prior hop).
>
>> Received:
>> by cgpb3.cgp.netins.net (CommuniGate Pro RULE 5.3.13)
>> with RULE id 17584571; Tue, 19 Apr 2011 19:17:26 -0500
>> from <(ME)@mewnlite.com>
>
> The 'by' host is still in the netins.net domain and may be different
> than the 'from' host above due to internal routing within netins.net.
>
>> Received:
>> by cgpf1.cgp.netins.net (CommuniGate Pro SMTP 5.3.13) for
>> (ME)@mewnlite.com from [208.80.204.32] (HELO smtp432.redcondor.net)
>
> The 'by' host looks like more internal routing or proxying at
> netins.net for your account. It's the 'from' host that starts to look
> suspicious. Is redcondor.net somehow involved in your Moxie forwarding
> setup?
>
>> Received:
>> by smtp432.redcondor.net ({a3b42d5d-6a93-485e-92f2-d19129022c38})
>> via TCP (inbound) with ESMTP id 20110420001724969
>> for <(ME)@mewnlite.com>;
>> from om-paypal-na.rsys4.com ([12.130.139.53])
>
> The 'by' host here matches up with the 'from' host in the next (above)
> hop. However, notice that the 'from' host is NOT a paypal domain
> (http://www.networksolutions.com/whois-search/rsys4.com). None of my
> legitimate e-mails have come through the rsys4.com domain (their web
> site is at responsys.com).
>
>> Received:
>> by om-paypal-na.rsys4.com for <ME@mewnlite.com> (envelope-from
>> <paypal@info.paypal.com>)
>
> There is no 'from' host in this header which leads me to believe it is
> a fake header inserted by the sender.
>
>> From: "PayPal" <paypal@info.paypal.com>
>
> This is whatever value the *sender* wants to put there. It is *data*
> added by the sender's e-mail client, not by any e-mail servers.
>
> While it is suspicious that the so-called "PayPal" communication
> originated from responsys.com, ResponSys appears to be a contracted
> service provider. That is, a company may hire them to handle some
> campaign. My ISP (Comcast) had hired a 3rd party to send out e-mails
> regarding their user accounts; however, because the e-mails originated
> from this contracted service provider, it was seen as an "official"
> e-mail that did NOT originate from my ISP which meant, to me, that it
> was fraudulent e-mail. I notified my ISP that any e-mail claiming to
> be from them had better originate from their domain; else, such
> e-mails would be reported to SpamHaus, SpamCop, and other blacklists
> as spam/phish sources. This convinced them to allocate a special
> account hosted within Comcast's domain through which the 3rd party
> contracted service would send their e-mails. That way, the "official"
> notices authorized by my ISP to be send from this 3rd party would
> appear to have originated at my ISP's domain.
>
> So, on one hand, it appears suspicious that a professed "official"
> notice from PayPal originates at a non-PayPal domain. On the other
> hand, it's possible that PayPal contracted this 3rd party to send out
> their notifications - but PayPal really ****ed up by not providing a
> mailing route through PayPal's domain so such e-mails show as
> originating from PayPal. Until PayPal corrects their **** up by
> making sure any 3rd party contracted communications authorized by them
> show as originating from the PayPal domain, I would warn PayPal that
> all such e-mails will be reporting as phishing e-mails and reported to
> all public blacklists that accept user submissions. I doubt they
> really want to be paying a 3rd party to deliver these e-mails only to
> have them get blocked by filters using the blacklists. As far as I
> care, if it didn't originate from a PayPal domain, especially for
> communications related to my account with them, then it is a phish
> e-mail despite whether or not PayPal authorized its transmission.
> They should well understand how e-mail works and how it gets traced.
>
>> Review your enhanced PayPal account statement today.
>>
>> -----------NOTE-------- The Next Two Lines are links ------------
>>
>> View mobile | View online
>> Recover your password | Get help | Your account
>>
>> ------ They point to email0.paypal.com/servelt/cc6?..xxxx --------
>> ---------------see http://mewnlite.com/statusbar.jpg ----------
>>
>> Hello (My Name),
>> Exciting news! You now have an enhanced way to view and quickly keep
>> track of your account activity.
>> See your enhanced Account Statement
>> You can access your statement any time by clicking Statements from
>> your Account Overview. Want to see it now? Go
>> Accept electronic communications from us
>> To continue to receive information about your account electronically*
>> including your account statements*you must accept our Electronic
>> Communications Delivery Policy. It only takes a few clicks:
>> • Log in to PayPal
>> • Click the Electronic Communications Delivery Policy link and read
>> the
>> policy
>> • Click the checkbox to accept the policy
>> • Click Agree and Continue
>> For additional information on reporting unauthorized transactions or
>> other errors, follow the steps listed in section 12 of the PayPal
>> User Agreement: Resolution Procedures for Unauthorized Transactions
>> and Other Errors © 2011 PayPal Inc. All rights reserved. PayPal is
>> located at 2211 N. First St., San Jose, CA 95131.
>
>
> I don't know what the statusbar.jpg link is about. Maybe that's
> something your e-mail client or e-mail setup has added. I doubt
> PayPal or even a phisher would know about some sidebar/statusbar you
> have in an e-mail client or web browser add-on.
>
> The "Paypal" link is pointing to a PayPal domain. You don't have to
> use it. Just log into your PayPal account and then go to its account
> properties.
>
> I'm assuming there was no HTML and you are not showing the rendered
> version of that HTML code and the hypertext links you show are
> accurate, or you showed the actual href value from the <A> tag in the
> HTML code. Although you only show a single hypertext link, there
> actually were 5 links: View mobile, View online, Recover your
> password. Get help, and Your account. Presumably you showed the link
> to just the Your Account link. The rest of the e-mail doesn't give
> you any links and instead just tells you to log into your PayPal
> account.
>
> When I logged into my PayPal account, I get presented with the
> solicitation to elect electronic delivery about account notifications.
> I don't have to accept it now and can click "Remind me later". I
> haven't logged into my PayPal account for months but the Statements
> section does look to be a new feature. Personally I wouldn't qualify
> this as an "enhanced" account but just another view of it by giving me
> a 3-month summary of my account in .pdf that I could download.
>
>> I'm going to forward it as a spoof anyway.
>
> I would report it to PayPal's spoof address. I would also find other
> PayPal contact information to warn them that ALL e-mails through any
> 3rd party content provider with who they contract to deliver their
> content *MUST* trace back to a PayPal domain. If they tell their
> contracted content delivery service to send out official PayPal
> notices then they must show as originating from PayPal, not from the
> 3rd party content provider. I'd tell them that any e-mails claiming
> to be from them but which do not originate from their domain WILL get
> reported to the DNSBLs (DNS blacklists; e.g., SpamHaus, SpamCop,
> SORBS, etc) so their so-called official e-mails will get blacklisted
> by anyone using those blacklists (and may anti-spam programs and
> filters used by users and e-mail providers use those blacklists), plus
> reporting the phish e-mail to my own ISP (to update their anti-spam
> filter).
>
> PayPal should know better than to send official e-mails through a 3rd
> party where the content pretends to have come from PayPal but actually
> was sent from elsewhere.

Thanks. I have a pretty good understanding of mail headers myself, but I
hesitated to post ALL of them because of the confusion of my own domains.
My internet provider is netins.net which hosts my domain mewnlite.com. My
eBay email address is xxx@mewnlite.com. However I have sitting here right
beside me a computer named "Moxie" which hosts alongthewapsie.com. ALL of
my email no matter what the original domain it was mailed to is forwarded
to an address at alongthewapsie.com.

That's why I left most of those out because I knew they were valid. But I
have no idea where or what the redcondor.net was. Or the responsys.com
for that matter.

My first introduction to studying email headers was when a customer of
mine said her computer was sending out spam emails to all her friends. It
turns out her hotmail account had been hijacked and the emails were
actually originating from some other country.

Thanks for the insight. Every little bit helps me learn more. Sorry you
and Rhonda had to get in to it... :-) I have a great deal of respect for
both of you!

--
--- Everybody has a right to my opinion. ---

[Li'l Abner]

"Rhonda Lea Kirk Fries" <rhondaleakirk@earthling.net> wrote in
news:ionb2u$v08$1@news.albasani.net:

> Li'l Abner wrote:
>> "Rhonda Lea Kirk Fries" <rhondaleakirk@earthling.net> wrote in
>> news:iomfak$hi$1@news.albasani.net:
>>
>>> Li'l Abner wrote:
>>>> There's lots of links on here. Any of them I hover over shows a
>>>> link starting with "https://email0.paypal.com/servlet/cc6....."
>>>> It sure looks like phishing to me. If I just log into PayPal the
>>>> normal way, I don't see anything about "enhanced account statement"
>>>> Is it real or do I forward it to spoof@paypal.com?
>>>
>>> It's not phishing.
>>>
>>> There's a new agreement that you're asked to sign about receiving
>>> electronic communications, i.e., the "Electronic Communications
>>> Delivery Policy."
>>>
>>> I admit that I didn't notice anything particularly new about my
>>> account, but apparently there are some tweaks in there of which they
>>> are inordinately proud.
>>>
>>> The nice thing about PayPal is that real letters are addressed to
>>> your real name (or whatever name you gave them, in exactly the form
>>> you gave it to them), so that's a real clue that the letter is not a
>>> spoof.
>>>
>>> If you still suspect there's a problem, you can look further, but
>>> it's really not necessary until the day comes that someone breaks
>>> into PayPal's database, and then it's not going to matter what you
>>> do.
>>
>> I've always been told that legitimate emails will ask you to log in
>> to your account directly (www.paypal.com) and would never contain
>> links.
>> And those mile long links with random looking letters and numbers
>> aren't very assuring wither.
>
> The links go directly to the real PayPal site.
>
> I have received a number of emails from PayPal, all legitimate, that
> contain links back to the PayPal site, so I don't know who told you
> that.

My service provider sends out notices occassionly with such warnings.
They'll tell you to type email links into your browser rather than click
on them in case they are actually pointing somewhere else. And since my
"hover" was showing up as pointing to that ridicously long URL atarting
with "email0" I became suspicious.

Thanks for putting me at ease though. I did forward it to Paypal and
never heard anything back from them. I never did investigate the
"agreement". I've got a good record with Paypal and they've never
threatened to cut me off. Yet, anyway!

--
--- Everybody has a right to my opinion. ---

[Rhonda Lea Kirk Fries]

Li'l Abner wrote:
> "Rhonda Lea Kirk Fries" <rhondaleakirk@earthling.net> wrote in
> news:ionb2u$v08$1@news.albasani.net:
>
>> Li'l Abner wrote:
>>> "Rhonda Lea Kirk Fries" <rhondaleakirk@earthling.net> wrote in
>>> news:iomfak$hi$1@news.albasani.net:
>>>
>>>> Li'l Abner wrote:
>>>>> There's lots of links on here. Any of them I hover over shows a
>>>>> link starting with "https://email0.paypal.com/servlet/cc6....."
>>>>> It sure looks like phishing to me. If I just log into PayPal the
>>>>> normal way, I don't see anything about "enhanced account
>>>>> statement" Is it real or do I forward it to spoof@paypal.com?
>>>>
>>>> It's not phishing.
>>>>
>>>> There's a new agreement that you're asked to sign about receiving
>>>> electronic communications, i.e., the "Electronic Communications
>>>> Delivery Policy."
>>>>
>>>> I admit that I didn't notice anything particularly new about my
>>>> account, but apparently there are some tweaks in there of which
>>>> they are inordinately proud.
>>>>
>>>> The nice thing about PayPal is that real letters are addressed to
>>>> your real name (or whatever name you gave them, in exactly the form
>>>> you gave it to them), so that's a real clue that the letter is not
>>>> a spoof.
>>>>
>>>> If you still suspect there's a problem, you can look further, but
>>>> it's really not necessary until the day comes that someone breaks
>>>> into PayPal's database, and then it's not going to matter what you
>>>> do.
>>>
>>> I've always been told that legitimate emails will ask you to log in
>>> to your account directly (www.paypal.com) and would never contain
>>> links.
>>> And those mile long links with random looking letters and numbers
>>> aren't very assuring wither.
>>
>> The links go directly to the real PayPal site.
>>
>> I have received a number of emails from PayPal, all legitimate, that
>> contain links back to the PayPal site, so I don't know who told you
>> that.
>
> My service provider sends out notices occassionly with such warnings.

Ah, I've seen such emails, but most online businesses, even banks, contain
links back to their sites, which is why phishing is such a problem. People
get lazy, and they don't check to be sure where they are.

> They'll tell you to type email links into your browser rather than
> click on them in case they are actually pointing somewhere else. And
> since my "hover" was showing up as pointing to that ridicously long
> URL atarting with "email0" I became suspicious.

I can't be bothered to do all that typing every time I want to go to a site,
so I click on links all the time, but I always check them in the browser
bar. Moreover, I use Roboform, so if a link takes me to a spoof site,
Roboform will not show a password for that site.

> Thanks for putting me at ease though. I did forward it to Paypal and
> never heard anything back from them. I never did investigate the
> "agreement". I've got a good record with Paypal and they've never
> threatened to cut me off. Yet, anyway!

You can read about the agreement on the PayPal site. Just search "enhanced."

I'm pretty sure, however, that when you log in, you will eventually get a
page that asks to you to read and accept the agreement.

Oh, and there's more good news. Even if someone does get your login
information, s/he cannot change your password without access to your
financial information (bank account or credit card number). So if you do
notice suspicious activity, or fear that your login information has been
compromised, you are able to access your account anyway to change your
password immediately.

[VanguardLH]

Rhonda Lea Kirk Fries wrote:

> VanguardLH wrote:
>
>> Yeah, I see how detailed you were in showing how to trace the delivery
>> of an e-mail without the appropriate headers in the exhibit.
>
> As if headers cannot be forged.

Not once it is past the e-mail server under the control of the phisher.
That's why you trace backwards and watch out for bogus headers inserted
by the phisher. Spend some time in the Spamcop newsgroup or forums to
get a feel on how to decipher the headers.

> In other words, the headers are useless to the purpose of determining the
> legitimacy of the email.

Yeah, sure, we believe you. They mean absolutely nothing, uh huh. The
source of an e-mail is never relevant to its content, yeah, right.

>> If you don't have anything relevant to contribute, why do you post?

Your reply (to me) was even less "relevant" than my reply to the OP (to
get more info to allow tracing the routing of the e-mail - something
only you claim is not relevant).

[Rhonda Lea Kirk Fries]

VanguardLH wrote:
> Rhonda Lea Kirk Fries wrote:
>
>> VanguardLH wrote:
>>
>>> Yeah, I see how detailed you were in showing how to trace the
>>> delivery of an e-mail without the appropriate headers in the
>>> exhibit.
>>
>> As if headers cannot be forged.
>
> Not once it is past the e-mail server under the control of the
> phisher. That's why you trace backwards and watch out for bogus
> headers inserted by the phisher. Spend some time in the Spamcop
> newsgroup or forums to get a feel on how to decipher the headers.
>
>> In other words, the headers are useless to the purpose of
>> determining the legitimacy of the email.
>
> Yeah, sure, we believe you. They mean absolutely nothing, uh huh.
> The source of an e-mail is never relevant to its content, yeah, right.
>
>>> If you don't have anything relevant to contribute, why do you post?
>
> Your reply (to me) was even less "relevant" than my reply to the OP
> (to get more info to allow tracing the routing of the e-mail -
> something only you claim is not relevant).

<plonk>

[Dustin]

VanguardLH <V@nguard.LH> wrote in news:iolp3d$ga1$1@news.albasani.net:

> Since you decided to show just the plain text version and not the
> HTML code, just how would we know what the URLs really pointed at?
> Show *ALL* the HTML code, not what you see or the rendered version
> of it.

He should place the html code somewhere and provide a link to it instead,
don't encourage people to post html here.



--
If today was your last day... and tomorrow was too late...
could you say goodbye to yesterday?

[Dustin]

"Li'l Abner" <blvstk@dogpatch.com> wrote in
news:Xns9ECD1F79A80DBbutter@wefb973cbe498:

> https://www.paypal.com/cgi-bin/webscr?cmd=_account, even though the
> status bar (shown in diagram) isn't pointing there.

Abner, if you googled this from the headers; You'd quickly discover it's
a phishing email and has been floating around since 2009, possibly even
longer.

om-paypal-na.rsys4.com

DSL reports had this to say about it,

http://preview.************/3f2bt68

No need to forward it along, as paypal has seen thousands of identical
emails. You were wise NOT to follow the instructions contained withen.

--
If today was your last day... and tomorrow was too late...
could you say goodbye to yesterday?

[Dustin]

VanguardLH <V@nguard.LH> wrote in news:ionb1k$umd$1@news.albasani.net:

> PayPal should know better than to send official e-mails through a
> 3rd party where the content pretends to have come from PayPal but
> actually was sent from elsewhere.

<BIG SNIP>

Wow.. all this disection, no effort to google any of the information
visible in the headers.. Why is that? Honestly, save yourself some time
Google is your friend.

http://preview.************/3f2bt68


--
If today was your last day... and tomorrow was too late...
could you say goodbye to yesterday?

[Dustin]

VanguardLH <V@nguard.LH> wrote in news:ionb82$vag$1@news.albasani.net:

> Yeah, I see how detailed you were in showing how to trace the
> delivery of an e-mail without the appropriate headers in the
> exhibit. Now look at my reply after the OP did provide the headers.
> It was a hell of a lot more informative than your other reply
> (versus your worthless response here).

Overkill, and still not as informative as mine. See this link. One line.


http://preview.************/3f2bt68



--
If today was your last day... and tomorrow was too late...
could you say goodbye to yesterday?