Is this on the up & up?

[VanguardLH]

Dustin wrote:

> VanguardLH <V@nguard.LH> wrote in news:ionb1k$umd$1@news.albasani.net:
>
>> PayPal should know better than to send official e-mails through a
>> 3rd party where the content pretends to have come from PayPal but
>> actually was sent from elsewhere.
>
> <BIG SNIP>
>
> Wow.. all this disection, no effort to google any of the information
> visible in the headers.. Why is that? Honestly, save yourself some time
> Google is your friend.

That advice is worthless unless you actually provide the search criteria
that provides a narrow (small count) matching list of articles so
someone other than yourself could find the same info? Oh yeah, Google
it without giving any reasonable search criteria that gives a results
count under a couple thousand articles.

You'll notice when I interrogated the headers that I actually removed
the irrelevant ones regarding the goal (to find out where the e-mail
originated) and even reordered the 'by' and 'from' clauses in the
Received headers to make it clearer that the 'from' host in a Received
header should be related or match on the 'by' clause in the next
Received header.

> http://preview.************/3f2bt68

Why would I waste time with multiple Google searches trying to find
search criteria that eventually led me to an article where the headers
were interpreted when I can do that already just by myself? Geez, how
do you manage to put on your underwear without using Google?

The article that you magically found using non-described search criteria
in a Google search to sift through the millions of matching articles
never showed the interrogation of the headers to prove where the e-mail
originated.

The problem is that neither the OP here or that forum article show the
actual content (raw source) of the e-mail. Look at this phish tracker
article:

http://www.dslreports.com/phishtrack...fb51ba9b3604a0

Notice ALL of the links go to the paypal.com domain. So how can an
article that doesn't lead you astray to a phishing domain but actually
take you to the PayPal domain qualify as a phish e-mail? A phish e-mail
has to take you somewhere ELSE or cull info from you to send somewhere
ELSE. That someone reported it as a phish e-mail doesn't make it so.

Turns out I was right about ResponSys (rsys4.com source for the e-mail)
being a 3rd party content delivery service for PayPal. Those claiming
it was a phish e-mail were wrong. Go read:

http://seekingalpha.com/article/2646...of-good-demand
http://marketplace.demandware.com/Re...efault,pd.html
http://willesdenherald.blogspot.com/...o-yesmail.html

And how did I find this? By a Google search but, unlike you, I'll
provide the search criteria:

http://www.google.com/search?q=%2Bpa...s=0&lr=lang_en

What PayPal needs to do is provide a proxy or account through which
their contracted delivery provider sends PayPal-authorized announcements
through them so those e-mails trace back to a PayPal domain, not to the
3rd party content delivery service but which is unknown to the 2nd party
(the e-mail recipient).

[VanguardLH]

Dustin wrote:

> VanguardLH:
>
>> Since you decided to show just the plain text version and not the
>> HTML code, just how would we know what the URLs really pointed at?
>> Show *ALL* the HTML code, not what you see or the rendered version
>> of it.
>
> He should place the html code somewhere and provide a link to it instead,
> don't encourage people to post html here.

Showing HTML code does not make it a clickable link. That's just text.
All HTML is just text. Whether or not your client modifies the content
of a plain text document to make clickable some parsed text depends on
what client you use and how you configure it. If he wanted to make sure
it wasn't clickable by other viewers, he could do the same thing we all
do here when quoting some spam/scam/phish post here: munge it so it
isn't clickable (an easy way is to just add spaces in the hypertext
link, like https:// email0. paypal. com/ servelt/ cc6?..xxxx). If a
viewer wants to view the site (safely or however they want), they can
unmunge the *text* to make a string they can copy into their web
browser's address bar.

I didn't say he should post using HTML (i.e., his post is HTML
formatted). I said to post the raw source of the e-mail (headers and
body - but munge out his username in e-mail addresses). He would be
posting here in plain text the HTML in the e-mail which is also plain
text.

[Rhonda Lea Kirk Fries]

Dustin wrote:
> "Li'l Abner" <blvstk@dogpatch.com> wrote in
> news:Xns9ECD1F79A80DBbutter@wefb973cbe498:
>
>> https://www.paypal.com/cgi-bin/webscr?cmd=_account, even though the
>> status bar (shown in diagram) isn't pointing there.
>
> Abner, if you googled this from the headers; You'd quickly discover
> it's a phishing email and has been floating around since 2009,
> possibly even longer.
>
> om-paypal-na.rsys4.com
>
> DSL reports had this to say about it,
>
> http://preview.************/3f2bt68
>
> No need to forward it along, as paypal has seen thousands of identical
> emails. You were wise NOT to follow the instructions contained withen.

Apparently there were some phishing emails with similar content, because
employees at PayPal confirmed to some people that the emails were spoofed.
Either that or someone is asleep at the switch (which appears more likely
based on some of the queries I've seen).

The email I received was not a spoof--each and every link landed directly at
the PayPal site. There's a 3rd party servicer doing the mailings, but PayPal
hired them, so they're doing what they were paid to do. All the mishegoss at
the end of the links is apparently something that they use for
tracking/statistical purposes.

It may have been misguided, but it was not a phish.

[Max Wachtel]

On Tue, 19 Apr 2011 22:55:19 -0400, Li'l Abner <blvstk@dogpatch.com> wrote:
I received one the other day but gmail had correctly put it in the spam
folder.