Re: Can one determine from this Header .....

John D wrote:

NOTE: The OP cross-posted to UNRELATED and INAPPROPRIATE newsgroups.
The following newsgroups were removed from my reply:

............ that this is, in fact, a 'Spoof' email request?

Provide a Subject that actually means something. Or do you deliberately
speak in alluring spamspeak?

*I* think it is. (In my Windows Live mailbox today)

So do YOU even have a PayPal account? If not then why would you think
any e-mails from them were legit?

from ([])

That Received header was prepended by your e-mail provider (Hotmail). is allocated to, Texas, USA.

Received: (qmail 30449 invoked from network); ...

Some internal routing that you don't care about.

from (HELO User) (
by ...

Normally the host in the 'by' header in one Received header added by a
prior e-mail provider should be in the 'from' header in the next e-mail
hop; i.e., the hop identifies itself as the source and the next hop
identifies that source. The internal routing can obliterate that

The 'from' header here has "User" as the sending mail host claiming that
is its hostname which already makes it suspect. Could be a stupid
e-mail admin that thinks "User" is cutesy. Could be a bogus Received
header inserted by the spammer/scammer. That 'from' header already
identifies the sender is using a DSL connection (...dsl...). Do you
think PayPal really uses DSL connections to their Internet provider?
That's some joker's home account.

The for the sender's IP address is allocated to
NinthVector. You could complain to them about the phish mail.

From: "Support"<service@xxxxxxxxxxxx>

So just because it has "paypal" somewhere in the domain makes you think
that PayPal is involved? The domain is registered through who has elected to hide the actual registrant. ICANN
requires the responsible party be identified in domain registration
records. Registration service providers (who really are not ICANN-
authorized registrars) get around the requirement by accepting
responsibility for the domain (for which their "responsibility" will be
to kill the domain, along with keeping the money the registrant paid).

Subject: You have (1) Message from PayPal

Again, do you actually have a PayPal account? Or are we to guess that
you do and the only reason why you would even consider that you would
get legit e-mails from PayPal?

Message-ID: <BAY0-MC5-F17VkTCbGt000982fc@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>

Um, so you get an e-mail purporting to come from PayPal. Do you really
believe PayPal can't afford their own e-mail services and instead have
to use Hotmail? Look in the domain portion of the Message-ID. The
sender is somehow spewing their crap out through a Hotmail account
through some DSL account at NinthVector in Australia. You think PayPal
would really be jumping around like that?

... Account records click on the following link:

Again, you think because "paypal" is somewhere in the URL means it came
from PayPal? You think PayPal is at That domain
isn't registered anymore. If it did exist, it doesn't now so the phish
site has been killed.

Did you copy the *source* of the e-mail to copy here? Or was it an
HTML-formatted e-mail and you simply copied what was rendered on the
screen (and which may not match the actual URL underlying the link on
which you click)?

Thank you for your patience in this matter.
PayPal Customer Service.
Please do not reply to this e-mail as this is only a notification.
Mail sent to this address cannot be answered.

So did you go to, login, and change your password - to a
STRONG password - as a precaution against someone trying to hack into it
as evidenced by this phish mail?
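
Added example (not part of the original post, and not any tool the poster used): a short Python script that applies the checks walked through above to a raw message source, namely the 'by'/'from' hand-off between Received hops, a HELO name that is not a hostname, a "dsl" sender name, and a Message-ID domain that differs from the From domain. The headers, host names and addresses in it are constructed placeholders, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: example.* names and documentation-range IPs only.
RAW = """\
Received: from smtp.other.example ([198.51.100.5])
 by mx1.recipient.example with SMTP; Mon, 1 Jan 2024 10:00:03 +0000
Received: (qmail 30449 invoked from network); 1 Jan 2024 10:00:01 -0000
Received: from host-7.dsl.isp.example (HELO User) (203.0.113.7)
 by smtp.other.example with SMTP; 1 Jan 2024 10:00:00 -0000
From: "Support" <service@brand-secure.example>
Message-ID: <abc123@webmail.example>
Subject: You have (1) Message
"""

FROM_RE = re.compile(r"from\s+(\S+)(?:\s+\(HELO\s+(\S+?)\))?", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)

def parse_hop(value):
    """Return (from_host, helo, by_host); None where the hop omits a field."""
    flat = " ".join(value.split())  # unfold continuation lines
    f, b = FROM_RE.match(flat), BY_RE.search(flat)
    return (f.group(1).lower() if f else None,
            f.group(2) if f else None,
            b.group(1).lower() if b else None)

def review(raw):
    """Return a list of indicators; each is a reason to look closer, not proof."""
    msg = message_from_string(raw)
    # Internal hand-offs ("(qmail ... invoked from network)") name no hosts: skip.
    hops = [h for h in map(parse_hop, msg.get_all("Received", [])) if h[0]]
    findings = []
    for newer, older in zip(hops, hops[1:]):  # Received headers are newest-first
        if older[2] and older[2] != newer[0]:
            findings.append(f"chain gap: by {older[2]}, next hop from {newer[0]}")
    for from_host, helo, _ in hops:
        if helo and "." not in helo:
            findings.append(f"HELO is not a hostname: {helo}")
        if "dsl" in from_host:  # heuristic: consumer-line reverse DNS name
            findings.append(f"consumer-line sender: {from_host}")
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    mid_dom = msg.get("Message-ID", "").strip("<> ").rpartition("@")[2].lower()
    if from_dom and mid_dom and from_dom != mid_dom:
        findings.append(f"Message-ID domain {mid_dom} != From domain {from_dom}")
    return findings

if __name__ == "__main__":
    print("\n".join(review(RAW)))
```

Only the topmost Received header, the one written by your own provider, is trustworthy; everything below it can be forged by the sender, so treat findings on lower hops as hints.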