Re: Can one determine from this Header .....



John D wrote:

NOTE: The OP cross-posted to UNRELATED and INAPPROPRIATE newsgroups.
The following newsgroups were removed from my reply:
microsoft.public.nntp.test
microsoft.public.test.here

............ that this is, in fact, a 'Spoof' email request?

Provide a Subject that actually means something. Or do you deliberately
speed in alluring spamspeak?

*I* think it is. (In my Windows Live mailbox today)

So do YOU even have a PayPal account? If not then why would you think
any e-mails from them were legit?

Received:
from 104747-web1.www.NinthVector.com ([72.3.253.24])
by bay0-mc5-f17.bay0.hotmail.com

That Received header was prepended by your e-mail provider (Hotmail).
72.3.253.24 is allocated to Backspace.com, Texas, USA.

Received: (qmail 30449 invoked from network); ...

Some internal routing that you don't care about.

Received:
from 246.009.dsl.nsw.iprimus.net.au (HELO User) (210.50.162.246)
by 72.32.234.251 ...

Normally the host in the 'by' header in one Received header added by a
prior e-mail provider should be in the 'from' header in the next e-mail
hop; i.e., the hop identifies itself as the source and the next hop
identifies that source. The internal routing can obliterate that
tracing.

The 'from' header here has "User" as the sending mail host claiming that
is its hostname, which already makes it suspect. Could be a stupid
e-mail admin that thinks "User" is cutesy. Could be a bogus Received
header inserted by the spammer/scammer. That 'from' header already
identifies the sender is using a DSL connection (...dsl...). Do you
think PayPal really uses DSL connections to their Internet provider?
That's some joker's home account.

The 72.32.234.251 for the sender's IP address is allocated to
NinthVector. You could complain to them about the phish mail.

From: "Support"<service@xxxxxxxxxxxx>

So just because it has "paypal" somewhere in the domain makes you think
that PayPal is involved? The paypal18.com domain is registered through
HostMonster.com who has elected to hide the actual registrant. ICANN
requires the responsible party be identified in domain registration
records. Registration service providers (who really are not
ICANN-authorized registrars) get around the requirement by accepting
responsibility for the domain (for which their "responsibility" will be
to kill the domain, along with keeping the money the registrant paid).


Subject: You have (1) Message from PayPal

Again, do you actually have a PayPal account? Or are we to guess that
you do and the only reason why you would even consider that you would
get legit e-mails from PayPal?

Message-ID: <BAY0-MC5-F17VkTCbGt000982fc@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>

Um, so you get an e-mail purporting to come from PayPal. Do you really
believe PayPal can't afford their own e-mail services and instead have
to use Hotmail? Look in the domain portion of the Message-ID. The
sender is somehow spewing their crap out through a Hotmail account
through some DSL account at NinthVector in Australia. You think PayPal
would really be jumping around like that?

... Account records click on the following link:

http://www2.paypal.com.ssupda883844.org/webscr/login.htm?cmd=_login-submit

Again, you think because "paypal" is somewhere in the URL means it came
from PayPal? You think PayPal is at ssupda883844.org? That domain
isn't registered anymore. If it did exist, it doesn't now so the phish
site has been killed.

Did you copy the *source* of the e-mail to copy here? Or was it an
HTML-formatted e-mail and you simply copied what was rendered on the
screen (and which may not match the actual URL underlying the link on
which you click)?

Thank you for your patience in this matter.
PayPal Customer Service.
Please do not reply to this e-mail as this is only a notification.
Mail sent to this address cannot be answered.

So did you go to paypal.com, login, and change your password - to a
STRONG password - as a precaution against someone trying to hack into it
as evidenced by this phish mail?
.
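The Received-header reasoning in the reply above (each hop's 'by' host should reappear as the next hop's 'from' host, internal routing breaks that trail, and a HELO name of "User" or a DSL-style reverse name are red flags) can be turned into a mechanical check. The Python script below is an added example, not part of the original thread or of any tool mentioned in it. It parses a constructed message modelled on the quoted headers (RFC 5737 documentation addresses and example.* hostnames stand in for the real ones), walks the chain top-down, and reports chain breaks plus the suspicious features the reply points out. The regular expressions only understand the common "from HOST (HELO NAME) (IP) by HOST" shape; other trace formats are simply reported as unverifiable.

```python
import re
import email

# Constructed sample message, modelled on the headers quoted in the thread.
# Addresses are RFC 5737 documentation ranges and hostnames are example.* names.
SAMPLE_MESSAGE = """\
Received: from 104747-web1.www.example.com ([192.0.2.24])
 by mx5.mail.example.net with ESMTP; Sat, 01 Jan 2011 10:00:00 -0800
Received: (qmail 30449 invoked from network); 1 Jan 2011 18:00:00 -0000
Received: from 246.009.dsl.isp.example.au (HELO User) (192.0.2.246)
 by 198.51.100.251 with SMTP; 1 Jan 2011 18:00:00 -0000
From: "Support" <service@example.com>
Subject: You have (1) Message from PayPal

Click the link below.
"""

# Only the common "from HOST (HELO NAME) (IP) by HOST" shape is understood.
FROM_RE = re.compile(r"^\s*from\s+(?P<from>[^\s(]+)", re.I)
BY_RE = re.compile(r"\bby\s+(?P<by>[^\s(;]+)", re.I)
HELO_RE = re.compile(r"\(\s*HELO\s+(?P<helo>[^)\s]+)\s*\)", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Tokens that typically mark consumer (DSL / dial-up / dynamic) reverse DNS names.
RESIDENTIAL_RE = re.compile(r"\b(dsl|adsl|dialup|dyn|dynamic|cable|pool|ppp)\b", re.I)


def parse_received(value):
    """Extract the sending host ('from'), its HELO name and IP, and the receiving
    host ('by') from one unfolded Received header. Absent parts stay None, which
    is what a qmail-style "(qmail ... invoked from network)" hop yields."""
    m_by = BY_RE.search(value)
    head = value[: m_by.start()] if m_by else value  # the part before 'by'
    m_from = FROM_RE.match(value)
    m_helo = HELO_RE.search(head)
    m_ip = IP_RE.search(head)
    return {
        "from": m_from.group("from") if m_from else None,
        "helo": m_helo.group("helo") if m_helo else None,
        "ip": m_ip.group(1) if m_ip else None,
        "by": m_by.group("by") if m_by else None,
    }


def audit_received_chain(raw_message):
    """Walk the Received headers top-down (hop 1 is the one the recipient's own
    provider prepended last) and report anything the reply above would flag."""
    msg = email.message_from_string(raw_message)
    # Unfold continuation lines, then parse each header into its parts.
    hops = [parse_received(" ".join(v.split())) for v in msg.get_all("Received", [])]
    findings = []
    for i, hop in enumerate(hops):
        n = i + 1
        if hop["helo"] and "." not in hop["helo"]:
            findings.append(f"hop {n}: HELO name {hop['helo']!r} is not a fully qualified host name")
        if hop["from"] and RESIDENTIAL_RE.search(hop["from"]):
            findings.append(f"hop {n}: sending host {hop['from']!r} looks like a consumer DSL/dial-up line")
        if i + 1 < len(hops):
            earlier = hops[i + 1]  # the header listed below this one was added first
            claimed = {h.lower() for h in (hop["from"], hop["ip"]) if h}
            if not claimed or not earlier["by"]:
                findings.append(f"hops {n}-{n + 1}: internal routing without host names; chain cannot be verified here")
            elif earlier["by"].lower() not in claimed:
                findings.append(f"hops {n}-{n + 1}: 'by' host {earlier['by']!r} does not reappear as the next 'from' host {sorted(claimed)}")
    return {"hops": hops, "findings": findings}


def is_suspect(report):
    """True when any finding is a positive red flag; an unverifiable internal hop alone is not."""
    return any("cannot be verified" not in f for f in report["findings"])


if __name__ == "__main__":
    report = audit_received_chain(SAMPLE_MESSAGE)
    for n, hop in enumerate(report["hops"], 1):
        print(f"hop {n}: {hop}")
    for finding in report["findings"]:
        print("!", finding)
    print("suspect:", is_suspect(report))
```

Run against the sample, the script reports the two unverifiable gaps around the qmail hop and flags the last hop twice: once for the bare "User" HELO name and once for the DSL-style reverse name. A chain whose every 'by' host reappears as the next 'from' host produces no findings, which is the shape a legitimate provider-to-provider delivery normally has.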
