Paypal phishing attempt blocked

The phishing attempts are now blocked by the anti-spam gateway, so they no longer arrive in any of my mailboxes. Which, of course, is the intended use; it also allows a closer look at the message code without the message actually being delivered.

This one came in a few days ago:

<p><b><font face="Verdana" size="2">You are required to upgrade your PayPal
Account by subscribing to our New Security Center.</font></b></p>
<p><font face="Verdana" size="2">Please <b> <a href="http://202.67.156.66/www.paypal.com/cgi-bin/webscrcmd=_login-run/update.php">click here</a></b> in order to upgrade your PayPal account.</font></p>
<p><font face="Verdana" size="2">If you not perform the update now, your account will be placed on hold. On hold accounts can still send money, but they cannot withdraw or receive funds.</font></p>

Mind the hyperlink address:

http://202.67.156.66/www.paypal.com/cgi-bin/webscrcmd=_login-run/update.php

This is NOT a PayPal address: the host is a bare IP address, and "www.paypal.com" only appears in the path.

PMAS signalled this, as the message headers show:

Received: from unknown ([72.54.216.109] EXTERNAL) (EHLO mail.iei-web.net) by
xxxxxxxxxxxxxxxxxxxx ([192.168.0.200]) (PreciseMail V3.0); Sun, 07 Oct
2007 06:41:42 +0100
Received: from User [62.14.249.101] by iei-web.net with ESMTP (SMTPD-9.10) id
A0F40294; Sat, 06 Oct 2007 23:39:00 -0600
Reply-To: <member_service@paypalsecurity.com>
From: "PayPal Inc."<member_service@paypalsecurity.com>
Subject: New Paypal Security Center: Update Your Account
Date: Sun, 7 Oct 2007 07:40:01 +0200
MIME-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: <200710062339882.SM03048@User>

These are the findings:

X-PMAS-External: unknown [72.54.216.109] (EHLO mail.iei-web.net)
X-PMAS-Software: PreciseMail V3.0 [071006] (diana.GROOTERSNET.NL)
X-PMAS-DYN_URI-OK_URL: Dynamic URI check: OK URL (0.000)
X-PMAS-VMF-OK: Envelope FROM: check: Source accepts mail for address (0.000)

Fine so far, except for the “unknown” external address.
But now the problems show up:

X-PMAS-HDR-MISSING_HEADERS: Missing To: header (1.035)
X-PMAS-HDR-CTYPE_JUST_HTML: HTML-only mail, with no text version (1.500)
X-PMAS-HDR-RCVD_FROM_UNKNOWN: Message received from host without DNS entry (4.000)
X-PMAS-HDR-NO_SPACE_FROM: From: header is poorly formatted (no space) (5.000)
X-PMAS-URI-NORMAL_HTTP_TO_IP: Uses a dotted-decimal IP address in URL (0.942)
X-PMAS-URI-IP_LINK_PLUS: Dotted-decimal IP address followed by CGI (0.708)
X-PMAS-META-FORGED_OUTLOOK_HTML: Outlook can't send HTML message only (1.101)
X-PMAS-META-MISSING_BODY_TAG: Message has </BODY> tag, but no <BODY> tag (3.000)
X-PMAS-META-MISSING_HTML_TAG: Message has </HTML> tag, but no <HTML> tag (3.000)
X-PMAS-META-FORGED_OUTLOOK_TAGS: Outlook can't send HTML in this format (5.000)

You learn something new every day:

X-PMAS-META-NO_HTML_BEGIN: Message has </html> but not <html> (3.500)
X-PMAS-META-PHISHING_01: Message is a phishing scam (50.000)
X-PMAS-META-PHISHING_03: Message appears to be a PayPal phishing scam (20.000)
X-PMAS-META-LAME_PAYPAL_SCAM: Claims to be from PayPal, but no PayPal URIs (20.000)

I thought so 🙂

X-PMAS-META-CLICK_BELOW: Asks you to click below (0.727)
X-PMAS-META-BLIND_DATE3: Blind date spam (3) (20.000)
X-PMAS-Final-Score: 139.513
X-PMAS-Spam-Level: ********************+
X-PMAS-Spam: Yes

Apart from all that, there is something unusual for PayPal: no addressing header at all (a genuine PayPal message addresses you by your PayPal name).
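As an added example (this is not PMAS code, nor anything from the original post), the following Python script re-implements a handful of the heuristics PMAS reported, using the weights from the X-PMAS lines above. How each rule matches is my own approximation of what the rule name suggests, and both sample messages are constructed: the first from the headers and HTML fragment quoted in the post (the receiving host stays as the post's xxxx placeholder), the second an ordinary plain-text mail that should score zero. It also shows the point about the hyperlink: the URL is parsed and only the host part is compared against paypal.com, so the "www.paypal.com" sitting in the path does not count.

```python
"""Toy re-implementation of some PMAS header/URI heuristics from the post.
Added example, not PMAS code: rule names and weights come from the X-PMAS-*
lines; the matching logic is my own approximation; samples are constructed."""
import re
from email import message_from_string
from urllib.parse import urlparse

# Weights copied from the X-PMAS-* findings quoted in the post.
RULES = {
    "HDR-MISSING_HEADERS": 1.035,    # no To: header at all
    "HDR-CTYPE_JUST_HTML": 1.500,    # text/html with no text/plain alternative
    "HDR-RCVD_FROM_UNKNOWN": 4.000,  # a Received: line starts "from unknown"
    "HDR-NO_SPACE_FROM": 5.000,      # From: "Name"<addr>, no space before <
    "URI-NORMAL_HTTP_TO_IP": 0.942,  # http(s)://dotted.decimal.ip/...
    "URI-IP_LINK_PLUS": 0.708,       # ...followed by a CGI-style path
    "META-MISSING_BODY_TAG": 3.000,  # </body> present, <body> absent
    "META-MISSING_HTML_TAG": 3.000,  # </html> present, <html> absent
    "META-LAME_PAYPAL_SCAM": 20.000, # claims PayPal, links to no paypal.com host
}
IP_URL = re.compile(r"^https?://(?:\d{1,3}\.){3}\d{1,3}(?P<path>/\S*)?$", re.I)
HREF = re.compile(r'href\s*=\s*"([^"]+)"', re.I)


def body_text(msg):
    """Decoded text/* parts joined (walk() yields a single-part message itself)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "us-ascii", "replace"))
    return "\n".join(chunks)


def is_paypal_host(url):
    """Only the host counts: 'www.paypal.com' inside the path is the phisher's trick."""
    host = (urlparse(url).hostname or "").lower()
    return host == "paypal.com" or host.endswith(".paypal.com")


def evaluate(raw_message):
    """Return the rule names that fire and their summed score for one raw message."""
    msg = message_from_string(raw_message)
    body = body_text(msg)
    lower = body.lower()
    urls = HREF.findall(body)
    ip_urls = [m for m in map(IP_URL.match, urls) if m]
    from_hdr = msg.get("From", "")
    claims_paypal = "paypal" in (from_hdr + " " + msg.get("Subject", "")).lower()
    fired = {
        "HDR-MISSING_HEADERS": "To" not in msg,
        "HDR-CTYPE_JUST_HTML": not msg.is_multipart() and msg.get_content_type() == "text/html",
        "HDR-RCVD_FROM_UNKNOWN": any(r.lstrip().lower().startswith("from unknown")
                                     for r in msg.get_all("Received", [])),
        "HDR-NO_SPACE_FROM": '"<' in from_hdr,
        "URI-NORMAL_HTTP_TO_IP": bool(ip_urls),
        "URI-IP_LINK_PLUS": any(re.search(r"cgi|\.php|\?", m.group("path") or "", re.I)
                                for m in ip_urls),
        "META-MISSING_BODY_TAG": "</body>" in lower and "<body" not in lower,
        "META-MISSING_HTML_TAG": "</html>" in lower and "<html" not in lower,
        "META-LAME_PAYPAL_SCAM": claims_paypal and not any(map(is_paypal_host, urls)),
    }
    hits = [name for name, hit in fired.items() if hit]
    return {"hits": hits, "score": round(sum(RULES[h] for h in hits), 3)}


# Constructed sample 1: the phishing message as quoted in the post; the stray
# closing tags mirror the MISSING_BODY_TAG / MISSING_HTML_TAG findings.
PHISH = """\
Received: from unknown ([72.54.216.109] EXTERNAL) (EHLO mail.iei-web.net) by
 xxxxxxxxxxxxxxxxxxxx ([192.168.0.200]) (PreciseMail V3.0); Sun, 07 Oct 2007 06:41:42 +0100
Reply-To: <member_service@paypalsecurity.com>
From: "PayPal Inc."<member_service@paypalsecurity.com>
Subject: New Paypal Security Center: Update Your Account
MIME-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit

<p><b>You are required to upgrade your PayPal Account.</b></p>
<p>Please <b><a href="http://202.67.156.66/www.paypal.com/cgi-bin/webscrcmd=_login-run/update.php">click here</a></b>.</p>
</body></html>
"""

# Constructed sample 2: an ordinary plain-text message that should score zero.
BENIGN = """\
Received: from mail.example.org ([198.51.100.7]) by mx.example.net; Sun, 07 Oct 2007 08:00:00 +0100
From: "Alice Example" <alice@example.org>
To: "Bob Example" <bob@example.net>
Subject: Lunch on Tuesday?
Content-Type: text/plain; charset="us-ascii"

Hi Bob, are you free on Tuesday? The menu is at https://www.example.org/menu
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("benign", BENIGN)):
        print(label, evaluate(sample))
```

Run it as a script to see both verdicts; the phishing sample trips all nine rules for a summed weight of 39.185, the plain-text mail none. The real PMAS score above is much higher because it also carries the meta rules (PHISHING_01, BLIND_DATE3 and so on) that this toy does not attempt.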
