Phishing

This message appears to come from eBay, but here are a few clues that show it’s fake.
The original message is HTML – not uncommon – but that hides one crucial item.

The text itself should alert you immediately: it starts with the wrong greeting in the first place.

Dear eBay Community Member,

Next it tries to frighten you:

We regret to inform you that your eBay account
has been suspended due to concerns we have for the
safety and integrity of the eBay community.

and it continues with some more bla bla to push up the pressure, until relief is offered:

Due to the suspension of this account, please be advised you are prohibited from using eBay in any way. This includes the registering of a new account. To confirm that you are the righfull owner of the account please confirm your identity by signing in and resolving this dispute
at: https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&CaseID142Disupte#1562

Right? This is where the danger lurks – the hidden information. What you don’t see in the rendered HTML is the real link:

<a href="http://credit-card-application.docflow.info/.dll/link.php" target=_blank rel=nofollow></a>

I didn’t try that one, but quite likely it will try to get your identity (username and password) and, likely, credit card information.
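The mismatch between the displayed address and the real target can be checked mechanically. The following is an added example, not part of the original post: it parses an HTML body and reports every anchor whose visible text names one host while its href points to another. `SAMPLE` is constructed by rejoining the link text and the href quoted above, and the names `LinkAuditor`, `host_of` and `mismatched_links` are chosen for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkAuditor(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []      # finished (href, text) pairs
        self._href = None    # href of the anchor currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url.strip()).hostname or "").lower()

def mismatched_links(html):
    """Anchors whose visible text shows one host but whose href goes to another."""
    auditor = LinkAuditor()
    auditor.feed(html)
    auditor.close()
    findings = []
    for href, text in auditor.links:
        shown = host_of(text) if "://" in text else ""
        if shown and shown != host_of(href):
            findings.append({"shown": shown, "actual": host_of(href)})
    return findings

# Constructed sample: the link text and the href quoted in the post, rejoined,
# plus one harmless link whose text and target agree.
SAMPLE = ('<p>resolving this dispute at: '
          '<a href="http://credit-card-application.docflow.info/.dll/link.php" '
          'target=_blank rel=nofollow>'
          'https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&CaseID142Disupte#1562</a></p>'
          '<p><a href="https://www.ebay.com/help">https://www.ebay.com/help</a></p>')

if __name__ == "__main__":
    print(mismatched_links(SAMPLE))
```

Only anchors whose text itself looks like a URL are compared, so a link labelled "click here" is not flagged by this check and still needs its href inspected by hand.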

Nice: you ARE warned, because to “legalize” the attempt, the message ends:

Please note that any seller fees due to eBay will immediately become due and payable. eBay will charge any amounts you have not previously disputed to the billing method currently on file. Confirm your identity at the following link we provided signing in and resolving this dispute:
Regards,
Safeharbor Department eBay, Inc.

The message header (normally hidden but well worth examining) shows some interesting features as well:

Return-Path: member@ebay.com
Received: from 66.228.114.66-static.reverse.softlayer.com (66.228.114.66)
by diana.intra.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
Fri, 27 Apr 2007 00:05:45 +0100 (CET)
Received: from nwblwibas02-pool1-a154.nwblwi.tds.net ([69.128.127.154] helo=User)
by cpanel.mysteryserver.net with esmtpa (Exim 4.63)
(envelope-from )
id 1HhC5H-0005kH-MJ; Thu, 26 Apr 2007 23:05:03 +0100
Reply-To:

From: “eBay Inc.”

Subject: FPA NOTICE: eBay Registration Suspension – User Agreement – Abusing eBay
Date: Thu, 26 Apr 2007 17:05:37 -0500
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - cpanel.mysteryserver.net
X-AntiAbuse: Original Domain - grootersnet.nl
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
X-AntiAbuse: Sender Address Domain - eBay.com
X-Source:
X-Source-Args:
X-Source-Dir:

A few things to keep in mind:

nwblwibas02-pool1-a154.nwblwi.tds.net

This looks like a broadband address from a home system – it’s a (rather basic) Windows PC:

Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

If it had really been sent from eBay, it might have come from a Windows system, but I don’t think they would use “Outlook Express”.