Kevin tries to be smart…

A message received today, supposedly from account@paypal.com, with subject “Cancel Your Payment”, just states the reference, exactly as shown:

<A HREF="http://qcp.rice.edu/ganglia/addons/.cgi-bin/cmd=_login-run.html">
<IMG SRC="http://www.myspacks.de/uploads/.x/scirosare2.jpg" border="0">
</A>

The raw message reads:

Return-Path: kevin@simon-tech.homelinux.com
Received: from 61-219-84-147.HINET-IP.hinet.net (61.219.84.147)
by XXXXXXXXXX.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
Tue, 14 Aug 2007 12:36:11 +0100 (CET)
Received: (from kevin@localhost)
by simon-tech.homelinux.com (8.11.6/8.11.6) id l7EAPOh14797;
Tue, 14 Aug 2007 18:25:25 +0800
Date: Tue, 14 Aug 2007 18:25:25 +0800
Message-Id: <200708141025.l7EAPOh14797@simon-tech.homelinux.com>
To: XXXXXXXXXX@grootersnet.nl
Subject: Cancel Your Payment
From: “PayPal Inc.” <account@paypal.com>
Content-Type: text/html

<A HREF="http://qcp.rice.edu/ganglia/addons/.cgi-bin/cmd=_login-run.html">
<IMG SRC="http://www.myspacks.de/uploads/.x/scirosare2.jpg" border="0">
</A>

NO hiding of links – just this.

You won’t get very far with this…

(Will be continued. I’ll check the image links tonight – from Diana, of course)

One day earlier, a similar message was received. The header:

Return-Path: account@paypal.com
Received: from 80.114.97.2.ip.onderwijs.casematelecom.nl (80.114.97.2)
by xxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
Mon, 13 Aug 2007 04:14:06 +0100 (CET)
Received: from 116.0.68.84 by ; Mon, 13 Aug 2007 04:13:15 +0100
Message-ID: <SOXRQQULKMMBFKVTWBHAOR@msn.com>
From: "PayPal Inc." <account@paypal.com>
Reply-To: "PayPal Inc." <account@paypal.com>
To: xxxxxxxxxx@grootersnet.nl
Subject: Cancel The Payment
Date: Mon, 13 Aug 2007 06:11:15 +0300
X-Mailer: AOL 7.0 for Windows US sub 118
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--716555016311414036"
X-Priority: 1
X-MSMail-Priority: High

and the content is again just a URL, exactly as shown here:

<http://qcp.rice.edu/ganglia/addons/.cgi-bin/cmd=_login-run.html>

This Dutch educational server has been abused – as well as MSN. It remains to be seen whether something can be arranged…
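What a mail filter would actually look at in these two messages is the set of contradictions between the claimed sender and everything else: the From: says paypal.com, but the Return-Path, the Message-ID, the relays in the Received: chain and the link targets all point somewhere else. The script below is an added example, not part of the original post; it transcribes the two headers shown above (recipient redacted as in the post, the unrelated X-* and MIME headers of the second one left out) and lists every such mismatch. The "last two labels" domain heuristic is a simplification of mine; a production filter would use the Public Suffix List.

```python
import re
from email.parser import HeaderParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Both messages are transcribed from the post (recipient redacted as there;
# the unrelated X-* and MIME headers of the second one are left out).
MSG_TODAY = """Return-Path: kevin@simon-tech.homelinux.com
Received: from 61-219-84-147.HINET-IP.hinet.net (61.219.84.147)
 by XXXXXXXXXX.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
 Tue, 14 Aug 2007 12:36:11 +0100 (CET)
Received: (from kevin@localhost)
 by simon-tech.homelinux.com (8.11.6/8.11.6) id l7EAPOh14797;
 Tue, 14 Aug 2007 18:25:25 +0800
Date: Tue, 14 Aug 2007 18:25:25 +0800
Message-Id: <200708141025.l7EAPOh14797@simon-tech.homelinux.com>
To: XXXXXXXXXX@grootersnet.nl
Subject: Cancel Your Payment
From: "PayPal Inc." <account@paypal.com>
Content-Type: text/html

<A HREF="http://qcp.rice.edu/ganglia/addons/.cgi-bin/cmd=_login-run.html">
<IMG SRC="http://www.myspacks.de/uploads/.x/scirosare2.jpg" border="0">
</A>
"""

MSG_EARLIER = """Return-Path: account@paypal.com
Received: from 80.114.97.2.ip.onderwijs.casematelecom.nl (80.114.97.2)
 by xxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
 Mon, 13 Aug 2007 04:14:06 +0100 (CET)
Received: from 116.0.68.84 by ; Mon, 13 Aug 2007 04:13:15 +0100
Message-ID: <SOXRQQULKMMBFKVTWBHAOR@msn.com>
From: "PayPal Inc." <account@paypal.com>
Reply-To: "PayPal Inc." <account@paypal.com>
To: xxxxxxxxxx@grootersnet.nl
Subject: Cancel The Payment
Date: Mon, 13 Aug 2007 06:11:15 +0300

<http://qcp.rice.edu/ganglia/addons/.cgi-bin/cmd=_login-run.html>
"""

RECEIVED_FROM = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def base_domain(host):
    """Crude registrable-domain heuristic (my simplification): keep the last
    two labels, e.g. 'paypal.com'; IPv4 literals are returned unchanged."""
    host = host.strip("[]()").lower().rstrip(".")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def header_domain(value):
    """Domain of the address in a From:/Return-Path:/Message-ID: value."""
    addr = parseaddr(value)[1] or value.strip("<>")
    return base_domain(addr.rpartition("@")[2])


def analyse(raw):
    """Return (check, detail) findings: every place where the message
    contradicts the sender domain claimed in From:."""
    msg = HeaderParser().parsestr(raw)
    body = raw.partition("\n\n")[2]
    from_dom = header_domain(msg.get("From", ""))
    findings = []
    for name in ("Return-Path", "Message-ID"):
        dom = header_domain(msg.get(name, ""))
        if dom and dom != from_dom:
            findings.append((name.lower(), f"{dom} != From {from_dom}"))
    # Each relay prepends its own Received: line, so the entries above our
    # own MX's line are the path the mail really took; none is paypal.com.
    for hop in msg.get_all("Received", []):
        m = RECEIVED_FROM.match(" ".join(hop.split()))
        if m and base_domain(m.group(1)) != from_dom:
            findings.append(("origin", f"relay {m.group(1)} is not {from_dom}"))
    # A lure link that does not lead to the claimed sender's own site.
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if base_domain(host) != from_dom:
            findings.append(("link", f"{host} is not {from_dom}"))
    return findings


if __name__ == "__main__":
    for label, raw in (("today", MSG_TODAY), ("one day earlier", MSG_EARLIER)):
        print(label)
        for check, detail in analyse(raw):
            print(f"  {check:12s} {detail}")
```

Run as-is it reports, for the first message, the homelinux.com Return-Path and Message-ID, the hinet.net relay and the two rice.edu/myspacks.de links; for the second, the msn.com Message-ID, the casematelecom.nl and 116.0.68.84 relays and the rice.edu link. Note that in the second message the Return-Path alone looks clean, which is why a single header check is never enough.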

UPDATE
It seems rice.edu has taken action. qcp.rice.edu still resolves in DNS:
$ dig qcp.rice.edu

; <<>> DiG 9.3.1 <<>> qcp.rice.edu
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17552
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;qcp.rice.edu. IN A

;; ANSWER SECTION:
qcp.rice.edu. 3266 IN A 128.42.130.5

but there is no answer when accessing it with a browser.
