Coffeehouse Thread

11 posts

nice phish - paypal fake

  • harumscarum

    This one almost caught me, but I have not used PayPal in years; I just typed in some bogus email to see what they wanted (note this is FAKE!):


    From security@paypal.com Sun May 20 15:01:56 2007
    Return-Path: <security@paypal.com>
    Authentication-Results: mta188.mail.re4.yahoo.com  from=paypal.com; domainkeys=neutral (no sig)
    Received: from 66.98.64.237  (EHLO amhsamarina.com) (66.98.64.237)
      by mta188.mail.re4.yahoo.com with SMTP; Sun, 20 May 2007 15:01:59 -0700
    Received: from User [84.19.241.125] by amhsamarina.com with ESMTP
      (SMTPD32-8.03) id A53249DC0084; Sun, 20 May 2007 18:01:22 -0400
    Reply-To: <security@paypal.com>
    From: "security@paypal.com"<security@paypal.com>
    Subject: About your account.
    Date: Mon, 21 May 2007 01:01:56 +0300
    MIME-Version: 1.0
    Content-Type: text/html;
        charset="Windows-1251"
    Content-Transfer-Encoding: 7bit
    Message-Id: <200705201801694.SM01492@User>
    Content-Length: 910

    You have added jessica.dickerson@edmondschools.net as a new e-mail address for
    your PayPal account. 

    If you did not authorize this change or if you need assistance
    with your account, please click here to contact PayPal customer service.

     

    Thank you for using PayPal
    The PayPal Team

    Please do not reply to this e-mail. Mail sent to this address cannot
    be answered. For assistance, log in to your PayPal account and choose
    the "Help" link in the header of any page.

    Just a heads up


  • mcampbell

    harumscarum wrote:
    This one almost caught me, but I have not used PayPal in years; I just typed in some bogus email to see what they wanted (note this is FAKE!):


    From security@paypal.com Sun May 20 15:01:56 2007
    Return-Path: <security@paypal.com>
    Authentication-Results: mta188.mail.re4.yahoo.com  from=paypal.com; domainkeys=neutral (no sig)
    Received: from 66.98.64.237  (EHLO amhsamarina.com) (66.98.64.237)
      by mta188.mail.re4.yahoo.com with SMTP; Sun, 20 May 2007 15:01:59 -0700
    Received: from User [84.19.241.125] by amhsamarina.com with ESMTP
      (SMTPD32-8.03) id A53249DC0084; Sun, 20 May 2007 18:01:22 -0400
    Reply-To: <security@paypal.com>
    From: "security@paypal.com"<security@paypal.com>
    Subject: About your account.
    Date: Mon, 21 May 2007 01:01:56 +0300
    MIME-Version: 1.0
    Content-Type: text/html;
        charset="Windows-1251"
    Content-Transfer-Encoding: 7bit
    Message-Id: <200705201801694.SM01492@User>
    Content-Length: 910

    You have added jessica.dickerson@edmondschools.net as a new e-mail address for
    your PayPal account. 

    If you did not authorize this change or if you need assistance
    with your account, please click here to contact PayPal customer service.

     

    Thank you for using PayPal
    The PayPal Team

    Please do not reply to this e-mail. Mail sent to this address cannot
    be answered. For assistance, log in to your PayPal account and choose
    the "Help" link in the header of any page.

    Just a heads up

    I probably get these every day, and sometimes if you follow the post command you can see information people have submitted.

  • ZippyV

    You have to be pretty stupid to think that:

    http://asdl-65-69-124-169.dsl.tulsok.swbell.net/p.htm

    is a link to Paypal's site.

  • Lloyd_Humph

    They're really easy for me to spot - I get 1-5 every day - because I'm 13 and I don't have a credit/debit/PayPal account... so even if I wanted to put info in I couldn't.

    If Blackberrys are addictive cellphones, Channel9 is the ultimate addictive website.
  • Matthew van Eerde

    paypal.com has an SPF/Sender ID record published (a DNS TXT record at paypal.com)

    SPF:

    v=spf1
        mx
        include:s._spf.ebay.com
        include:m._spf.ebay.com
        include:p._spf.ebay.com
        include:c._spf.ebay.com
        include:spf-1.paypal.com
        ~all

    Sender ID:
    spf2.0/pra
        mx
        include:s._sid.ebay.com
        include:m._sid.ebay.com
        include:p._sid.ebay.com
        include:c._sid.ebay.com
        include:spf-2._sid.paypal.com
        ~all

    Yahoo's mail server got the mail from 66.98.64.237
    Received: from 66.98.64.237  (EHLO amhsamarina.com) (66.98.64.237)
      by mta188.mail.re4.yahoo.com with SMTP; Sun, 20 May 2007 15:01:59 -0700

    This IP address is a Verizon Dominicana address in the Dominican Republic. I didn't follow the SPF chains (s._sid.ebay.com etc.) but I doubt this is an authorized server. So SPF would have caught this particular phish.

    % Joint Whois - whois.lacnic.net
    % This server accepts single ASN, IPv4 or IPv6 queries


    % Copyright LACNIC lacnic.net
    % The data below is provided for information purposes
    % and to assist persons in obtaining information about or
    % related to AS and IP numbers registrations
    % By submitting a whois query, you agree to use this data
    % only for lawful purposes.
    % 2007-05-21 12:24:11 (BRT -03:00)

    inetnum: 66.98.64/19
    status: allocated
    owner: VERIZON DOMINICANA
    ownerid: DO-CODE-LACNIC
    responsible: Indhira Medina
    address: Av. Abraham Lincoln, 1101,
    address: 1377 - Santo Domingo - DN
    country: DO
    phone: +1 809 220-2000 []
    owner-c: ABT
    tech-c: ABT
    inetrev: 66.98.64/19
    nserver: NS1.CODETEL.NET.DO
    nsstat: 20070519 AA
    nslastaa: 20070519
    nserver: NS2.CODETEL.NET.DO
    nsstat: 20070519 AA
    nslastaa: 20070519
    created: 20010406
    changed: 20060911

    nic-hdl: ABT
    person: Abuse Team
    e-mail: Abuse@VERIZON.NET.DO
    address: Av. Abraham Lincoln, 1101,
    address: 1377 - Santo Domingo - DN
    country: DO
    phone: +1 809 2202000 []
    created: 20021127
    changed: 20040309

    % whois.lacnic.net accepts only direct match queries.
    % Types of queries are: POCs, ownerid, CIDR blocks, IP
    % and AS numbers.

  • Lloyd_Humph

    Not sure if I just got an MS fake email actually... it's very convincing and it asks you to register VS (again?), which is what made me think... with personal details and bank cards etc... but it really looks very MS-style. They can copy it all they want, I know, but I wonder if this is real - how would someone know I had VS on my PC?

    If Blackberrys are addictive cellphones, Channel9 is the ultimate addictive website.
  • ZippyV

    Just look at the source of the email and check if it comes from Microsoft's mail servers.

  • blowdart

    Matthew van Eerde wrote:
    paypal.com has a SPF/SenderID record published (a DNS type TXT record at paypal.com)

    SPF:

    v=spf1
        mx
        include:s._spf.ebay.com
        include:m._spf.ebay.com
        include:p._spf.ebay.com
        include:c._spf.ebay.com
        include:spf-1.paypal.com
        ~all

    Sender ID:
    spf2.0/pra
        mx
        include:s._sid.ebay.com
        include:m._sid.ebay.com
        include:p._sid.ebay.com
        include:c._sid.ebay.com
        include:spf-2._sid.paypal.com
        ~all
    Yes, but it's a TEST/Soft Fail record; so well behaved checkers shouldn't make decisions based on it.

  • Matthew van Eerde

    blowdart wrote:
    Yes, but it's a TEST/Soft Fail record; so well behaved checkers shouldn't make decisions based on it.


    It's within the bounds of propriety to assign "spam points" based on softfail.

  • blowdart

    Matthew van Eerde wrote:
    
    blowdart wrote:
    Yes, but it's a TEST/Soft Fail record; so well behaved checkers shouldn't make decisions based on it.


    It's within the bounds of propriety to assign "spam points" based on softfail.


    Just; but it shouldn't be an immediate block.

    It's weird; so many domains with soft fail and the same setup for years; paypal, ebay, banks, microsoft, hotmail and they really should be hard fails.
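    To make the SPF part of this thread concrete, an added example (not code from any post, nor PayPal's or eBay's) that evaluates the v=spf1 record Matthew quoted against the address that connected to Yahoo, and then applies the softfail-versus-fail policy blowdart and Matthew are arguing about. Live DNS is replaced by a constructed table: the paypal.com TXT record is the one from the thread, while the contents of the include: targets, the MX host and its address are invented (RFC 5737 test networks) so the example runs offline, and hardfail.example is an invented domain publishing the same record with -all. It implements only the mechanisms that record uses (mx, include, ip4, all) from RFC 4408/7208 check_host(), not the spf2.0/pra Sender ID variant; the point values in SPF_POINTS are assumptions.

```python
import ipaddress

# Constructed DNS table (replaces live lookups). The paypal.com TXT record is the one
# quoted in the thread; everything else is invented, using RFC 5737 test networks.
DNS = {
    ("paypal.com", "TXT"): [
        "v=spf1 mx include:s._spf.ebay.com include:m._spf.ebay.com "
        "include:p._spf.ebay.com include:c._spf.ebay.com include:spf-1.paypal.com ~all"
    ],
    ("paypal.com", "MX"): ["mx.paypal.invalid"],          # invented MX host
    ("mx.paypal.invalid", "A"): ["192.0.2.10"],
    ("s._spf.ebay.com", "TXT"): ["v=spf1 ip4:198.51.100.0/26 -all"],
    ("m._spf.ebay.com", "TXT"): ["v=spf1 ip4:198.51.100.64/26 -all"],
    ("p._spf.ebay.com", "TXT"): ["v=spf1 ip4:198.51.100.128/26 -all"],
    ("c._spf.ebay.com", "TXT"): ["v=spf1 ip4:198.51.100.192/26 -all"],
    ("spf-1.paypal.com", "TXT"): ["v=spf1 ip4:203.0.113.0/24 -all"],
}
# Invented domain publishing the same record with a hard fail, for comparison.
DNS[("hardfail.example", "TXT")] = [DNS[("paypal.com", "TXT")][0].replace("~all", "-all")]
DNS[("hardfail.example", "MX")] = DNS[("paypal.com", "MX")]

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])


def spf_record(domain):
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1 "):
            return txt
    return None


def check_host(ip, domain, depth=0):
    """RFC 4408/7208 check_host() for the subset of mechanisms the quoted record uses."""
    if depth > 10:
        return "permerror"                     # include: loop or too many lookups
    record = spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "mx":
            hosts = lookup(arg or domain, "MX")
            matched = any(ip == ipaddress.ip_address(a)
                          for h in hosts for a in lookup(h, "A"))
        elif mech == "include":
            # include: matches only when the referenced domain returns "pass";
            # its own -all does NOT fail the outer evaluation, it just fails to match.
            matched = check_host(str(ip), arg, depth + 1) == "pass"
        else:
            return "permerror"                 # a/ptr/exists/redirect= not needed here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                           # fell off the end without a match


# Scoring policy along the lines discussed above: softfail adds points to a spam
# score, fail (from -all) is an outright reject. Point values are assumptions.
SPF_POINTS = {"pass": 0.0, "neutral": 0.0, "none": 0.5, "softfail": 2.5, "permerror": 1.0}


def policy(spf_result, other_points=0.0, threshold=5.0):
    if spf_result == "fail":
        return "reject"
    total = other_points + SPF_POINTS[spf_result]
    return "quarantine" if total >= threshold else "deliver"


if __name__ == "__main__":
    for ip, dom in [("66.98.64.237", "paypal.com"), ("203.0.113.7", "paypal.com"),
                    ("66.98.64.237", "hardfail.example")]:
        r = check_host(ip, dom)
        print(f"{ip} for {dom}: {r} -> {policy(r)}")
```

    With the record as published (~all), 66.98.64.237 matches none of the mechanisms and comes back softfail, which on its own only adds points and still delivers; the same address against the -all variant returns fail and is rejected outright. That is the difference blowdart is pointing at: a softfail is advisory and a receiver has to combine it with other signals, while a hard fail lets the receiver act on the domain owner's word alone.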

  • rjdohnert

    I got an interesting one from eBay called a second chance buying.  Something I supposedly bid on came up for rebid and I could buy it.  Only thing is it was something I never bid on nor would I have any reason to bid on it.
