Computer Security - Can one determine from this Header .....

Old 01-09-2009, 10:25 PM   #1


............ that this is, in fact, a 'Spoof' email request?

*I* think it is. (In my Windows Live mailbox today)

Thanks for any comment.

****************************************

X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0xO0Q9MTtTQ0w9Mw==
X-Message-Status: n:0
X-SID-PRA: Support <>
X-Message-Info:
JGTYoYF78jEao6QhsKvDqeHDqSnuw1ToOJRO6EbP1LpNJoLPAp 8zdRSqtjh3QjY1s6FpVkfoguM2LjVjBdhQYgq4OfCrBDR/
Received: from 104747-web1.www.NinthVector.com ([72.3.253.24]) by
bay0-mc5-f17.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.266;
Fri, 9 Jan 2009 07:03:16 -0800
Received: (qmail 30449 invoked from network); 9 Jan 2009 07:27:08 -0600
Received: from 246.009.dsl.nsw.iprimus.net.au (HELO User)
(210.50.162.246)
by 72.32.234.251 with SMTP; 9 Jan 2009 07:27:07 -0600
From: "Support"<>
Subject: You have (1) Message from PayPal
Date: Sat, 10 Jan 2009 00:31:03 +1100
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path:
Message-ID: <BAY0-MC5->
X-OriginalArrivalTime: 09 Jan 2009 15:03:17.0041 (UTC)
FILETIME=[66E96A10:01C9726B]

Dear PayPal Member ,

We recently have determined that different computers have logged onto
your PayPal account, and multiple password failures were present before
the logins. We now need you to re-confirm your account information to
us.
If this is not completed by January 08, 2009, we will be forced to
suspend
your account indefinitely, as it may have been used for fraudulent
purposes.
We thank you for your cooperation in this manner. To confirm your
Account
records click on the following link:


http://www2.paypal.com.ssupda883844....=_login-submit

Thank you for your patience in this matter.
PayPal Customer Service.
Please do not reply to this e-mail as this is only a notification.
Mail sent to this address cannot be answered.

2009 PayPal. All rights reserved.





John D
Old 01-09-2009, 11:22 PM   #2
Beauregard T. Shagnasty
 
In alt.computer.security, John D wrote:

> ............ that this is, in fact, a 'Spoof' email request?


The answer is right there in the body of the message.

> http://www2.paypal.com.ssupda883844....=_login-submit


Do you think a paypal email would come from "ssupda883844.org" ?

--
-bts
-Friends don't let friends drive Windows


Beauregard T. Shagnasty
Old 01-10-2009, 04:05 PM   #3
John D
 
Thanks for your reply, Guy. I've got the message!

Interesting CV, btw. FYI, there's a 'typo' in the second paragraph: "
HARDWARE DESIGN; **Mt** engineering experience ..... "

You say "have also made it my business to be an expert on viruses,
malware and antispam measures". A friend of mine thinks he might have a
Rootkit and both he and I have played around with HiJackThis on his
computer (without really knowing what we're doing!). We know there are
lots of 'help' sites on-line but as I'm here I thought I'd ask if you
have a favourite forum you could recommend. Thanks.

John



"Guy Macon" <http://www.GuyMacon.com/> wrote in message
news:...
>
>
>
> John D wrote:
>
>> ............ that this is, in fact, a 'Spoof' email request?

>
> You can tell from the headers (paypal18.com is not Paypal,
> paypal.com.ssupda883844.org is not paypal...) but you don't
> need to. This line...
>
>>We now need you to re-confirm your account information to us.

>
> ...tells you all you need to know. Paypal never asks for your
> account information in an email. No reputable vendor does.
>
>
> --
> Guy Macon
> <http://www.GuyMacon.com/>
>





John D
Old 01-10-2009, 04:12 PM   #4
John D
 
OK -bts.

I Googled for "ssupda883844.org" but found nothing useful.

Thanks for confirming it was a bad email.

John


"Beauregard T. Shagnasty" <> wrote in message
news:gk8m72$ks6$...
> In alt.computer.security, John D wrote:
>
>> ............ that this is, in fact, a 'Spoof' email request?

>
> The answer is right there in the body of the message.
>
>> http://www2.paypal.com.ssupda883844....=_login-submit

>
> Do you think a paypal email would come from "ssupda883844.org" ?
>
> --
> -bts
> -Friends don't let friends drive Windows





John D
Old 01-10-2009, 04:18 PM   #5
John D
 
I appreciate all the trouble you've taken to make me think about
matters.

You are obviously very clever and know lots about this kind of thing.
I've got lots to learn. My friend uses PayPal and told me to watch out
for spoof emails - now I guess I've really had one!

Thanks for help.

John


"VanguardLH" <> wrote in message
news:gk937j$etl$...
> John D wrote:
>
> NOTE: The OP cross-posted to UNRELATED and INAPPROPRIATE newsgroups.
> The following newsgroups were removed from my reply:
> microsoft.public.nntp.test
> microsoft.public.test.here
>
>> ............ that this is, in fact, a 'Spoof' email request?

>
> Provide a Subject that actually means something. Or do you
> deliberately
> speed in alluring spamspeak?
>
>> *I* think it is. (In my Windows Live mailbox today)

>
> So do YOU even have a PayPal account? If not then why would you think
> any e-mails from them were legit?
>
>> Received:
>> from 104747-web1.www.NinthVector.com ([72.3.253.24])
>> by bay0-mc5-f17.bay0.hotmail.com

>
> That Received header was prepended by your e-mail provider (Hotmail).
> 72.3.253.24 is allocated to Backspace.com, Texas, USA.
>
>> Received: (qmail 30449 invoked from network); ...

>
> Some internal routing that you don't care about.
>
>> Received:
>> from 246.009.dsl.nsw.iprimus.net.au (HELO User) (210.50.162.246)
>> by 72.32.234.251 ...

>
> Normally the host in the 'by' header in one Received header added by a
> prior e-mail provider should be in the 'from' header in the next
> e-mail
> hop; i.e., the hop identifies itself as the source and the next hop
> identifies that source. The internal routing can obliterate that
> tracing.
>
> The 'from' header here has "User" as the sending mail host claiming
> that
> is its hostname which already makes it suspect. Could be a stupid
> e-mail admin that thinks "User" is cutsy. Could be a bogus Received
> header inserted by the spammer/scammer. That 'from' header already
> identifies the sender is using a DSL connection (...dsl...). Do you
> think PayPal really uses DSL connections to their Internet provider?
> That's some joker's home account.
>
> The 72.32.234.251 for the sender's IP address is allocated to
> NinthVector. You could complain to them about the phish mail.
>
>> From: "Support"<>

>
> So just because it has "paypal" somewhere in the domain makes you
> think
> that PayPal is involved? The paypal18.com domain is registered
> through
> HostMonster.com who has elected to hide the actual registrant. ICANN
> requires the responsibility party be identified in domain registration
> records. Registration service providers (who really are not ICANN-
> authorized registrars) get around the requirement by accepting
> responsibility for the domain (for which their "responsibility" will
> be
> to kill the domain, along with keeping the money the registrant paid).
>
>
>> Subject: You have (1) Message from PayPal

>
> Again, do you actually have a PayPal account? Or are we to guess that
> you do and the only reason why you would even consider that you would
> get legit e-mails from PayPal?
>
>> Message-ID:
>> <BAY0-MC5->

>
> Um, so you get an e-mail purporting to come from PayPal. Do you
> really
> believe PayPal can't afford their own e-mail services and instead have
> to use Hotmail? Look in the domain portion of the Message-ID. The
> sender is somehow spewing their crap out through a Hotmail account
> through some DSL account at NinthVector in Australia. You think
> PayPal
> would really be jumping around like that?
>
>> ... Account records click on the following link:
>>
>> http://www2.paypal.com.ssupda883844....=_login-submit

>
> Again, you think because "paypal" is somewhere in the URL means it
> came
> from PayPal? You think PayPal is at ssupda883844.org? That domain
> isn't registered anymore. If it did exist, it doesn't now so the
> phish
> site has been killed.
>
> Did you copy the *source* of the e-mail to copy here? Or was it an
> HTML-formatted e-mail and you simply copied what was rendered on the
> screen (and which may not match the actual URL underlying the link on
> which you click)?
>
>> Thank you for your patience in this matter.
>> PayPal Customer Service.
>> Please do not reply to this e-mail as this is only a notification.
>> Mail sent to this address cannot be answered.

>
> So did you go to paypal.com, login, and change your password - to a
> STRONG password - as a precaution against someone trying to hack into
> it
> as evidenced by this phish mail?





John D
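The two checks the replies keep coming back to (post #2: the owner of a link is the last labels of the hostname, not the "paypal.com" in the middle; post #5: each Received "by" host should reappear as the next hop's "from", a bare "User" HELO and a DSL reverse-DNS name are red flags, and a Message-ID domain that is not the sender's domain is another) can be automated over a raw header block. The script below is an added example, not code from anyone in this thread. It re-folds the Received lines quoted above into a parsable block; the From address and Message-ID domain were blanked on the page, so they carry PLACEHOLDER values (paypal18.com and Hotmail are named in the replies); the link path is also a placeholder, since the page truncates it. The regexes and the two-label domain rule are my own simplifications.

```python
import re
from email.parser import HeaderParser
from urllib.parse import urlsplit

# Constructed sample input: the Received lines quoted in the thread, refolded
# so the header parser sees one value per Received. The From address and the
# Message-ID domain were blanked on the page, so PLACEHOLDER values stand in;
# paypal18.com and the Hotmail Message-ID domain are named in the replies.
SAMPLE_HEADERS = """\
Received: from 104747-web1.www.NinthVector.com ([72.3.253.24]) by
 bay0-mc5-f17.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.266);
 Fri, 9 Jan 2009 07:03:16 -0800
Received: (qmail 30449 invoked from network); 9 Jan 2009 07:27:08 -0600
Received: from 246.009.dsl.nsw.iprimus.net.au (HELO User)
 (210.50.162.246)
 by 72.32.234.251 with SMTP; 9 Jan 2009 07:27:07 -0600
From: "Support" <PLACEHOLDER@paypal18.com>
Subject: You have (1) Message from PayPal
Message-ID: <PLACEHOLDER@hotmail.com>

"""

# Constructed: the link from the mail body, with the truncated path replaced.
PHISH_URL = "http://www2.paypal.com.ssupda883844.org/PLACEHOLDER-PATH"

FROM_RE = re.compile(r"^from\s+(\S+)", re.I)        # sending host (reverse DNS)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)            # receiving host
HELO_RE = re.compile(r"\(HELO\s+([^\s)]+)\)", re.I)  # name the sender announced
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")     # first IPv4 literal


def parse_received(raw_headers):
    """Return one dict per Received header, newest (topmost) first."""
    msg = HeaderParser().parsestr(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())  # unfold and squeeze whitespace
        m_from, m_by = FROM_RE.match(value), BY_RE.search(value)
        m_helo, m_ip = HELO_RE.search(value), IP_RE.search(value)
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "helo": m_helo.group(1) if m_helo else None,
            "ip": m_ip.group(1) if m_ip else None,
            "by": m_by.group(1) if m_by else None,
        })
    return hops


def audit_hops(hops):
    """Apply the checks discussed in the thread; return readable findings."""
    findings = []
    for i, hop in enumerate(hops):
        if hop["from"] is None:
            findings.append(f"hop {i}: internal routing line, no from/by pair")
            continue
        if hop["helo"] and "." not in hop["helo"]:
            findings.append(f"hop {i}: HELO name '{hop['helo']}' is not a hostname")
        if re.search(r"\b(dsl|dial|ppp|cable|dyn)\b", hop["from"], re.I):
            findings.append(f"hop {i}: sender '{hop['from']}' looks like a consumer line")
        # The 'by' host of the nearest older hop that names one should reappear
        # as this hop's 'from'; internal hops in between weaken the trace.
        older = next((h for h in hops[i + 1:] if h["by"]), None)
        if older and older["by"].lower() != hop["from"].lower():
            skipped = hops.index(older) - i - 1
            findings.append(f"hop {i}: from '{hop['from']}' does not match earlier by "
                            f"'{older['by']}' ({skipped} internal hop(s) between)")
    return findings


def registrable_domain(host_or_url):
    """Owner domain taken as the last two labels. Deliberately crude (not
    public-suffix aware, so co.uk-style names come out wrong), but enough to
    show that 'paypal.com' mid-hostname is only a subdomain of what follows."""
    host = urlsplit(host_or_url).hostname or host_or_url
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def sender_domains(raw_headers):
    """Domains of From and Message-ID; a vendor's own mail normally shares them."""
    msg = HeaderParser().parsestr(raw_headers)

    def pick(name):
        return registrable_domain(msg[name].rsplit("@", 1)[-1].rstrip(">"))

    return pick("From"), pick("Message-ID")


if __name__ == "__main__":
    for line in audit_hops(parse_received(SAMPLE_HEADERS)):
        print(line)
    print("link owner domain:", registrable_domain(PHISH_URL))
    print("From / Message-ID domains:", sender_domains(SAMPLE_HEADERS))
```

Run as-is, it reports the mismatch between the Hotmail hop's "from" and the earlier "by 72.32.234.251" (with one internal qmail hop in between), flags the "User" HELO and the DSL reverse-DNS name, resolves the link to ssupda883844.org, and shows the From domain (paypal18.com) disagreeing with the Message-ID domain (hotmail.com). None of these alone is proof, but the message in the body asking for account details is, as the thread says, enough on its own.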
Old 01-10-2009, 06:59 PM   #6
Beauregard T. Shagnasty
 
John D wrote:

> .. My friend uses PayPal and told me to watch out for spoof emails -
> now I guess I've really had one!


They are actually rather common. Congratulations on your first!

Actually, virtually any email you receive that invites you to log in
somewhere and provide 'account details' is a phishing email. Beware.

--
-bts
-Friends don't let friends drive Windows


Beauregard T. Shagnasty
Old 01-11-2009, 01:36 PM   #7
John D
 
See below please

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news: ...
> From: "John D" <John_D@Ican playgames.too>
>
> | Thanks for your reply, Guy. I've got the message!
>
> | Interesting CV, btw. FYI, there's a 'typo' in the second paragraph:
> "
> | HARDWARE DESIGN; **Mt** engineering experience ..... "
>
> | You say "have also made it my business to be an expert on viruses,
> | malware and antispam measures". A friend of mine thinks he might
> have a
> | Rootkit and both he and I have played around with HiJackThis on his
> | computer (without really knowing what we're doing!). We know there
> are
> | lots of 'help' sites on-line but as I'm here I thought I'd ask if
> you
> | have a favourite forum you could recommend. Thanks.
>
> | John
>
>
> http://www.thespykiller.co.uk/index.php?board=3.0
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>



I'd hoped that Guy would respond, but thanks anyway.

I went to that site and explored a bit.

If I scroll down, towards the bottom of the page, on the RHS, is a 'box'
marked 'Backups'.

In the second paragraph it says "We are working with .... (link)
Backupanswers.com That link takes *me* to a page saying HTTP Error
404 - File or directory not found. A dead link?

Where does it take you? (I'd appreciate an answer!)

I also noticed that when I hover over that link, at the bottom of my
screen I see this:-

http://regnow.com/softsell/visitor.cgi?affiliate = 37989&...

--

A little below that is another 'box' entitled WinBackup. If I click in
that box I'm taken here:
http://www.liutilities.com/products/...te/general/rb/

........ to:- Uniblue Registry Booster offering a "Free System Scan".

I didn't press the large green "Instant Scan" button!

What does that have to do with 'WinBackup'?

Hovering over the WinBackup 'box' I see this:

http://regnow.com/softsell/visitor.cgi?affiliate = 37989&action... (note
extra word - action!)

If I go directly to http://www.liutilities.com/products/freescans/ a
range of free scans is available, but nowhere do I see the exact same
page as in the link above. I'm now wondering if it is a spoof site.

You will appreciate that I can only tell you what I can see here on my
machine(s). Perhaps you too will explore these pages and tell me what
you find. I do understand that it might be my computers which have a
problem.

I also noticed that when I hover over that link, at the bottom of my
screen I see this:-

http://regnow.com/softsell/visitor.cgi?affiliate = 37989&...

Something doesn't seem quite right. Could it be my computers at fault or
can anyone else here see the same things?

Thanks

John








John D
Old 01-11-2009, 02:27 PM   #8
John D
 

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:-...
> From: "John D" <John_D@Ican playgames.too>
>
> | See below please
>
> | "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
> | news: ...
>>> From: "John D" <John_D@Ican playgames.too>

>
>>> | Thanks for your reply, Guy. I've got the message!

>
>>> | Interesting CV, btw. FYI, there's a 'typo' in the second
>>> paragraph:
>>> "
>>> | HARDWARE DESIGN; **Mt** engineering experience ..... "

>
>>> | You say "have also made it my business to be an expert on viruses,
>>> | malware and antispam measures". A friend of mine thinks he might
>>> have a
>>> | Rootkit and both he and I have played around with HiJackThis on
>>> his
>>> | computer (without really knowing what we're doing!). We know
>>> there
>>> are
>>> | lots of 'help' sites on-line but as I'm here I thought I'd ask if
>>> you
>>> | have a favourite forum you could recommend. Thanks.

>
>>> | John

>
>
>>> http://www.thespykiller.co.uk/index.php?board=3.0

>
>
>>> --
>>> Dave
>>> http://www.claymania.com/removal-trojan-adware.html
>>> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

>
>
>
>
> | I'd hoped that Guy would respond, but thanks anyway.
>
> | I went to that site and explored a bit.
>
> | If I scroll down, towards the bottom of the page, on the RHS, is a
> 'box'
> | marked 'Backups'.
>
> | In the second paragraph it says "We are working with .... (link)
> | Backupanswers.com That link takes *me* to a page saying HTTP
> Error
> | 404 - File or directory not found. A dead link?
>
> | Where does it take you? (I'd appreciate an answer!)
>
> | I also noticed that when I hover over that link, at the bottom of my
> | screen I see this:-
>
> | http://regnow.com/softsell/visitor.cgi?affiliate = 37989&...
>
> | --
>
> | A little below that is another 'box' entitled WinBackup. If I click
> in
> | that box I'm taken here:
> | http://www.liutilities.com/products/...te/general/rb/
>
> | ........ to:- Uniblue Registry Booster offering a "Free System
> Scan".
>
> | I didn't press the large green "Instant Scan" button!
>
> | What does that have to do with 'WinBackup'?
>
> | Hovering over the WinBackup 'box' I see this:
>
> | http://regnow.com/softsell/visitor.cgi?affiliate = 37989&action...
> (note
> | extra word - action!)
>
> | If I go directly to http://www.liutilities.com/products/freescans/
> a
> | range of free scans is available, but nowhere do I see the exact
> same
> | page as in the link above. I'm now wondering if it is a spoof site.
>
> | You will appreciate that I can only tell you what I can see here on
> my
> | machine(s). Perhaps you too will explore these pages and tell me
> what
> | you find. I do understand that it might be my computers which have a
> | problem.
>
> | I also noticed that when I hover over that link, at the bottom of my
> | screen I see this:-
>
> | http://regnow.com/softsell/visitor.cgi?affiliate = 37989&...
>
> | Something doesn't seem quite right. Could it be my computers at
> fault or
> | can anyone else here see the same things?
>
> | Thanks
>
> | John
>
> The objective is to register and create a thread.
>
> Have you done that or not ?
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>


No, not yet. I've said I'm suspicious of the site.

I don't know who you are or why you have recommended a specific site
which seems to have misleading links.

I'll wait a while and see if anyone else sees the same errors.

Can you tell me why you think this site is the best one for my friend to
use?

Thank you

John




John D
Old 01-11-2009, 11:05 PM   #9
John D
 
Thanks for responding with the links, Guy. Much appreciated.

It's quite late here in the UK so I'll have a look tomorrow.

Thanks again!

John


"Guy Macon" <http://www.GuyMacon.com/> wrote in message
news:...
>
>
>
> John D wrote:
>>
>>I'd hoped that Guy would respond,

>
> You didn't wait long enough. <grin> At times I am too busy at
> work to keep up with Usenet posts, but eventually I catch up.
>
> It is difficult to give good advice without knowing how advanced
> your present knowledge is, so if the following is too technical
> or too basic, let me know and I can adjust my advice accordingly.
>
> For learning more about general security issues, you might like the
> RISKS Forum. comp.risks and [ http://catless.ncl.ac.uk/Risks ] are
> good places to start.
>
> For more specific advice for Windows, here are some sites with good
> advice: [ http://www.security.ku.edu/docs/doc-viewer.jsp?id=3 ]
> and [ http://tweakhound.com/xp/security/page_1.htm ] and of course
> the Usenet newsgroups alt.computer.security and alt.privacy.
>
> I also really like the free online scan that Kaspersky offers:
> [ http://www.kaspersky.com/virusscanner ] ...so much so that I
> am willing to put up with it requiring Internet Explorer.
> In fact, Kaspersky and Windows Update are the only sites I use
> IE for. Please note that the scan takes a *long* time to load
> and to run, so be prepared to leave your PC on overnight.
>
> I would like to be able to say "switch to Linux", but, Alas,
> there are still a few programs that are not available on Linux,
> so I have to either dual-boot, use VMware, or run two PCs.
>
> ...
>
> "I want every spammer to consider spamming to be the
> single most terrible mistake he ever made. I want
> every spammer to have to change his name, move to
> another state or country, and get plastic surgery,
> as the best way to gradually get his reputation
> back through years of menial labor, after being
> simultaneously fired, divorced, sued, fined, shunned,
> and kicked out of his apartment within 48 hours of
> his first spam." -Keith Lynch
>
>
> "Keith Lynch is soft on spammers." -Guy Macon
>
>
> Guy Macon
> <http://www.GuyMacon.com/>
>





John D
Old 01-13-2009, 10:14 PM   #10
John D
 
Look below please:

"Guy Macon" <http://www.GuyMacon.com/> wrote in message
news:...
>
>
>
> John D wrote:
>>
>>I'd hoped that Guy would respond,

>
> You didn't wait long enough. <grin> At times I am too busy at
> work to keep up with Usenet posts, but eventually I catch up.
>
> It is difficult to give good advice without knowing how advanced
> your present knowledge is, so if the following is too technical
> or too basic, let me know and I can adjust my advice accordingly.
>
> For learning more about general security issues, you might like the
> RISKS Forum. comp.risks and [ http://catless.ncl.ac.uk/Risks ] are
> good places to start.
>
> For more specific advice for Windows, here are some sites with good
> advice: [ http://www.security.ku.edu/docs/doc-viewer.jsp?id=3 ]
> and [ http://tweakhound.com/xp/security/page_1.htm ] and of course
> the Usenet newsgroups alt.computer.security and alt.privacy.
>
> I also really like the free online scan that Kaspersky offers:
> [ http://www.kaspersky.com/virusscanner ] ...so much so that I
> am willing to put up with it requiring Internet Explorer.
> In fact, Kaspersky and Windows Update are the only sites I use
> IE for. Please note that the scan takes a *long* time to load
> and to run, so be prepared to leave your PC on overnight.
>
> I would like to be able to say "switch to Linux", but, Alas,
> there are still a few programs that are not available on Linux,
> so I have to either dual-boot, use VMware, or run two PCs.
>
> ...
>
> "I want every spammer to consider spamming to be the
> single most terrible mistake he ever made. I want
> every spammer to have to change his name, move to
> another state or country, and get plastic surgery,
> as the best way to gradually get his reputation
> back through years of menial labor, after being
> simultaneously fired, divorced, sued, fined, shunned,
> and kicked out of his apartment within 48 hours of
> his first spam." -Keith Lynch
>
>
> "Keith Lynch is soft on spammers." -Guy Macon
>
>
> Guy Macon
> <http://www.GuyMacon.com/>
>



Hello Guy

I've spent quite a while exploring the links you gave me - loads of very
interesting 'stuff' (I hate that word!!)

Today, from another source ('ask Leo') I've again been directed to
'Uniblue' - here:
http://www1.uniblue.com/products/cam...brary/ask-leo/

Do you know anything about this organisation? Are they Genuine? Is it
some sort of 'con'?

I really appreciate your help and guidance. Thank you.

John




John D