Can one determine from this Header .....

Discussion in 'Computer Security' started by John D, Jan 9, 2009.

  1. John D

    John D Guest

    ............ that this is, in fact, a 'Spoof' email request?

    *I* think it is. (In my Windows Live mailbox today)

    Thanks for any comment.


    X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0xO0Q9MTtTQ0w9Mw==
    X-Message-Status: n:0
    X-SID-PRA: Support <>
    Received: from ([]) by with Microsoft SMTPSVC(6.0.3790.2668);
    Fri, 9 Jan 2009 07:03:16 -0800
    Received: (qmail 30449 invoked from network); 9 Jan 2009 07:27:08 -0600
    Received: from (HELO User)
    by with SMTP; 9 Jan 2009 07:27:07 -0600
    From: "Support"<>
    Subject: You have (1) Message from PayPal
    Date: Sat, 10 Jan 2009 00:31:03 +1100
    MIME-Version: 1.0
    Content-Type: text/plain;
    Content-Transfer-Encoding: 7bit
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
    Message-ID: <>
    X-OriginalArrivalTime: 09 Jan 2009 15:03:17.0041 (UTC)

    Dear PayPal Member ,

    We recently have determined that different computers have logged onto
    your PayPal account, and multiple password failures were present before
    the logins. We now need you to re-confirm your account information to
    If this is not completed by January 08, 2009, we will be forced to
    your account indefinitely, as it may have been used for fraudulent
    We thank you for your cooperation in this manner. To confirm your
    records click on the following link:

    Thank you for your patience in this matter.
    PayPal Customer Service.
    Please do not reply to this e-mail as this is only a notification.
    Mail sent to this address cannot be answered.

    2009 PayPal. All rights reserved.
    John D, Jan 9, 2009
    1. Advertisements

  2. Beauregard T. Shagnasty, Jan 9, 2009
    1. Advertisements

  3. John D

    John D Guest

    Thanks for your reply, Guy. I've got the message!

    Interesting CV, btw. FYI, there's a 'typo' in the second paragraph: "
    HARDWARE DESIGN; **Mt** engineering experience ..... "

    You say "have also made it my business to be an expert on viruses,
    malware and antispam measures". A friend of mine thinks he might have a
    Rootkit and both he and I have played around with HiJackThis on his
    computer (without really knowing what we're doing!). We knows there are
    lots of 'help' sites on-line but as I'm here I thought I'd ask if you
    have a favourite forum you could recommend. Thanks.

    John D, Jan 10, 2009
  4. John D

    John D Guest

    OK -bts.

    I Googled for "" but found nothing useful.

    Thanks for confirming it was a bad email.

    John D, Jan 10, 2009
  5. John D

    John D Guest

    I appreciate all the trouble you've taken to make me think about

    You are obviously very clever and know lots about this kind of thing.
    I've got lots to learn. My friend uses PayPal and told me to watch out
    for spoof emails - now I guess I've reall had one!

    Thanks for help.


    John D, Jan 10, 2009
  6. They are actually rather common. Congratulations on your first!

    Actually, virtually any email you receive that invites you to log in
    somewhere and provide 'account details' is a phishing email. Beware.
    Beauregard T. Shagnasty, Jan 10, 2009
  7. John D

    John D Guest

    See below please

    I'd hoped that Guy would respond, but thanks anyway.

    I went to that site and explored a bit.

    If I scroll down, towards the bottom of the page, on the RHS, is a 'box'
    marked 'Backups'.

    In the second paragraph it says "We are working with .... (link) That link takes *me* to a page saying HTTP Error
    404 - File or directory not found. A dead link?

    Where does it take you? (I'd appreciate an answer!)

    I also noticed that when I hover over that link, at the bottom of my
    screen I see this:- = 37989&...


    A little below that is another 'box' entitled WinBackup. If I click in
    that box I'm taken here:

    ........ to:- Uniblue Registry Booster offering a "Free System Scan".

    I didn't press the large green "Instant Scan" button!

    What does that have to do with 'WinBackup'?

    Hovering over the WinBackup 'box' I see this: = 37989&action... (note
    extra word - action!)

    If I go directly to a
    range of free scans is available, but nowhere do I see the exact same
    page as in the link above. I'm now wondering if it is a spoof site.

    You will appreciate that I can only tell you what I can see here on my
    machine(s). Perhaps you too will explore these pages and tell me what
    you find. I do understand that it might be my computers which have a

    I also noticed that when I hover over that link, at the bottom of my
    screen I see this:- = 37989&...

    Something doesn't seem quite right. Could it be my computers at fault or
    can anyone else here see the same things?


    John D, Jan 11, 2009
  8. John D

    John D Guest

    No, not yet. I've said I'm suspicious of the site.

    I don't know who you are or why you have recommended a specific site
    which seems to have misleading links.

    I'll wait a while and see if anyone else sees the same errors.

    Can you tell me why you think this site is the best one for my friend to

    Thank you

    John D, Jan 11, 2009
  9. John D

    John D Guest

    Thanks for responding with the links, Guy. Much appreciated.

    It's quite late here in the UK so I'll have a look tomorrow.

    Thanks again! :)


    John D, Jan 11, 2009
  10. John D

    John D Guest

    Look below please:

    Hello Guy

    I've spent quite a while exploring the links you gave me - loads of very
    interesting 'stuff' (I hate that word!!)

    Today , from another source ('ask Leo') I've again been directed to
    'Uniblue' - here:

    Do you know anything about this organisation? Are they Genuine? Is it
    some sort of 'con'?

    I really appreciate your help and guidance. Thank you.

    John D, Jan 13, 2009
  11. John D

    John D Guest

    You have gone to a great deal of trouble to look at this, Guy. I really
    do appreciate it. Thank you.

    You said "That's enough for me to conclude that I don't like it". I
    don't like it either. Just a hinky feeling - no concrete evidence!

    I still have a feeling that all is not quite as it appears to be on the
    surface. Hmmm!

    It's late here in the UK right now. I'll check back here tomorrow.

    Thanks for caring.

    John D, Jan 14, 2009
  12. John D

    John D Guest

    Thanks for checking and letting me know, Guy

    I find this interesting.

    This link
    goes to a 'Free Process Scan' (green button)

    If I simply remove the '1' after www in my browser address bar - the URL
    instantly changes to (why? -
    scratching head!) No matter where I've looked on /this/ version on the
    Uniblue page I cannot see a page which looks like the one above.

    I'm still getting a feeling that something doesn't quite add up.

    Any further comments?
    John D, Jan 15, 2009
  13. John D

    John D Guest

    I've just noticed that if I hover my mouse cursor over the scan 'button'
    on this URL (found
    from the link under 'Solutions' (products/registry booster 2009) in the
    centre of this page - the information
    showning at the bottom of my window ...

    .... is different to that showing if I hover my mouse curser over the
    green button here
    This time it has a number included - /opt05308/

    The size of the download is 1.6Mb in each case, but if one site is /not/
    legitimate, I might be downloading malware onto my machine! True?
    John D, Jan 15, 2009
  14. John D

    John D Guest

    I've just noticed, too, that one Download is named
    "registryboosterppcg14.exe" whilst the other is simply

    I have no idea if that matters!
    John D, Jan 15, 2009
  15. John D

    John D Guest

    I've downloaded and run the programme you recommended, Guy.

    All seems OK if I type in (as an example) ......... with
    results I might expect.

    However, if I paste in the URL's used in this thread, things *don't*
    seem to indicate correctly. I'm just a novice! Perhaps if you can find a
    few moments, maybe *you* will explore just a little further.

    From past investigations, *I* think Uniblue is a *bad* site!

    How much do I have to pay you to explain how I can arrange to recover
    'from anything' - quickly? ;)
    John D, Jan 16, 2009
  16. John D

    John D Guest

    Hello Guy

    First, may I apologise for my failure to thank you for all the help and
    advice which you gave me in this thread.

    There was much to read (I have now read everything you sent me) and am
    now far more likely to purchase Acronis True Image than another version
    of Norton Ghost (a copy of which I did purchase and have used - version

    I have experimented a little more with WebBug but cannot be sure that I
    am interpreting the results correctly.

    You may be aware that I joined a small bulletin board after my forced
    departure from - operated by Jenn (once a moderator at
    Annexcafe). Jenn also has a web site . When I type that URL
    into WebBug, results are just as expected. However, when I type in the
    URL of the BB things (here on my PC) do not look
    right. Indeed, I get "HTTP/1.1 404 Not Found".

    I was introduced to Jenn's BB by 'Leo' - a prolific poster at Annexcafe
    newsgroups *and* on Jenn's BB. He runs a web site as Webmaster for his
    (somewhat on the fringe) church, here: If I
    post that URL into WebBug I end up with "HTTP/1.1 400 Bad Request".

    I'm fairly sure that I must be doing something wrong. If you do find a
    moment to see if you get the same or different results, I'd be most
    grateful if you would let me know. Thanks
    John D, Feb 3, 2009
  17. John D

    Bear Bottoms Guest

    What is that postal address again?
    Bear Bottoms, Feb 3, 2009
  18. John D

    ~BD~ Guest

    Thank you for taking a look, Guy. Much appreciated.

    I did as you suggested (I hadn't even noticed the choice before -

    All seems fine with but this is what was returned
    with regard to the BB:-

    HTTP/1.1 301 Moved Permanently
    Date: Wed, 04 Feb 2009 18:05:03 GMT
    Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8b
    mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/
    Content-Length: 402
    Connection: close
    Content-Type: text/html; charset=iso-8859-1

    <title>301 Moved Permanently</title>
    <h1>Moved Permanently</h1>
    <p>The document has moved <a
    <address>Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8b
    mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/ Server
    at Port 80</address>


    I'm way outside my comfort zone with this but maybe it is of interest to
    the gurus!
    ~BD~, Feb 4, 2009
  19. John D

    John D Guest

    I wouldn't choose him as *my* lawyer if he'd not bothered to even look!
    (I think Mr Bottoms was actually joking though!)
    John D, Feb 4, 2009
  20. John D

    John D Guest

    I appreciate your help and advice, Guy. There is just SO much to learn!!

    Can you tell me - in simplistic terms - what this really means. Please.

    Is the content anything I need to know about?


    When you will understand the following then you will have a grasp on
    reading IP
    addresses. But first you will need a server like W2K3 or similar to do
    it correctly
    (reading Kerberos)

    Windows XP did not use Kerberos when using IP address
    to visit websites. The Vista has the same behave with your client, it
    didn¡¯t use Kerberos when using IP address.

    I have found a similar case about Kerberos not working with IP Address.
    Below is summary of their conclusion:

    "Indeed, in Win2003/XP/Vista, all systems use KerbIsIpAddress to check
    the target server name is one IP address. If it is, the function will
    return true and System will deny to Kerberos in this situation with

    The reason that IP address worked in Windows 2003/XP is that the old
    logic doesn¡¯t check this pattern ¡°http/ipaddress¡±. Because the SPN is
    like ¡°http/ipaddress¡± in your situation, this implicitly workarounds

    However, in Vista, the KerbIsIpAddress function has been improved and
    ip address used in SPN will be filtered out and denied before Kerberos
    Negotiation. As key code logic, KerbIsIpAddress is not avoidable and it
    by design.

    In fact, for previous system, the description of Kerberos behavior when
    using IP Address has been provided as below (although it doesn't mention
    "http/ipaddress" pattern):

    322979 Kerberos is not used when you connect to SMB shares by using IP

    From the article "Improving Web Proxy Client Authentication Performance
    ISA Server 2006"

    We can find:
    "Although in the first scenario (see figure 1) we have a Windows Server
    2003 Domain and the native support to use Kerberos, NTLM will still be
    preferred authentication method for Internet Explorer 6 while browsing
    Internet through a Proxy."

    Many application will control also control the authentication method.

    There is also Group Policy for Kerberos.

    Configure Kerberos policy


    This was posted for my attention (I have NO doubt!) in the newsgroup - be careful if following the links

    I'm intrigued be the errors in the font's in parts - probably a simple

    John D, Feb 4, 2009
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.