Can one determine from this Header .....

............ that this is, in fact, a 'Spoof' email request?

*I* think it is. (In my Windows Live mailbox today)

Thanks for any comment.

****************************************

X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0xO0Q9MTtTQ0w9Mw==
X-Message-Status: n:0
X-SID-PRA: Support <>
X-Message-Info:
JGTYoYF78jEao6QhsKvDqeHDqSnuw1ToOJRO6EbP1LpNJoLPAp8zdRSqtjh3QjY1s6FpVkfoguM2LjVjBdhQYgq4OfCrBDR/
Received: from 104747-web1.www.NinthVector.com ([72.3.253.24]) by
bay0-mc5-f17.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);
Fri, 9 Jan 2009 07:03:16 -0800
Received: (qmail 30449 invoked from network); 9 Jan 2009 07:27:08 -0600
Received: from 246.009.dsl.nsw.iprimus.net.au (HELO User)
(210.50.162.246)
by 72.32.234.251 with SMTP; 9 Jan 2009 07:27:07 -0600
From: "Support"<>
Subject: You have (1) Message from PayPal
Date: Sat, 10 Jan 2009 00:31:03 +1100
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path:
Message-ID: <0.hotmail.com>
X-OriginalArrivalTime: 09 Jan 2009 15:03:17.0041 (UTC)
FILETIME=[66E96A10:01C9726B]

Dear PayPal Member ,

We recently have determined that different computers have logged onto
your PayPal account, and multiple password failures were present before
the logins. We now need you to re-confirm your account information to
us.
If this is not completed by January 08, 2009, we will be forced to
suspend
your account indefinitely, as it may have been used for fraudulent
purposes.
We thank you for your cooperation in this manner. To confirm your
Account
records click on the following link:


http://www2.paypal.com.ssupda883844.org/webscr/login.htm?cmd=_login-submit

Thank you for your patience in this matter.
PayPal Customer Service.
Please do not reply to this e-mail as this is only a notification.
Mail sent to this address cannot be answered.

2009 PayPal. All rights reserved.

 

The answer is right there in the body of the message.

Do you think a paypal email would come from "ssupda883844.org" ?

 

Thanks for your reply, Guy. I've got the message!

Interesting CV, btw. FYI, there's a 'typo' in the second paragraph: "
HARDWARE DESIGN; **Mt** engineering experience ..... "

You say "have also made it my business to be an expert on viruses,
malware and antispam measures". A friend of mine thinks he might have a
Rootkit and both he and I have played around with HiJackThis on his
computer (without really knowing what we're doing!). We knows there are
lots of 'help' sites on-line but as I'm here I thought I'd ask if you
have a favourite forum you could recommend. Thanks.

John

 

OK -bts.

I Googled for "ssupda883844.org" but found nothing useful.

Thanks for confirming it was a bad email.

John

 

I appreciate all the trouble you've taken to make me think about
matters.

You are obviously very clever and know lots about this kind of thing.
I've got lots to learn. My friend uses PayPal and told me to watch out
for spoof emails - now I guess I've reall had one!

Thanks for help.

John

 

They are actually rather common. Congratulations on your first!

Actually, virtually any email you receive that invites you to log in
somewhere and provide 'account details' is a phishing email. Beware.

 

See below please

I'd hoped that Guy would respond, but thanks anyway.

I went to that site and explored a bit.

If I scroll down, towards the bottom of the page, on the RHS, is a 'box'
marked 'Backups'.

In the second paragraph it says "We are working with .... (link)
Backupanswers.com That link takes *me* to a page saying HTTP Error
404 - File or directory not found. A dead link?

Where does it take you? (I'd appreciate an answer!)

I also noticed that when I hover over that link, at the bottom of my
screen I see this:-

http://regnow.com/softsell/visitor.cgi?affiliate = 37989&...

--

A little below that is another 'box' entitled WinBackup. If I click in
that box I'm taken here:
http://www.liutilities.com/products/campaigns/affiliate/general/rb/

........ to:- Uniblue Registry Booster offering a "Free System Scan".

I didn't press the large green "Instant Scan" button!

What does that have to do with 'WinBackup'?

Hovering over the WinBackup 'box' I see this:

http://regnow.com/softsell/visitor.cgi?affiliate = 37989&action... (note
extra word - action!)

If I go directly to http://www.liutilities.com/products/freescans/ a
range of free scans is available, but nowhere do I see the exact same
page as in the link above. I'm now wondering if it is a spoof site.

You will appreciate that I can only tell you what I can see here on my
machine(s). Perhaps you too will explore these pages and tell me what
you find. I do understand that it might be my computers which have a
problem.

I also noticed that when I hover over that link, at the bottom of my
screen I see this:-

http://regnow.com/softsell/visitor.cgi?affiliate = 37989&...

Something doesn't seem quite right. Could it be my computers at fault or
can anyone else here see the same things?

Thanks

John

 

No, not yet. I've said I'm suspicious of the site.

I don't know who you are or why you have recommended a specific site
which seems to have misleading links.

I'll wait a while and see if anyone else sees the same errors.

Can you tell me why you think this site is the best one for my friend to
use?

Thank you

John

 

Thanks for responding with the links, Guy. Much appreciated.

It's quite late here in the UK so I'll have a look tomorrow.

Thanks again!

John

 

Look below please:

Hello Guy

I've spent quite a while exploring the links you gave me - loads of very
interesting 'stuff' (I hate that word!!)

Today , from another source ('ask Leo') I've again been directed to
'Uniblue' - here:
http://www1.uniblue.com/products/campaigns/ppc/rb/google/uk/stl/process-library/ask-leo/

Do you know anything about this organisation? Are they Genuine? Is it
some sort of 'con'?

I really appreciate your help and guidance. Thank you.

John

 

You have gone to a great deal of trouble to look at this, Guy. I really
do appreciate it. Thank you.

You said "That's enough for me to conclude that I don't like it". I
don't like it either. Just a hinky feeling - no concrete evidence!

I still have a feeling that all is not quite as it appears to be on the
surface. Hmmm!

It's late here in the UK right now. I'll check back here tomorrow.

Thanks for caring.

John

 

Thanks for checking and letting me know, Guy

I find this interesting.

This link
http://www1.uniblue.com/products/campaigns/ppc/rb/google/uk/stl/process-library/ask-leo/
goes to a 'Free Process Scan' (green button)

If I simply remove the '1' after www in my browser address bar - the URL
instantly changes to http://www.liutilities.com/products/ (why? -
scratching head!) No matter where I've looked on /this/ version on the
Uniblue page I cannot see a page which looks like the one above.

I'm still getting a feeling that something doesn't quite add up.

Any further comments?

 

I've just noticed that if I hover my mouse cursor over the scan 'button'
on this URL http://www.liutilities.com/products/registrybooster/ (found
from the link under 'Solutions' (products/registry booster 2009) in the
centre of this page http://www.liutilities.com/) - the information
showning at the bottom of my window ...

.... is different to that showing if I hover my mouse curser over the
green button here
http://www1.uniblue.com/products/campaigns/ppc/rb/google/uk/stl/process-library/ask-leo/
This time it has a number included - /opt05308/

The size of the download is 1.6Mb in each case, but if one site is /not/
legitimate, I might be downloading malware onto my machine! True?

 

I've just noticed, too, that one Download is named
"registryboosterppcg14.exe" whilst the other is simply
"registrybooster.exe"

I have no idea if that matters!

 

I've downloaded and run the programme you recommended, Guy.

All seems OK if I type in www.google.com (as an example) ......... with
results I might expect.

However, if I paste in the URL's used in this thread, things *don't*
seem to indicate correctly. I'm just a novice! Perhaps if you can find a
few moments, maybe *you* will explore just a little further.

From past investigations, *I* think Uniblue is a *bad* site!

How much do I have to pay you to explain how I can arrange to recover
'from anything' - quickly?

 

Hello Guy

First, may I apologise for my failure to thank you for all the help and
advice which you gave me in this thread.

There was much to read (I have now read everything you sent me) and am
now far more likely to purchase Acronis True Image than another version
of Norton Ghost (a copy of which I did purchase and have used - version
10).

I have experimented a little more with WebBug but cannot be sure that I
am interpreting the results correctly.

You may be aware that I joined a small bulletin board after my forced
departure from Annexcafe.com - operated by Jenn (once a moderator at
Annexcafe). Jenn also has a web site www.pqlr.org . When I type that URL
into WebBug, results are just as expected. However, when I type in the
URL of the BB www.pqlr.org/bbs things (here on my PC) do not look
right. Indeed, I get "HTTP/1.1 404 Not Found".

I was introduced to Jenn's BB by 'Leo' - a prolific poster at Annexcafe
newsgroups *and* on Jenn's BB. He runs a web site as Webmaster for his
(somewhat on the fringe) church, here: http://www.1usachurch.com/ If I
post that URL into WebBug I end up with "HTTP/1.1 400 Bad Request".

I'm fairly sure that I must be doing something wrong. If you do find a
moment to see if you get the same or different results, I'd be most
grateful if you would let me know. Thanks
--

 

What is that postal address again?

 

Thank you for taking a look, Guy. Much appreciated.

I did as you suggested (I hadn't even noticed the choice before -
Ooops!)

All seems fine with www.1usachurch.com but this is what was returned
with regard to the BB:-

HTTP/1.1 301 Moved Permanently
Date: Wed, 04 Feb 2009 18:05:03 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8b
mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Location: http://www.pqlr.org/bbs/
Content-Length: 402
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a
href="http://www.pqlr.org/bbs/">here</a>.</p>
<hr>
<address>Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8b
mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server
at www.pqlr.org Port 80</address>
</body></html>

****************************************

I'm way outside my comfort zone with this but maybe it is of interest to
the gurus!

 

I wouldn't choose him as *my* lawyer if he'd not bothered to even look!
(I think Mr Bottoms was actually joking though!)

 

I appreciate your help and advice, Guy. There is just SO much to learn!!

Can you tell me - in simplistic terms - what this really means. Please.

Is the content anything I need to know about?

***************************************************

When you will understand the following then you will have a grasp on
reading IP
addresses. But first you will need a server like W2K3 or similar to do
it correctly
(reading Kerberos)


Windows XP did not use Kerberos when using IP address
to visit websites. The Vista has the same behave with your client, it
didn¡¯t use Kerberos when using IP address.

I have found a similar case about Kerberos not working with IP Address.
Below is summary of their conclusion:

"Indeed, in Win2003/XP/Vista, all systems use KerbIsIpAddress to check
if
the target server name is one IP address. If it is, the function will
return true and System will deny to Kerberos in this situation with
SEC_E_TARGET_UNKNOWN.

The reason that IP address worked in Windows 2003/XP is that the old
system
logic doesn¡¯t check this pattern ¡°http/ipaddress¡±. Because the SPN is
like ¡°http/ipaddress¡± in your situation, this implicitly workarounds
the
limitation.

However, in Vista, the KerbIsIpAddress function has been improved and
all
ip address used in SPN will be filtered out and denied before Kerberos
Negotiation. As key code logic, KerbIsIpAddress is not avoidable and it
is
by design.

In fact, for previous system, the description of Kerberos behavior when
using IP Address has been provided as below (although it doesn't mention
"http/ipaddress" pattern):

322979 Kerberos is not used when you connect to SMB shares by using IP
address http://support.microsoft.com/default.aspx?scid=kb;EN-US;322979

From the article "Improving Web Proxy Client Authentication Performance
on
ISA Server 2006"
http://technet.microsoft.com/en-us/library/bb984870.aspx

We can find:
"Although in the first scenario (see figure 1) we have a Windows Server
2003 Domain and the native support to use Kerberos, NTLM will still be
preferred authentication method for Internet Explorer 6 while browsing
the
Internet through a Proxy."

Many application will control also control the authentication method.

There is also Group Policy for Kerberos.

Configure Kerberos policy
http://technet.microsoft.com/en-us/library/cc776647.aspx

--
Peter
************************************************

This was posted for my attention (I have NO doubt!) in the
microsoft.public.test.here newsgroup - be careful if following the links
Guy!

I'm intrigued be the errors in the font's in parts - probably a simple
explanation!

Cheers