John, I think my last post answered that.

FWIW, also check out the SPF record:

nslookup -type=TXT email.paypal.com

Which allows postdirect.com as a mailer. In this case, it's not needed, because they also allow SPF from the PTR records that match.

Andrew 8)

> -----Original Message-----
> From: Message Sniffer Community
> [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
> Sent: Wednesday, May 24, 2006 9:45 AM
> To: Message Sniffer Community
> Subject: Re: [sniffer]Possible Paypal Phishing
>
> But how is PayPal's DNS involved in this as at what point are
> the Paypal DNS servers queried?
>
> John T
> eServices For You
>
> "Seek, and ye shall find!"
>
> > -----Original Message-----
> > From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
> > Behalf Of Colbeck, Andrew
> > Sent: Wednesday, May 24, 2006 9:38 AM
> > To: Message Sniffer Community
> > Subject: Re: [sniffer]Possible Paypal Phishing
> >
> > It's really from PostDirect.com aka YesMail.com ...
> >
> > You can tell that it's authorized because the reverse DNS which ends
> > in PayPal.com (ok, that does set off alarm bells when it's someone
> > else's netblock) matches the forward lookup of the resulting
> > address at PayPal.
> >
> > Therefore, PayPal is deliberately allowing that reverse IP in someone
> > else's netblock.
> >
> > That, or both the netblock and PayPal's DNS have been p0wned.
> >
> > Andrew 8)
> >
> > > -----Original Message-----
> > > From: Message Sniffer Community
> > > [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
> > > Sent: Wednesday, May 24, 2006 9:31 AM
> > > To: Message Sniffer Community
> > > Subject: [sniffer]Possible Paypal Phishing
> > >
> > > Attached are the headers to an e-mail I am suspecting as a clever
> > > phishing that has me worried.
> > >
> > > It looks like a legit message sent on behalf of Paypal, however, it
> > > is sent from an IP address not owned by Paypal BUT which has a
> > > REVDNS that ends in paypal.com.
> > >
> > > The message is full of links to images.postdirect.com but does have
> > > legit links to paypal.com.
> > >
> > > John T
> > > eServices For You
> > >
> > > "Seek, and ye shall find!"
> >
> > #############################################################
> > This message is sent to you because you are subscribed to
> > the mailing list <[email protected]>.
> > To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
> > To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
> > To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
> > Send administrative queries to <[EMAIL PROTECTED]>
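
The check described in this thread (a reverse DNS name that is confirmed by a forward lookup, which is also what SPF's ptr mechanism tests), as an added example that is not part of the original messages. The addresses, hostnames and the brand.example domain are constructed stand-ins for illustration, not real DNS records.

```python
# Constructed DNS data: documentation IPs (RFC 5737) and made-up names.
# PTR records are published by whoever controls the netblock's reverse zone.
PTR = {
    "192.0.2.10": ["mta1.email.brand.example."],  # third-party mailer, name approved by the brand
    "192.0.2.66": ["mta1.email.brand.example."],  # same name claimed from an unrelated netblock
    "192.0.2.99": ["host99.isp.example."],
}
# A records are published by whoever controls the forward zone (the domain owner).
A = {
    "mta1.email.brand.example": ["192.0.2.10"],
    "host99.isp.example": ["192.0.2.99"],
}

def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.lower().rstrip(".")

def under(name, domain):
    """True if name equals domain or is a subdomain of it (label-aligned)."""
    return name == domain or name.endswith("." + domain)

def validated_names(ip):
    """Forward-confirmed reverse DNS: PTR names whose A records contain ip."""
    names = [norm(n) for n in PTR.get(ip, [])]
    return [n for n in names if ip in A.get(n, [])]

def spf_ptr_pass(ip, domain):
    """SPF 'ptr' mechanism: some validated name falls under the sender domain."""
    domain = norm(domain)
    return any(under(n, domain) for n in validated_names(ip))

def classify(ip, domain):
    """Label a connecting IP relative to the domain its PTR name claims."""
    domain = norm(domain)
    claimed = [norm(n) for n in PTR.get(ip, [])]
    if not claimed:
        return "no-ptr"
    if spf_ptr_pass(ip, domain):
        return "forward-confirmed"      # domain owner vouches for this IP
    if any(under(n, domain) for n in claimed):
        return "unconfirmed-claim"      # PTR names the domain, forward zone disagrees
    return "unrelated"

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.66", "192.0.2.99", "198.51.100.1"):
        print(ip, classify(ip, "brand.example"))
```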
