Just got a thing that claims to come from "email-109.paypal.com". It
backtracks to there, too.
pts rule name description
---- ---------------------- --------------------------------------------------
0.0 DK_POLICY_TESTING Domain Keys: policy says domain is testing DK
0.0 DK_SIGNED Domain Keys: message has a signature
-0.0 DK_VERIFIED Domain Keys: signature passes verification
0.2 HTML_IMAGE_RATIO_04 BODY: HTML has a low ratio of text to image area
0.0 HTML_MESSAGE BODY: HTML included in message
0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
[score: 0.5007]
1.4 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars
10 CLAMAV Clam AntiVirus detected a virus
-0.0 SARE_LEGIT_PAYPAL Has signs it's from paypal, from, headers, uri
0.6 HELO_MISMATCH_COM HELO_MISMATCH_COM
Clam seems to think it is a phish. I think it is a phish. It looks like a
phish.
The disturbing thing is it seems to have come from the real Paypal servers,
AND, it has my correct name in the body of the email.
Now, they don't actually ask me to "log on" to a link in the email. They
just say "click here to win" with a link with a tracking id.
I have to wonder if they have been taking lessons on how to make spam look
and feel like week-old dead phish, or if they just brilliantly came up with
the idea all on their own.
Loren
