Loren Wilton wrote:
The disturbing thing is it seems to have come from the real Paypal
servers, AND, it has my correct name in the body of the email.
Now, they don't actually ask me to "log on" to a link in the email.
They just say "click here to win" with a link with a tracking id.
I have to wonder if they have been taking lessons on how to make spam
look and feel like week-old dead phish, or if they just brilliantly came
up with the idea all on their own.

Funny, my reaction to seeing (I assume) the same message was that they'd
learned how *not* to look like a phish.

In particular, they used their own domain name for *everything*,
including the sending server, the return address, matching forward &
reverse DNS on the sending server (mine came from 206.165.246.86, which
has a PTR to email-86.paypal.com, which resolves to 206.165.246.86), all
the hyperlinks (with matching rDNS), and nearly all the images. Not to
mention validating DomainKeys and SPF.

The only thing I found that didn't point to something.paypal.com were
two references to the same one-pixel image on postdirect.com, used for
spacing and possibly also for tracking.

I've seen way too many messages from, say, financial institutions,
stores, or even security software companies (*cough*symantec*cough*)
where they use multiple domain names, sometimes including that of their
third-party list manager, for everything -- even the click-tracked
links. Back when I used to shop at what was then DeepDiscountDVD, I'd
actually get order confirmations with a return address at their ISP,
instead of at their domain. The problem with these companies is that
they're training their users to trust mail from and linking to random
domains -- not to mention making it harder for us admins to prevent
false positives through whitelisting.

It was nice to see a sender that had learned to not make that mistake.

--
Kelson Vibber
SpeedGate Communications <www.speed.net>
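
The single-domain check described in the message above, as an added example that is not part of the original post: it confirms forward and reverse DNS for the sending server and lists every address, link or image host that falls outside one organizational domain. The function names, the sample message and the DNS tables are constructed for illustration (only the IP, the PTR name and postdirect.com come from the post), and SPF and DomainKeys validation are not covered.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed inputs: DNS data uses the values quoted in the post; the message is illustrative.
PTR = {"206.165.246.86": "email-86.paypal.com"}
A = {"email-86.paypal.com": "206.165.246.86"}

SAMPLE = """\
From: PayPal <promo@something.paypal.com>
Return-Path: <bounce@something.paypal.com>

<a href="http://something.paypal.com/win?id=123">click here to win</a>
<img src="http://something.paypal.com/logo.gif">
<img src="http://postdirect.com/pixel.gif" width="1" height="1">
"""

def under(host, org):
    """True if host is org itself or a subdomain of it (match on a label boundary)."""
    host = (host or "").lower().rstrip(".")
    return host == org or host.endswith("." + org)

def fcrdns(ip):
    """Forward-confirmed reverse DNS: PTR name must map back to ip (live: query DNS)."""
    name = PTR.get(ip)
    return name if name and A.get(name) == ip else None

class UrlHosts(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hosts = set()
    def handle_starttag(self, tag, attrs):
        for key, val in attrs:
            if (tag, key) in (("a", "href"), ("img", "src")) and val:
                self.hosts.add(urlsplit(val).hostname)

def audit(raw, org, client_ip):
    """Return every element of the message that falls outside org."""
    msg, out = message_from_string(raw), []
    if not under(fcrdns(client_ip), org):
        out.append(f"sending server {client_ip}")
    for hdr in ("From", "Return-Path"):
        dom = parseaddr(msg.get(hdr, ""))[1].rpartition("@")[2]
        if not under(dom, org):
            out.append(f"{hdr} domain {dom}")
    parser = UrlHosts()
    parser.feed(msg.get_payload())
    bad = sorted(h for h in parser.hosts if h and not under(h, org))
    return out + [f"URL host {h}" for h in bad]
```

Calling `audit(SAMPLE, "paypal.com", "206.165.246.86")` reports only the postdirect.com image host, which matches the one exception noted in the message.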