Comments on: Yet another Paypal phishing scam http://blogs.mcafee.com/mcafee-labs/yet-another-paypal-phishing-scam Sat, 12 May 2012 04:55:36 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Abhinav Singh http://blogs.mcafee.com/mcafee-labs/yet-another-paypal-phishing-scam/comment-page-1#comment-18225 Abhinav Singh Wed, 09 Jul 2008 14:45:15 +0000 http://www.labs.com/research/blog/?p=683#comment-18225 Nice post, well I recieved an email yesterday itself asking me to update my card information as it has been deactivated and finally realized its a phishing site. Read more and see the screen shots of the same here: http://abhinavsingh.com/blog/2008/07/fake-email-from-paypal-cloned-sites/ Nice post, well I recieved an email yesterday itself asking me to update my card information as it has been deactivated and finally realized its a phishing site.

Read more and see the screen shots of the same here:

http://abhinavsingh.com/blog/2008/07/fake-email-from-paypal-cloned-sites/

]]> By: King http://blogs.mcafee.com/mcafee-labs/yet-another-paypal-phishing-scam/comment-page-1#comment-18224 King Wed, 02 Jul 2008 20:59:41 +0000 http://www.labs.com/research/blog/?p=683#comment-18224 The X-WEBC-Mail-From-Script isn't even the *real* giveway. That would be the line that shows which Internet host gave it to your SMTP server: Received: from 213.193.2.228 (EHLO mcorep06.live.webc.lyceu.net) (213.193.2.228) by mta324.mail.re4.yahoo.com with SMTP; Fri, 27 Jun ... 17:51:25 -0700 This line says the mail came from a machine in the lyceu.net domain. THIS is the dead giveaway because all mail from Paypal comes from a host in the paypal.com domain. That X-WEBC header might or might not be real. The spammer might have put it in to make something look legit if they've noticed that filters tend to pass messages containing those headers. You can't believe any header line after the one added by YOUR SMTP server, since any other header line could have been faked by the spammer. The X-WEBC-Mail-From-Script isn’t even the *real* giveway. That would be the line that shows which Internet host gave it to your SMTP server:

Received: from 213.193.2.228 (EHLO mcorep06.live.webc.lyceu.net) (213.193.2.228) by mta324.mail.re4.yahoo.com with SMTP; Fri, 27 Jun … 17:51:25 -0700

This line says the mail came from a machine in the lyceu.net domain. THIS is the dead giveaway because all mail from Paypal comes from a host in the paypal.com domain.

That X-WEBC header might or might not be real. The spammer might have put it in to make something look legit if they’ve noticed that filters tend to pass messages containing those headers. You can’t believe any header line after the one added by YOUR SMTP server, since any other header line could have been faked by the spammer.

]]>