[CentOS] Paypal phishing warning

m.roth at 5-cent.us m.roth at 5-cent.us
Thu Jun 9 13:17:56 UTC 2011


Robert Heller wrote:
> At Thu, 9 Jun 2011 11:00:27 +0200 CentOS mailing list <centos at centos.org>
> wrote:
>> On Thu, June 9, 2011 10:51, Rudi Ahlers wrote:
>> > On Thu, Jun 9, 2011 at 8:39 AM, MR ZenWiz <mrzenwiz at gmail.com> wrote:
>> >> Sorry for the cross-post, and off-topic at that, but:
>> >>
>> >> This morning I received a very authentic looking email from
>> >> info.paypal.com, claiming that Paypal wanted me to update my browser.
>> >> (Really.)
>> >>
>> >> It had my name in it and all the right graphics and colors and
>> >> everything.

Ah, *bing*: colors and graphics. First suggestion: TURN OFF HTML EMAIL,
*always*. Looking at it in plain text makes it trivially obvious that the
link doesn't point to paypal.

There are reasons that most mailing lists (at least all that I'm on),
either reject HTML email, or deliver it as plain text, larded with garbage
chars.
<snip>
>> I imagine he means that the mail had a "From:" or even "Reply-To:"
>> header that came from info.paypal.com. Both these headers are trvially
>> forged

As, for the last three weeks or so, I've gotten a *bunch* of bounced
emails, or notifications that something couldn't be delivered, because
some scumbag has forged my email, putting it into the Reply-To: for their
spam.
<snip>
> The important headers in question are the 'Received:' headers, paying
> close attention to the one that identifies where the mail entered
> a legitimate server -- eg one's inbound mail server.

Yep. Look at the chain of them, and mostly at the bottom, or the bottom
two, and the Message-ID. If the IP's bogus (as in, 355.x.x.x, or the
MessageID is something completely different than where it claims to be
from, that's your givaway.

        mark




More information about the CentOS mailing list