Sorry for the cross-post, and off-topic at that, but:
This morning I received a very authentic looking email from info.paypal.com, claiming that Paypal wanted me to update my browser. (Really.)
It had my name in it and all the right graphics and colors and everything.
Except that the from site was info.paypal.com (whoever they are: hint - not paypal.com) and the links all had long obfuscated links in them.
I verified with paypal that it was not legitimate, so I thought you might all be warned as well.
You may now return to the appropriate technical discussions....
MR ZenWiz wrote:
Sorry for the cross-post, and off-topic at that, but:
This morning I received a very authentic looking email from info.paypal.com, claiming that Paypal wanted me to update my browser. (Really.)
It had my name in it and all the right graphics and colors and everything.
Except that the from site was info.paypal.com (whoever they are: hint - not paypal.com) and the links all had long obfuscated links in them.
I verified with paypal that it was not legitimate, so I thought you might all be warned as well.
You may now return to the appropriate technical discussions....
I receive similar mails all the time. Last was from Yahoo, something about some problem. In headers there was info that it was sent from some Indian domain. SMTP server itself is legitimate (Reverse DNS and all) so my server allowed the mail.
If I haven't asked for that mail (activation, etc.) I do not click on it, and even when it should be legitimate I always check the link.
Ljubomir
On Thu, Jun 9, 2011 at 8:39 AM, MR ZenWiz mrzenwiz@gmail.com wrote:
Sorry for the cross-post, and off-topic at that, but:
This morning I received a very authentic looking email from info.paypal.com, claiming that Paypal wanted me to update my browser. (Really.)
It had my name in it and all the right graphics and colors and everything.
Except that the from site was info.paypal.com (whoever they are: hint - not paypal.com) and the links all had long obfuscated links in them.
I verified with paypal that it was not legitimate, so I thought you might all be warned as well.
You may now return to the appropriate technical discussions....
If the mail came from info.paypal.com then I would suspect a "rogue insider job", OR their servers could be compromised. No-one but the network / domain administrator(s) of paypal.com can actually setup a subdomain on their own server called info.paypal.com
Even if I setup a domain called info.paypal.com on one of our servers, the links won't work and the phishing attempt would be void to start with.
Are / were those links clickable? If so, then I would raise it to their attention again that their servers could probably have been compromised.
On Thu, June 9, 2011 10:51, Rudi Ahlers wrote:
On Thu, Jun 9, 2011 at 8:39 AM, MR ZenWiz mrzenwiz@gmail.com wrote:
Sorry for the cross-post, and off-topic at that, but:
This morning I received a very authentic looking email from info.paypal.com, claiming that Paypal wanted me to update my browser. (Really.)
It had my name in it and all the right graphics and colors and everything.
Except that the from site was info.paypal.com (whoever they are: hint - not paypal.com) and the links all had long obfuscated links in them.
I verified with paypal that it was not legitimate, so I thought you might all be warned as well.
You may now return to the appropriate technical discussions....
If the mail came from info.paypal.com then I would suspect a "rogue insider job", OR their servers could be compromised. No-one but the network / domain administrator(s) of paypal.com can actually setup a subdomain on their own server called info.paypal.com
Even if I setup a domain called info.paypal.com on one of our servers, the links won't work and the phishing attempt would be void to start with.
Are / were those links clickable? If so, then I would raise it to their attention again that their servers could probably have been compromised.
I imagine he means that the mail had a "From:" or even "Reply-To:" header that came from info.paypal.com. Both these headers are trivially forged and bear no connection to the origin of the mail. The only headers you can trust on an email are the ones that have been inserted or changed by your own mail servers.
At Thu, 9 Jun 2011 11:00:27 +0200 CentOS mailing list centos@centos.org wrote:
On Thu, June 9, 2011 10:51, Rudi Ahlers wrote:
On Thu, Jun 9, 2011 at 8:39 AM, MR ZenWiz mrzenwiz@gmail.com wrote:
Sorry for the cross-post, and off-topic at that, but:
This morning I received a very authentic looking email from info.paypal.com, claiming that Paypal wanted me to update my browser. (Really.)
It had my name in it and all the right graphics and colors and everything.
Except that the from site was info.paypal.com (whoever they are: hint - not paypal.com) and the links all had long obfuscated links in them.
I verified with paypal that it was not legitimate, so I thought you might all be warned as well.
You may now return to the appropriate technical discussions....
If the mail came from info.paypal.com then I would suspect a "rogue insider job", OR their servers could be compromised. No-one but the network / domain administrator(s) of paypal.com can actually setup a subdomain on their own server called info.paypal.com
Even if I setup a domain called info.paypal.com on one of our servers, the links won't work and the phishing attempt would be void to start with.
Are / were those links clickable? If so, then I would raise it to their attention again that their servers could probably have been compromised.
I imagine he means that the mail had a "From:" or even "Reply-To:" header that came from info.paypal.com. Both these headers are trivially forged and bear no connection to the origin of the mail. The only headers you can trust on an email are the ones that have been inserted or changed by your own mail servers.
The important headers in question are the 'Received:' headers, paying close attention to the one that identifies where the mail entered a legitimate server -- eg one's inbound mail server.
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Robert Heller wrote:
At Thu, 9 Jun 2011 11:00:27 +0200 CentOS mailing list centos@centos.org wrote:
On Thu, June 9, 2011 10:51, Rudi Ahlers wrote:
On Thu, Jun 9, 2011 at 8:39 AM, MR ZenWiz mrzenwiz@gmail.com wrote:
Sorry for the cross-post, and off-topic at that, but:
This morning I received a very authentic looking email from info.paypal.com, claiming that Paypal wanted me to update my browser. (Really.)
It had my name in it and all the right graphics and colors and everything.
Ah, *bing*: colors and graphics. First suggestion: TURN OFF HTML EMAIL, *always*. Looking at it in plain text makes it trivially obvious that the link doesn't point to paypal.
There are reasons that most mailing lists (at least all that I'm on), either reject HTML email, or deliver it as plain text, larded with garbage chars. <snip>
I imagine he means that the mail had a "From:" or even "Reply-To:" header that came from info.paypal.com. Both these headers are trivially forged
As, for the last three weeks or so, I've gotten a *bunch* of bounced emails, or notifications that something couldn't be delivered, because some scumbag has forged my email, putting it into the Reply-To: for their spam. <snip>
The important headers in question are the 'Received:' headers, paying close attention to the one that identifies where the mail entered a legitimate server -- eg one's inbound mail server.
Yep. Look at the chain of them, and mostly at the bottom, or the bottom two, and the Message-ID. If the IP's bogus (as in, 355.x.x.x), or the Message-ID is something completely different than where it claims to be from, that's your giveaway.
mark
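Mark's advice above, turned into a check one can run over a saved message: an added example, not code from anyone on the list. The message, addresses and hosts in it are constructed, and the Message-ID comparison is only a heuristic (legitimate senders often relay through a third party), so its findings are things to look at, not proof.

```python
import email
import email.utils
import ipaddress
import re

# Constructed sample (not the real mail): a forged "PayPal" message showing the
# two giveaways mark describes, a bogus IP in the entry hop and a Message-ID
# naming a host other than the claimed sender domain.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbox.example.net with ESMTP; Thu, 9 Jun 2011 08:12:01 +0000
Received: from info.paypal.com (unknown [355.12.7.9])
\tby mx.example.net with SMTP; Thu, 9 Jun 2011 08:11:58 +0000
From: PayPal <service@info.paypal.com>
Reply-To: service@info.paypal.com
Message-ID: <20110609081150.GA1234@mail.dubious-host.example>
Subject: Please update your browser

Update now.
"""
RECEIVED_FROM = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?", re.IGNORECASE)
BRACKET_IP = re.compile(r"\[(?:IPv6:)?([^\]]+)\]")

def domain_of(addr: str) -> str:
    """Domain part of an address or Message-ID, lower-cased."""
    return addr.strip("<> ").rsplit("@", 1)[-1].lower()

def analyze(raw: str) -> list[str]:
    """Return findings for the message; an empty list means nothing stood out."""
    msg = email.message_from_string(raw)
    findings = []
    # Each relay prepends its own Received: header, so the bottom one is the hop
    # where the mail entered from outside. From: and Reply-To: are not consulted
    # for trust: they are trivially forged.
    for idx, hop in enumerate(reversed(msg.get_all("Received", [])), start=1):
        m = RECEIVED_FROM.search(hop)
        ipm = BRACKET_IP.search(m.group(2) or "") if m else None
        if ipm:
            try:
                ipaddress.ip_address(ipm.group(1))
            except ValueError:
                findings.append(f"hop {idx} from bottom: bogus IP {ipm.group(1)} for {m.group(1)}")
    from_dom = domain_of(email.utils.parseaddr(msg.get("From", ""))[1])
    mid_dom = domain_of(msg.get("Message-ID", ""))
    # Heuristic only: legitimate senders often relay through a third party.
    if from_dom and mid_dom and mid_dom != from_dom and not mid_dom.endswith("." + from_dom):
        findings.append(f"Message-ID host {mid_dom} differs from From: domain {from_dom}")
    return findings
```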
On Thu, 9 Jun 2011, m.roth@5-cent.us wrote:
As, for the last three weeks or so, I've gotten a *bunch* of bounced emails, or notifications that something couldn't be delivered, because some scumbag has forged my email, putting it into the Reply-To: for their spam.
Yes, me too.
It seems a regular thing here for my email addresses.
I did have a catch-all email address, ie whatever@my-domain.net, but that is just *asking* for spam!
Kind Regards,
Keith Roberts
<snip>
The important headers in question are the 'Received:' headers, paying close attention to the one that identifies where the mail entered a legitimate server -- eg one's inbound mail server.
Yep. Look at the chain of them, and mostly at the bottom, or the bottom two, and the Message-ID. If the IP's bogus (as in, 355.x.x.x), or the Message-ID is something completely different than where it claims to be from, that's your giveaway.
mark
On 6/9/11, MR ZenWiz mrzenwiz@gmail.com wrote:
Sorry for the cross-post, and off-topic at that, but:
This morning I received a very authentic looking email from info.paypal.com, claiming that Paypal wanted me to update my browser. (Really.)
It had my name in it and all the right graphics and colors and everything.
Except that the from site was info.paypal.com (whoever they are: hint - not paypal.com) and the links all had long obfuscated links in them.
Did the link really go to info.paypal.com or was it just a link formatted to look like it goes to info.paypal.com, e.g. <a href='somedubious.domain.com'>info.paypal.com</a>? That is the usual case.
Otherwise, it would indicate that Paypal has been compromised.
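The distinction this reply draws, between the host a link's visible text names and the host its href actually goes to, as a check over an HTML mail body: an added example, not code from anyone on the list. The body and its hostnames are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body (not the actual mail): the visible text names
# info.paypal.com while the href points elsewhere, as the reply describes.
SAMPLE_HTML = """
<p>Dear Customer, please visit <a href="http://somedubious.domain.example/x?u=abc">
info.paypal.com</a> to update your browser.</p>
<p>Help centre: <a href="https://www.paypal.com/help">www.paypal.com/help</a></p>
<p>Or <a href='somedubious.domain.example'>info.paypal.com</a></p>
"""
HOSTNAME = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(s: str) -> str:
    """Hostname of a URL or bare domain (a scheme is added if missing)."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    try:
        return (urlparse(s).hostname or "").lower()
    except ValueError:  # e.g. stray brackets in link text
        return ""

def mismatched_links(html: str) -> list[tuple[str, str]]:
    """(visible text, real href) pairs whose text names a host the link does not go to."""
    p = LinkCollector()
    p.feed(html)
    out = []
    for href, text in p.links:
        shown = host_of(text)
        # Only link text that itself looks like a hostname is compared.
        if HOSTNAME.match(shown) and shown != host_of(href):
            out.append((text, href))
    return out
```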