[CentOS] Paypal phishing warning

Thu Jun 9 09:00:27 UTC 2011
Giles Coochey <giles at coochey.net>

On Thu, June 9, 2011 10:51, Rudi Ahlers wrote:
> On Thu, Jun 9, 2011 at 8:39 AM, MR ZenWiz <mrzenwiz at gmail.com> wrote:
>> Sorry for the cross-post, and off-topic at that, but:
>>
>> This morning I received a very authentic looking email from
>> info.paypal.com, claiming that Paypal wanted me to update my browser.
>> (Really.)
>>
>> It had my name in it and all the right graphics and colors and
>> everything.
>>
>> Except that the from site was info.paypal.com (whoever they are: hint
>> - not paypal.com) and the links all had long obfuscated links in them.
>>
>> I verified with paypal that it was not legitimate, so I though you
>> might all be warned as well.
>>
>> You may now return to the appropriate technical discussions....
>
> If the mail came from info.paypal.com then I would suspect a "rogue
> insider job",  OR their servers could be compromised. No-one but the
> network / domain administrator(s) of paypal.com can actually set up a
> subdomain on their own server called info.paypal.com
>
> Even if I setup a domain called info.paypal.com on one of our servers,
> the links won't work and the phishing attempt would be void to start
> with.
>
> Are / were those links clickable? If So then I would raise it to their
> attention again that their servers could probably have been
> compromised
>

I imagine he means that the mail had a "From:" or even "Reply-To:" header
that came from info.paypal.com. Both these headers are trivially forged and
bear no connection to the origin of the mail. The only headers you can
trust on an email are the ones that have been inserted or changed by your
own mail servers.
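
The check Giles describes, as an added example that is not part of the thread: walk the Received: chain from the top (newest line first), trust only the lines stamped "by" a server you operate, and stop at the first hop that handed the message to one of yours. The "from" host and IP on that line are what your server actually saw; every Received: line below it, like the From: and Reply-To: headers, was written by whoever sent the mail. The server names (mx1/mx2.example.net), the Reply-To domain and the IP addresses in the sample message are constructed for the example; the From: address reuses the info.paypal.com host from the original post.

```python
import email
import email.utils
import re
from email import policy

# Hosts we operate (hypothetical names). Only Received: lines that one of
# these added can be trusted; everything the sender wrote is just text.
TRUSTED_MX = {"mx1.example.net", "mx2.example.net"}

# Common Received: shape: "from HELO (rdns [ip]) ... by HOST ..."
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*"
    r"(?:\((?P<rdns>[^\s\[\]()]*)\s*\[(?P<ip>[^\]]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)"
)

# Constructed sample: the top two Received: lines are ours, the third one
# (claiming the mail came from info.paypal.com) was supplied by the sender.
SAMPLE_PHISH = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
 by mx2.example.net (Postfix) with ESMTP id 1A2B3C
 for <user@example.net>; Thu, 9 Jun 2011 08:30:00 +0000
Received: from mail.lib.example.org (unknown [198.51.100.77])
 by mx1.example.net (Postfix) with ESMTP id 4D5E6F;
 Thu, 9 Jun 2011 08:29:59 +0000
Received: from info.paypal.com (info.paypal.com [203.0.113.5])
 by mail.lib.example.org with SMTP; Thu, 9 Jun 2011 08:29:50 +0000
From: "PayPal" <service@info.paypal.com>
Reply-To: support@mail-verify.example.com
To: user@example.net
Subject: Please update your browser

Your browser is out of date. Click here.
"""


def parse_received(value):
    """Return (helo, ip, by) from one Received: value, or None if unparseable."""
    m = RECEIVED_RE.search(" ".join(value.split()))  # unfold the header
    if not m:
        return None
    return m.group("helo"), m.group("ip"), m.group("by").rstrip(";").lower()


def first_untrusted_hop(msg):
    """Newest-first walk of Received: lines. Lines whose 'by' and 'from' are
    both ours are internal relays; the first line our server stamped with a
    foreign 'from' is the real handoff, and what follows it is untrusted."""
    for value in msg.get_all("Received", []):
        parsed = parse_received(value)
        if parsed is None:
            continue
        helo, ip, by = parsed
        if by not in TRUSTED_MX:
            break  # not written by us: the trustworthy part of the chain ended
        if helo.lower() in TRUSTED_MX:
            continue  # our own relay handing to our own relay
        return {"helo": helo, "ip": ip, "by": by}
    return None


def header_domain(msg, name):
    """Domain part of the address in a From:/Reply-To: style header."""
    addr = email.utils.parseaddr(str(msg.get(name, "")))[1]
    return addr.rpartition("@")[2].lower() or None


def assess(raw):
    """Summarise what our own servers saw against what the headers claim."""
    msg = email.message_from_string(raw, policy=policy.default)
    hop = first_untrusted_hop(msg)
    from_dom = header_domain(msg, "From")
    reply_dom = header_domain(msg, "Reply-To")
    flags = []
    if hop is None:
        flags.append("no Received: line from a trusted server; chain unusable")
    elif from_dom and not hop["helo"].lower().endswith(from_dom):
        flags.append(f"From: claims {from_dom} but our server received it "
                     f"from {hop['helo']} [{hop['ip']}]")
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To: goes to {reply_dom}, not {from_dom}")
    return {"hop": hop, "from_domain": from_dom,
            "reply_to_domain": reply_dom, "flags": flags}


if __name__ == "__main__":
    for line in assess(SAMPLE_PHISH)["flags"]:
        print("WARNING:", line)
```

The From-versus-sending-host comparison is a crude heuristic (legitimate bulk mail is routinely relayed by third-party senders), so treat it as a prompt to look closer rather than a verdict; the solid part is the hop: 198.51.100.77 is the address your MX accepted the connection from, regardless of what the forged Received: line underneath it says about paypal.com.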