[ale] new email scam: Paypal forgery

Fulton Green ale at FultonGreen.com
Wed Nov 5 09:12:32 EST 2003


Um, "microsoft.com" isn't compromised, and that's not MindSpring doing a
reverse-lookup.  Instead, "microsoft.com" is what the spamming relay
reported to MindSpring as its HELO value during the beginning of the SMTP
session, and the IP address in brackets (which is most likely the actual
address of the spamming relay) is within CableVision's cable modem network:

	$ host 24.188.106.56
	56.106.188.24.in-addr.arpa domain name pointer ool-18bc6a38.dyn.optonline.net.
	$ whois optonline.net
	(yadda yadda)
	(contacts with CableVision.com addresses)

Consumer broadband PCs infected with trojans are now the primary delivery
systems of choice for rogue spammers everywhere.  Swedish ISP Telia
recently stepped up its efforts against this type of attack (look through
this week's Slashdot headlines for more info).

On Wed, Nov 05, 2003 at 08:53:36AM -0500, James P. Kinney III wrote:
> What a scam!!! The really interesting part is the source according to
> mindspring dns service is microsoft.com. So it looks like a M$ machine
> has been compromised!! I especially like the deliberate mis-spelling of
> Paypal to use the "I" instead of "l".
> 
> 
> Return-Path: <usersupports4 at paypal.com>
> Received: from holt.mail.atl.earthlink.net (holt.mail.mindspring.net
>         [207.69.200.187]) by moat.localnetsolutions.com (8.12.8/8.12.8) with ESMTP
>         id hA52UHEE032685 for <jkinney at castle.localnetsolutions.com>;
>         Tue, 4 Nov 2003 21:30:17 -0500
> Received: from carus-z.mspring.net ([207.69.231.92] helo=carus.mspring.net)
>         by holt.mail.atl.earthlink.net with smtp (Exim 3.33 #1) id 1AHDR4-000399-00
>         for jkinney at castle.localnetsolutions.com; Tue, 04 Nov 2003 21:30:18 -0500
> X-MindSpring-Loop: jkinney at localnetsolutions.com
> Received: from microsoft.com ([24.188.106.56]) by carus.mspring.net
>         (Earthlink Mail Service) with SMTP id 1ahdr33h3Nl5tW0 for
>         <jkinney at localnetsolutions.com>; Tue, 4 Nov 2003 21:30:17 -0500 (EST)
> Date: Wed, 05 Nov 2003 02:51:15 +0000
> From: PayPal <usersupports4 at paypal.com>
> Subject: PayPaI officiaI notice

(rest of spam deleted for brevity)
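
The reading of the Received chain given in this reply, as an added example that is not part of the original post: it walks the quoted headers from newest to oldest, trusts only lines written by the recipient's own relays, and reports the first hop handed in from outside, with the HELO claim set beside the PTR name for the bracketed IP. The trusted-suffix list is an assumption taken from the relay names visible in the headers, and PAGE_PTR stands in for DNS using only the `host` result shown above.

```python
import re
import socket
# Received headers from the quoted message, unfolded to one line each.
RECEIVED = [
    "from holt.mail.atl.earthlink.net (holt.mail.mindspring.net [207.69.200.187]) "
    "by moat.localnetsolutions.com (8.12.8/8.12.8) with ESMTP id hA52UHEE032685",
    "from carus-z.mspring.net ([207.69.231.92] helo=carus.mspring.net) "
    "by holt.mail.atl.earthlink.net with smtp (Exim 3.33 #1) id 1AHDR4-000399-00",
    "from microsoft.com ([24.188.106.56]) by carus.mspring.net "
    "(Earthlink Mail Service) with SMTP id 1ahdr33h3Nl5tW0",
]
# Assumption: the recipient's relay and its provider's mail hosts are trusted.
TRUSTED = (".localnetsolutions.com", ".earthlink.net", ".mindspring.net", ".mspring.net")
# Offline stand-in for DNS, holding only the `host` result shown in the post.
PAGE_PTR = {"24.188.106.56": "ool-18bc6a38.dyn.optonline.net"}
PATTERN = re.compile(
    r"from\s+(?P<name>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9.]+)\]"
    r"(?:\s+helo=(?P<helo>\S+?))?\)\s+by\s+(?P<by>\S+)")

def parse(header):
    m = PATTERN.search(header)
    if m is None:
        return None
    d = m.groupdict()
    # Exim form: name after "from" is the receiver's lookup, helo= is the
    # client's claim. In the other two forms that name is the HELO string.
    helo = d["helo"] or d["name"]
    ptr = d["rdns"] or (d["name"] if d["helo"] else None)
    return {"helo": helo, "ptr": ptr, "ip": d["ip"], "by": d["by"]}

def system_ptr(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def boundary_hop(headers, trusted, ptr_lookup=system_ptr):
    """Walk newest to oldest; return the first hop handed in from outside `trusted`."""
    for header in headers:
        hop = parse(header)
        if hop is None or not hop["by"].endswith(trusted):
            return None  # written by a host we do not trust: stop reading
        hop["ptr"] = hop["ptr"] or ptr_lookup(hop["ip"])
        if not (hop["ptr"] or "").endswith(trusted):
            hop["helo_matches_ptr"] = hop["helo"].lower() == (hop["ptr"] or "").lower()
            return hop
    return None

if __name__ == "__main__":
    print(boundary_hop(RECEIVED, TRUSTED, PAGE_PTR.get))
```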


