Every two days, a phisher throws me a hook. Today’s hook was an email disguised as PayPal; it informed me that someone tried to add an email address to my PayPal account.
I couldn’t prevent myself from looking at either the email headers or the raw source¹; it was good for a laugh!
Ok, so I looked at the raw source. My email contained a link whose text might suggest it goes here:
https://www.paypal.com/
But, anyone who has created even one web page knows the web author can make the text match the link or not, as they prefer. Phishers prefer they don’t match. Examining the HTML, what do I see? If I clicked on it, the browser would send me to:
http://www.google.de/url?sa=U&start=4&q=http://218.158.9.7/webmail/java/index.php
Surely that’s not a mismatch! Of course PayPal’s security team would send me to visit Google to resolve a security issue. Not just Google, but Google’s German language web site (note the .de ending). Not just the German language web site, but they’d tack on some sort of Google redirect to send me to servers with this IP address: 218.158.9.7.
All that redirection is so much simpler than just writing a link that sends me straight to PayPal’s site!
So, who or where is IP 218.158.9.7?
Well, I ran a “whois”, which resulted in a fairly uninformative record. “Whois” usually tells you a lot about who owns an IP address; the only thing I could tell was the company owning this server is located in Korea.
Now, who would doubt this email came from PayPal?
As Ron Popeil might say, “But Wait! There’s more!”
The headers say the message originated from a Yahoo address:
Received: from unknown (HELO User) (3@datengatumati.info@69.74.45.97 with login) by smtp101.biz.mail.re2.yahoo.com with SMTP; 11 Aug 2005 12:49:46 -0000
See the “by smtp101.biz.mail.re2.yahoo.com”? Of course, a teeny-tiny company like PayPal would send their mail through a free, likely nearly untraceable Yahoo email account! I’ll admit I don’t know what everything in the string I pasted means, but I couldn’t help running a “whois” on datengatumati.info, which sounds hauntingly similar to “paypal.com”, right? “Datengatumati.info” is registered to some guy who claims he lives in New Jersey, but gives California Yahoo as his billing address.
Of course a teeny-tiny company like PayPal would send out their security warnings by way of a company with a Yahoo billing address!
But, let’s look at the spam status to find the kicker:
X-Spam-Status: No, score=4.3 required=5.0 tests=AWL,BAYES_05, FORGED_MUA_OUTLOOK,FORGED_OUTLOOK_HTML,HTML_30_40,HTML_MESSAGE, HTML_TITLE_EMPTY,MIME_HTML_ONLY,MISSING_HEADERS,NORMAL_HTTP_TO_IP, NO_REAL_NAME,URI_REDIRECTOR autolearn=no version=3.0.4
Of course PayPal would send me an email with “MISSING_HEADERS”, with repeated appearances of the word “FORGED”, and provided “NO_REAL_NAME” as the contact.
My only real question is why didn’t my spam filter just delete this? Oh well.
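As an added example (my own code, not from the original post), here is a small Python check that does by script what the post does by eye: it compares the link text the reader sees with the href the browser would follow, unwraps a Google-style redirector to the real destination, flags a bare IP address, and pulls the FORGED_* test names out of the X-Spam-Status line. The sample values are the ones quoted in the post; the redirect parameter names other than “q” are an assumption.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample input, taken from the values quoted in the post.
ANCHOR_TEXT = "https://www.paypal.com/"           # what the reader sees
ANCHOR_HREF = ("http://www.google.de/url?sa=U&start=4&q="
               "http://218.158.9.7/webmail/java/index.php")  # where it really goes
SPAM_STATUS = ("No, score=4.3 required=5.0 tests=AWL,BAYES_05, FORGED_MUA_OUTLOOK,"
               "FORGED_OUTLOOK_HTML,HTML_30_40,HTML_MESSAGE, HTML_TITLE_EMPTY,"
               "MIME_HTML_ONLY,MISSING_HEADERS,NORMAL_HTTP_TO_IP, NO_REAL_NAME,"
               "URI_REDIRECTOR autolearn=no version=3.0.4")  # folded header, as in the post

IP_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def final_destination(href):
    """Unwrap a redirector link (.../url?q=<target>) to the URL it really
    points at; returns href unchanged if it is not a redirector."""
    parsed = urlparse(href)
    for key in ("q", "url", "u"):   # parameter names are an assumption; "q" is from the post
        target = parse_qs(parsed.query).get(key)
        if target and urlparse(target[0]).scheme in ("http", "https"):
            return target[0]
    return href

def link_findings(text, href):
    """Compare the displayed link text with the href the browser would follow."""
    findings = []
    shown = urlparse(text if "://" in text else "http://" + text).hostname
    real = urlparse(href).hostname
    dest = final_destination(href)
    dest_host = urlparse(dest).hostname
    if shown and real and shown != real:
        findings.append(f"display/href mismatch: shows {shown}, goes to {real}")
    if dest != href:
        findings.append(f"redirector on {real} forwards to {dest_host}")
    if dest_host and IP_LITERAL.match(dest_host):
        findings.append(f"destination is a bare IP address: {dest_host}")
    return findings

def spam_tests(status_line):
    """Return the SpamAssassin test names from an X-Spam-Status value,
    tolerating the whitespace left by header folding."""
    m = re.search(r"tests=(.*?)(?:\s+\w+=|$)", status_line, re.S)
    return re.sub(r"\s+", "", m.group(1)).split(",") if m else []

def forged_tests(status_line):
    """Only the tests that say a header was forged."""
    return [t for t in spam_tests(status_line) if t.startswith("FORGED_")]

if __name__ == "__main__":
    for line in link_findings(ANCHOR_TEXT, ANCHOR_HREF) + forged_tests(SPAM_STATUS):
        print(line)
```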
What did I do?
Well, I wrote this article. I did not click any links in the email; I just hit “delete”.
Yes. I’m lazy. If I’d wanted to be a really good girl, I’d have opened my browser, typed “http://www.paypal.com” by hand, found the real PayPal’s complaint department and sent them a copy of the email, including the headers.
Chances are, someone will be a good girl and tell PayPal. Maybe PayPal will shut this particular phisher down; then he’ll pop up again. And I’m sure, from time to time, some of these spammy phishing emails will make it through my spam filter, and warn me about problems with my PayPal account!
Gotta love the internet!
1. I use “Mail”, which comes with my iMac. To see the headers, I pull down “View”, then “View Long Headers”; to see the source, I select “Raw Source”. All mail software has some method to let you see these things.
Lucia Liljegren: Copyright 2005-2007 Rights to all site content including knitting patterns, generators and haikus reserved.