# Another Paypal Scammer



## Pudsey_Bear (Sep 25, 2008)




----------



## talogon (Aug 12, 2009)

Kev you can be sure this will catch plenty out. that's why they keep on coming.
Brian


----------



## pippin (Nov 15, 2007)

Since when has there ever been a plural form of "information*s*"?!!

Send it straight to spoof at paypal dot co dot uk.


----------



## Pudsey_Bear (Sep 25, 2008)

My Gmail spam filter caught it a few days ago, I was just looking through to ensure I wasn't deleting any important messages before clearing the lot.


----------



## listerdiesel (Aug 3, 2012)

We get plenty of them, most get reported back to [email protected] with full header information so that the sites can be traced and shut down.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Mon, 18 Jan 2016 12:42:31 +0000
Received: from [212.135.6.206] (port=37399 helo=mailfilter3.mail.uk.easynet.net)
by store0.mail.uk.easynet.net with esmtp (Exim 4.80.1)
(envelope-from <[email protected]>)
id 1aL98h-0004XJ-6q
for [email protected]; Mon, 18 Jan 2016 12:42:31 +0000
Received: from mx2.mail.uk.easynet.net ([212.135.6.28]:33420)
by mailfilter3.mail.uk.easynet.net with esmtps (TLSv1HE-RSA-AES256-SHA:256)
(Exim 4.80.1)
(envelope-from <[email protected]>)
id 1aL99q-00072I-CB
for [email protected]; Mon, 18 Jan 2016 12:43:42 +0000
Received: from [188.40.242.147] (port=43632 helo=q1-147.quad-srv.de)
by mx2.mail.uk.easynet.net with esmtp (Exim 4.80.1)
(envelope-from <[email protected]>)
id 1aL99p-0006Sz-TA
for [email protected]; Mon, 18 Jan 2016 12:43:41 +0000
Received: from [155.133.64.178] (unknown [155.133.64.178])
by q1-147.quad-srv.de (Postfix) with ESMTPSA id 5EB1527168D
for <[email protected]>; Mon, 18 Jan 2016 13:17:41 +0100 (CET)
Content-Type: multipart/alternative; boundary="===============0813739018=="
MIME-Version: 1.0
Subject: *** PHISHING ***Multiple login attempt to your PayPal Account!
To: [email protected]
From: "PayPal" <[email protected]>
Date: Mon, 18 Jan 2016 13:39:06 +0100
Message-Id: <[email protected]>
Original-recipient: [email protected]
X-Easyfilter-Spam-Score: 3.0
X-Easyfilter-Spam-Report: tests=
* 1.2 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
*  [URIs: paypalverifynow.altervista.org]
* 0.0 HTML_MESSAGE BODY: HTML included in message
* -0.5 BAYES_05 BODY: Bayes spam probability is 1 to 5%
* [score: 0.0258]
* 2.2 DCC_CHECK Detected as bulk mail by DCC (dcc-servers.net)
X-Antispam: phishing, score=90
X-Antivirus: avast! (VPS 160118-0, 18/01/2016), Inbound message
X-Antivirus-Status: Clean
X-Agent-Received: from easynet (pop3.easynet.co.uk); Mon, 18 Jan 2016 12:56:31 +0000
X-Agent-Train-Legitimate: 0
X-Agent-Junk-Probability: 0
Mail message body

Dear Customer: 
This email was sent automatically by our system because we noticed multiple login attempt to your PayPal account from an unrecognized device on Saturday, Jan 16, 2016 1:57 PM from Calgary, Alberta Canada . Was this you? If this wasn't you, please follow the link below and review your account profile settings to make sure no changes have been made.

To start review your PayPal account profile settings please click here: Review Account Now!

If you did the login attempt, please ignore this email.

Please don't reply to this email. It'll just confuse the computer that sent it and you won't get a response. 
Copyright 2016 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95131. 
PayPal Email ID PP1469

*http://paypalverifynow.altervista.org/signin*
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

That last link is the hidden url from the "Review Account Now" button. I tried to colour it red but the forum software default for a url is blue.

As we don't view emails in html, we get the plain text version which makes it easier to sort out the details.

Peter


----------

