I received an email today, supposedly from PayPal. Although the content was legit, with no fake/spoofed domains and no instructions to do anything silly, when I examined the header I was convinced it was a phish. Take a look:
Received: from mx0.slc.paypal.com (mx0.slc.paypal.com [173.0.84.225])
    by redacted (Postfix) with ESMTP id 6120840E15
    for <redacted>; Thu, 21 Feb 2013 11:09:29 +0000 (GMT)
MaxCode-Template: appeals-request-more-info
content-type: text/plain; charset=utf-8
X-XPT-XSL-Name: email_attack/default/en_GB/account/security/AppealsRequestMoreInfo.xsl
X-Email-Type-Id: PP821
X-managedapps-av01-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
    score=-4.585, required 6, FILL_THIS_FORM_FRAUD_PHISH 0.40,
    RCVD_IN_DNSWL_HI -5.00, SPF_PASS -0.00, T_DKIM_INVALID 0.01,
    T_FILL_THIS_FORM_SHORT 0.01)
Received-SPF: pass(paypal.co.uk: domain of
    pp._spf.paypal.com designates 173.0.84.225 as permitted sender)
The key thing that rang all my alarm bells was this line:
X-XPT-XSL-Name: email_attack/default/en_GB/account/security/AppealsRequestMoreInfo.xsl
But as a precaution, I logged in to PayPal (using normal methods -- no files were opened, no links clicked, even the email I'm quoting wasn't actually opened -- I was examining the raw text form of it while it was still in the mailbox) and what do you know -- I get a message saying they want more information, with the same reference as in the email. Everything about the site was legit -- it had all my account history, my details, EV cert in place, etc etc. I then checked on my mobile (mobile network, different DNS etc etc, has different AV) and got the same message on login. So for this to be a spoof then ... boy oh boy am I in trouble, because I'm absolutely fooled and they have managed to get malware on two PCs and on my mobile, all just to get photo ID from me.
Even so, I just can't see any way to explain away the
email_attack/default/en_GB/account/security/AppealsRequestMoreInfo.xsl
Any suggestions?
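As an added example (not part of the post above), the header triage a responder would run on this message in Python: it unfolds the quoted headers, cross-checks the SPF-designated IP against the outermost Received hop, pulls the SpamAssassin rule hits and checks they add up to the reported score, and flags the odd template path. The redacted hosts are replaced with placeholder names; nothing here resolves DNS, so it runs offline.

```python
import re
from email.parser import HeaderParser

# Constructed sample: the header block quoted in the post, with the redacted
# hosts replaced by placeholders and continuation lines indented (RFC 5322 folding).
RAW_HEADERS = (
    "Received: from mx0.slc.paypal.com (mx0.slc.paypal.com [173.0.84.225])\n"
    "\tby mx.example.invalid (Postfix) with ESMTP id 6120840E15\n"
    "\tfor <user@example.invalid>; Thu, 21 Feb 2013 11:09:29 +0000 (GMT)\n"
    "MaxCode-Template: appeals-request-more-info\n"
    "content-type: text/plain; charset=utf-8\n"
    "X-XPT-XSL-Name: email_attack/default/en_GB/account/security/AppealsRequestMoreInfo.xsl\n"
    "X-Email-Type-Id: PP821\n"
    "X-managedapps-av01-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,\n"
    "\tscore=-4.585, required 6, FILL_THIS_FORM_FRAUD_PHISH 0.40,\n"
    "\tRCVD_IN_DNSWL_HI -5.00, SPF_PASS -0.00, T_DKIM_INVALID 0.01,\n"
    "\tT_FILL_THIS_FORM_SHORT 0.01)\n"
    "Received-SPF: pass(paypal.co.uk: domain of\n"
    "\tpp._spf.paypal.com designates 173.0.84.225 as permitted sender)\n"
)

RCVD = re.compile(r"from\s+(\S+)\s+\(\S+\s+\[([\d.]+)\]\)")          # host and IP of the hop
SPF = re.compile(r"^(\w+)\s*\(\S+:\s*domain of\s+(\S+)\s+designates\s+([\d.]+)")
SA_SCORE = re.compile(r"score=(-?[\d.]+),\s*required\s+([\d.]+)")
SA_RULE = re.compile(r"\b([A-Z][A-Z0-9_]+)\s+(-?\d+\.\d+)")           # RULE_NAME score pairs

def unfold(value):
    return re.sub(r"\r?\n[ \t]+", " ", value or "").strip()  # join folded continuation lines

def triage(raw):
    """Pull the facts a responder needs from the headers into one dict."""
    msg = HeaderParser().parsestr(raw, headersonly=True)
    rcvd = RCVD.search(unfold(msg.get("Received")))           # outermost (most recent) hop
    spf = SPF.search(unfold(msg.get("Received-SPF")))
    sa = unfold(msg.get("X-managedapps-av01-MailScanner-SpamCheck"))
    score, required = (float(x) for x in SA_SCORE.search(sa).groups())
    rules = {name: float(val) for name, val in SA_RULE.findall(sa)}
    template = msg.get("X-XPT-XSL-Name", "")
    return {
        "relay_host": rcvd.group(1), "relay_ip": rcvd.group(2),
        "spf_result": spf.group(1), "spf_domain": spf.group(2),
        # SPF pass only says this relay may send for the domain; it says nothing about content.
        "spf_ip_matches_relay": spf.group(3) == rcvd.group(2),
        "dkim_invalid": "T_DKIM_INVALID" in rules,
        "score": score, "required": required,
        "score_matches_rules": abs(sum(rules.values()) - score) < 0.01,  # displayed scores are rounded
        "phish_rules": sorted(r for r in rules if "PHISH" in r or "FRAUD" in r),
        "template_path": template, "template_looks_odd": "attack" in template.lower(),
    }
```

Run against the sample, the result shows SPF pass from the same IP as the relay, an invalid DKIM signature, a content rule hit that is outweighed by the DNS whitelist score, and the template path that prompted the question; that combination is what a triage report should surface rather than the bare "not spam" verdict.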