An
Email with the Subject "You or someone had used your account from different locations" was
received in one of Scamdex's honeypot email accounts on Mon, 05 Mar 2012 01:09:03 -0800
and has been classified as a Phishing, ID Theft Scam Email.
The sender shows as PayPal <security@onlineupdate.com>.
The email address was probably spoofed. Do not reply to or contact any persons or organizations referenced in
this email, or follow any URLs as you may expose yourself to scammers and, at the very least, you will be
added to their email address lists for spam purposes.
This a (redacted) view of the raw email headers of this scam email.
Personally Identifiable Information (PII) has been suppressed, but can be
supplied as received to appropriate investigating or law enforcement agencies on request.
EEEEEstdClass Object
(
[return-path:] =>
[envelope-to:] => mxw@scamdex.com
[delivery-date:] => Mon, 05 Mar 2012 01:09:05 -0800
[received:] => Array
(
[0] => from mail.e-mice.net ([202.85.49.90] helo=emicemail.e-mice.net)by lester.newsblaze.com with esmtp (Exim 4.69)(envelope-from )id 1S4Tuc-0007ES-W5for mxw@scamdex.com; Mon, 05 Mar 2012 01:09:03 -0800
[1] => from onlineupdate.com ([74.120.43.171]) by emicemail.e-mice.net with Microsoft SMTPSVC(5.0.2195.7381); Mon, 5 Mar 2012 17:02:55 +0800
)
[from:] => PayPal
[to:] => mxw@scamdex.com
[subject:] => You or someone had used your account from different locations
[date:] => 05 Mar 2012 04:05:15 -0500
[message-id:] => <20120305040515.5D98CB3046349DE2@onlineupdate.com>
[mime-version:] => 1.0
[content-type:] => text/html;charset="iso-8859-1"
[content-transfer-encoding:] => quoted-printable
[x-originalarrivaltime:] => 05 Mar 2012 09:02:56.0218 (UTC) FILETIME=[C15BE3A0:01CCFAAE]
[x-spam-status:] => No, score=3.5
[x-spam-score:] => 35
[x-spam-bar:] => +++
[x-ham-report:] => Spam detection software, running on the system "lester.newsblaze.com", hasidentified this incoming email as possible spam. The original messagehas been attached to this so you can view it (if it isn't spam) or labelsimilar future email. If you have any questions, seethe administrator of that system for details.Content preview: You or someone had used your account from different locationsDear PayPal Member, We recently reviewed your account, and we are suspectingthat your PayPal account may have been accessed from an unauthorized computer.[...] Content analysis details: (3.5 points, 4.0 required)pts rule name description---- ---------------------- --------------------------------------------------1.6 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT[202.85.49.90 listed in bb.barracudacentral.org]0.7 HTML_IMAGE_ONLY_20 BODY: HTML: images with 1600-2000 bytes of words0.0 HTML_MESSAGE BODY: HTML included in message1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts0.0 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars0.0 T_REMOTE_IMAGE Message contains an external image
[x-spam-flag:] => NO
)
Domain Names used for collecting scam email ("Honeypot email accounts") have been obscured and replaced with the token 'HUN1P0T'
Community Action - SPAM/non-Scam Report
Occasionally, incorrectly categorized emails get into the Scamdex Scam Email Database and need to be removed. If this
email has Personally Identifiable Information (PII), or is, in your opinion, from a bona-fide entity, let us know.
Scamdex will, as soon as is practicable, take-down any emails that in our opinion should not
be in our database. Note that ALL emails in the Scamdex Scam Email Database were received as Unsolicited Commercial Email, aka UCE or
SPAM, via unpublished 'Honeypot' email addresses.