An email with the subject "Your PayPal account has been limited" was
received in one of Scamdex's honeypot email accounts on Thu, 15 Mar 2012 04:17:33 -0700
and has been classified as a Generic Scam Email.
The sender shows as PayPal <security@onlineupdate.com>.
The email address was probably spoofed. Do not reply to or contact any persons or organizations referenced in
this email, or follow any URLs as you may expose yourself to scammers and, at the very least, you will be
added to their email address lists for spam purposes.
This is a (redacted) view of the raw email headers of this scam email.
Personally Identifiable Information (PII) has been suppressed, but can be
supplied as received to appropriate investigating or law enforcement agencies on request.
stdClass Object
(
[return-path:] =>
[envelope-to:] => cj@scamdex.com
[delivery-date:] => Thu, 15 Mar 2012 04:17:33 -0700
[received:] => Array
(
[0] => from sophosfilter.brownwoodisd.org ([72.21.97.132]) by lester.newsblaze.com with esmtp (Exim 4.69) (envelope-from ) id 1S88gV-0002A9-Hr for cj@scamdex.com; Thu, 15 Mar 2012 04:17:33 -0700
[1] => from sophosFilter.brownwoodisd.org (localhost.localdomain [127.0.0.1]) by localhost (Email Security Appliance) with SMTP id B74C69F3DEA_F61CFC8B for ; Thu, 15 Mar 2012 11:17:28 +0000 (GMT)
[2] => from onlineupdate.com (unknown [74.120.43.171]) by sophosFilter.brownwoodisd.org (Sophos Email Appliance) with ESMTP id 757269F7570_F61CFC2F for ; Thu, 15 Mar 2012 11:17:22 +0000 (GMT)
)
[from:] => PayPal
[to:] => cj@scamdex.com
[subject:] => Your PayPal account has been limited
[date:] => 15 Mar 2012 07:18:05 -0400
[message-id:] => <20120315071805.294D643C492E6640@onlineupdate.com>
[mime-version:] => 1.0
[content-type:] => text/html;charset="iso-8859-1"
[content-transfer-encoding:] => quoted-printable
[x-sea-spam:] => Gauge=XXXXXXXXXX, Probability=100%, Report='KNOWN_SPAM_CONTENT 8, URI_CLASS_SCAM_DOMAIN 8, PHISH_PAYPAL_FROM_NO_RECEIVED 5.5, PHISH_IP_2 4, PHISH_SUBJ_HIGH 1.75, KNOWN_PHISHING_FROM_AND_URL_IP 1.5, PHISH_PHRASE_X3 1.5, PHISH_SUBJ_MED 1.25, CTYPE_JUST_HTML 0.848, PHISH_SUBJ_LOW 0.5, HTML_50_70 0.1, FROM_NAME_ONE_WORD 0.05, SUPERLONG_LINE 0.05, BODYTEXTH_SIZE_10000_LESS 0, BODY_SIZE_6000_6999 0, BODY_SIZE_7000_LESS 0, DATE_TZ_NA 0, IP_HTTP_ADDR 0, LINK_TO_IMAGE 0, URI_ENDS_IN_PHP 0, __ANY_URI 0, __CANPHARM_COPYRIGHT 0, __CT 0, __CTE 0, __CTYPE_HTML 0, __CTYPE_IS_HTML 0, __HAS_HTML 0, __HAS_MSGID 0, __MIME_HTML 0, __MIME_HTML_ONLY 0, __MIME_VERSION 0, __PHISH_FROM 0, __PHISH_FROM2 0, __PHISH_PAYPAL_FROM 0, __PHISH_PHRASE2 0, __PHISH_PHRASE5 0, __PHISH_PHRASE7 0, __PHISH_SPEAR_GREETING 0, __PHISH_SPEAR_SUBJECT 0, __PHISH_SUBJ_PHRASE1 0, __PHISH_SUBJ_PHRASE2 0, __PHISH_SUBJ_PHRASE4 0, __SANE_MSGID 0, __SUBJ_ALPHA_END 0,__TAG_EXISTS_HTML 0, __TEXT_SIG_ANY 0, __TO_MALFORMED_2 0, __TO_NO_NAME 0, __URI_CLASS_ANY 0, __URI_NO_MAILTO 0'
[x-spam-status:] => No, score=1.9
[x-spam-score:] => 19
[x-spam-bar:] => +
[x-ham-report:] => Spam detection software, running on the system "lester.newsblaze.com", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: Notice of Limited Account Access Dear PayPal Member, Unfortunately
one of your recent transaction with PayPal is not successful because your
PayPal account has been limited. It is a measure taken to protect your account
and help ensure the safety of the PayPal platform. We want to help remove
this limitation as soon as possible so he can continue to take advantage
of the benefits of PayPal. [...]

Content analysis details: (1.9 points, 4.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 NORMAL_HTTP_TO_IP      URI: Uses a dotted-decimal IP address in URL
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.0 MIME_QP_LONG_LINE      RAW: Quoted-printable line longer than 76 chars
 0.3 FROM_12LTRDOM          From a 12-letter domain
 0.5 SINGLE_HEADER_1K       A single header contains 1K-2K characters
[x-spam-flag:] => NO
)
Domain Names used for collecting scam email ("Honeypot email accounts") have been obscured and replaced with the token 'HUN1P0T'
Notice of Limited Account Access
Dear PayPal Member,
Unfortunately one of your recent transaction with PayPal is not successful because your PayPal account has been limited. It is a measure taken to protect your account and help ensure the safety of the PayPal platform. We want to help remove this limitation as soon as possible so he can continue to take advantage of the benefits of PayPal.
How To remove the restriction
To remove the restriction on the account, to know why and know what
features are not used at the time, just 3 easy steps:
We apologize for the inconvenience and thank you for your cooperation.
If you need help logging in, go to our Help Center by clicking the Help link located in the upper right-hand corner of any PayPal page.
Sincerely,
PayPal
Please do not reply to this email. We are unable to respond to inquiries sent to this address. For immediate answers to your questions, visit our Help Center by clicking "Help" at the top of any PayPal page.