hundreds of paypal user names/emails

zapcojake · 06-09-2007, 11:16 PM

Hello, I received and email from paypal today that was supposed to have information about my account. It instead contained hundreds of usernames and or emails. I have contacted paypal about this but received no response.

St.Jimmy · 06-09-2007, 11:31 PM

are you sure it's from paypal?

zapcojake · 06-09-2007, 11:38 PM

The address checks out, the subject line was restore your account and my account had been limited, and the email didn't ask me for any information and there are no links to follow only hundreds of email addresses from legitimate email providers. Hotmail, and hushmail just to name a couple. Over 36,000 characters in all. There are also some linux.org addresses in it.

pixellany · 06-10-2007, 08:15 AM

Sounds for sure to be a scam.

When you say "the address checks out", how did you determine that?

zapcojake · 06-10-2007, 08:31 AM

Its the same address as they have been using to contact me. Plus the email doesn't ask for any of my information or have any links to follow. I have been checking some of the addresses it contains and they are valid. Some of them are addresses tied to websites.
I would be glad to post a snippet from it if I know its legal/moral to do so. I'm trying to cry wolf here I just want to make people aware of what happened. There are some addresses from places like linux.org and linuxmafia in it. I have googled some of the ones that sounded like websites and they are real.

pixellany · 06-10-2007, 08:40 AM

Can you forward the e-mail to me? (Use the address in my website(link below)--in the "about" link at the bottom of each page.)

zapcojake · 06-10-2007, 08:59 AM

Its done. I have contacted some of the mail providers but haven't heard back.

masonm · 06-10-2007, 09:22 AM

You should probably forward the entire email to Paypal's fraud department.

pixellany · 06-10-2007, 09:30 AM

<<Time out while we look at the headers which OP will be sending me>>

zapcojake · 06-10-2007, 09:44 AM

1539 addresses.

pixellany · 06-10-2007, 10:05 AM

It's a scam alright---OP can publish the details if he chooses.....

zapcojake · 06-10-2007, 10:26 AM

Bingo!!--it is a scam. The tipoff is this line:

Received: from server1.ddf.com.br ([67.15.60.8])

Here is the result of a whois search:

mherring@1[grub]$ whois server1.ddf.com.br

% Copyright (c) Nic.br
% The use of the data below is only permitted as described in
% full by the terms of use (http://registro.br/termo/en.html),
% being prohibited its distribution, comercialization or
% reproduction, in particular, to use it for advertising or
% any similar purpose.
% 2007-06-10 10:55:39 (BRT -03:00)

% Query rate limit exceeded. Reduced information.
% Use https://registro.br/cgi-bin/avail/ for domain availability.

domain: ddf.com.br
owner: Daniel de Melo Franqueira ME (682010)

% Security and mail abuse issues should also be addressed to
% cert.br, http://www.cert.br/, respectivelly to cert@cert.br
% and mail-abuse@cert.br
%
% whois.registro.br accepts only direct match queries. Types
% of queries are: domain (.br), ticket, provider, ID, CIDR
% block, IP and ASN.

Going to registro.br confirms that they are in fact in Brazil.

I would definitely pass this on to Paypal (use an address for them that
you know to be good)

jiml8 · 06-10-2007, 02:40 PM

Stupid phishers can't even get their scam emails constructed properly...

sheesh.

zapcojake · 06-10-2007, 02:58 PM

I'd rather deal with a poor attempt than a good one.

Dragineez · 06-11-2007, 05:32 PM

Always forward paypal phishing attempts (including full header) to spoof at paypal.com. Nothing may happen in the short term, but it this scumbag ever does come before the bar paypal will make sure he gets the hammer award - or perhaps the sledgehammer award.