eBay spoof using Linux servers
alexu.org.previewyoursite.com
The above site is the source (according to NeoTrace) of the latest "spoof" email I got that tries to get you to give up your eBay information. I have noticed a number of Linux test servers are now used for spoofing. What's up with this? Are the servers being hacked or are these folks somehow building servers for the purpose of spoofing?
If that was simply the "from" address of the email, then those are extremely easy to forge. To get a better idea of the source, look at the full email header for the originating address (still spoofable) or even better, if the phishing email contains html, look at the page source for the links to the hax0red site. From my experience, the "from header" is always forged, the originating address is usually a blacklisted spam-friendly machine, and the actual website that the html links point to is the only truly hacked server.
|
But to answer your original question, more than likely these are servers that are being p0wned. Why would you want to spend money on a server when there are plenty of boneheads on the net running unpatched servers that can be owned with minimal effort?
|
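As an added example (not part of the original thread), the checks described in the reply above can be scripted: list the relay IPs from the Received headers oldest-first, and compare each link's visible text with the host it really points to. The sample message, hosts and addresses are constructed placeholders, and the function names are this example's own.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; every host and address is a placeholder.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby mail.recipient.example with ESMTP; Mon, 1 Jan 2001 10:00:02 -0500
Received: from unknown (HELO ebay.example) (203.0.113.45)
\tby mx.recipient.example with SMTP; Mon, 1 Jan 2001 10:00:01 -0500
From: "eBay Billing" <aw-confirm@ebay.example>
Content-Type: text/html; charset="us-ascii"

<a href="http://compromised-host.example.net/signin.html">http://signin.ebay.example/</a>
"""
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):
    return (urlparse(url if "//" in url else "//" + url).hostname or "").lower()

def analyze(raw):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    # Each relay prepends its Received line, so reverse to get oldest-first.
    hop_ips = [IP_RE.findall(h) for h in reversed(msg.get_all("Received", []))]
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    links = []
    for href, text in collector.links:
        shown = host(text) if "." in text and " " not in text else ""
        links.append({"target": host(href), "shown": shown,
                      "mismatch": bool(shown) and shown != host(href)})
    return {"from_domain": from_domain, "hop_ips": hop_ips, "links": links}
```

Only the hop recorded by your own mail server is trustworthy; earlier Received lines and the From domain are supplied by the sender.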