Re: WARNING: New scam Message #2 Posted by Howard Owen on 13 Jan 2006, 10:50 p.m., in response to message #1 by Vassilis Prevelakis
I've been getting a lot of these. They usually ask questions such as "what forms of payment do you accept for your item?" Aside from the fact that the reply URL, as you point out, is spoofed, and actually points to some other site than eBay, the mail headers should also show a spoof in the last Received: header listed. The last header listed should be the first one generated. But sometimes the miscreants add phony Received: headers so the first real one isn't the last one listed. Regardless, the first real Received: header usually contains a spoof of the originating system's name. Knowing this can be helpful in identifying malicious mail when other clues are inconclusive.
For example, here's a sample from a virus laden mail that hit my mailbox a couple of weeks back:
Received: from vansbro.se (ASt-Lambert-151-1-23-237.w82-120.abo.wanadoo.fr [82.120.234.237]) by [...]
So this one claimed to be from 'vansbro.se' but actually originated from 'ASt-Lambert-151-1-23-237.w82-120.abo.wanadoo.fr'.
|