posted on December 26, 2006 10:36:33 PM new
Received this a few minutes ago. I clicked on the link, didn't enter any info, & the address showed up with https & the padlock was in the lower left corner.
The email was not in My eBay.
If it's a spoof then how did they get the https & padlock to show?
Thought someone could tell by the headers where it came from.
I have nothing listed & didn't bid on anything so have no idea what activity they are talking about.
I hope it's a spoof, I want to list tomorrow.
Subj: Account Review: 94446
Date: 12/26/2006 11:14:14 PM Eastern Standard Time
From: [email protected]
Dear eBay Member,
We are contacting you to inform you our Account Review Team
identified some unusual activity in your account.
In accordance with our rules and to ensure that your account
has not been compromised, access to your account was limited.
Your account access will remain limited until this issue is
resolved.
To secure your account and quickly restore full access we will
require some additional information from you.
Please, click the link bellow in order to fulfill the Security
Team requirements:
e B a y - C u s t o m e r S e r v i c e
The process is mandatory, and if not completed, your account
will be subject to temporary suspension.
Regards,
Chasity Pope
eBay Inc - Security.
----------------------- Headers --------------------------------
Return-Path: <[email protected]>
Received: from rly-yb06.mx.aol.com (rly-yb06.mail.aol.com [172.18.205.138]) by air-yb01.mail.aol.com (v114.2) with ESMTP id MAILINYB13-6934591f2fc2a0; Tue, 26 Dec 2006 23:14:12 -0500
Received: from smtp-4.orange.nl (smtp-4.orange.nl [193.252.22.249]) by rly-yb06.mx.aol.com (v114.2) with ESMTP id MAILRELAYINYB61-6934591f2fc2a0; Tue, 26 Dec 2006 23:13:49 -0500
Received: from smtp-4.orange.nl (mwinf6307 [10.232.3.37])
by mwinf6310.orange.nl (SMTP Server) with ESMTP id 24725700EC1E
for <[email protected]>; Wed, 27 Dec 2006 04:54:32 +0100 (CET)
Received: from me-wanadoo.net (localhost [127.0.0.1])
by mwinf6307.orange.nl (SMTP Server) with ESMTP id 9A4237000089
for <[email protected]>; Wed, 27 Dec 2006 04:54:23 +0100 (CET)
Received: from c3eea34f7.cable.wanadoo.nl (c514751ac.cable.wanadoo.nl [81.71.81.172])
by mwinf6307.orange.nl (SMTP Server) with SMTP id E74C87000084
for <[email protected]>; Wed, 27 Dec 2006 04:54:22 +0100 (CET)
X-ME-UUID: [email protected]
From: <[email protected]>
Subject: Account Review: 94446
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable
Date: Tue, 26 Dec 2006 22:45:25 -0500
Message-Id: <[email protected]>
To: undisclosed-recipients: ;
X-AOL-IP: 193.252.22.249
X-AOL-SCOLL-SCORE: 1:2:486145364:13421772
X-AOL-SCOLL-URL_COUNT: 3
posted on December 26, 2006 10:54:37 PM new
Sounds like a spoof - I think the bad guys can make padlocks show and dummy up the https. Before you get too far in listing tomorrow, try launching one listing (do it directly through ebay) to make sure it goes through. If you really are having problems with your account, I think you will see warnings when you try to launch and can deal with it then.
I am not an expert in reading the path, but it looks to me like that one is coming from the Netherlands (.nl) - not ebay.
-------------------------------------
posted on December 26, 2006 11:21:17 PM new
neglus, thanks for the help, really needed it.
I will list my first auction through eBay & see how it goes.
I had no idea anyone could mess with the https or padlock. Nothing sacred anymore, thought that was the gold standard for security.
Won't be long before spoofs figure out how to get messages into your My eBay.
posted on December 26, 2006 11:44:45 PM new
That header is full of bogus stuff and shows it to be NOT from ebay. The IP and all that stuff is a dead giveaway it is bogus mail.
WHOIS Record For 81.71.81.172
Record Type: IP Address
NetRange: 81.0.0.0 - 81.255.255.255
CIDR: 81.0.0.0/8
NetName: 81-RIPE
NetHandle: NET-81-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: NS-EXT.ISC.ORG
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate:
Updated: 2005-07-27
**************
Check it out
[ edited by irked on Dec 26, 2006 11:53 PM ]
posted on December 27, 2006 01:19:10 AM new
Parsing header:
0: Received: from rly-yb06.mx.aol.com (rly-yb06.mail.aol.com [172.18.205.138]) by air-yb01.mail.aol.com (v114.2) with ESMTP id MAILINYB13-6934591f2fc2a0; Tue, 26 Dec 2006 23:14:12 -0500
Internal handoff or trivial forgery
1: Received: from smtp-4.orange.nl (smtp-4.orange.nl [193.252.22.249]) by rly-yb06.mx.aol.com (v114.2) with ESMTP id MAILRELAYINYB61-6934591f2fc2a0; Tue, 26 Dec 2006 23:13:49 -0500
Hostname verified: smtp-4.orange.nl
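An added example, not part of the original thread: the header reading done by hand in the posts above, written as Python and run over the Received lines of the quoted message (trimmed to their from/by clauses). The function names are hypothetical, and `ebay.com` as the domain a genuine message would relay through is an assumption, since the From address is redacted on the page.

```python
import ipaddress
import re

# Received lines from the message quoted in this thread, newest first,
# trimmed to their from/by clauses (ids, dates and recipients dropped).
RECEIVED = [
    "from rly-yb06.mx.aol.com (rly-yb06.mail.aol.com [172.18.205.138]) by air-yb01.mail.aol.com",
    "from smtp-4.orange.nl (smtp-4.orange.nl [193.252.22.249]) by rly-yb06.mx.aol.com",
    "from smtp-4.orange.nl (mwinf6307 [10.232.3.37]) by mwinf6310.orange.nl",
    "from me-wanadoo.net (localhost [127.0.0.1]) by mwinf6307.orange.nl",
    "from c3eea34f7.cable.wanadoo.nl (c514751ac.cable.wanadoo.nl [81.71.81.172]) by mwinf6307.orange.nl",
]

HOP = re.compile(r"from (\S+) \((\S+) \[([0-9.]+)\]\) by (\S+)")


def parse_hop(line):
    """Return the name the sender announced (HELO), the name and IP the
    receiving server recorded for it, and the receiving server's name."""
    m = HOP.search(line)
    if m is None:
        return None
    helo, seen_name, ip, by = m.groups()
    return {"helo": helo, "seen_name": seen_name,
            "ip": ipaddress.ip_address(ip), "by": by}


def analyze(lines, claimed_domain):
    hops = [h for h in map(parse_hop, lines) if h]
    # Private and loopback addresses are hand-offs inside one provider.
    public = [h for h in hops if h["ip"].is_global]
    names = [n for h in hops for n in (h["helo"], h["seen_name"], h["by"])]
    return {
        # Address the recipient's own provider saw connecting to it.
        "handoff_ip": str(public[0]["ip"]) if public else None,
        # Earliest public address; only as reliable as the relay that wrote it.
        "origin_ip": str(public[-1]["ip"]) if public else None,
        # Public hops whose announced name differs from the recorded one.
        "helo_mismatch": [h["helo"] for h in public
                          if h["helo"] != h["seen_name"]],
        # Does any server in the path belong to the claimed sender?
        "claimed_domain_in_path": any(
            n == claimed_domain or n.endswith("." + claimed_domain)
            for n in names),
    }


if __name__ == "__main__":
    # "ebay.com" is an assumption; the From address is redacted on the page.
    print(analyze(RECEIVED, "ebay.com"))
```

The `handoff_ip` it reports is the same address as the `X-AOL-IP` header in the quoted message, and the `origin_ip` is the address looked up in the WHOIS post.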
posted on December 27, 2006 11:30:27 AM new
McJane: "Chasity" is a very ignorant way of spelling "Chastity." Some southerners in this country spell it that way. Sounds VERY fishy to me.
posted on December 27, 2006 01:02:38 PM new
Thanks everyone,
I clicked on the email because I was going to enter a nasty bogus user ID & PW.
I see now it's a dumb thing to do, never again.
What made me think it was legit was the https & padlock. I didn't know anyone could do that if it was a scam.
I didn't enter any ID, but went to My eBay & the email was not there, and I really expected it to be, so came here where I know I would get some right answers.
irked & agitprop. Thanks for deciphering. Never could make sense of headers, all looks Greek to me.
toollady, I did run a scan, everything looks OK for now.
roadsmith, never noticed the incorrect spelling of Ms Pope's name, Chastity!
posted on December 27, 2006 06:00:46 PM new
Jack: I got one today from "paypal" that I knew was a spoof, asking me to click on links and give my password, LOL. Just to be safe, I forwarded it to eBay but it was REJECTED BECAUSE OF A VIRUS IN IT! Yikes. That's only happened once before. Sure glad I know better than to click on the links.