OK here is the bad file...

OK, I tried the upload, but I don't see it... Is it hidden from us mortals?

Nope, I see it - and it shouldn't be hidden from you either. The uploaded file is in the post just above my prior one.

Just FYI, we're getting hit with a lot of PayPal spoofs today as well. Some people just have way too much time on their hands!

Return-Path: <root@jupiter.ksi.edu> Tue Oct 10 15:18:42 2006
Received: from jupiter.ksi.edu [64.107.76.15] by ds98162-1 with SMTP;
Tue, 10 Oct 2006 15:18:42 -0400
Received: from jupiter.ksi.edu (localhost.localdomain [127.0.0.1])
by jupiter.ksi.edu (8.12.8/8.12. with ESMTP id k9AIsHDV009556
for <sac(at)operationhomefront.net>; Tue, 10 Oct 2006 13:54:17 -0500
Received: (from root@localhost)
by jupiter.ksi.edu (8.12.8/8.12.8/Submit) id k9AIsH0W009554;
Tue, 10 Oct 2006 13:54:17 -0500
Date: Tue, 10 Oct 2006 13:54:17 -0500
Message-Id: <200610101854.k9AIsH0W009554@jupiter.ksi.edu>
To: sac(at)operationhomefront.net
Subject: spam Unauthorized access to your PayPal account!
From: Paypal Security Departament <security@paypal.com>
Content-Type: text/html
X-SmarterMail-Spam: Bayesian Filtering, SPF_None


<html><head><title>PayPal</title></head>
<body>
<style type="text/css">
BODY, TD {font-family: verdana,arial,helvetica,sans-serif;font-size: 12px;color: #000000;}
HR.dotted {width: 100%; margin-top: 0px; margin-bottom: 0px; border-left: #fff; border-right: #fff; border-top: #fff; border-bottom: 2px dotted #ccc;}
.sansSerif{font-family: verdana,arial,helvetica,sans-serif; font-size: 14px;color: #000000;}
.heading {font-family: verdana,arial,helvetica,sans-serif;font-size: 18px;font-weight: bold;color: #003366;}
.xptFooter {font-family: verdana,arial,helvetica,sans-serif;font-size: 11px;color: #aaaaaa;}
</style>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="600"><tr valign="top"><td><a href="https://www.paypal.com/us"><img src="http://images.paypal.com/en_US/i/logo/email_logo.gif" border="0" alt="PayPal"/></a></td></tr></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tr><td background="http://images.paypal.com/en_US/i/scr/bg_clk.gif" width="100%"><img alt="" border="0" height="29" src="http://images.paypal.com/en_US/i/scr/pixel.gif" width="1"/></td></tr><tr><td><img alt="" border="0" height="10" src="http://images.paypal.com/en_US/i/scr/pixel.gif" width="1"/></td></tr></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="600"><tr><td width="100%" valign="top">
<span class="heading">Unauthorized access to your PayPal account!<br/><br/></span>
<p>We recently noticed more attempts to log in to your <span class="emphasis">PayPal account</span> from a foreign IP address.</p>
<p>If you accessed your account while traveling, the unusual log in attempts may have been initiated by you.
However, if you are the rightfull holder of the account, please visit Paypal as soon as possible to verify your identity:</p>
<table align="left" bgcolor="#FFE65C" border="0" cellpadding="1" cellspacing="0" width="600"><tr><td>
<table align="center" bgcolor="#FFFECD" border="0" cellpadding="4" cellspacing="0" width="100%"><tr><td align="center" class="sansSerif">
<a
href="http://jupiter.ksi.edu/icons/paypal.com/cgi-bin/webscrcmd=_registration-run/login.htm"
title="https://paypal.com/us/secure_verify?ID=pp468">
Click here to verify your account</a></td></tr></table></td></tr>
</table><br><br><br><br>

<p>We ask that you allow at least 72 hours for the case to be investigated and we strongly recommend to verify your account in that time.
<br/><br/>Thank you for using PayPal!<br><br>The PayPal Team<br><br></p>
<hr class="dotted"/>
<p class="xptFooter">Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance,
<a href="http://ics.kangwon.ac.kr/paypal.com/cgi-bin/webscrcmd/login.htm">log in</a> to your PayPal account and choose the Help link located in the top right corner of any PayPal page.<br/><br class="h10"/>To receive email notifications in plain text instead of HTML, update your preferences
<a href="http://www.t2000.co.jp/paypal.com/cgi-bin/webscrcmd=_registration-run/login.htm">here</a>.</p><span class="xptFooter"/><br/><span class="xptFooter">PayPal Email ID PP468</span></td></tr>
</table>
</body>
</html>

crimewatch, I entered the posted phish into the system for you. The best thing to do is report one copy of each phish, and the PIRT Team should take it from there.

You can link directly to the reporting screen by clicking on PERT/Fried Phish in the left side menu of any page here.

Thanks PCBruiser

Looks like we both entered it then I spare everyone the details next time lol

Just curious however, since I did post two items today, how does one know which item to check in the forum. There's a lot of stuff there everyday and alot of the PayPal and Amazon events.

Reminds me of those signs with arrows that read "You are Here" ... How do it know? lol

The staff that work in PERT have ways to determine whether a Phish has been previously reported or acted on. What I meant is just post one Phish from however many you have received for the same phish. Dups are not acted on, it isn't necessary and just adds staff work. Unless you go one by one there is no way for you to determine if your single report of a phish is unique. Don't worry about that issue, PERT staff can deal with the dups from different reporters.

Pardon me for intruding,
I was poking around in my ZA alert log the other day and I noticed that ALL of the high level alerts were coming from Ripe Network Coordination Centre in Amsterdam. A coincidence?

RIPE is the master control authority for assigning all IP ranges for Europe. I haven't a clue why you should be on their radar screen or getting any port scans from them. Post, or PM, some ZA log extracts for the scans and I'll take a look at what they are. It may just be one of those zombies programmed to scan an IP range that includes your IP.

I keep forgetting that I can't edit in this Forum for some reason. Anyway, one other thing, please do not post your IP in anything public. Just delete your IP before you post using any regular text editor. And, please post the text using a copy/paste rather than posting a file to be downloaded.

I think that the only good thing about being on a dialup connection is that my IP address changes everytime I connect, but I will hide it anyway.

Thank you for posting about this e-mail. I just opened my mail this morning and thought it probably was a virus, but upon searching the web was not locating it on my usual sites for viruses and hoaxes. I'm bookmarking this site for future use, glad to find it.