Can VE help me to prevent giving out infos to fake paypal pages?

This is not the first time i met with fake PayPal page, here’s the letter i just got:

X-Message-Status: s3:0
X-SID-Result: SoftFail
X-Message-Info: txF49lGdW43nC1NXcRqIm5P58J7eJTyosfg34G30957gmEoKhdnj90oxy1yD0edd
Received: from ([]) by with Microsoft SMTPSVC(6.0.3790.2668);
Tue, 17 Apr 2007 09:31:43 -0700
Received: from ( [])
by (8.11.6/8.11.6) with ESMTP id l3HGVl302601;
Tue, 17 Apr 2007 18:31:47 +0200
Received: from User ([]) by with Microsoft SMTPSVC(6.0.3790.211);
Tue, 17 Apr 2007 18:27:45 +0200
From: "PayPal"
Subject: Dispute Transaction
Date: Tue, 17 Apr 2007 10:26:45 -0600
MIME-Version: 1.0
Content-Type: text/html;
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-OriginalArrivalTime: 17 Apr 2007 16:27:45.0500 (UTC) FILETIME=[547721C0:01C7810D]

Dear PayPal Member,

This email confirms that you have sent an eBay payment of $47.85 USD to for an eBay item.

Payment Details

Amount: $47.85 USD

Transaction ID: 2LC956793J776333Y

Subject: Digimax 130

If you haven’t authorized this charge ,click the link below to dispute transaction
and get full refund

Dispute transaction (Encrypted Link )

*SSL connection:
PayPal automatically encrypts your confidential information
in transit from your computer to ours using the Secure
Sockets Layer protocol (SSL) with an encryption key length
of 128-bits (the highest level commercially available)

Item Information

eBay User ID: scratchandgnaw2

Edward Harrell’s UNCONFIRMED Address

Edward Harrell
211 David St.
Springtown, TX 76082
United States

Important Note: Edward Harrell has provided an Unconfirmed Address. If
you are planning on shipping items to Edward Harrell, please check the
Transaction Details page of this payment to find out whether you will
be covered by the PayPal Seller Protection Policy.

This payment was sent using your bank account.

By using your bank account to send money, you just:

  • Paid easily and securely

  • Sent money faster than writing and mailing paper checks

  • Paid instantly – your purchase won’t show up on bills at the end of
    the month.

Thanks for using your bank account!

Thank you for using PayPal!
The PayPal Team
PayPal Email ID PP118


Yes. Just hold your mouse over the logo - if it doesn’t go green, it isn’t Paypal.

Thanks :■■■■!

It’s also fairly easy to read the header info and see right away that this is NOT Paypal ( []) - is not paypal

A better understanding of how to (first) get the entire header information to show (usually called "blah-blah), and then of how to find where the REAL sender info is, will go a long way in helping you figure out what’s legit and what isn’t.


Why on earth would spammers send emails containing links to the real Paypal website?

The message:

Dear PayPal Customer,

This email is to inform you, that we had to block your PayPal Account
access because we had to upgrade our servers in order to remove online

Our terms and conditions you agreed to state that your account must
be under your control or those you designate at all times. We have
some unusual activity related to our servers that indicates that other
parties may have access and, or control of your informations in your

Please follow this link to confirm your account access information :

Please be aware that until we can verify your identity no further access
your account will be allowed and we will have no other liability for
account or any transactions that may have occurred as a result of your
failure to upgrade your account as instructed above.

Thank you for your time and consideration in this matter .

PayPal Account Departement.

It was clearly not the real thing, which was confirmed by Paypal after I forwarded the message to them:
“Thank you for taking the time to contact The email you
reported was not sent by PayPal and is a phishing (fraudulent) email.”

Isn’t it odd that the link in this spam points to the genuine Paypal website (confirmed by VEngine)?

One of three things I can think of, user4 ~

  1. The phishers are idiots and don’t understand what it is they’re actually hoping to accomplish
  2. The phishers have/had hijacked the legit site in some way to capture login information
  3. The phishers are so darn good that they recreated a fake version of paypal’s site down to authentication factors

Given the stereotypical email message, I’d have to think that #3 is out of the running, thus leaving us with #1 or 2.

Maybe there’s a #4. The phishers are so cunning and devious that what they’re trying to accomplish is something that is beyond comprehension… ;D


I don’t think it is option 1.
These guys may be crazy, but they are not stupid. :smiley:

In case option 2 applies, VEngine should have detected that… at least I hope so.
In general, would\could VEngine detect a hacked or perfectly imitated\copied website?

It must be option 4. (:LGH)

In my limited knowledge, I don’t see how a false paypal website could be so well duplicated that the authentication (ie, the Certificate) could get past VE. Since VE looks at site’s Certificate and verifies that; it’s not based on who the website say it is, but the actual SSL Cert. Maybe it’s possible; I don’t know how, though.

If it was option 2, I don’t think there’s a way for VE to tell. I know there have been a number of security stories recently about the number of legit sites that are compromised daily, and running false content. So the site’s still legit, but the content is not. Could be illegitimate scripts running, etc. I know I’ve read that this has happened to a number of big-name sites, so I guess it’s possible with paypal as well. From major companies, I would expect them to catch and resolve it quickly; maybe in the meantime the scammers are hoping to catch a few suckers…


Is that the message source or what you’ve copied from the user interface?
Usually, if users make the mistake of reading email in html, the actual destination url is “hidden” by the html code.
For instance, from one I caught today, you’d have to be watching the url display at the bottom on mouse over to see the real url:

[attachment deleted by admin]