Post Phishing Emails Here!


mercinary
October 5th, 2005, 09:19 AM
If you receive an email that looks like it is a phishing email, please post it here. Matrixwatch will then find the correct place to report the scam, and will report it. And results from the report will be publicly posted as well.

Instructions

Click "Post Reply" for this thread
Ensure that your email client is set to display full email headers
Paste the entire email into the post
Consider editing out your personal email address



If you don't know how to post the complete email header, feel free to forward the phishing email to mercinary@matrixwatch.org. I will then post the email here.

-Merc

MatrixWatch
October 5th, 2005, 06:02 PM
One concern... And feel free to delete this post after we deal with it..

Won't the full headers also contain the recipient's IP address? I wonder if having their IP address posted publicly would hurt them in any way. Just wondering...

Otherwise, this phisher-scam report thread is a very good idea, Merc.

mercinary
October 5th, 2005, 11:13 PM
Unless the user has a static IP, no. I would venture a guess that 99% of the internet population has dynamic IPs. If you dial up, you always have dynamic IPs. If you have broadband, you have to specifically request (and pay for) a static IP.

Regardless of all of that, email is routed to your email server, not your home PC....long story short, the user is at virtually no risk I believe. Someone can correct me if I am wrong though.

-Merc

concerned
October 6th, 2005, 03:19 PM
I see a problem, even if you have a dynamic IP. If they display their IP address here, then the scammers (oops, I mean Matrix business owners) will be able to cross reference those IP addresses with their databases to determine if they are some of their scam victims (oops, I mean disgruntled customers) posting here in disguise.

mercinary
October 6th, 2005, 03:33 PM
Let me reiterate:

Regardless of all of that, email is routed to your email server, not your home PC....long story short, the user is at virtually no risk I believe. Someone can correct me if I am wrong though.

The IPs of your home machine are never displayed.

-Merc

concerned
October 6th, 2005, 08:19 PM
Not everyone logs in from home. Many people login from work, where their email server resides.

mercinary
October 7th, 2005, 08:48 AM
That much is true. Although if you are using work email for personal use, and you're receiving phishing emails through that account, you might have your hands full with your employer. At my place of employment, spam is detected if it comes into the servers. IT starts asking questions if you even get a handful of them.

-Merc

mercinary
October 7th, 2005, 08:49 AM
On a related note, I plan on posting phishing emails here myself (to prove a point). I haven't received one since I started this thread though.

-Merc

MatrixWatch
October 7th, 2005, 03:49 PM
Or perhaps we could just give some simple instructions on how to locate the recipient's IP address within the headers and encourage people to delete it.

I know that I've seen my IP address in the full headers.

These are just a few preliminary concerns though, and I wouldn't want these issues to discourage the effort, Merc. :) It really is a good idea, and one that could be amazingly productive, especially given what you've accomplished on the auction-fraud front.

mercinary
October 11th, 2005, 07:58 AM
Here is a phishing email I received the other day.


From: <eBay@reply82347.ebay.com>
To: personal email addy removed
Subject: Message ID 429716884 - Message from eBay Member (eBay)
Date: Mon, 10 Oct 2005 12:50:43 -0600
MIME-Version: 1.0
Received: from www.essencemm.com ([166.70.18.2]) by mc11-f2.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Mon, 10 Oct 2005 11:47:42 -0700
Received: from apache by www.essencemm.com with local (Exim 4.50) id 1EP2jT-0000bP-0F for personal email addy removed; Mon, 10 Oct 2005 12:50:43 -0600
X-Message-Info: JGTYoYF78jFgcPhkj/aUoXVshvUDIsho7MyVh7cZvSU=
Return-Path: slreia@slreia.com
X-OriginalArrivalTime: 10 Oct 2005 18:47:42.0672 (UTC) FILETIME=[18B86500:01C5CDCB]


eBay sent this message to eBay member).

Your registered name is included to show this message originated from eBay. Learn more.

Ebay Security Service

Dear eBay Member

For the User Agreement, Section
9, we may immediately issue a warning, temporarily suspend, indefinitely
suspend or terminate your membership and refuse to provide our
services to you if we believe that your actions may cause financial
loss or legal liability for you, our users or us. We may also
take these actions if we are unable to verify or authenticate
any information you provide to us.

We regret to inform you that your eBay account could be suspended
if you don't re-update your account information. To resolve this
problems please use the link below and re-enter your account information.
If your problems could not be resolved your account will be suspended
for a period of 24 hours, after this period your account will
be terminated.

Due to the suspension of this account, please be advised you are
prohibited from using eBay in any way. This includes the registering
of a new account. Please note that this suspension does not relieve
you of your agreed-upon obligation to pay any fees you may owe
to eBay.

To update your record please click here:

Some Items on eBay


10 SKS LONG EYELASH FANCY KNITTING YARN LIGHT BROWN

$9.99

10 SKS EYELASH FANCY KNITTING YARN BEIGE

$9.99


See more items...


Marketplace Safety Tip


Visit my eBay to manage all of your transactions (including Second Chance Offers). That way, you can be confident these transactions have been listed on eBay.
Protect yourself from spoof (fake) emails and Web sites. Take the Spoof Tutorial to learn about eBay Toolbar with Account Guard, which warns you when you are on a known spoof site.


This email appears in the language of the eBay site where you are registered.


Learn how you can protect yourself from spoof (fake) emails at:

http://pages.ebay.com/education/spooftutorial

This eBay notice was sent to member
from eBay International AG based on your account preferences. Your
account is registered on www.ebay.com.
As outlined in our User Agreement, eBay will periodically send you
information about site changes and enhancements. To unsubscribe
from this notice, change your notification
preferences. Please note that it may take up to 14 days to process
your request. If you would like to receive this email in text format,
change your notification
preferences.



See our Privacy Policy and User Agreement if you have questions about eBay's communication policies.

Privacy Policy: http://pages.ebay.com/help/community/png-priv.html


User Agreement: http://pages.ebay.com/help/community/png-user.html

Copyright © 2005 eBay, Inc. All Rights Reserved.
Designated trademarks and brands are the property of their respective owners.
eBay and the eBay logo are registered trademarks or trademarks of eBay, Inc.


Note the lack of personal IP addresses. I'm reporting this one here:

http://pages.ebay.com/help/contact_us/_base/result_5_1_1.html

All eBay spoof emails should be reported at the above link!

-Merc

P.S. Note that the links displayed in the email above are the correct eBay links. The email's links directed me elsewhere. In terms of security, I chose to NOT post the redirection links.
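The P.S. above describes the standard HTML phishing trick: the visible link text is a genuine eBay URL, while the anchor's href points somewhere else. The following is an added example, not code from this thread or from eBay: it pulls every anchor out of an HTML body and flags the ones whose visible text is a URL on a different domain than the href, plus two related tricks (a user-info prefix such as `http://www.ebay.com@…/` that puts the brand name before the real host, and a bare IP address as the host). The sample body is constructed for this example; the visible text reuses the real eBay URLs quoted in the post, and the hidden targets use the reserved example.net domain and a documentation IP range, not the actual redirect links Merc chose not to post. The two-label "registrable domain" shortcut is a simplification assumed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body (not the actual message): visible text and the second
# link copy the real eBay URLs quoted in the post above; the hidden targets use
# the reserved example.net domain and the 192.0.2.0/24 documentation range.
SAMPLE_HTML = """
<p>Learn how you can protect yourself from spoof (fake) emails at:
<a href="http://pages.ebay.com.example.net/education/spooftutorial">http://pages.ebay.com/education/spooftutorial</a></p>
<p>Privacy Policy: <a href="http://pages.ebay.com/help/community/png-priv.html">http://pages.ebay.com/help/community/png-priv.html</a></p>
<p><a href="http://www.ebay.com@example.net/signin">To update your record please click here</a></p>
<p><a href="http://192.0.2.10/ebay/">See more items...</a></p>
"""

URL_TEXT = re.compile(r"^(https?://|www\.)\S+$", re.IGNORECASE)
IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def split_url(url):
    url = url.strip()
    if "://" not in url:
        url = "http://" + url               # bare 'www.example.com/...' text
    return urlsplit(url)


def registrable(host):
    """Last two labels (assumption: ignores public suffixes such as co.uk)."""
    return ".".join(host.split(".")[-2:])


def deceptive_links(html):
    """Return one finding per anchor whose real target does not match what it shows."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        target = split_url(href)
        target_host = (target.hostname or "").lower()
        flags = []
        if URL_TEXT.match(text):
            # Visible text is itself a URL: compare the domain it shows with
            # the domain the browser would actually contact.
            shown_host = (split_url(text).hostname or "").lower()
            if registrable(shown_host) != registrable(target_host):
                flags.append("text_host_mismatch")
        if target.username is not None:
            flags.append("userinfo_in_url")     # http://www.ebay.com@example.net/
        if IPV4_HOST.match(target_host):
            flags.append("ip_literal_host")
        if flags:
            findings.append({"href": href, "text": text,
                             "target_host": target_host, "flags": flags})
    return findings


if __name__ == "__main__":
    for f in deceptive_links(SAMPLE_HTML):
        print(f"{', '.join(f['flags'])}: '{f['text']}' -> {f['target_host']}")
```

Feed it the raw HTML source of a suspect message (most clients have a "view source" option) rather than the rendered text; the anchor with plain wording such as "click here" only shows up because the href is inspected, which is exactly what a reader looking at the rendered message cannot see.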

mercinary
October 14th, 2005, 08:05 AM
From: AOL Service <service@aol.com>
To: personal email info removed
Subject: Update Billing Address
Date: Fri, 14 Oct 2005 07:19:03 +0200 (CEST)
MIME-Version: 1.0
Received: from mcore.webc.lyceu.net ([212.78.206.18]) by mc2-f5.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Thu, 13 Oct 2005 22:19:04 -0700
Received: from wmphpp04.st2.lyceu.net (wmphpp04.st2.lyceu.net [212.78.206.124]) by mcore.webc.lyceu.net (Postfix) with ESMTP id 5DD165304E8 for <personal email info removed>; Fri, 14 Oct 2005 07:19:03 +0200 (CEST)
Received: by wmphpp04.st2.lyceu.net (Postfix, from userid 1425059) id 376DCB700; Fri, 14 Oct 2005 07:19:03 +0200 (CEST)
X-Message-Info: JGTYoYF78jHgEVTY9NUAUX4GzQbK4PQkHiTavPhhrdk=
X-WEBC-Mail-Request-IP: 82.114.72.58
X-WEBC-Mail-From-Script: http://www.merliniks.biz/index.php
X-Lycos-AS: 43.00
X-Lycos-AV: OK
Return-Path: webmaster@merliniks.biz
X-OriginalArrivalTime: 14 Oct 2005 05:19:04.0597 (UTC) FILETIME=[CB58AC50:01C5D07E]

SECOND NOTICE

Dear Valued Member,

We were unable to process your last two billing transactions and your account is now past due. To ensure that your service is not interrupted, please update your billing information today by clicking here. Or call AOL Member Services toll-free at 1-877-773-4462. We're available 24 hours a day, 7 days a week.

If you have recently updated your billing information, please disregard this message as we are processing the changes you have made.

Sincerely,

AOL Member Services Team

P.S. AOL has several pricing options to meet your needs. Please call AOL Member Services to ensure that you are on the optimal pricing plan and to update your payment information today!


Another phishing email. Easily identified, as I have no AOL account!!!

AOL instructs people to forward these messages to TOSEmail1@aol.com, which I have done.

-Merc

surfer
October 15th, 2005, 09:45 AM
A different version of an eBay one.

They also recommend forwarding these to
spoof@ebay.com

From aw-confirm@ebay.com Sat Oct 15 07:24:13 2005
X-Apparently-To: my email removed via 68.142.206.159; Sat, 15 Oct 2005 06:16:28 -0700
X-YahooFilteredBulk: 66.36.241.62
X-Originating-IP: [66.36.241.62]
Return-Path: <respondez1@aaaonlinux.com>
Authentication-Results: mta150.mail.mud.yahoo.com from=ebay.com; domainkeys=neutral (no sig)
Received: from 66.36.241.62 (EHLO aaaonlinux.com) (66.36.241.62) by mta150.mail.mud.yahoo.com with SMTP; Sat, 15 Oct 2005 06:16:28 -0700
Received: (qmail 3864 invoked by uid 1103); 15 Oct 2005 14:24:13 -0000
Date: 15 Oct 2005 14:24:13 -0000
Message-ID: <20051015142413.3863.qmail@aaaonlinux.com>
To: my email removed
Subject: Notice of account temporary suspension
From: aw-confirm@ebay.com
Content-Type: text/html
Content-Length: 3539


eBay Security Measures
Notice of account temporary suspension

Stimated eBay member :

# We regret to inform you that your eBay account, has been temporarily suspended due to various login attempts from diffrent global locations.

NOTE
# This is a preventive Warning message for our users to be able to avoid fraudulent activity and future inconveniences.

# As Romania is one of the most high rated fraudulent countries , we temporarily suspended your account to avoid future problems or misusage of your eBay account.

# Here are the last 3 login attempts :

1. IP address : 193.105.3.173
ISP host : st13.i-cafe.orizont.net
Location : Romania

2. IP address : 80.97.171.22
ISP host : rds-net.bistrita.net
Location : Romania

3. IP address : 62.177.188.59
ISP host : adsl.bbeyond.ro
Location : Romania


# If you are traveling and made these login attempts yourself or borrowed your eBay account to someone else , please log in below.

Travelling confirmation Here



# If you want to re-activate your eBay account , please follow our instructions.

Re-activate your account Here




# If this situation is not solved in the next 24 hours your account will be permanently suspended.


Sincerely, eBay
This is an automated email, please do not respond to it as your inquiry would not be received.

Email Id : PP458
Copyright . 1995-2005 eBay Inc. All Rights Reserved.Designated trademarks and brands are the property of their respective owners.Use of this Web site constitutes acceptance of the eBay Privacy Policy.

How to protect your account
# Make sure you never give away your eBay id and password. to someone you don`t know.

# Please respect eBay policy and privacy statements.
For more information on how to protect your account, please visit our security center. https://www.ebay.com/securitytips
Increase your security
# Become a Verified eBay member. Examine all privacy and security seals before doing business with a particular website and make sure they are legitimate.
eBay is a licensee of the
TRUSTe Privacy Program.
Protect your password
# Never give away your password and always choose a combination of letters, numbers, and symbols.
For example, $coo!place2l!ve or 2Barry5Bonds#1. Avoid choosing obvious words or dates such as a nickname or your birth date.

# Don't use the same password for eBay and other online services such as AOL, eBay, MSN, or Yahoo.
Using the same password for multiple websites increases the likelihood that someone could learn your password and gain access to your account.

mercinary
October 17th, 2005, 09:47 AM
Received this one the other day:


From: "PayPal" <management@paypal.com>
Reply-To: <management@paypal.com>
Subject: Your Account Will Be Suspended
Date: Sat, 15 Oct 2005 13:51:21 +0200
MIME-Version: 1.0
Received: from mail.com ([84.36.7.246]) by mc5-f29.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Sat, 15 Oct 2005 04:51:28 -0700
X-Message-Info: mzxw1fS161zNh/jmZG+rg4cDUzPlfOJMHI7R5cvOG00=
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1081
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1081
Return-Path: management@paypal.com
X-OriginalArrivalTime: 15 Oct 2005 11:51:29.0233 (UTC) FILETIME=[C774C410:01C5D17E]


PayPal

Notice of security problems !


Dear PayPal Customer,

This e-mail is the notification of recent innovations taken by PayPal to prevent security attacks at our servers. From now on all transactions of money will go through secure web server with SSL - Secure Sockets Layer support.

Click here to log into your account

Please confirm your email address and credit card information by logging in to your PayPal account and check if everything is ok with your acc. If you notice that some one has transfer money from you acc, informe paypal service.

Thank you for using PayPal!

The PayPal Team

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and choose the Help link located in the top right corner of any PayPal page.

To receive email notifications in plain text instead of HTML, update your preferences here.

PayPal Email ID PP468


Paypal suggests the following when you encounter one of these emails:


If you think you have received a fraudulent email, forward the entire email to spoof@paypal.com and then delete it from your email account.

If you already replied to a fake email with your personal information, please Contact Us (http://www.paypal.com/us/cgi-bin/webscr?cmd=_contact-general) right away. You may also want to contact your financial institution to alert them of possible suspicious activity.


I have forwarded the message to spoof@paypal.com as suggested.

-Merc

mercinary
October 25th, 2005, 09:18 PM
Here is another one I reported to spoof@paypal.com:


From: "PayPal" <service@paypal.com>
Reply-To: "PayPal" <service@paypal.com>
To: email addy removed
Subject: PayPal Account Limited email addy removed
Date: Tue, 25 Oct 2005 15:29:27 -0700
MIME-Version: 1.0
Received: from mail3.mygisol.com ([64.27.20.131]) by mc9-f42.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Tue, 25 Oct 2005 17:24:47 -0700
Received: (qmail 17234 invoked by uid 399); 26 Oct 2005 00:24:05 -0000
Received: from unknown (HELO info4) (80.97.188.251) by mail3.mygisol.com with SMTP; 26 Oct 2005 00:24:05 -0000
X-Message-Info: 6sSXyD95QpXxDsPCfpvWNDE1dQqJ+C1UNdwPi1+zTmU=
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Return-Path: service@paypal.com
X-OriginalArrivalTime: 26 Oct 2005 00:24:47.0561 (UTC) FILETIME=[ABE3CB90:01C5D9C3]

Dear valued email addy removed member:

It has come to our attention that your PayPal® account information needs to be
updated as part of our continuing commitment to protect your account and to
reduce the instance of fraud on our website. If you could please take 5-10 minutes
out of your online experience and update your personal records you will not run into
any future problems with the online service.

However, failure to update your records will result in account suspension.
Please update your records in maximum 24 hours.

Once you have updated your account records, your PayPal® session will not be
interrupted and will continue as normal.
To update your PayPal® records click on the following link:
https://www.paypal.com/cgi-bin/webscr?cmd=_login-run

Thanks for using PayPal!

This PayPal notification was sent to your mailbox. Your PayPal account is set up to receive the PayPal Periodical newsletter and product updates when you create your account. To modify your notification

preferences and unsubscribe, go to
https://www.paypal.com/PREFS-NOTI and log in to your account. Changes to your preferences may take several days to be reflected in our mailings. Replies to this email will not be processed.

If you previously asked to be excluded from Providian product offerings and solicitations, they apologize for this e-mail. Every effort was made to ensure that you were excluded from this e-mail. If you do not wish to receive promotional e-mail from Providian, go to http://removeme.providian.com.

Copyright© 2005 PayPal Inc. All rights reserved. Designated trademarks and brands are the property of their respective owners.


-Merc

Ferret
November 20th, 2005, 08:12 PM
One concern... And feel free to delete this post after we deal with it..

Won't the full headers also contain the recipient's IP address? I wonder if having their IP address posted publicly would hurt them in any way. Just wondering...

Otherwise, this phisher-scam report thread is a very good idea, Merc.

Your personal static or dynamic IP address is NOT in email headers.

The IP addresses in headers are from the mail servers the email passes through.
Spammers usually try to fake them.

PS: You should highlight all the signs in these emails that point to them being fakes:
Bad grammar
Misspellings
Not addressing you by name
etc.
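Ferret's two points (the header IPs belong to mail servers, and senders try to fake them) can be checked mechanically against the headers posted in this thread. The following is an added example, not code from the thread or from any of the providers named in it. It walks the Received chain bottom-up over the eBay headers from the Oct 11 post (the only input it uses; the recipient address is the poster's own redaction), separates the one hop that was written by the recipient's own provider from the hops the sender could have written, and compares the brand claimed in From: with the Return-Path domain and with the host that actually connected. The two-label "registrable domain" shortcut (reply82347.ebay.com becomes ebay.com) is a simplification assumed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Sample input: the header block of the eBay phish posted on Oct 11 above
# (recipient address already redacted by the poster; nothing else changed).
SAMPLE_HEADERS = """\
From: <eBay@reply82347.ebay.com>
To: personal email addy removed
Subject: Message ID 429716884 - Message from eBay Member (eBay)
Date: Mon, 10 Oct 2005 12:50:43 -0600
MIME-Version: 1.0
Received: from www.essencemm.com ([166.70.18.2]) by mc11-f2.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Mon, 10 Oct 2005 11:47:42 -0700
Received: from apache by www.essencemm.com with local (Exim 4.50) id 1EP2jT-0000bP-0F for personal email addy removed; Mon, 10 Oct 2005 12:50:43 -0600
Return-Path: slreia@slreia.com

"""

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
FROM_HOST = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BY_HOST = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)


def parse_hops(raw):
    """Received hops oldest-first (the bottom header line is the first hop).

    Each hop is {'from': host named after 'from', 'by': receiving host,
    'ip': first IPv4 literal on the line, or None for local deliveries}.
    """
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())          # undo header folding
        fm, by, ip = FROM_HOST.search(value), BY_HOST.search(value), IPV4.search(value)
        hops.append({"from": fm.group(1) if fm else None,
                     "by": by.group(1) if by else None,
                     "ip": ip.group(1) if ip else None})
    return hops


def domain_of(header_value):
    """Domain part of the address in a From: or Return-Path: header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def registrable(domain):
    """Last two labels of a domain (assumption: a deliberate simplification
    that ignores multi-label public suffixes such as co.uk)."""
    return ".".join(domain.split(".")[-2:])


def same_org(domain, claimed):
    return domain == claimed or domain.endswith("." + claimed)


def analyse(raw):
    """Compare the brand the From: header claims with what the transport shows."""
    msg = message_from_string(raw)
    hops = parse_hops(raw)
    # The top Received line was written by the recipient's own provider and is
    # the only hop the sender could not forge; every line below it is whatever
    # the sending software chose to write, including the 'from apache ... with
    # local' hop here, which carries no IP at all.
    trusted = hops[-1] if hops else None
    claimed = registrable(domain_of(msg.get("From")))
    rp_domain = domain_of(msg.get("Return-Path"))
    origin_host = (trusted["from"] or "").lower() if trusted else ""
    return {
        "claimed_brand": claimed,
        "trusted_hop": trusted,
        "claimed_origin": hops[0] if hops else None,
        "return_path_domain": rp_domain,
        "return_path_mismatch": not same_org(rp_domain, claimed),
        "origin_host_mismatch": not same_org(origin_host, claimed),
    }


if __name__ == "__main__":
    for key, val in analyse(SAMPLE_HEADERS).items():
        print(f"{key}: {val}")
```

On these headers the only IP in the chain is 166.70.18.2, the server that connected to Hotmail, and it belongs to neither ebay.com nor the Return-Path domain slreia.com; the recipient's own address never appears, which is Ferret's point. The same walk answers MatrixWatch's earlier question about what to redact before posting: the Received lines name relays, and the only address a reader could be asked to strip is in the To: or "for" fields, which the posters here already blanked.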

MatrixWatch
November 21st, 2005, 03:00 AM
That is a good idea, Ferret, and one that could be the subject of a new thread with some cool pictures attached to visualize everything.

If it is done well, and there is some good collaboration from the members, it will probably get a sweet google ranking. Hopefully it will help lots of people!

Ferret
April 2nd, 2006, 06:27 PM
I just got this today
I don't have a Citibank account :p

Already reported to spoofemail@citigroup.com, which I got by calling 1-800-374-9700, the number the phishers provided in the email.

I bolded words and grammar that seemed suspicious to me

• privacy • citibusiness.com

ATM/Debit card ending in: verify

CitiBusiness E-mail & Security Banking Alerts
--------------------------------------------------------------------------------

Online Security Token will be introduced from April, 1

What is a CitiBusiness Online Security Token?
A CitiBusiness Online Security Token is a small handheld device that dynamically generates and displays a one-time use password. All active CitiBusiness Online users will receive information about its use shortly.

If your token is out of order or lost, you can receive a new temporary password for your online banking work.

Please click here to confirm the information asked for phone banking authorization to be able to receive a new temporary password.

If you do not confirm your details until 04/01/2006 your account will be SUSPENDED for security reasons and we will send you an Activation Code by post which you will need to renew your online banking service access. You will receive this within seven days if your current address is not confirmed.



--------------------------------------------------------------------------------


At the top of this message, you'll see an E-mail Security Zone. Its purpose is to help you verify that the e-mail was indeed sent by Citibank. If you have questions, please call 1-800-374-9700. To learn more about fraud visit Citibank.com and click "about e-mail fraud" at the bottom of the screen.



ABOUT THIS MESSAGE
This message is for information purposes only. Please do not reply to this customer service e-mail. For deposit account specific inquiries, kindly call 1-800-374-9700 or visit citibankonline.com. For credit card account specific inquiries, please call 1-800-950-5114.

--------------------------------------------------------------------------------
Citibank, N.A., Citibank, F.S.B., Citibank (West), FSB, Citibank Texas, N.A. Member FDIC.
Copyright @ 2005 Citicorp