I got the following message in email today. The "phishing" detector in my brain went off immediately, but on further inspection it appears that this message really did come from Paypal.
This message seems non-phishy due to the following aspects:
- My full name is used, not something derived from my email address
- There are no links to click on (i.e. "click here to visit the Resolutions Center")
- The message headers (below) indicate no evidence of forgery
- The IP address it was sent from matches the SPF record at paypal.com
Paypal is in the unenviable position of having to fight with all the phishers when they really do want to email a notification to their customers. It appears that this is the best they can do, and of course the phishers will imitate this style of message as closely as possible, which makes Paypal's original message look like junk mail. It's an uphill battle for them.
Now I'm curious about what they've done with my account.
Return-Path: <email@example.com>
Received: by occam.hewgill.net (Postfix, from userid 12349)
    id E6FF922DF1B; Mon, 20 Feb 2006 17:17:43 +0000 (GMT)
Received: from smtp-outbound.nix.paypal.com (smtp-outbound.nix.paypal.com [22.214.171.124])
    by occam.hewgill.net (Postfix) with ESMTP id E45CE22DF02
    for <firstname.lastname@example.org>; Mon, 20 Feb 2006 17:17:40 +0000 (GMT)
Received: from dentmail1.den.paypal.com (dentmail1.den.paypal.com [10.191.28.242])
    by smtp-outbound.nix.paypal.com (Postfix) with ESMTP id 34B66820020
    for <email@example.com>; Mon, 20 Feb 2006 09:17:40 -0800 (PST)
Received: from denadmin10.den.paypal.com (denadmin10.den.paypal.com [10.191.20.86])
    by dentmail1.den.paypal.com (Postfix) with SMTP id 0001F27C05A
    for <firstname.lastname@example.org>; Mon, 20 Feb 2006 09:17:39 -0800 (PST)
Received: (qmail 21414 invoked by uid 99); 20 Feb 2006 17:17:39 -0000
Date: Mon, 20 Feb 2006 09:17:39 -0800
Message-Id: <email@example.com>
Subject: Notification of Limited Account Access
X-MaxCode-Template: email-restrict-issue-notification
To: Greg Hewgill <firstname.lastname@example.org>
From: "email@example.com" <firstname.lastname@example.org>
X-Email-Type-Id: PP522
X-XPT-XSL-Name: /default/en_US/account/security/RestrictIssueNotification.xsl
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=windows-1252
MIME-Version: 1.0
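The header and SPF checks listed above can be scripted; the following is an added example, not part of the original post. It takes the peer IP from the one Received line stamped by the recipient's own server and tests it against the `ip4:` ranges of an SPF record. The function names are hypothetical, and the SPF record is constructed for illustration and is not PayPal's published record.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: the first three hops of the header block above, trimmed.
RAW = """\
Return-Path: <email@example.com>
Received: by occam.hewgill.net (Postfix, from userid 12349) id E6FF922DF1B;
 Mon, 20 Feb 2006 17:17:43 +0000 (GMT)
Received: from smtp-outbound.nix.paypal.com (smtp-outbound.nix.paypal.com [22.214.171.124])
 by occam.hewgill.net (Postfix) with ESMTP id E45CE22DF02;
 Mon, 20 Feb 2006 17:17:40 +0000 (GMT)
Received: from dentmail1.den.paypal.com (dentmail1.den.paypal.com [10.191.28.242])
 by smtp-outbound.nix.paypal.com (Postfix) with ESMTP id 34B66820020;
 Mon, 20 Feb 2006 09:17:40 -0800 (PST)
Subject: Notification of Limited Account Access
"""

# Constructed SPF record for illustration only; NOT PayPal's published record.
SAMPLE_SPF = "v=spf1 ip4:22.214.171.0/24 ip4:192.0.2.0/24 -all"

# "from <helo> (<rdns> [<ip>]) by <host>", the Postfix layout seen in the sample.
HOP = re.compile(r"from\s+\S+\s+\(\S+\s+\[([\d.]+)\]\)\s+by\s+(\S+)")

def boundary_hop_ip(raw_message, my_mta):
    """Return the peer IP recorded by our own MTA, the only hop we can trust.

    Received lines are prepended, so every line below the one stamped by
    my_mta was supplied by the sending side and could have been forged.
    """
    msg = message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        m = HOP.search(value)
        if m and m.group(2) == my_mta:
            return m.group(1)
    return None

def spf_ip4_permits(record, ip):
    """True if ip is inside a pass-qualified ip4: mechanism of the record.

    Only ip4: terms are evaluated; include:, a, mx and redirect= need DNS.
    """
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        term = term.lstrip("+")
        if term.startswith("ip4:") and addr in ipaddress.ip_network(term[4:], strict=False):
            return True
    return False
```

The internal 10.x hop further down the chain is deliberately ignored: only the address recorded by the receiving server is compared with the SPF ranges.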
Update: I logged on to Paypal and they appear to only have expired my password. No other outstanding issues were to be found in their "Resolution Center" after logging on. I've found that Paypal seems to expire my password frequently (once every month or two), and asks that I supply a new, different password plus configure two new security questions. Perhaps I've been getting a message like this every time they expire my password but this is the first time I noticed it wasn't a phishing message.
I just checked my mail and one second after receiving confirmation of changing my password and security questions, I also got:
Thanks Paypal. Hardly a pleasure doing business with you.