Greg Hewgill (ghewgill) wrote,
Greg Hewgill

paypal and phishing

I got the following message in email today. The "phishing" detector in my brain went off immediately, but on further inspection it appears that this message really did come from Paypal.

Subject: Notification of Limited Account Access

Dear Greg Hewgill,

As part of our security measures, we regularly screen activity in the PayPal system.
For your protection, we have limited access to your account until additional security measures can be completed. We apologize for any inconvenience this may cause.

To review your account and some or all of the information that PayPal used to make its decision to limit your account access, please visit the Resolution Center. If, after reviewing your account information, you seek further clarification regarding your account access, please contact PayPal by visiting the Help Center and clicking "Contact Us".
We thank you for your prompt attention to this matter. Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.

PayPal Account Review Department

PayPal Email ID PP522

This message seems non-phishy due to the following aspects:

  • My full name is used, not something derived from my email address
  • There are no links to click on (ie. "click here to visit the Resolutions Center")
  • The message headers (below) indicate no evidence of forgery
  • The IP address it was sent from matches the SPF record at

Paypal is in the unenviable position of having to fight with all the phishers when they really do want to email a notification to their customers. It appears that this is the best they can do, and of course the phishers will imitate this style of message as closely as possible, which makes Paypal's original message look like junk mail. It's an uphill battle for them.

Now I'm curious about what they've done with my account.

Return-Path: <>
Received: by (Postfix, from userid 12349)
        id E6FF922DF1B; Mon, 20 Feb 2006 17:17:43 +0000 (GMT)
Received: from ( [])
        by (Postfix) with ESMTP id E45CE22DF02
        for <>; Mon, 20 Feb 2006 17:17:40 +0000 (GMT)
Received: from ( [])
        by (Postfix) with ESMTP id 34B66820020
        for <>; Mon, 20 Feb 2006 09:17:40 -0800 (PST)
Received: from ( [])
        by (Postfix) with SMTP id 0001F27C05A
        for <>; Mon, 20 Feb 2006 09:17:39 -0800 (PST)
Received: (qmail 21414 invoked by uid 99); 20 Feb 2006 17:17:39 -0000
Date: Mon, 20 Feb 2006 09:17:39 -0800
Message-Id: <>
Subject: Notification of Limited Account Access
X-MaxCode-Template: email-restrict-issue-notification
To: Greg Hewgill <>
From: "" <>
X-Email-Type-Id: PP522
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=windows-1252
MIME-Version: 1.0

Update: I logged on to Paypal and they appear to only have expired my password. No other outstanding issues were to be found in their "Resolution Center" after logging on. I've found that Paypal seems to expire my password frequently (once every month or two), and asks that I supply a new, different password plus configure two new security questions. Perhaps I've been getting a message like this every time they expire my password but this is the first time I noticed it wasn't a phishing message.

I just checked my mail and one second after receiving confirmation of changing my password and security questions, I also got:

Subject: Your PayPal Account has been Restored

Dear Greg Hewgill,

We have completed our review and have restored your account.

Thank you for your patience during this process and for helping to make PayPal the safest and most trusted online payment solution.

PayPal Account Review Department

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click the Help link located in the top right corner of any PayPal page.

PayPal Email ID PP203

Thanks Paypal. Hardly a pleasure doing business with you.

Tags: spam

  • 2013 in review

    2013 is the year when everything changed. The biggest event was the birth of our daughter Lily. She was born prematurely in Shanghai while we…

  • 2012 in review

    2012 has been fairly quiet. Maybe it just seems that way because I haven't actually written anything new in this blog since last year's annual…

  • new photo galleries

    I've been busy processing photo galleries from the last year (or two) and putting them online for your perusal. Vancouver 2010 Northland…

  • Post a new comment


    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded