More Phish in the Sea

Yet another PayPal phishing scam:

This one has a few clues as to its nefarious origins.

1. Its ‘Reply-to’ header reads ‘no-replay@paypal.com’ (No replay?)

2. If you cursor over its link, it displays  213.130.21.170  instead of PayPal’s address.

Checking the email’s headers (Ctrl-u in Thunderbird) shows more aberrations:

1. X-Mailer: Microsoft Outlook Express 6.00.2600.0000

PayPal doesn’t use Outlook Express to email its customers.

2. Received: from User ([72.4.204.201]) by grahamserv.grahamfamilylaw.com with Microsoft SMTPSVC(5.0.2195.6713); Sat, 21 Oct 2006 00:33:03 -0700
My guess?  The computer ‘grahamserv’ at grahamfamilylaw.com has either been compromised by a trojan, or its email server is open for the world to email through.
In any event, should you find yourself the recipient of this or any phishing email, report it here (US Computer Emergency Readiness Team) and/or here (antiphishing.org)