EMail Spam December 19, 2008
Posted by devdude in General. Tags: fight spam email, spam
Occasionally I dissect spam emails that find their way through the spam filter. Very often it is some kind of PayPal or eBay notice saying that the account has expired, or that they suspect some problem with the account, and asking you to log in and verify. The login link is always in the email. It always looks OK at first sight, but if you look at the spelling of the sender, the words and so on, you can see that it is spam.
Today's dissection (original is German): Paypal Security
Wichtige Sicherheits-Hinweise Ihr Konto Zugriff hat nur begrenztem Umfang (Transl: Important security note, limited account access)
Sender: sicherheit_@_paypall_de (see the double "ll" at the end). paypall.de is registered by (check here).
Text: PayPal arbeitet ständig an der Gewährleistung der Sicherheit durch regelmäßige Screening/Kontrollen der Konten in unserem System. Wir haben vor kurzem Ihr Konto überprüft, und wir brauchen mehr Informationen, die uns helfen sollen Sie mit sicheren Service anbieten. Bis wir diese Informationen sammeln, Ihren Zugang zu sensiblen Konto-Funktionen werden begrenzt oder beendet werden. Wir möchten Ihren Zugang Wiederherstellen so schnell wie möglich, und wir entschuldigen uns für die Unannehmlichkeiten. (Transl: PayPal constantly works on ensuring security through regular screening/checks of the accounts in our system. We recently reviewed your account, and we need more information to help us provide you with secure service. Until we collect this information, your access to sensitive account functions will be limited or terminated. We would like to restore your access as soon as possible, and we apologize for the inconvenience.)
The German text contains quite a number of errors.
paypall.de points to merchntaccount.com, which is a misspelled version (missing 'a') of merchantaccount.com (a credit card/online commerce service provider). merchntaccount.com is registered by (check here), the same person or organization.
The fake login page is not accessible (anymore?) at this bogus address (some characters removed to stop anyone from stumbling upon it):
http: / / smokylake. com/www. paypal .de/de/_xxxxxxxxxxx_ = _login-submit/webscr.php
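The two tells in this dissection, a sender domain one letter away from a real one and a real hostname sitting in the path of an unrelated host, can be checked mechanically. The following is an added example, not part of the original post; the `BRANDS` watch list, the function names, the distance threshold and the `host.example` URL in the usage are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed watch list: the legitimate domains this post mentions.
BRANDS = ["paypal.de", "paypal.com", "merchantaccount.com"]

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_genuine(host, brand):
    """True if host is the brand domain itself or one of its subdomains."""
    return host == brand or host.endswith("." + brand)

def sender_domain(address):
    """Domain part of an email address, lower-cased."""
    return address.rsplit("@", 1)[-1].strip().lower()

def lookalike_of(domain, max_dist=2):
    """Return the brand a domain imitates, or None if genuine or unrelated."""
    domain = domain.lower().rstrip(".")
    if any(is_genuine(domain, b) for b in BRANDS):
        return None
    for brand in BRANDS:
        # A small, non-zero distance means "almost the brand": paypall.de
        if 0 < edit_distance(domain, brand) <= max_dist:
            return brand
    return None

def brand_in_path(url):
    """Return a brand whose name appears in the URL path of a foreign host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for brand in BRANDS:
        if brand in parts.path.lower() and not is_genuine(host, brand):
            return brand
    return None

if __name__ == "__main__":
    # Constructed inputs modelled on the mail dissected above.
    print(lookalike_of(sender_domain("someone@paypall.de")))
    print(lookalike_of("merchntaccount.com"))
    print(brand_in_path("http://host.example/www.paypal.de/de/webscr.php"))
```

A distance threshold of 2 catches single added or dropped letters like the two in this mail; very short brand names need a tighter threshold to avoid false matches.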
Why does spam work? Because someone sends out this email to 100.000 recipients. If only 1 falls into the trap, it is worth his effort to fake everything.