We were mildly surprised when SiteOfTheWeek@ziffdavis.com received an e-mail asking for confirmation of its password, credit card number, and other PayPal account details (Figure 1) . PayPal is the online transaction and bill-paying service favored by millions of eBay auction users (eBay now owns the service). But our SiteOfTheWeek isnt a person and to the best of our knowledge owns neither a credit card nor a PayPal account. The message looked legitimate—the return address was firstname.lastname@example.org, and all of the visible links pointed to pages on the PayPal Web site. But the fact that the e-mail asked for a credit card number and password roused our suspicions.
Combing through the source code of the message, we discovered that its Log In button sent data not to paypal.com but to the URL http://email@example.com/pp.php, which proved to be hosted by the legitimate site http://www.portland.co.uk. The URL in question was defunct by the time we checked it, but we notified both PayPal and the hosting site anyway. PayPal verified that it never under any circumstances sends e-mail asking you to enter private information. In fact, there is no legitimate reason for any site to ask that you verify or update private information via e-mail. You might be asked to log in to a secure site to prove your continued interest or update your profile—but thats all. Never supply your credit card number or other personal information in a direct response to an e-mail message!
If scam sleuthing piques your interest, you can hunt for clues as we did. The first step is to peruse the HTML source code of the message. In Outlook, right-click in the message body and choose View Source, which will open the messages source code in Notepad. In Outlook Express, open the message and choose Properties from the File menu. Click on the Details tab in the resulting dialog, click on the Message Source button, then copy and paste the message source into Notepad. Now search for http:// and verify that each URL in the message has a reasonable connection with the alleged source. You may find some .gif or .jpg links that go to advertising sites; dont worry about those. But if a links URL doesnt go where its text says it does, or if a FORM tags action connects to a site other than the alleged source, something is rotten. You can also check the message header as explained in our recent article "Heading Off Spam". Using the techniques from that article, we discovered a spoofed IP address in the header. The header line listed compuserve.com as the source, but the IP address actually belonged to a company in Beijing.