They share the same ownership. So it’s only logical that PayPal and eBay would share phishers… And the phishers would share ISPs.

Pitch #1 was snagged by one of our honeypots this week:

From: service@paypal.com
Subject: Account limited

Protect Your Account Info
————————-
Dear customer,

PayPal is constantly working to ensure security by regularly screening the accounts in our system. We recently reviewed your account, and we need more information to help us provide you with secure service. Until we can collect this information, your access to sensitive account features will be limited. We would like to restore your access as soon as possible, and we apologize for the inconvenience.

Why is my account access limited?

Your account access has been limited for the following reason(s):

May. 10, 2005: We would like to ensure that your account was not accessed by an unauthorized third party. Because protecting the security of your account is our primary concern, we have limited access to sensitive PayPal account features. We understand that this may be an inconvenience but
please understand that this temporary limitation is for your protection.

(Your case ID for this reason is PP-061-979-349.)

Visit the Resolution Center and complete the “Steps to Remove Limitations.” Please resolve your account limitations on or before May 16, 2005.

Completing all of the checklist items will automatically restore your account access.
————————-
Thank you for using PayPal! The PayPal Team

Please do not reply to this e-mail. Mail sent to this address cannot be answered.

PayPal Email ID PP23807

Compelling pitch, isn’t it? Much more convincing than the earlier phishing campaign that ended in mid-February:

From: aw-confirm@ebay.com
Subject: TKO Notice: Account Alert

Dear (your_email@address.here),

In an effort to protect your eBay account security, we have suspended your account until such time that it can be safely restored to you. We have taken this action because your password may have been compromised. Although we cannot disclose our investigative procedures that led to this conclusion, please know that we took this action in order to maintain the safety of your account. However, your account is marked for too many failure logins since February 05, 2005. It is interesting that the hostnames are from different countries:

United States (c-24-4-60-31.client.comcast.net)
Japan (u183194.ppp.dion.ne.jp)
Australia (gspp-p-144-134-57-104.prem.tmns.net.au)
Canada (kitchener-hse-ppp3569890.sympatico.ca)

Please authorize your registration information on or before February 14, 2005. Currently registration information will be screened when you login.

Follow the link to make sure you are on our secure page. https://signin.ebay.com/don’t/eBaynolink.dll?SignIn

Thank you for using eBay!
————————-

Copyright 1995-2005 eBay Inc. All Rights Reserved. Designated trademarks and brands are the property of their respective owners.

eBay and the eBay logo are trademarks of eBay Inc.

A quick review of the message headers shows that Pitch #1 comes from ev1s-216-127-92-36.ev1servers.net (216.127.92.36). The sending server for Pitch #2? Unknown (HELO PayPal-Server3) (207.44.210.27). PayPal-Server3???

Hmmm… Time for a whois check. Surprise! Both IP addresses belong to an ISP in Houston: Everyones Internet, Inc. While the blacklist status of 216.127.92.36 is clear for now, ORDB.ORG reports that for 207.44.210.27 “mail was handled by an open relay” in February and May.

A call to Everyones Internet at the listed phone number 713-400-5400 led to another number, 713-333-7873, which led to a lot of waiting on hold while the voice on the other end talked to “somebody.”

The voice finally instructed the caller to send the offending messages to abuse@ev1.net. Great. Help the abuser navigate around your honeypots. No deal.

So what’s the takeaway? Some may be tempted to block the ranges 216.127.64.0 - 216.127.95.255 and 207.44.128.0 - 207.44.255.255. On the other hand, you may want to let your email border security appliance kill it, label it, and/or mangle its phishing URLs, and enjoy the show.
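As an added example (not code from the original post), here is a small Python filter that applies the "label it" option: it reads the topmost Received header, checks the relay IP against the two ranges named above, compares the brand claimed in the From address with the relay, and tags the message instead of dropping it. The CIDR form of the ranges, the constructed sample headers modelled on Pitch #1, and the crude name-match standing in for a real SPF lookup are assumptions of this example.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

# The two ranges from the post as CIDR: 216.127.64.0-216.127.95.255, 207.44.128.0-207.44.255.255.
SUSPECT_NETS = [ipaddress.ip_network("216.127.64.0/19"),
                ipaddress.ip_network("207.44.128.0/17")]
BRANDS = {"paypal.com", "ebay.com"}   # brands impersonated in the two pitches
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def last_hop_ip(msg):
    """IP of the relay that handed us the message (topmost Received header, written by our own MX)."""
    received = msg.get_all("Received") or []
    m = IP_RE.search(received[0]) if received else None
    return ipaddress.ip_address(m.group(1)) if m else None

def assess(raw):
    """Return (reasons, msg); an empty reasons list means nothing matched."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    ip = last_hop_ip(msg)
    if ip and any(ip in net for net in SUSPECT_NETS):
        reasons.append(f"relay {ip} is inside a listed range")
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    top_hop = (msg.get_all("Received") or [""])[0].lower()
    # Crude stand-in for SPF (assumption): mail claiming a brand should arrive
    # through a relay whose name carries the brand domain, not ev1servers.net.
    if from_domain in BRANDS and from_domain not in top_hop:
        reasons.append(f"claims {from_domain} but the relay does not")
    return reasons, msg

def label(raw):
    """Tag instead of drop: mark the subject and record why, for the filter downstream."""
    reasons, msg = assess(raw)
    if reasons:
        subj = msg.get("Subject", "")
        del msg["Subject"]            # no-op if the phisher omitted a subject
        msg["Subject"] = "[PHISH?] " + subj
        msg["X-Phish-Reasons"] = "; ".join(reasons)
    return msg.as_string()

# Constructed sample modelled on Pitch #1's headers (not a captured message).
SAMPLE = """\
Received: from ev1s-216-127-92-36.ev1servers.net (ev1s-216-127-92-36.ev1servers.net [216.127.92.36]) by mx.example.net; Tue, 10 May 2005 09:12:44 -0500
From: service@paypal.com
Subject: Account limited

Dear customer, your access has been limited.
"""
```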

But keep an eye out for Everyones Internet. They seem to be on the verge of becoming a bad habit.