At first glance, with a Subject line like “Ten Ways to Spot Fake Emails,” you must admit, the PayPal email message looks like the perfect phishing ploy. Promise a cure, then wham ‘em when they least expect it.
But this HTML message from PayPal is legit, though fairly lame. Before plodding through PayPal’s salient points, conduct the autopsy, step-by-step.
Message Header: Find the first Received: from line that doesn’t include any of your organization’s servers. This is the server that actually handed the message to you, and the only Received: entry you can trust:
Perform a whois on email-86.paypal.com, and you get PAYPAL.com. When you do a reverse lookup on its IP address, you’ll see the address block is owned by Global Crossing… and listed in the SORBS DNS blocklist. Don’t worry too much about the spammer listing. That’s just PayPal.
Message Source: You see a lot of legit, though unnecessary hyperlinks, like to images.postdirect.com and link.p0.com for gifs and whatnot. Phishers often link to lend legitimacy to their HTML. A whois confirms these as OK. Embedded links, while stringy and phishy looking, are real, too.
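The two checks above, walking the Received: chain to find the server that handed you the message and pulling the link hosts out of the HTML body so you know which domains to whois, are mechanical enough to script. The following is an added example, not code from the post or from PayPal; it runs against a constructed sample message that reuses the hostnames mentioned above, with a documentation-range IP address and example.org standing in for your own organization. It treats the last hop whose receiving ("by") server is yours as the trustworthy entry, since every Received: line below it was written by servers you do not control.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not the one from the post). Hostnames are the
# ones the post mentions; the IP is from the RFC 5737 documentation range and
# the receiving MX (mx1.example.org) is an assumed organization server.
SAMPLE_RAW = """\
Received: from email-86.paypal.com (email-86.paypal.com [192.0.2.86])
\tby mx1.example.org (Postfix) with ESMTP id ABC123
\tfor <user@example.org>; Mon, 1 Jan 2007 10:00:00 -0500
Received: from localhost (localhost [127.0.0.1])
\tby email-86.paypal.com (Postfix) with ESMTP id DEF456;
\tMon, 1 Jan 2007 09:59:58 -0800
From: PayPal <service@paypal.com>
To: user@example.org
Subject: Ten Ways to Spot Fake Emails
Content-Type: text/html

<html><body>
<img src="http://images.postdirect.com/paypal/logo.gif">
<a href="http://link.p0.com/r/abc123">10 ways to recognize fake (spoof) emails</a>
<a href="https://www.paypal.com/">PayPal</a>
</body></html>
"""

# "from <host> (<info>) by <host>" is the part of a Received: line we need.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<from_info>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE | re.DOTALL,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Return the from/by hosts and the connecting IP of one Received: header."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    ip = IP_RE.search(m.group("from_info") or "")
    return {
        "from": m.group("from").lower().rstrip("."),
        "by": m.group("by").lower().rstrip("."),
        "ip": ip.group(1) if ip else None,
    }


def in_domains(host, domains):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def trusted_handoff(raw, org_domains):
    """The external server that handed the message to one of our servers.

    Received: headers are prepended at each hop, so index 0 is the newest.
    Walk down while the receiving server is ours; the last such hop's "from"
    is the only sender host we can trust. Returns None if no hop is ours.
    """
    msg = message_from_string(raw)
    handoff = None
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop is None or not in_domains(hop["by"], org_domains):
            break
        handoff = hop
    return handoff


class LinkCollector(HTMLParser):
    """Collect every href/src URL in an HTML body."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, val in attrs:
            if name in ("href", "src") and val:
                self.urls.append(val)


def link_hosts(raw):
    """Sorted, de-duplicated hostnames referenced by the HTML body."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode(errors="replace")
    collector = LinkCollector()
    collector.feed(body)
    hosts = {urlparse(u).hostname for u in collector.urls}
    return sorted(h for h in hosts if h)


def unexpected_hosts(raw, expected_domains):
    """Link hosts outside the domains the sender is expected to use."""
    return [h for h in link_hosts(raw) if not in_domains(h, expected_domains)]


def sender_domain(raw):
    """Domain of the From: address (what the message claims, not what it proves)."""
    return parseaddr(message_from_string(raw)["From"])[1].split("@")[-1].lower()


if __name__ == "__main__":
    hop = trusted_handoff(SAMPLE_RAW, ["example.org"])
    print("handed to us by:", hop["from"], hop["ip"])
    print("claimed sender domain:", sender_domain(SAMPLE_RAW))
    print("hosts to whois:", unexpected_hosts(SAMPLE_RAW, ["paypal.com"]))
```

For the sample message the hand-off host is email-86.paypal.com, which matches the claimed paypal.com sender, and the hosts flagged for a whois are images.postdirect.com and link.p0.com, exactly the ones the post checks by hand. A mismatch between the hand-off host and the From: domain is the signal that deserves the closest look; the script reports both and leaves the judgement to you.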
Result: The message really came from PayPal. Too bad PayPal and its master, eBay, haven’t learned to stop sending phishy-looking HTML messages that are easy to fake. Instead, they send you a bunch of retread links like Ten Ways to Spot Fake Emails.
You can help your users avoid phishing scams by setting your anti-spam, anti-virus email border security appliance to mangle suspicious HTML content. It should already handle any of the zillions of phishing viruses. If you don’t have one, never click on the links in HTML-formatted messages.
Still want to see what PayPal has to say about phishing? Knock yourself out:
- 10 ways to recognize fake (spoof) emails