Robin
Site Admin Phishing Squad Team Lead
 Joined: Oct 15, 2003 Posts: 8946
Posted: Sat Mar 26, 2005 4:41 am Post subject: WARNING - Ebay Scam
Date: Sat, 26 Mar 2005 04:09:02 +0100
From: eBay Billing Team <Service@eBay.com>
Reply-To: Support@eBay.com
To: email removed
Subject: You'r Account Need To Verify
Dear eBay valued member,
We recently have determined that different computers have logged onto your eBay account, and multiple password failures were present before the
logons. We now need you to re-confirm your account information to us. If this is not completed by March 29, 2005, we will be forced to suspend your
account indefinitely, as it may have been used for fraudulent purposes. We thank you for your cooperation in this manner.
To confirm your eBay records click here:
http://cgi1.ebay.com/aw-cgi/ebayISAPI.dll?UPdate
We appreciate your support and understanding, as we work together to keep eBay a safe place to trade.
Thank you for your patience in this matter.
Trust and Safety Department
eBay Inc.
Please do not reply to this e-mail as this is only a notification. Mail sent to this address cannot be answered.
Copyright 1995-2005 eBay Inc. All Rights Reserved. Designated trademarks and brands are the property of their respective owners. Use of this Web site
constitutes acceptance of the eBay User Agreement and Privacy Policy. Designated trademarks and brands are the property of their respective owners.
eBay and the eBay logo are trademarks of eBay Inc. eBay is located at 2145 Hamilton Avenue, San Jose, CA 95125.
___________________________
NOTE: Above link actually points to http://portsaid-shop.com/shop/ebay/acounts/memb/avncenter/dll87443/.BayISAPI.dll/hgdas676bsda6gwcv7zfcwfcwf34gfwf23g235f134f3fg3f&bhdfahva68532hbhwseBayISAPI.dllPaymentLanding&ssPageName=hhpayUSf&=userhgads&secure&ssl7r2vbd7d5b.html
___________________________
Headers from the email:
Return-Path: <webserver@aruba.it>
Received: from webs151.aruba.it (webs151.aruba.it [62.149.130.161])
by bugsbunny.castlecops.com (8.13.2/8.13.2) with ESMTP id j2Q38gNk019408
for <email removed>; Fri, 25 Mar 2005 22:08:45 -0500
Received: from webs151 ([127.0.0.1]) by webs151.aruba.it with Microsoft SMTPSVC(6.0.3790.211);
Sat, 26 Mar 2005 04:09:02 +0100
Date: Sat, 26 Mar 2005 04:09:02 +0100
Subject: You'r Account Need To Verify
To: email removed
From: eBay Billing Team <Service@eBay.com>
Reply-To: Support@eBay.com
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-ID: <WEBS151vjvxo6AmX3qr000011a1@webs151.aruba.it>
X-OriginalArrivalTime: 26 Mar 2005 03:09:02.0231 (UTC) FILETIME=[29549A70:01C531B1]
X-NOD32Result: clean
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on
bugsbunny.castlecops.com
X-Spam-Level: ****
X-Spam-Status: No, score=4.0 required=5.6 tests=BAYES_99,HTML_MESSAGE,
HTML_NONELEMENT_00_10,MIME_HTML_ONLY,RCVD_IN_NJABL_SPAM,RCVD_IN_SBL
autolearn=no version=3.0.2
X-Spam-DCCB: SIHOPE-DCC-3
X-Spam-DCCR: bugsbunny.castlecops.com 1085; Body=1 Fuz1=1 Fuz2=110
Oldfrog
Special Response Team
 Joined: Jun 27, 2004 Posts: 8576 Location: Deep in the Heart of Texas
Posted: Sat Mar 26, 2005 12:35 pm
This one was still live as of 0400UTC 26 Mar but was dead by 0800UTC.
_________________
MS MVP Security 2006-2008
Robin
Site Admin Phishing Squad Team Lead
 Joined: Oct 15, 2003 Posts: 8946
Posted: Sun Mar 27, 2005 1:47 am
Thanks for keeping track 
Robin
Site Admin Phishing Squad Team Lead
 Joined: Oct 15, 2003 Posts: 8946
Posted: Sun Mar 27, 2005 2:56 am
Here is another one ...
Date: Sat, 26 Mar 2005 18:14:24 +0100
From: eBay Billing Department <aw-confirm@ebay.com>
To: email removed
Subject: Please Verify Your eBay Identity
From collectibles to cars, buy and sell all kinds of items on eBay
Dear valued eBay member
It has come to our attention that your eBay billing updates are
out of order. If you could please take 5-10 minutes out of your
online experience and update your billing records you will not run
into any future problems with the online service.
Once you have updated your account records your eBay session will not be
interrupted and will continue as normal. Failure to update will result in
cancellation of your account, Terms of Service (TOS) violations or future billing
problems.
To update your eBay records click here:
https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&UsingSSL=1&pUserId=?UPdate
--------Please do not reply to this message--------
eBay Support team
http://www.eBay.com
_________________________
Sign in link actually points to http://www.vertify.net/
A whois on the domain name brings up the following
http://dnsstuff.com/tools/whois.ch?ip=http%3A%2F%2Fwww.vertify.net%2F
_________________________
Headers:
Return-Path: <nobody@ns62.hosteur.com>
Received: from ns62.hosteur.com (ns62.hosteur.com [70.85.36.26])
by bugsbunny.castlecops.com (8.13.2/8.13.2) with ESMTP id j2QHEGDX006055
for <paul@computercops.biz>; Sat, 26 Mar 2005 12:14:17 -0500
Received: from nobody by ns62.hosteur.com with local (Exim 4.44)
id 1DFErg-0005lK-QH
for email removed; Sat, 26 Mar 2005 18:14:24 +0100
To: email removed
Subject: Please Verify Your eBay Identity
From: eBay Billing Department <aw-confirm@ebay.com>
Reply-To: aw-confirm@ebay.com
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id: <E1DFErg-0005lK-QH@ns62.hosteur.com>
Date: Sat, 26 Mar 2005 18:14:24 +0100
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - ns62.hosteur.com
X-AntiAbuse: Original Domain - computercops.biz
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain - ns62.hosteur.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-NOD32Result: clean
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on
bugsbunny.castlecops.com
X-Spam-Level: **
X-Spam-Status: No, score=2.1 required=5.6 tests=BAYES_50,HTML_50_60,
HTML_FONT_BIG,HTML_IMAGE_ONLY_20,HTML_MESSAGE,MIME_HTML_ONLY,
RCVD_IN_BL_SPAMCOP_NET autolearn=no version=3.0.2
X-Spam-DCCB: dcc.uncw.edu
X-Spam-DCCR: bugsbunny.castlecops.com 1201; Body=1 Fuz1=1 Fuz2=1
Oldfrog
Special Response Team
 Joined: Jun 27, 2004 Posts: 8576 Location: Deep in the Heart of Texas
Posted: Sun Mar 27, 2005 3:15 am
Okay, the stakes have just gone up dramatically! This is obviously a fraud from a number of standpoints. Still, while I was attempting to access the URL in IE I was asked to accept a cookie from ebay.com! I really want to understand how they did that. I have never seen that one before.
_________________
MS MVP Security 2006-2008
Robin
Site Admin Phishing Squad Team Lead
 Joined: Oct 15, 2003 Posts: 8946
Posted: Sun Mar 27, 2005 3:35 am
When I loaded it up on firefox, it said that it was downloading from Ebay. Let me see what I can pull up here.
Robin
Site Admin Phishing Squad Team Lead
 Joined: Oct 15, 2003 Posts: 8946
Posted: Sun Mar 27, 2005 3:38 am
Source shows it is pulling info from here http://sides-sos.org/
Check out the aw-cgi/ folder.
Oldfrog
Special Response Team
 Joined: Jun 27, 2004 Posts: 8576 Location: Deep in the Heart of Texas
Posted: Sun Mar 27, 2005 3:43 am
What are you using to look at the folder?
_________________
MS MVP Security 2006-2008
Robin
Site Admin Phishing Squad Team Lead
 Joined: Oct 15, 2003 Posts: 8946
Posted: Sun Mar 27, 2005 3:45 am
Just firefox.
Oldfrog
Special Response Team
 Joined: Jun 27, 2004 Posts: 8576 Location: Deep in the Heart of Texas
Posted: Sun Mar 27, 2005 4:00 am
OMG! I hadn't looked at the link earlier. It is like you are in their CP filemanager!
_________________
MS MVP Security 2006-2008
Robin
Site Admin Phishing Squad Team Lead
 Joined: Oct 15, 2003 Posts: 8946
Posted: Sun Mar 27, 2005 4:10 am
yep... nothing like security 
Oldfrog
Special Response Team
 Joined: Jun 27, 2004 Posts: 8576 Location: Deep in the Heart of Texas
Posted: Sun Mar 27, 2005 4:23 am
Oh, that is funny!
_________________
MS MVP Security 2006-2008