eBay Safeharbor Department Notice
Fraud Alert ID : xxxxxxxx
Dear eBay member,
You have received this email because you or someone else had used your identity to make false purchases on eBay. For security reasons, we are required to open an investigation on this matter. We treat online fraud seriously and all cases which cannot be resolved between eBay and the other involved party are forwarded for further investigations to the proper authorities. To speed up this process, you are required to verify your personal information against the eBay account registration data we have on file by following the link below.
The English is a little off, but not glaringly so.
Now normally I would immediately throw this in the trash after hovering over the link. Thunderbird usually shows the actual destination of the link and it usually has nothing to do with eBay.
In this case, the URL shown when hovering over it actually says that it goes to eBay. Hmm.
Next, I looked at the headers in detail. Who is this "web24k" and why are they sending me email using:
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Surely eBay would use something other than Outlook Express for emails like this...
I scroll down into the HTML source, and what do I see:
FORM action=http://xxx.xx.xx.xx/.ebay/saw-cgi/eBayISAPIdllSignIn.php
a href="https://signin.ebay.com/ws/eBayISAPI.dll?SignIn"
(I had to mangle that a little to get it past z's https filter.)
Ah, there it is. It looks like it's an https link to eBay, but it's actually a nonsecure link to somewhere else.
Be careful out there....
Cheers,
Scott.