Breakdown of a phishing email

Updated: November 6th 2013Published: September 28th 2012by Orde Saunders

Mail from ppver.net is not genuine, it is a PayPal phishing scam. Analysis of what makes up a phising email can provide guidance on what should be avoided when creating a legitimate email.

I recently received a PayPal phishing email that escaped the immediate deletion threshold of my spam filter (SpamAssassin). The full source of the email is shown here:

To: redacted
Subject: Account Information
Reply-To: service@ppver.net
From: PayPal <service@ppver.net>
Organization: PayPal
Content-Type: text/html; charset=utf-8
Message-Id: <20120927231513.E8D2E524665@204354.vps-10.com>
Date: Thu, 27 Sep 2012 23:57:22 +0100 (BST)

<html>
  <body>
    <p>
      There has been several attempts to access your account on the 26/09/2012.
    </p>
    <p>
      Please can you confirm your identity by following the link below.
    </p>


    <p>
      <a href="http://26228paypal2360.finityi.com/96280825304324692880?cmd=u5f6u516j4m6v586r5c6d636x526f6i4i5c636" target="_blank">
        http://www.paypal.co.uk/88720009051773530312781824003793240413654778848581
      </a>
    </p>
    <p>
      Yours Sincerely,
    </p>
    <p>
      PayPal Security Department
    </p>
  </body>
</html>

HTML content

The first test is how it looks in an email client. With very basic formatting it's clearly not a branded email from PayPal but it could pass for a plain text email:

There has been several attempts to access your account on the 26/09/2012.

Please can you confirm your identity by following the link below.

http://www.paypal.co.uk/88720009051773530312781824003793240413654778848581

Yours Sincerely,

PayPal Security Department

Probably the best point of this email is the link to the phishing site using the anchor text of a genuine PayPal domain. It's downhill from there, though. The first line contains a grammar mistake ("has" rather than "have") and it uses "yours sincerely" when "yours faithfully" would have been more appropriate but, based on the low standard of copy writing that seems to prevail these days, that's no real indicator of a scam or genuine email.

Text content

Whilst this might possibly have passed off as an HTML email, with an email client set to always show messages as text only the scam starts to break down. As shown below, the real source of the link is much more obvious.

There has been several attempts to access your account on the 26/09/2012.

Please can you confirm your identity by following the link below.

http://www.paypal.co.uk/88720009051773530312781824003793240413654778848581
<http://26228paypal2360.finityi.com/96280825304324692880?cmd=u5f6u516j4m6v586r5c6d636x526f6i4i5c636>

Yours Sincerely,

PayPal Security Department

This is a good advertisement for using a mail client that can be configured to showing all emails as text only and enabling that setting.

SpamAssassin

Now we get into the more technical analysis of the SpamAssassin report and this is where we find the real things to avoid.

  *  0.0 HTML_MESSAGE BODY: HTML included in message
  *  1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
  *  0.3 URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread)
  *      [URIs: finityi.com]
  *  1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
  *  2.0 MIME_HEADER_CTYPE_ONLY 'Content-Type' found without required MIME
  *      headers

HTML message

With the current configuration this has not been given a weighting but shows that HTML content is a signal used by spam filters so for the best chance of an important email getting though you should use a text only email.

Mime only body

If a message only contains text/html MIME parts - that's to say it does not contain a text only message component - it receives a significant penalty. Not providing an text only alternative version of an HTML message is a fairly common omission from many emails and probably the biggest single change most legitimate emails could make to improve their chances of escaping spam filters.

New domain URI

Day Old Bread is a DNS Black List that contains domains registered in the previous five days. New domains are often used by scamers as they have not had the chance to make their way into many security systems as known scam domains. This should not be a problem for established domains.

No reverse DNS

This message was initially received from a host which does not have a reverse DNS entry. This often indicates that the sender's email server was not correctly configured. When setting up an email server that sends directly rather than working through a correctly configured relay at an ISP it is important that the public IP address has a registered reverse DNS entry.

Missing MIME header

This email contains HTML content as set in the Content-Type header but the message does not contain the correct MIME header within the body of the message. This should normally be set correctly by mail clients but if building emails to be sent by a script it is important to check that the message is correctly formatted.

Summary

There are a number of key points when sending messages to bear in mind to minimise the chances of it being marked as spam. Many of these are frequently overlooked when sending emails.

For the best chance of avoiding spam filters send plain text only emails.
Ensure that the message body is in the correct format.
If sending an HTML message then ensure there is a valid text only component to the message.
Ensure that any links within the email are to legitimate domains.
Ensure that the originating mail server has a valid reverse DNS entry.