OT: Ebay scam?

G

gruntfuggly

Newbie
Credits
0CR
[ukvac] OT: Ebay scam?
Sorry for the OT post, but you guys on here all seem to have some in
depth knowledge of eBay so I figure it's a pretty good place to ask.

I recently got stitched up by a seller in the states (no goods, no
emails but took my money) which I referred to the eBay fraud dept.

I have just received the attached email:

Does it look genuine to you?
I did a google search for the address eubpp@ebay.com which turned up a
thread on a spanish forum about some sort of eBay scam, although the
babelfish didn't do a fantastic job of translation...

I have replied asking for the amount awarded and the ID of the
auction...

Nige

Return-Path: <eubpp@ebay.com>
Delivered-To: 972-nige@zaonce.com
Received: (qmail 48294 invoked from network); 8 May 2004 13:38:53 -0000
Received: from outbound1.smf.ebay.com (HELO smf-klm-02.corp.ebay.com)
(66.135.215.134)
by deepthought.34sp.com with SMTP; 8 May 2004 13:38:53 -0000
Received: from [66.135.215.176] (HELO smf-kas-14.corp.ebay.com)
by smf-klm-02.corp.ebay.com (CommuniGate Pro SMTP 4.1.5)
with SMTP id 17584828 for nige@zaonce.com; Sat, 08 May 2004 06:38:22
-0700
Date: Sat, 08 May 2004 06:38:22 -0700
To: <nige@zaonce.com>
Subject: eBay Fraud Protection Claim 175312 - md
(KMM90171725V23428L0KM)
From: eBay Europe Fraud <eubpp@ebay.com>
Reply-To: eBay Europe Fraud <eubpp@ebay.com>
MIME-Version: 1.0
Content-Type: text/plain; charset = "us-ascii"
Content-Transfer-Encoding: quoted-printable
X-Mailer: KANA Response 6.5.0.309
Message-ID: <auto-000017584828@smf-klm-02.corp.ebay.com>

Hello,

Thank you for your cooperation during the investigation of the Fraud
Protection Claim # 175312. I am pleased to inform you that this claim
has been found on your behalf in the amount of =A3Please enter Payout
Amount in =A3.

Our Accounts Payable offices have notified us that they will send
reimbursement to you via wire transfer.

For the wire transfer to be sent, please fill out the information =
below
and reply directly to this email:

Name:
Street Address:
Town:
County:
Country:
Post Code:

Bank Name:
Bank Address:
Bank City:
Bank Country:
Bank Postal Code:
Account Number:
Bank SWIFT/SORT/BLZ code:

If you are uncomfortable in providing the above details in email form, =

please fax the information to us at the number below:

0049 30 69088294

Please make it to my attention and please include your Claim Number.

Please reply to this email with the above information as soon as you =
can
so that I can then forward this information to the Accounts Payable
department.

Thank you for your patience and cooperation.

Regards,

Manon De Koninck
Claims Adjuster
standard purchase protection programme
eBay Trust and Safety

______________________________
eBay
Your Personal Trading Community (tm)

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

Looking for some tips on how to use eBay? Beginning in January we will =

be holding a series of workshops on the boards to answer any questions =

that you may have. The subjects of the workshops will vary from "How =
to
complete the Sell Your Item Form" to "Shops - All you need to know!",
"Direct Debit" and "Seller Verification". To find the Workshops Board, =

click "Community", then "Chat" in the top Navigation Bar. The dates of =

the workshops will be published here, and on the day itself, scroll
down, and you'll find the link to the threaded Workshop board on the
left side of the page.

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 
G

galaxip79

Active member
Credits
34CR
Re: [ukvac] OT: Ebay scam?
> Sorry for the OT post, but you guys on here all seem to have some in
> depth knowledge of eBay so I figure it's a pretty good place to ask.
>
> Return-Path: <eubpp@ebay.com>
> Delivered-To: 972-nige@zaonce.com
> Received: (qmail 48294 invoked from network); 8 May 2004 13:38:53 -0000
> Received: from outbound1.smf.ebay.com (HELO smf-klm-02.corp.ebay.com)
> (66.135.215.134)
> by deepthought.34sp.com with SMTP; 8 May 2004 13:38:53 -0000
> Received: from [66.135.215.176] (HELO smf-kas-14.corp.ebay.com)
> by smf-klm-02.corp.ebay.com (CommuniGate Pro SMTP 4.1.5)
> with SMTP id 17584828 for nige@zaonce.com; Sat, 08 May 2004 06:38:22
> -0700
> Date: Sat, 08 May 2004 06:38:22 -0700
> To: <nige@zaonce.com>
> Subject: eBay Fraud Protection Claim 175312 - md
> (KMM90171725V23428L0KM)
> From: eBay Europe Fraud <eubpp@ebay.com>
> Reply-To: eBay Europe Fraud <eubpp@ebay.com>
> MIME-Version: 1.0
> Content-Type: text/plain; charset = "us-ascii"
> Content-Transfer-Encoding: quoted-printable
> X-Mailer: KANA Response 6.5.0.309
> Message-ID: <auto-000017584828@smf-klm-02.corp.ebay.com>
>

I'd say it was genuine, yes. Consider the header:

> Received: from outbound1.smf.ebay.com (HELO smf-klm-02.corp.ebay.com)
> (66.135.215.134)

Now, the (HELO smf-klm-02.corp.ebay.com) can easilly be forged, but it's
not easy to forge the IP which the connection came from (66.135.215.134).

Now if you do a reverse DNS lookup on the IP, you will see the following:

dragon@linux2:~$ host 66.135.215.134
134.215.135.66.in-addr.arpa domain name pointer outbound1.smf.ebay.com.

So, the hostname does not match exactly, but the IP does belong in ebay's
IP space.

If you then lookup the orignal host:

dragon@linux2:~$ dig smf-klm-02.corp.ebay.com any

; <<>> DiG 9.2.3 <<>> smf-klm-02.corp.ebay.com any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45676
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;smf-klm-02.corp.ebay.com. IN ANY

;; AUTHORITY SECTION:
corp.ebay.com. 300 IN SOA sjc-dns-02.corp.ebay.com.
jddavids.corp.ebay.com. 2004030113 14400 3600 604800 300

;; Query time: 171 msec
;; SERVER: 62.232.81.2#53(62.232.81.2)
;; WHEN: Sat May 8 16:35:09 2004
;; MSG SIZE rcvd: 98

The host doesn't really exist in DNS, but you can see that corp.ebay.com is
a valid DNS record

If you then lookup the mail host with DIG, you will also see it matches up:

; <<>> DiG 9.2.3 <<>> outbound1.smf.ebay.com any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9374
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;outbound1.smf.ebay.com. IN ANY

;; ANSWER SECTION:
outbound1.smf.ebay.com. 3600 IN A 66.135.215.134

;; AUTHORITY SECTION:
smf.ebay.com. 3600 IN NS crocodile.ebay.com.
smf.ebay.com. 3600 IN NS algebra.ebay.com.

;; ADDITIONAL SECTION:
algebra.ebay.com. 3600 IN A 216.32.120.31
crocodile.ebay.com. 11944 IN A 216.32.120.21

;; Query time: 188 msec
;; SERVER: 62.232.81.2#53(62.232.81.2)
;; WHEN: Sat May 8 16:33:10 2004

Finally, you can check the IP really exists within ebay IP space:

whois whois.arin.net 66.135.215.134:

OrgName: eBay, Inc
OrgID: EBAY
Address: 2145 Hamilton Ave
City: San Jose
StateProv: CA
PostalCode: 95008
Country: US

NetRange: 66.135.192.0 - 66.135.223.255
CIDR: 66.135.192.0/19
NetName: EBAY-1
NetHandle: NET-66-135-192-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Assignment
NameServer: SJC-DNS1.EBAYDNS.COM
NameServer: SJC-DNS2.EBAYDNS.COM
NameServer: SMF-DNS1.EBAYDNS.COM
Comment:
RegDate: 2001-07-13
Updated: 2003-02-20

OrgTechHandle: EBAYN-ARIN
OrgTechName: eBay Network
OrgTechPhone: +1-408-376-7400
 
guddler

guddler

Busting vectors like it's 1982!
vacBacker
Feedback
10 (100%)
Credits
4,054CR
Re: [ukvac] OT: Ebay scam?
> I'd say it was genuine, yes. Consider the header:

I'd be VERY suspicious of anything asking for me to fill in bank details
online without giving a phone number to actually speak to someone.

Mail them back and ask them to send a cheque / money order or something to
your address.

Ebay is now a european company as well as a US one, there's therefore no
reason why they wouldn't be able to do just that and post payment to you is
there?

Martin.
 
G

galaxip79

Active member
Credits
34CR
Re: [ukvac] OT: Ebay scam?
> > I'd say it was genuine, yes. Consider the header:
>
> I'd be VERY suspicious of anything asking for me to fill in bank details
> online without giving a phone number to actually speak to someone.

Me too, but the question was about whether the mail was genuine,
not whether it's content was a good practice or not ;-)

The mail most certainly has come from ebay, but as has been said,
if you dont like the content, then call ebay up on their published
support numbers and ask them to confirm the procedure...
 
D

drallsopp

User
Credits
3CR
Re: [ukvac] OT: ebay scam?
Yup, another Phishing attempt, I had the same today. I know for certain they
are scams as 1. they are not sent to my registered ebay address
(ebay@asteroids.......) 2. They are sent to my ISP email (NTL) which I
never ever use beyond checking system messages (invoices) from NTL. I get a
few phishinh attempts a week to my spam trap NTL acct from paypal, western
union, barclays, halifax, washington mutual e.t.c e.t.c

I forward them to spoof@ebay.com for what it's worth.

Cheers.

On 09/05/2005 20:35:52, ukvac@yahoogroups.com wrote:
> http://61.247.252.51/.eBay/index.htm
>
>
>
> this is a scam right?
>
> i keep getting them recently.
>
> thanks for your help.
>
>
>
> GaRy:)
>
 
You must log in or register to reply here.
Top