If you look at the received headers, it came from
exprod6ob55.obsmtp.com (64.18.1.190).
The domain obsmtp.com is Postini, and
64.18.1.190 is in netblock 64.18.0.0/20 which is assigned to Postini.
There is no question it came directly from them.
The source 66.123.63.227 is a Pacbell DSL line assigned to a patent law
firm, presumably a Postini customer, that appears to have a zombie
problem.
But I am mostly wondering how a
company which, the last I heard, claims to do spam filtering, sends out
phishes so obvious that when I run them through spamassassin they score 17.0.
Return-Path: <admin@paypal.com>
Received: (qmail 16875 invoked from network); 5 Feb 2007 16:10:40 -0000
Received: from exprod6ob55.obsmtp.com (64.18.1.190)
by mail2.iecc.com with SMTP; 5 Feb 2007 16:10:39 -0000
Received: from source ([66.123.63.227]) by exprod6ob55.postini.com
([64.18.5.12]) with SMTP;
Mon, 05 Feb 2007 08:10:36 PST
Received: from User ([216.211.25.83]) by ntfs1.domain1.local with Microsoft
SMTPSVC(6.0.3790.1830);
Mon, 5 Feb 2007 08:09:30 -0800
From: "PayPal" <admin@paypal.com>
Subject: Please Verify Your Account !
Date: Mon, 5 Feb 2007 11:09:30 -0500
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID: <NTFS15euwdUTaGmvSVM000023f0@ntfs1.domain1.local>
X-OriginalArrivalTime: 05 Feb 2007 16:09:31.0112 (UTC)
FILETIME=[04D48680:01C74940]
Original-sender: admin@paypal.com
<IMG src="https://www.paypal.com/en_US/i/logo/paypal_logo.gif"
border=0></A>� <TABLE cellSpacing=0 cellPadding=0 width=600 align=center
border=0>
<TBODY>
<TR>
<TD colSpan=3><IMG height=2 src="pp.files/pixel.gif"
width=2></TD></TR></TBODY></TABLE>
<P><FONT size=2><FONT face=Verdana>Dear valued�<STRONG><STRONG><SPAN
style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY:
Verdana">PayPal<SUP>�</SUP></SPAN></STRONG>�</STRONG>member</FONT>
:�<BR></FONT><BR></P>
<P><FONT face=Verdana size=2>It has come to our attention that your�<SPAN
style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY:
Verdana"><STRONG>PayPal<SUP>�</SUP></STRONG></SPAN> account information
needs to be�<BR>updated as part of our continuing commitment to protect your
account and to�<BR>reduce the instance of fraud on our website.�</FONT><FONT
face=Verdana size=2><FONT face=Verdana size=2> If you could please take 5-10
minutes�<BR>out of your </FONT><FONT face=Verdana size=2>online </FONT><FONT
face=Verdana size=2>experience and update your personal records you will not
run into�<BR>any future </FONT><FONT face=Verdana size=2>problems with the
online service.
</FONT></P>
<P><FONT face=Verdana size=2>However, failure to update your records will
result in account suspension.�<BR>Please update your records�on or
before�<FONT color=red><STRONG>December 15,
2007</STRONG>.</FONT>�<BR><BR>Once you have updated your account records,
your�<SPAN style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY:
Verdana"><STRONG>PayPal<SUP>�</SUP></STRONG></SPAN> session will not
be�<BR>interrupted and will continue as normal. </FONT></P>
<P><FONT face=Verdana size=2>To update your <SPAN style="FONT-SIZE: 10pt;
COLOR: black; FONT-FAMILY:
Verdana"><STRONG>PayPal<SUP>�</SUP></STRONG></SPAN> records click on the
following link:�<BR></FONT><br><a target="_parent"
href="http://216.169.155.89/~bosco/start.html" target=_self><FONT
face=Verdana
size=2>http://www.paypal.com/cgi-bin/webscr?cmd=_login-run</FONT></A>
<P><FONT face=Verdana size=2></FONT>�</P>
<P><FONT face=Verdana size=2>Thank You. �<BR><SPAN style="FONT-SIZE: 10pt;
COLOR: black; FONT-FAMILY: Verdana"><STRONG>PayPal<SUP>� </SUP><SPAN
style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: Verdana">UPDATE
</SPAN></STRONG><SPAN style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY:
Verdana"><STRONG>TEAM</STRONG></SPAN></SPAN> �����</P>
<P><FONT face=Verdana size=2>Accounts Management As outlined in our User
Agreement, <SPAN style="FONT-SIZE: 10pt COLOR: black FONT-FAMILY:
Verdana"><STRONG>PayPal<SUP>�</SUP></STRONG></SPAN> will�<BR>periodically
send you information about site changes and enhancements. </FONT></P>
<P><FONT face=Verdana size=2>Visit our Privacy Policy </FONT><FONT
face=Verdana size=2>and User Agreement if you have any
questions.�<BR></FONT><a target="_parent"
href="http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/ua/policy_privacy-
outside"><FONT face=Verdana
size=2>http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/ua/policy_privacy
-outside</FONT></A></P>
<P>�</P></FORM></FONT></FONT>