
It sure looks like it came from PayPal, doesn't it? In fact, all but one of the links on the page will take you to an actual page on the PayPal site. Even the link marked "Click Here" appears to take you to the PayPal site, but the HTML code uses a trick which will actually send you to a specific IP address: 66.17.135.28.
Unfortunately, there was no server online at 66.17.135.28 when I first tried to trace it, so I could not find out exactly where the server was located or discover other information about it, nor could I see exactly how much of the PayPal site they duplicated. Crooks send out these spam messages and then put their server online for a short period of time, capturing as much information as they can, but they don't leave it online for long, because they would rather miss out on capturing even more data than allow the authorities the ability to find out where they are.
I can tell you this: the email seems to have originated on a server in Houston, Texas, and PayPal is in San Jose, California.
I was just getting ready to put this article to bed, and thought I would try 66.17.135.28 one more time, and very interestingly I got "No web site is configured at this address." I did a Visual Route trace on it, and got "Analysis: Node '66.17.135.28' was found in 16 hops (TTL=117). It is a HTTP server (running Microsoft-IIS/5.0)."

They apparently don't like tools like Visual Route looking at their server. I have never before had any problems with Visual Route, but while it was looking at 66.17.135.28, all of a sudden I started having all sorts of problems with my computer, particularly related to the display from Visual Route.
Using http://www.ip-to-location.com/free.asp to try to trace 66.17.135.28, it appears they are in Indianapolis, Indiana.

http://www.urgentclick.com/address_trace.php shows the number traces to itself, which means there is not currently a domain name server that points to that IP address.
http://www.arin.net/whois/ traces 66.17.135.28 and shows:

| Network | Address range |
| --- | --- |
| Yipes Communications, Inc. YIPES-BLK7 (NET-66-17-128-0-1) | 66.17.128.0 - 66.17.255.255 |
| DSL Indiana YIPS-DSLIND-S032103 (NET-66-17-135-0-1) | 66.17.135.0 - 66.17.135.127 |

which says that Yipes's router directs all traffic for IP addresses from 66.17.128.0 to 66.17.255.255 (one half of a Class B license), and that specifically the router in Indiana routes traffic from IP addresses 66.17.135.0 to 66.17.135.127 (one half of a Class C license).
I checked 209.120.155.46, which is the router that VisualRoute told me was the router upstream from 66.17.135.28, and http://www.arin.net/whois/ traces 209.120.155.46 to Yipes Communications in San Francisco and shows both a technical and abuse email address for Yipes, so I sent a report to both hostmaster@yipes.com and abuse@yipes.com.
I did further checking, using the IP-address filters of http://www.alltheweb.com/advanced?advanced=1 and http://www.whois.sc/ to identify IP addresses in the 66.17.135.0 - 66.17.135.127 range, which it appears is controlled by DSLindiana, and identified two IP addresses which host servers that have domain names associated with them. 66.17.135.10 appears to be a Linux server (running Apache/1.3.27 (Unix) PHP/4.2.3 mod_ssl/2.8.12 OpenSSL/0.9.7-beta3) with 2 websites:
They have servers at
As far as I can tell, there are no registered domain names on any but the 66.17.135.10 and the 66.17.135.30 servers. That does not necessarily mean that all of the other services are up to no good. They could be private servers just referenced by IP address, or they could be servers with websites currently being developed, either without registered domain names or with domain names that have not yet been spidered by http://www.alltheweb.com, but it certainly looks suspicious.
The Real PayPal site has this page to provide various Security Tips to warn users about how to avoid getting fooled.
There are a number of different PayPal Scams. The message I received was not one of these, but here is information about other PayPal Scams:
Here are reports about this particular scam: