PayPal - phish or foul?


Last time I got one like this I forwarded it (inline, not as an attachment as PayPal requires) to spoof[at]paypal (etc.) and eventually got a response from them that it was legitimate:


Someone - not sure if it was PayPal or found elsewhere - suggested turning off the "Policies" notifications in the "Notification and Information Sharing choices" section of my profile. Which I did. Months later, this new one arrives. And I clicked the link! And the message doesn't even say anything about following the link (so why is it there?). Aaargh ... insufficient caffeine to activate brain - I NEVER click unsolicited links.

But I did click. And I logged in. And I got a non-critical "Out of date page - change your bookmarks if you came via external link," OWTTE. So I logged out and came back in my usual way and changed my password. And saw-confirmed my profile still has policy notifications turned off. So I reported it to SpamCop. Not the above tracker - my actual report contained a little bit of personal identification in the body (STILL not enough caffeine!).

The SC parse doesn't go all the way to the origin which it dismisses as "Internal handoff or trivial forgery." Well, maybe, I don't know. It's a phish or a foul, one or the other. Sent again to spoof[at] too (they don't want to hear from SC). If they say it's legitimate again ... well, they're still sending unsolicited commercial emails - worse than unsolicited in fact. They DID have a policy change today, by the way. Oh well ...

Well, that's interesting - IMO they should then modify the account options (unilaterally, if they're going to be like that) to remove the ineffective opt-out election and, ideally, they should quit sending notifications that look like phishes in a system they've now made more vulnerable to "human engineering" attacks.

That "mail-out" sub-domain (presumably that's what it is), https://email-edg.paypal.com, has the lamest home/landing page - but at least it has one, which is slightly reassuring I suppose.

I just got something from spoof[at] in response to my submission there - consisted of headers only, no body, no attachments, just headers. But it was eBay and PayPal, "all the way down," to borrow a phrase. I'm not sure what to infer from all of that but at least they weren't screaming "danger".

They make it easy to give other people my money, I concede that willingly, and that is their valuable function. But they seem to have some problems with the peripheral parts of the account interface and that allows extra "headroom" for scamming. If I ever get too worried I will just close my account - the ultimate security. Well, almost, I would have to close a bank account or two as well for it to be an absolute safeguard.

