
Defending against a phishing e-mail message

Who sent that e-mail message? Where is the link in the message really taking you?

I previously made the case that Windows users should use Thunderbird for e-mail. When I got a fraudulent e-mail message on Saturday claiming to come from PayPal, Thunderbird offered two lines of defense.

The first was the big warning that the message might be a scam. Indeed it was.

The body of the message was a pretty standard phishing scam, with the usual typos and the true destination of the link hidden.

Please Update Your Account
Dear valued PayPal member:
It has come to out attention that your PayPal account information needs to be updated as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website. If you could please take 5-10 minutes out of your online experience and update your personal records you will not run into any future problems with the online services.
However, failure to update your records will result in account suspension. Please update your records on or before Nov 02, 2007.
Once you have updated your account records, your PayPal session will not be interrupted and will continue as normal.
To update your PayPal records click on the following link: https://www.paypal.com/cgi-bin/webscr?cmd=_login-run

Thunderbird's second line of defense is that it does not fall for the common trick of using hidden JavaScript code to disguise the real destination of a link embedded in the message. In the screen shot below you see that the blue link appears to go to a secure PayPal login page.

This, however, is not the real destination of the link. When the mouse hovers over this link, Thunderbird shows the true destination in the status bar (shown above), a page at mardur.net. Some other e-mail programs reinforce the scam by showing the phony destination in the status bar. They willingly obey hidden JavaScript code. In this case, the code was:

<a onmouseover="window.status='https://www.paypal.com/cgi-bin/webscr?cmd=_login-run';return true"
   onmouseout="window.status=''" target="_blank" href=

The formula, so to speak, for the above trickery is this:

<a onmouseover="window.status='phony-destination';"

The link text itself shows the phony destination. When the mouse moves over the link, the "onmouseover" code runs and writes that same phony destination into the status line, so the status bar agrees with the link text instead of showing the real href. When the mouse moves off the link, the "onmouseout" code resets the status line so that it shows nothing.
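As an added example (not code from the original post), here is a small Node.js script that does what a wary mail client should: it pulls each anchor out of an HTML message body and flags any link whose visible text, or whose window.status script, advertises a different host than the real href. The message body is constructed for the example, and the href host phishing-host.example is a placeholder, not the real page the post traced.

```javascript
// Added example, not from the original post: flag anchors in an HTML e-mail
// whose visible text or status-bar script advertises a different host than
// the real href. Plain regex parsing, so it runs in Node without a DOM.

// Constructed sample body modelled on the trick described in the post.
// The href host is a placeholder, not the real phishing page.
const SAMPLE_BODY = `
<p>To update your PayPal records click on the following link:
<a onmouseover="window.status='https://www.paypal.com/cgi-bin/webscr?cmd=_login-run';return true"
   onmouseout="window.status=''" target="_blank"
   href="http://phishing-host.example/paypal/login.php">https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a></p>
<p>Help: <a href="https://www.example.com/help">https://www.example.com/help</a></p>
`;

// Hostname of a URL string, or null if it does not parse as a URL.
function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch (e) { return null; }
}

// Extract every <a ...>text</a> with its attributes and stripped inner text.
function extractAnchors(html) {
  const anchors = [];
  const anchorRe = /<a\b([^>]*)>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const attrs = {};
    const attrRe = /([\w-]+)\s*=\s*("([^"]*)"|'([^']*)')/g;
    let a;
    while ((a = attrRe.exec(m[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[3] !== undefined ? a[3] : a[4];
    }
    anchors.push({ attrs, text: m[2].replace(/<[^>]+>/g, '').trim() });
  }
  return anchors;
}

// The URL a window.status assignment in an event handler would display.
function statusBarUrl(script) {
  if (!script) return null;
  const m = /window\.status\s*=\s*(['"])(.*?)\1/.exec(script);
  return m ? m[2] : null;
}

// One report object per anchor: real host, advertised hosts, and why it is suspicious.
function analyzeAnchors(html) {
  return extractAnchors(html).map(({ attrs, text }) => {
    const realHost = hostOf(attrs.href);
    const textHost = hostOf(text);
    const statusHost = hostOf(statusBarUrl(attrs.onmouseover));
    const reasons = [];
    if (textHost && realHost && textHost !== realHost) {
      reasons.push('link text shows a different host than the href');
    }
    if (statusHost && realHost && statusHost !== realHost) {
      reasons.push('onmouseover rewrites the status bar to a different host');
    }
    if (attrs.onmouseover && /window\.status/.test(attrs.onmouseover)) {
      reasons.push('script manipulates window.status at all');
    }
    return { href: attrs.href, text, realHost, textHost, statusHost,
             suspicious: reasons.length > 0, reasons };
  });
}

console.log(JSON.stringify(analyzeAnchors(SAMPLE_BODY), null, 2));
```

Running it prints one report per link: the PayPal-looking link is flagged on all three counts, while the plain help link passes. A mail client that applied this check could refuse to render a link whose text and href disagree, which is the same decision Thunderbird makes by ignoring the script.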


Everyone using e-mail needs to be aware that the FROM address of an e-mail message is easily forged. Very, very easily. To see where it really came from, you have to look at the full header of the message, which is normally hidden. In this case, the header showed that it originated from HostGator.com. Specifically, it showed:

from innovas by gator133.hostgator.com with local (Exim 4.68)
  (envelope-from <innovas@gator133.hostgator.com>)

The header also shows the originating IP address. This particular message came from a computer with an IP address of According to dnsstuff.com the machine is in Dallas, Texas, and owned by The Planet. In this case, not very helpful information.
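The header inspection just described can be scripted. Here is an added example (not from the original post) that walks the Received: chain of a raw message from the bottom up to find the first hop, the envelope sender and the first bracketed IP address, then compares the domain of the visible From: address with the envelope-from domain. The headers are constructed for the example: the hop quoting innovas and gator133.hostgator.com mirrors the line in the post, while the From: address, the IP address 192.0.2.10, the dates and the queue ids are placeholders.

```javascript
// Added example, not from the original post: trace a message's origin from its
// Received: headers and compare the visible From: with the envelope sender.

// Constructed sample headers. The hop through gator133.hostgator.com echoes the
// post; the From: address, IP address (documentation range), dates and ids
// are placeholders.
const SAMPLE_RAW = [
  'Received: from gator133.hostgator.com (gator133.hostgator.com [192.0.2.10])',
  '\tby mx.recipient.example with ESMTP id 4RKa1c;',
  '\tSat, 27 Oct 2007 10:12:01 -0500',
  'Received: from innovas by gator133.hostgator.com with local (Exim 4.68)',
  '\t(envelope-from <innovas@gator133.hostgator.com>)',
  '\tid 1Im6Xy-0003Ab-Qk; Sat, 27 Oct 2007 10:11:58 -0500',
  'From: "PayPal" <service@paypal.com>',
  'Subject: Please Update Your Account',
  '',
  'Dear valued PayPal member:',
].join('\r\n');

// Split off the header block, unfold continuation lines, return {name, value} pairs.
function parseHeaders(raw) {
  const headerPart = raw.split(/\r?\n\r?\n/)[0];
  const unfolded = [];
  for (const line of headerPart.split(/\r?\n/)) {
    if (/^[ \t]/.test(line) && unfolded.length) {
      unfolded[unfolded.length - 1] += ' ' + line.trim();
    } else {
      unfolded.push(line);
    }
  }
  return unfolded.map((l) => {
    const i = l.indexOf(':');
    return { name: l.slice(0, i).trim().toLowerCase(), value: l.slice(i + 1).trim() };
  });
}

// Domain part of an address, or null.
function domainOf(addr) {
  return addr && addr.includes('@') ? addr.split('@')[1].toLowerCase() : null;
}

// Report on where the message entered the mail system and whether From: agrees.
function analyzeOrigin(raw) {
  const headers = parseHeaders(raw);
  const received = headers.filter((h) => h.name === 'received').map((h) => h.value);

  // Each relay prepends its own Received: line, so the bottom-most one is the earliest hop.
  const firstHop = received[received.length - 1] || '';
  const envMatch = /envelope-from\s+<([^>]+)>/i.exec(received.join(' '));
  const envelopeFrom = envMatch ? envMatch[1] : null;

  // Walk upward from the earliest hop and take the first bracketed IPv4 literal;
  // a local submission (as here) carries no IP, so the next hop supplies it.
  let originIp = null;
  for (let i = received.length - 1; i >= 0 && originIp === null; i--) {
    const m = /\[(\d{1,3}(?:\.\d{1,3}){3})\]/.exec(received[i]);
    if (m) originIp = m[1];
  }

  const fromHdr = headers.find((h) => h.name === 'from');
  const angle = fromHdr ? /<([^>]+)>/.exec(fromHdr.value) : null;
  const fromAddr = fromHdr ? (angle ? angle[1] : fromHdr.value) : null;
  const fromDomain = domainOf(fromAddr);
  const envelopeDomain = domainOf(envelopeFrom);

  return {
    firstHop, envelopeFrom, originIp, fromAddr, fromDomain, envelopeDomain,
    fromMismatch: Boolean(fromDomain && envelopeDomain && fromDomain !== envelopeDomain),
  };
}

console.log(JSON.stringify(analyzeOrigin(SAMPLE_RAW), null, 2));
```

The report shows the visible From: domain (paypal.com in the sample) disagreeing with the envelope sender at gator133.hostgator.com, which is the mismatch the post describes. Only the Received: line added by your own mail server can be trusted; lines below it were written by whoever handled the message earlier, so the script reads them as claims, not facts.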


Unlike the FROM address and the link text, the Web page you ultimately land on is reliable, because the scammer needs you to reach it. In this case the true destination was unusually obvious--a page at mardur.net. Who is mardur.net? There are two things about a domain that can be traced--the Web site and the domain name.

Based on the publicly available DNS servers for mardur.net, it's obvious the Web site is hosted at HostGator. Only HostGator knows who is paying for the account.

The public contact information for the domain mardur.net is

David Hayter (kgoodsoft@gmail.com)
Fax: +1.565434534
South Street
Loave Sowna
Colombo, P 4543343

I know of no way to verify this information. However, the domain was registered by NameCheap.com and they would know who paid for it. At times good Web sites get hijacked by the bad guys for these phishing scams, so we can't assume that David Hayter is a bad guy. It's a safe bet, however, that neither he nor mardur.net is PayPal.

Be careful out there.

Update. October 28, 2007: See my next posting Test your email program for more on this.