Spoof eBay email Hoax and fake web page scam. Click to go to home page.


Date of Distribution
6th June 2003

Apparent Sender

ebaY Contest

Senders Address (spoof)

invitation to enter a prize draw to win a Ford Explorer

Spoofed Web page/site?

Web page/site


Web page/site origin

Identity Theft method




email hoax

Bank Email Hoax

See our guide to
email hoaxes


See our guides to

First Edition
Book Guide

Book Collecting

Free Utilities...

Worldwide Currency

Auction Watcher

List of
Auction Sites




Spoof eBay email Hoax and fake web page scam
reported & distributed from 6th June 2003


This spoof eBay email was reported and in distribution from 6th June 2003 and we also have an image of the spoof email. These are just image snapshots of the originals, so there is absolutely no code included and none of the links or buttons will now work. The images shown here have been reduced to 80% of the original size

This is an image of the spoof email, so all links will not work as they were intended to. If you would have clicked on the link provided, you would have entered a Spoof website which not only looked very genuine, but it also gleened any sensitive information entered into it (including your user name and password)...

The Email Hoax ...

  Hoax Email Scam Alert
Your name

Your email

Privacy Policy

click here to
use our online
report form
Spoof eBay email Hoax and fake web page scam.

Let's take a look at this email's header. To see the header, you'll need to view the properties of the email. To do this in MS Outlook Express for instance, you'll need to open the email, then select 'Properties' from the 'File' menu. This brings up the properties window, then select the 'Details' tab - this shows the header only information (by selecting 'Message Source', you will see the header and email source code which can be copied and pasted into any report you need to make to us - spoof@millersmiles.co.uk).

Here is a comparison between the headers of a spoofed and a genuine eBay email (parts are highlighted to aid comparison, but the yellow highlights are the important pieces)...

The spoof header:

Return-Path: <info@ebay.com>
Delivered-To: webmaster@millersmiles.co.uk
Received: (qmail 21262 invoked from network); 6 Jun 2003 21:21:49 -0000
Received: from unknown (HELO mail.almtal.net) (
by server16.donhost.co.uk with SMTP; 6 Jun 2003 21:21:49 -0000
Received: from localhost (mail.almtal.net [])
by mail.almtal.net (8.11.6/8.8.7) with SMTP id h56LRD008495
for <auctions@millersmiles.co.uk>; Fri, 6 Jun 2003 23:27:16 +0200
Message-Id: <200306062127.h56LRD008495@mail.almtal.net>
From: <info@ebay.com>
To: <auctions@millersmiles.co.uk>
Subject: ebaY Contest
Date: Fri, 6 Jun 2003 23:27:13 +0200
X-Mailer: sendEmail-1.40
Content-Type: text/html;
Content-Transfer-Encoding: 7bit

The genuine header: (see a copy of this email)

Return-Path: <spoof@ebay.co.uk>
Delivered-To: millersmiles-auctions@millersmiles.co.uk
Received: (qmail 36907 invoked from network); 9 Jun 2003 10:22:29 -0000
Received: from unknown (HELO mx5.smf.ebay.com) (
by server16.donhost.co.uk with SMTP; 9 Jun 2003 10:22:29 -0000
Received: from miami.smf.ebay.com (miami.smf.ebay.com [])
by mx5.smf.ebay.com (8.12.3/8.12.3) with ESMTP id h59AMQG9000488
for <auctions@millersmiles.co.uk>; Mon, 9 Jun 2003 03:22:26 -0700
Received: from rhv-kas-03.corp.ebay.com (rhv-kas-03.corp.ebay.com [])
by miami.smf.ebay.com (8.11.6+Sun/8.11.6) with SMTP id h59AMfZ10198
for <auctions@millersmiles.co.uk>; Mon, 9 Jun 2003 03:22:41 -0700 (PDT)
Message-Id: <200306091022.h59AMfZ10198@miami.smf.ebay.com>
Date: Mon, 09 Jun 2003 03:22:28 -0700
To: millersmiles <auctions@millersmiles.co.uk>
Subject: Re: (KMM72404455V54089L0KM)
From: eBay United Kingdom Customer Support <spoof@ebay.co.uk>
Reply-To: eBay United Kingdom Customer Support <spoof@ebay.co.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset = "us-ascii"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Kana 6.0


See the differences in the highlighted text.....

The 'Received: from Unknown (HELO xxx.xxxx.xxx) part tells us the details of the machine that the email was sent from. In this case, the spoof shows a machine with the ID 'mail.almtal.net' with IP address, whereas eBay's genuine email has come from a machine with the ID mx5.smf.ebay.com and IP address When querying a whois lookup (aka DNS look up, or reverse look up) it is clear that the genuine email has originated from eBay's mail server at IP (eBay, San Jose, CA), whereas the spoof has come from a different machine at an IP address that is owned by someone in Wien, Austria.

The handling mail server has further added an identifier for the sending server, in the case of the spoof, Received: from localhost (mail.almtal.net []) which is either an internal mail server, or a mail server running on the same machine. Whereas, eBay's genuine email, correctly shows that the sending server was identified as miami.smf.ebay.com [ (which again proves to be owned by eBay when conducting a whois lookup).

The email server and mail software version are shown by the handling server as the email is relayed from ISP to ISP, and the spoof shows by mail.almtal.net (8.11.6/8.8.7), which is again NOT eBay's mail server which is shown correctly in the genuine email as by mx5.smf.ebay.com (8.12.3/8.12.3).


This is a mere comparison of an actual spoof email received and a genuine eBay email received, the problem can be more intricat though, and you should also read this document - Identitfy Theft Part 3.


Go to top of page.


Spoof eBay email Hoax and fake web page scam.
© Copyright MillerSmiles.co.uk. All Rights Reserved. .