The text of the message was as follows:
Date: Mon, 4 Apr 2005 18:37:36 +0200
Subject: Warning ,update your account
Dear PayPal . valued member,
Due to concerns we have for the safety and integrity of the PayPal community we have issued this message.
It has come to our attention that your PayPal account information needs to be updated. If you could please take 5-10 minutes out of your online experience and update your records you will not run into any future problems with the online service. However, failure to update your records will result in account suspension. Please update your records by 8 April 2005.
Once you have updated your account records your PayPal will not be interrupted and will continue as normal. Please follow the link below and update your account information. https://www.paypal.com/cgi-bin/webscr?cmd=_login-run
PayPal Accounts Department
One suspicious sign is that the email message, though showing a "from" address of email@example.com, had an originating IP address associated with the amen-pro.com domain name.
Received: from mail.com (vds-345642.amen-pro.com [22.214.171.124])
Looking at the HTML code for the message showed that the link that appeared to point to www.paypal.com actually pointed to http://www.paypal.com.sdll.us/webscr/index.html, which is not a PayPal website.
So this message is a phishing attempt. If anyone is unfamiliar with phishing, there is an explanation of the term at http://csharpcomputing.com/Security/phishing.htm. It is basically an attempt to dupe unsuspecting users into revealing sensitive information, such as userids, passwords, and bank account numbers.
I reported the spoofed site to PayPal over 5 hours ago, but the site is still up at the moment. I understand that PayPal likely has to deal with a great many reports of spoofed sites, though, since it is one of the most popular Internet payment methods, especially for the eBay auction site. And it is also likely difficult for PayPal to locate an entity with authority to shut down the site and get such an entity to take immediate action.
There is an anti-phishing site, the Anti-Phishing Working Group, where you can submit phishing email and pharming sites used for phishing schemes.
Some antivirus programs will catch some phishing attempts, e.g., Norton AntiVirus reports this one as JS.Trojan.Blinder, which it reports was discovered by Symantec on March 4, 2005, but not all such phishing attempts will be caught by antivirus software.
Sometimes such email scams are sent through mail servers configured as open relays, meaning anyone can send email through them. But when I checked the originating email server for the messages, vds-345642.amen-pro.com [126.96.36.199], with rlytest, it did not appear to be an open relay.