Anyone whose email address is posted on a web site probably doesn’t bother to identify who sent them viruses anymore. With faked return addresses and the high probability that your only connection to the sender is the fact that they visited your web page sometime in the last month, there really isn’t much point.

Every once in a while, you’ll see something weird.

Today I received what looked like a classic credit-card theft scam: a notice supposedly from PayPal claiming that my account would be canceled unless I re-entered all my credit card information into the linked web page. Right. Normally I just report it to PayPal and delete it, but this one had an attachment instead of a link, and that attachment had been defanged. With a name like www.paypal.com.scr, it was pretty obviously a virus. (The .scr extension, normally used for screen savers on Windows, is often used by viruses because it will be run just like any other program, but it’s less obvious than naming it .exe.)

The really odd part was that it was sent to an address I only use on eBay and PayPal, and they make it really difficult to pick up email addresses these days. I realized that only two groups of people would have that address: people who really did work for eBay or PayPal, or people whom I had recently bought from or sold to on eBay.

A quick search through my email history, and I found two messages sent from the same IP address, both from a seller I had bought from last month.
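An added illustration, not code from the original post: one way to run this kind of search, comparing the IP addresses in a suspicious message's Received headers against saved mail. The sample messages, addresses and function names are constructed, and the example assumes saved messages are available as raw text. Only the Received line written by your own mail server is trustworthy, since a sender can forge the ones below it.

```python
import email
import ipaddress
import re

# Bracketed IPv4 literals as mail servers write them: "from host (name [203.0.113.7])"
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def relay_ips(raw_message):
    """Return the non-internal IPv4 addresses in a message's Received headers."""
    msg = email.message_from_string(raw_message)
    found = []
    for header in msg.get_all("Received", []):
        for text in IP_RE.findall(header):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                continue  # not a valid address, e.g. [999.1.1.1]
            if not any(ip in net for net in INTERNAL) and text not in found:
                found.append(text)
    return found

def senders_sharing_ip(suspect, history):
    """Map each IP in the suspect message to the From values in history that share it."""
    matches = {}
    for ip in relay_ips(suspect):
        senders = [email.message_from_string(m)["From"]
                   for m in history if ip in relay_ips(m)]
        if senders:
            matches[ip] = senders
    return matches

# Constructed sample messages (documentation-range addresses, made-up names).
SUSPECT = (
    "Received: from unknown (HELO paypal.com) ([203.0.113.7])\n"
    "\tby mx.example.net with SMTP; Fri, 14 Nov 2003 10:02:11 -0800\n"
    "From: service@paypal.com\nSubject: Account notice\n\nbody\n"
)
HISTORY = [
    "Received: from pc (dsl-7.isp.example [203.0.113.7])\n"
    "\tby mx.example.net with ESMTP; Mon, 20 Oct 2003 09:00:00 -0700\n"
    "From: seller@isp.example\nSubject: Your item has shipped\n\nbody\n",
    "Received: from mail.shop.example (mail.shop.example [198.51.100.20])\n"
    "\tby mx.example.net with ESMTP; Tue, 21 Oct 2003 12:00:00 -0700\n"
    "From: news@shop.example\nSubject: Sale\n\nbody\n",
]

print(senders_sharing_ip(SUSPECT, HISTORY))
```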

By the time I got around to searching, two things had happened: I had received two more copies from the same source, and Symantec had posted a description of what they were calling W32.Paylap@mm [ed: W32.Mimail.I@mm]. I sent a note to the seller about the virus, suggesting also that he contact his credit card company if he actually filled out the form.

With luck, he’ll catch it before any financial damage is added to the infected computer.
