#0 - Dec. 18, 2009, 5:06 p.m.
The embedded URL looks like this (with the HTML linkages removed so nobody can click on it)
account [DOT]] <<removed >> [DOT] net [SLASH] support [SLASH] login.html?ref=
The ref goes to HTML formatted text that makes it look like an apparent Blizz URL added to the URL so your mouseover shows the Blizz link, not the actual one where you'd go if you clicked on it. Your IT guys may want to look at this, they apparently bypassed any domain keys you may have (see the header info posted at the bottom of this message) -- or else you should set them up if you have not! That's very serious, because it means in the eyes of Yahoo, they can legitimately (as far as Yahoo can tell) send emails as YOU!
Here is the text.
Q u o t e:
Greetings,
An investigation of your World of Warcraft account has found strong evidence that the account in question is being sold or traded. As you may not be aware of, this conflicts with Blizzard's EULA under section 4 Paragraph B which can be found here: WoW -> Legal -> End User License Agreement
and Section 8 of the Terms of Use found here: WoW -> Legal -> Terms of Use
The investigation will be continued by Blizzard administration to determine the action to be taken against your account. If your account is found violating the EULA and Terms of Use, your account can, and will be suspended/closed/or terminated. In order to keep this from occurring, you should immediately verify that you are the original owner of the account.
To verify your identity please visit the following webpage:
[DELETED]
Only Account Administration will be able to assist with account retrieval issues. Thank you for your time and attention to this matter, and your continued interest in World of Warcraft.
Sincerely,
Kennalith
Account Administration
Blizzard Entertainment
Based on the IP addres in the header, it was sent from a likely pwned host in NY (212 area code):
Hostname: static-70-107-228-162.ny325.east.verizon.net
ISP: Verizon Internet Services
Type: Cable/DSL
Here is the header (its where you get all the real data to catch these jerks)
[NOTE: I chopped this up to avoid a page busting string]
Q u o t e:
From noreply@blizzard.com Fri Dec 18 01:36:33 2009
X-Apparently-To: **********@yahoo.com via 66.163.178.156; Thu, 17 Dec 2009 17:36:37 -0800
Return-Path: <noreply@blizzard.com>
X-YMailISG:f6ynYtsWLDv6LjQbjbCnoXcydaTjpnxhuwyYDEKyoQbiN0.PT7C6hstA8C5ClmttQYyd1p
SkhMYof5u.4INZ2g6nZScu_yjR1GK63kHsh1YeLvIFgiwAdUjWoHPA72wM5FMmcRCZ
kn3hJ4JEP4sWoL3qKOg.Owm7kDHqWwhHT0BAm1m6UKJWx8wztNC0XudlnyNEjY
h1ecBet0.HOZp76voSyoGxCIomPriLgXqRst8U3o8YC6zojke.E6gfzRLjC70KdIVosyGk
DaDlEtPukQSfy6ZgVQz1fsw73YD8JrLYKgBcV9hCsHE4yR3A6db96oXTJisFZB4dS6m
v5V1b1Jiv0BEVDi731ivlDVDrA5i71tbpfYVwtovLL6GIlGQr0GzESgs8jjIJ5mYxgm9IIJ_gi
M6dkAr2
X-Originating-IP: [70.107.228.162]
Authentication-Results: mta1053.mail.ac4.yahoo.com from=blizzard.com;
domainkeys=neutral (no sig); from=blizzard.com; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO PC-200908040406) (70.107.228.162)
by mta1053.mail.ac4.yahoo.com with SMTP; Thu, 17 Dec 2009 17:36:37 -0800
From: "noreply@blizzard.com" <noreply@blizzard.com>
Subject: Account Verification Needed
To: "********" <********@yahoo.com>
Content-Type: multipart/alternative; charset="utf-8";boundary="xyWf9C5Cj7ksGX5De=_msYG6KpZyuLhHut"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Organization: noreply@blizzard.com
Date: Fri, 18 Dec 2009 09:36:33 +0800
Content-Length: 6614