Have seen a few spams that have all the PayPal images (even get the images from the real PayPal site) and list a bunch of dummy IP addresses that my PayPal (I don't have one) account was apparently used from recently, and encourage me to click on the given URL, which goes to [http://www.paypal.update-user-form.com/]. Any request to *.update-user-form.com gets redirected to [http://www.paypal.update-user-form.com/webscr.php?cmd=LogIn], and the domain resolves to the following six IP addresses: 68.142.234.[52..57], which all seem to belong to Yahoo. God knows how people get away with registering DNS entries for sites that couldn't be used for anything other than phishing attempts. I guess someone thought update-user-form.com looked innocent enough.