You can see the entire scam message here with its headers. The body is a forged message from PayPal formatted in HTML, which i've posted here in case you want to check it out.
The second Received line shows the message being sent from xxx.lugardesexo.com. The IP address on that line checks out: xxx.lugardesexo.com resolves to 188.8.131.52, and 184.108.40.206 reverse-resolves to ns0.lugardesexo.com.
The message body asks me to log in on a scam page at http://paypal.l8t.com/, which is actually a frame around the real scam page at http://www.sexohuanuco.com/. And where is sexohuanuco.com? It resolves to the same address as the source of the message — 220.127.116.11.
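The check described above (does the host named in the Received line actually resolve to the IP on that line, and does that IP reverse-resolve back into the same domain?) is easy to automate. The following is an added example, not code from the original post; the headers, hostnames, and addresses in it are constructed (TEST-NET ranges and .example names), and the lookup tables stand in for DNS so it runs offline. Real use would swap in socket.gethostbyname and socket.gethostbyaddr.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed sample headers (not the original message). The first Received line
# is the receiving MX; the second names the host that handed the message in.
SAMPLE_HEADERS = """\
Received: from mx.example.org (mx.example.org [203.0.113.5])
\tby inbox.example.org with ESMTP id abc123; Sat, 1 Jan 2005 15:00:00 -0800
Received: from xxx.sender.example (xxx.sender.example [192.0.2.10])
\tby mx.example.org with SMTP id def456; Sat, 1 Jan 2005 14:59:58 -0800
From: "PayPal" <service@paypal.example>
Subject: Your account
"""

# Constructed stand-ins for forward and reverse DNS (assumption: offline tables).
FORWARD = {"xxx.sender.example": "192.0.2.10", "mx.example.org": "203.0.113.5"}
REVERSE = {"192.0.2.10": "ns0.sender.example", "203.0.113.5": "mx.example.org"}

# "from HELO (rdns [ip])" or "from HELO ([ip])"; the rdns part is optional.
RECEIVED_RE = re.compile(
    r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[(\d{1,3}(?:\.\d{1,3}){3})\]\)"
)


def received_lines(raw_headers: str) -> List[str]:
    """Unfold continuation lines and return the Received headers in order."""
    lines: List[str] = []
    for line in raw_headers.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return [l for l in lines if l.lower().startswith("received:")]


def parse_received(line: str) -> Optional[Dict[str, str]]:
    """Extract the claimed HELO name, the receiver's reverse-DNS name, and the IP."""
    m = RECEIVED_RE.search(line)
    if not m:
        return None
    return {"helo": m.group(1), "rdns": m.group(2) or "", "ip": m.group(3)}


def same_domain(a: str, b: str) -> bool:
    """Compare the last two labels (a simplification; a public-suffix list does this properly)."""
    return a.lower().rstrip(".").split(".")[-2:] == b.lower().rstrip(".").split(".")[-2:]


def check_hop(hop: Dict[str, str],
              forward: Callable[[str], Optional[str]],
              reverse: Callable[[str], Optional[str]]) -> Dict[str, object]:
    """The consistency check from the post: name -> IP and IP -> name should agree."""
    claimed = hop["rdns"] or hop["helo"]
    rev = reverse(hop["ip"])
    return {
        "host": claimed,
        "ip": hop["ip"],
        "forward_matches": forward(claimed) == hop["ip"],
        "reverse_name": rev,
        "reverse_same_domain": bool(rev) and same_domain(rev, claimed),
    }


def check_chain(raw_headers: str,
                forward: Callable[[str], Optional[str]] = FORWARD.get,
                reverse: Callable[[str], Optional[str]] = REVERSE.get) -> List[Dict[str, object]]:
    """Run check_hop over every parseable Received line, newest hop first."""
    hops = (parse_received(l) for l in received_lines(raw_headers))
    return [check_hop(h, forward, reverse) for h in hops if h]


if __name__ == "__main__":
    for result in check_chain(SAMPLE_HEADERS):
        print(result)
```

A hop whose host does not resolve to the IP beside it, or whose IP reverse-resolves into an unrelated domain, is the one worth looking at; the hop that passes both tests (as the sending host did in this case) is where the abuse report should go.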
A quick call to traceroute reveals that ev1.net hosts the site:
% traceroute www.sexohuanuco.com
traceroute to sexohuanuco.com (18.104.22.168), 30 hops max, 38 byte packets
 9 216-54-253-2.gen.twtelecom.net (22.214.171.124) 11.643 ms 11.568 ms 11.597 ms
10 ivhou-207-218-245-28.ev1.net (126.96.36.199) 11.553 ms 11.630 ms 11.534 ms
11 ivhou-207-218-245-126.ev1.net (188.8.131.52) 11.636 ms 11.542 ms 11.568 ms
12 ns0.lugardesexo.com (184.108.40.206) 11.659 ms 11.830 ms 11.823 ms

I called EV1's customer service number to report abuse. After getting through the touch-tone menu, i finally got a person and explained the problem. He told me to send my complaint to email@example.com instead. So i wrote a message explaining the whole thing and mailed it off at 4:24 pm.
Both domains, lugardesexo.com and sexohuanuco.com, are registered at Go Daddy. So i called Go Daddy as well. I got through to a person pretty quickly, but she couldn't help me either, and told me to send my report to firstname.lastname@example.org instead. This i did, at 4:34 pm.
At 4:46 pm, i received a reply from the "Ev1servers.net Abuse Team" thanking me for my report.
Dear Sir or Madam,

We appreciate you bringing this to our attention. This issue is currently being investigated. Due to privacy policies we will most likely not be able to provide you with information regarding the outcome of our investigation.

It is now 2:00 am. That's over 9 hours since EV1 said the issue was "being investigated". Go Daddy has not responded. And the scam site is still up, collecting PayPal passwords.
Why hasn't anyone at either company spared the two minutes necessary to glance at the site, recognize that it's an obvious scam, and shut off its network connection?