Trojan from paypal?

I receive various spoof emails purporting to be from paypal and containing trojans, but one today has the following header :

Return-Path: <spoof-review@paypal.com>
Delivered-To: my email address
Received: (qmail 12027 invoked from network); 24 Jun 2008 00:32:32 -0000
Received: from smtp-a01.internal.boltblue.com (HELO smtp-a01.boltblue.com) ([172.20.8.85])
(envelope-sender <spoof-review@paypal.com>)
by email.backend.boltblue.com (qmail-ldap-1.03) with SMTP
for <my email address>; 24 Jun 2008 00:32:32 -0000
Received: from phx01imail02.phx.paypal.com (mx0.phx.paypal.com [66.211.168.230])
by smtp-a01.boltblue.com (Postfix) with ESMTP id 2BADC76608
for <my email address>; Tue, 24 Jun 2008 01:32:27 +0100 (BST)
DomainKey-Signature: s=dkim; d=paypal.com; c=nofws; q=dns;
h=Received:thread-index:Received:Message-IDate:From:To:
Subject:MIME-Version:Content-Type:
Content-Transfer-Encoding:X-Mailer:Content-Class:
Importanceriority:X-MimeOLE:Return-Path:
X-OriginalArrivalTime;

Kaspersky threw up the following alert

Infected: Trojan program Trojan-Spy.HTML.Paylap.cf [From:<spoof-review@paypal.com>][Subject:Thank you for your email... ZACVL (KMM58152391I96L0KM) pk1][Time:2008/06/24 01:32:32]\text/plain 1.3 KB

The ip address 66.211.168.230 is from ebay, has this been spoofed as well?

OrgName: eBay, Inc
OrgID: EBAY
Address: 2145 Hamilton Ave
City: San Jose
StateProv: CA
PostalCode: 95008
Country: US

NetRange: 66.211.160.0 - 66.211.191.255
CIDR: 66.211.160.0/19
NetName: EBAY-2

Strangely I had only just forwarded a spoof email header to paypal - minus the trojan in the guts - a few minutes previously.
An inside job?

 

My real question is how did they spoof the ip address in the header?
I didn't realise that was possible.

 

Thanks for the links, there's a lot to read there. I never respond to the emails, or download them,just send them on to paypal or whoever ( header only). That one just happened to get through my manual filtering at my email provider. So if I send that header to paypal themselves is there any way that the spammer can "sniff" it as mentioned in one of those links?

 

http://www.pronetworks.org/forum/post-766559.html

In the above post it claims that this type of email did in fact originate at paypal and they are looking into it. This was last May, I'm still getting them - every time I send a report. I get no replies from paypal, however. Could the emails be intercepted?

 

Latest from them has this in the message :
Thread-Topic: follow up on phone call (KMM22142349I96L0KM) pk4
and I've no doubt that Kaspersky will flag it as a trojan in there somewhere.
So is Kaspersky flagging up a false positive or is something nasty coming from paypal? The message is definitely from them as it's in response to a phone call I made.

 

I downloaded the email with the ppk4 identifier and no problem with Kaspersky. The one with the ppk1 identifier was identified as the paylap trojan and Kaspersky has put it in the backup rather than quarantine, so I can't submit it to them without restoring it.