The best way to tell a spoof from the real thing is to look at the link that is in the email. It may appear to go to ebay, but if you look in the source of the email, you will find the html code that creates the link can point somewhere else entirely, like this:
http://thebubbler.com. If you click that link it will take you to my personal homepage, not to the front page of theBubbler. In the message source, you can find the link that the text is actually pointing to by looking for "a href=". The link immediately after the = is where you would go if you clicked on the link. This link may contain the word "ebay" or "paypal" but if the domain part doesn't _end_ with ebay.com or paypal.com, then odds are good it's a spoof and you should report it as noted above.
It's important when forwarding the email to make sure you're including the "Headers" of the email, as that information is necessary to connect the email with a real person. Some email programs retain the headers when an email is forwarded, but most don't. You can make sure those headers are available to the person at the other end by viewing the "Message Source" and copying all the information above the message content, and then pasting that into the message you're forwarding. They will look something like this, which I took from a spam I got this morning (I've changed the domain and ip numbers for our servers for security reasons):
From:
hansen@thebubbler.com
Subject: Your eBay account has been suspended
Date: February 11, 2007 6:57:43 AM CST
To:
hansen@thebubbler.com
Reply-To:
hansen@thebubbler.com
Return-Path: <cedric.chauveau@imagostudies.com>
Received: from qrtsm.com (prod9mx100.postini.com [xx.xx.x.xx]) by mail.servername.com (x.xx.x/x.xx.x) with SMTP id l1BCkLj83774; Sun, 11 Feb 2007 06:46:26 -0600 (CST) (envelope-from
cedric.chauveau@imagostudies.com)
Received: from source ([60.214.25.64]) by prod9mx100.postini.com ([xx.xx.x.xx]) with SMTP; Sun, 11 Feb 2007 04:57:28 PST
X-Originating-Ip: 136.114.126.11 by smtp.60.214.25.64; Sun, 11 Feb 2007 07:57:43 -0500
Message-Id: <hvnvmcNVXPAhansen@thebubbler.com>
Content-Type: text/plain;
Content-Transfer-Encoding: 7Bit
X-Pstn-Levels: (S: 0.00000/ 0.39852 R:95.9108 P:95.9108 M:97.0282 C:65.6198 )
X-Uidl: /Kk"!bi%#!Kd("!bf5"!
You can also use this information to determine whether or not the email is genuine. See that last "received"? That was received by a server I trust, so I can be moderately sure that the source (60.214.25.62) is correct. You can look up the location of that IP at
http://ws.arin.net/cgi-bin/whois.pl. Doing so tells me it comes from the Asia Pacific area. Following it further back tells me it's sent from Beijing through a network owned by China Network Communications Group Corporation. Odds are good, it's therefore not a legit email from ebay or paypal.
