There is a huge amount of replay going on right now with domains that are p=reject. Venmo is getting hit - and it’s coming through various infrastructures.
There was also a Microsoft one recently that actually came out of Microsoft space - so the originating IP was in Microsoft’s SPF record as well as the message being validly DKIM signed as microsoft.com.

laura

> On 10 Dec 2024, at 16:33, Michael Peddemors via mailop <mailop@mailop.org> wrote:
>
> Ouch.. getting even harder for recipient spam protections to catch this guy, given that o365 is also a 'too big to block'..
>
> Standard Paypal Phone Scam we have seen coming from PayPal's own infrastructure.. But now via o365.. redacted headers below..
>
> (PayPal should have stopped this at the source long ago)
>
> Maybe someone from o365 can confirm this..
>
> (Also, a duplicate Return-Path problem)
>
> Return-Path: <bounces+srs=9yaro=td@highlandspark.store>
> Received: from mail-psaapc01lp2042.outbound.protection.outlook.com (HELO
>   APC01-PSA-obe.outbound.protection.outlook.com) (104.47.26.42)
>   by be.cityemail.com with (TLS_AES_256_GCM_SHA384 encrypted) ESMTPS
>   (8698d6c0-b705-11ef-8ed5-4730eb8cb971); Tue, 10 Dec 2024 06:46:24 -0800
> Received: from SEZPR04MB6682.apcprd04.prod.outlook.com (2603:1096:101:e3::14)
>   by KL1PR0401MB6465.apcprd04.prod.outlook.com (2603:1096:820:9d::8) with
>   Microsoft SMTP Server (version=TLS1_2,
>   cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8207.24; Tue, 10 Dec
>   2024 14:46:10 +0000
> Received: from JH0PR04MB7411.apcprd04.prod.outlook.com (2603:1096:990:47::6)
>   by SEZPR04MB6682.apcprd04.prod.outlook.com (2603:1096:101:e3::14) with
>   Microsoft SMTP Server (version=TLS1_2,
>   cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8230.18; Tue, 10 Dec
>   2024 14:45:59 +0000
> Received: from JH0PR04MB7411.apcprd04.prod.outlook.com
>   ([fe80::f384:c663:7c1c:c4f1]) by JH0PR04MB7411.apcprd04.prod.outlook.com
>   ([fe80::f384:c663:7c1c:c4f1%2]) with mapi id 15.20.8230.016; Tue, 10 Dec 2024
>   14:45:58 +0000
> Received: from SG2PR02CA0015.apcprd02.prod.outlook.com (2603:1096:3:17::27) by
>   KL1PR04MB7210.apcprd04.prod.outlook.com (2603:1096:820:fe::7) with Microsoft
>   SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
>   15.20.8230.19; Tue, 10 Dec 2024 13:40:13 +0000
> Received: from SG2PEPF000B66CA.apcprd03.prod.outlook.com
>   (2603:1096:3:17:cafe::8a) by SG2PR02CA0015.outlook.office365.com
>   (2603:1096:3:17::27) with Microsoft SMTP Server (version=TLS1_3,
>   cipher=TLS_AES_256_GCM_SHA384) id 15.20.8230.15 via Frontend Transport; Tue,
>   10 Dec 2024 13:40:13 +0000
> Authentication-Results: spf=pass (sender IP is 173.0.84.234)
>   smtp.mailfrom=paypal.com; dkim=pass (signature was verified)
>   header.d=paypal.com;dmarc=pass action=none header.from=paypal.com;
> Received-SPF: Pass (protection.outlook.com: domain of paypal.com designates
>   173.0.84.234 as permitted sender) receiver=protection.outlook.com;
>   client-ip=173.0.84.234; helo=mx10.slc.paypal.com; pr=C
> Received: from mx10.slc.paypal.com (173.0.84.234) by
>   SG2PEPF000B66CA.mail.protection.outlook.com (10.167.240.22) with Microsoft
>   SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
>   15.20.8230.7 via Frontend Transport; Tue, 10 Dec 2024 13:40:12 +0000
> DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=pp-dkim1;
>   c=relaxed/relaxed;
>   q=dns/txt; i=@paypal.com; t=1733837110;
>   h=From:From:Subject:Date:To:MIME-Version:Content-Type;
>   bh=4Bo+xEAj0oIFcgcXBsH4ZnETeria/8Hb5NVyfSlIlRE=;
>   b=J9gaiwmVtu2IwmWXt/DLX1M2PT1cqg2QgfzcQL0bjGpEjM+qf1bZKNquNonM0yUy
>   A5kq/qTWa0nVF74UCu4H+fPmmPfCEZ8ay8c30nA8l8s4CTVgg1arwjUHxeO60ZZ7
>   feTp3T41+M6qrsgFAGkGU6FGrmwucVCgtvhONS0vq3cNMwXvm7nMAuaSE45MPRsN
>   22JVgGMW3zMAQZEMgz1euMlXcmlwFoI5rnXo28E6usdq/jpZR/jq2Cq9k5QJPEvF
>   XE5QUY1yA4CwEy+awtojNwsm/B22e7sKozUkWpJPRaElrkKIGUuSadGkk07c+oCM
>   ECqgrKIHXb8KaospjDRdag==;
> Content-Transfer-Encoding: quoted-printable
> Content-Type: text/html; charset="UTF-8"
> Date: Tue, 10 Dec 2024 05:25:10 -0800
> Message-ID: <FD.55.64208.63148576@ccg13mail10>
> MIME-Version: 1.0
> From: "serv...@paypal.com" <serv...@paypal.com>
> To: "noreplies2@highlandspark. store" <noreplies2@highlandspark.store>
> Subject: Invoice from JOHN WILLIAMS (0137)
> X-MaxCode-Template: RT000238
> X-PP-Priority: 0-none-true
> PP-Correlation-Id: f930175d3bf65
> X-PP-Email-transmission-Id: 2e2f0ff2-b6fa-11ef-bdeb-0580ea13bcaa
> X-PP-REQUESTED-TIME: 1733837106251
> X-Email-Type-Id: RT000238
> AMQ-Delivery-Message-Id: nullval
> X-XPT-XSL-Name: nullval
> Return-Path: serv...@paypal.com
> .....
>
>
> --
> "Catch the Magic of Linux..."
> ------------------------------------------------------------------------
> Michael Peddemors, President/CEO LinuxMagic Inc.
> Visit us at http://www.linuxmagic.com @linuxmagic
> A Wizard IT Company - For More Info http://www.wizard.ca
> "LinuxMagic" a Reg. TradeMark of Wizard Tower TechnoServices Ltd.
> ------------------------------------------------------------------------
> 604-682-0300 Beautiful British Columbia, Canada
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop

--
The Delivery Expert

Laura Atkins
Word to the Wise
la...@wordtothewise.com

Delivery hints and commentary: http://wordtothewise.com/blog
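The replay pattern visible in the quoted headers (a valid paypal.com DKIM signature on mail handed over by an outlook.com host, a signed To: that names someone else, two Return-Path headers, an hour-old signature) can be turned into scoring signals at the receiver. This is an added example, not part of either post; the signal names, the `rcpt` placeholder address used to call it, and the 30-minute `max_age` threshold are assumptions, and the sample is abbreviated from the headers above.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample: headers abbreviated from the ones quoted in the thread.
SAMPLE = """\
Return-Path: <bounces+srs=9yaro=td@highlandspark.store>
Received: from mail-psaapc01lp2042.outbound.protection.outlook.com (104.47.26.42)
 by be.cityemail.com with ESMTPS; Tue, 10 Dec 2024 06:46:24 -0800
DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=pp-dkim1; t=1733837110;
 h=From:From:Subject:Date:To:MIME-Version:Content-Type
To: "noreplies2@highlandspark. store" <noreplies2@highlandspark.store>
Subject: Invoice from JOHN WILLIAMS (0137)
Return-Path: serv...@paypal.com

"""

def replay_signals(raw, rcpt, max_age=1800):
    """Return heuristic replay indicators for a message whose DKIM signature
    the receiver has already verified. rcpt is the envelope recipient;
    max_age (seconds) is an assumed threshold, not a standard."""
    msg = email.message_from_string(raw)
    sig = msg.get("DKIM-Signature", "")
    tags = dict(p.strip().split("=", 1) for p in sig.split(";") if "=" in p)
    signals = []
    if len(msg.get_all("Return-Path", [])) > 1:
        signals.append("duplicate-return-path")
    # The signer covered To:, so a To: that never names us means the signed
    # copy was addressed to someone else and re-sent to our recipient.
    signed = [h.strip().lower() for h in tags.get("h", "").split(":")]
    if "to" in signed and rcpt.lower() not in msg.get("To", "").lower():
        signals.append("signed-to-is-not-recipient")
    # Topmost Received is the hop our own MTA recorded.
    top = " ".join(msg.get_all("Received", [""])[0].split())
    host = re.match(r"from\s+(\S+)", top)
    d = tags.get("d", "").lower()
    if host and d and not host.group(1).lower().rstrip(".").endswith("." + d):
        signals.append("relay-outside-signing-domain")
    if "t" in tags and ";" in top:
        received = parsedate_to_datetime(top.rsplit(";", 1)[1].strip())
        if received.timestamp() - int(tags["t"]) > max_age:
            signals.append("signature-older-than-max-age")
    return signals
```

Each signal also fires on legitimate forwarding and mailing-list traffic, so they are inputs to a score rather than a verdict on their own.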