I've been getting these as well. They get DKIM-signed messages and then resend
them to another recipient. Could be automatic forwarding, but they could also be
manually resending it. They do not alter the message, so DKIM passes. So, what's
the deal, you ask?

Inside the "seller's note" is a text about contacting PayPal at some phone
number if you don't recognize the transaction, which is where you'll get
phished, as at that point you're calling the phisher.

So yes, it's phishing. No, DKIM isn't at fault here. If PayPal didn't allow
user-generated content in these emails, this issue would not exist. It's
completely on PayPal's side. I've already reported this instance to them on
Thursday, but I remember many months ago we had the exact topic. PayPal must be
aware, they're just not doing anything about it.

Greetings,
Louis

On Tuesday, December 10, 2024 10:20 PM, Michael Denney via mailop
<mailop@mailop.org> wrote:
> Are they modifying the message as a part of the relay to adjust the phone
> number?
>
> Isn’t DKIM supposed to prevent in-flight modification of emails?
>
> It looks like based upon the headers provided - the original message is DKIM
> signed.
>
> Maybe it’s being stripped out when it’s relayed?
>
> Regardless - when we reached out to PayPal we couldn’t manage to get anyone to
> understand what was happening. Microsoft has been even less helpful.
>
> Thank you,
>
> Michael Denney
> MDDHosting LLC
> https://www.mddhosting.com/
>
> > On Dec 10, 2024, at 2:18 PM, Faisal Misle via mailop <mailop@mailop.org>
> > wrote:
> >
> > No, as far as I understand, that's the name of the forwarder address.
> > Whether a mailbox or a distribution list.
> >
> > Best,
> > Faisal
> >
> > > On Dec 10, 2024, at 7:54 PM, Alessandro Vesely via mailop
> > > <mailop@mailop.org> wrote:
> > >
> > > On Tue 10/Dec/2024 17:49:38 +0100 Laura Atkins wrote:
> > >
> > > > There is a huge amount of replay going on right now with domains that
> > > > are p=reject. Venmo is getting hit - and it’s coming through various
> > > > infrastructures.
> > >
> > > So the To: "noreplies2@highlandspark. store"
> > > <noreplies2@highlandspark.store> line was bogus?
> > >
> > > Best
> > > Ale
> > > --
> > > _______________________________________________
> > > mailop mailing list
> > > mailop@mailop.org
> > > https://list.mailop.org/listinfo/mailop
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
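
An added example, not part of the thread: a receiver-side heuristic for the replay pattern described in the message above, where an unaltered, DKIM-passing message is delivered to a mailbox that its To:/Cc: headers never name. It assumes the receiving MTA writes its own `Authentication-Results` and `Delivered-To` headers; all addresses and domains in the sample are constructed.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample (not from the thread): a signed notification whose To:
# names the original addressee but which was delivered to another mailbox.
REPLAYED = """\
Delivered-To: victim@example.net
Authentication-Results: mx.example.net; dkim=pass header.d=sender.example; spf=fail smtp.mailfrom=relay.example
From: Service <service@sender.example>
To: collector@forwarder.example
Subject: Invoice

Seller's note: call the number below if you don't recognize this.
"""

# Same message delivered to the mailbox it was actually addressed to.
DIRECT = REPLAYED.replace("Delivered-To: victim@example.net",
                          "Delivered-To: collector@forwarder.example")


def dkim_pass_domains(msg):
    """Return the header.d value of every dkim=pass result."""
    domains = set()
    for ar in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", ar, re.I):
            domains.add(m.group(1).lower())
    return domains


def replay_suspect(raw):
    """True when DKIM passes but the delivery address is not an addressee."""
    msg = message_from_string(raw)
    if not dkim_pass_domains(msg):
        return False
    delivered = {a.lower() for _, a in
                 getaddresses(msg.get_all("Delivered-To", []))}
    addressed = {a.lower() for _, a in
                 getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    # Signature intact, yet the recipient was never named in the signed headers.
    return bool(delivered) and delivered.isdisjoint(addressed)
```

Bcc and mailing-list deliveries produce the same mismatch, so treat a hit as one scoring input rather than a verdict.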