Aha!

That makes perfect sense - and I'm not sure how I overlooked that detail.

Much appreciated for clarifying that.

I too have had no luck getting PayPal to do anything about it, although I 
didn't point out the phishing part as I honestly hadn't noticed that.  I just 
looked at the headers to see if the email was legitimately from PayPal and not 
the content...  rookie mistake.

Thank you,

Michael Denney
MDDHosting LLC
http://www.mddhosting.com/

> On Dec 10, 2024, at 5:00 PM, Louis via mailop <mailop@mailop.org> wrote:
> 
> I've been getting these as well. They get DKIM signed messages and then 
> resend them to another recipient. Could be automatic forwarding, but they 
> could also be manually resending it. They do not alter the message, so DKIM 
> passes. So, what's the deal, you ask?
> 
> Inside the "seller's note" is a text about contacting PayPal at some phone 
> number if you don't recognize the transaction, which is where you'll get 
> phished. As at that point you're calling the phisher.
> 
> So yes, it's phishing. No, DKIM isn't at fault here. If PayPal didn't allow 
> user generated content in these emails, this issue would not exist. It's 
> completely on PayPal's side. I've already reported this instance to them on 
> Thursday, but I remember many months ago we had the exact topic. PayPal must 
> be aware, they're just not doing anything about it.
> 
> 
> Groetjes,
> Louis
> 
> 
> On Tuesday, December 10, 2024 10:20 PM, Michael Denney via mailop 
> <mailop@mailop.org> wrote:
> 
> Are they modifying the message as a part of the relay to adjust the phone 
> number?
> 
> Isn’t DKIM supposed to prevent in-flight modification of emails?
> 
> It looks like, based upon the headers provided, the original message is DKIM 
> signed.
> 
> Maybe it’s being stripped out when it’s relayed?
> 
> Regardless - when we reached out to PayPal we couldn’t manage to get anyone 
> to understand what was happening.  Microsoft has been even less helpful.
> 
> Thank you,
> 
> Michael Denney
> MDDHosting LLC
> https://www.mddhosting.com/
> 
>> On Dec 10, 2024, at 2:18 PM, Faisal Misle via mailop <mailop@mailop.org> 
>> wrote:
>> 
>> No, as far as I understand, that's the name of the forwarder address. 
>> Whether a mailbox or a distribution list.
>> 
>> Best,
>> Faisal
>> 
>>> On Dec 10, 2024, at 7:54 PM, Alessandro Vesely via mailop 
>>> <mailop@mailop.org> wrote:
>>> 
>>> On Tue 10/Dec/2024 17:49:38 +0100 Laura Atkins wrote:
>>>> There is a huge amount of replay going on right now with domains that are 
>>>> p=reject. Venmo is getting hit - and it’s coming through various 
>>>> infrastructures.
>>> 
>>> 
>>> So the To: "noreplies2@highlandspark.store" 
>>> <noreplies2@highlandspark.store> line was bogus?
>>> 
>>> 
>>> Best
>>> Ale
>>> --
>>> 
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> mailop mailing list
>>> mailop@mailop.org
>>> https://list.mailop.org/listinfo/mailop
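
Added example (not written by anyone in this thread): a receiver-side heuristic for the replay described in the quoted message, where an unmodified DKIM-signed notification is resent to new recipients and still passes DKIM. It assumes the receiving MTA supplies the envelope recipient and stamps Authentication-Results; the sample message, its domains and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample with placeholder domains; not the headers from the thread.
SAMPLE = """\
Authentication-Results: mx.recipient.example; dkim=pass header.d=sender.example; dmarc=pass header.from=sender.example
From: Service <service@sender.example>
To: alias@forwarder.example
Subject: Invoice from a seller

Seller's note: if you do not recognize this transaction, call +1 (555) 010-0199.
"""

# Loose phone-number pattern: a digit, 8+ digits/separators, a final digit.
PHONE = re.compile(r"\+?\d[\d\s().-]{8,}\d")


def dkim_pass_domains(msg):
    """Return the header.d domains the receiving MTA recorded as dkim=pass."""
    domains = set()
    for ar in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", ar, re.I):
            domains.add(m.group(1).lower())
    return domains


def replay_signals(raw, envelope_rcpt):
    """List replay traits of a message; envelope_rcpt is the SMTP RCPT TO value.

    These are scoring signals, not verdicts: Bcc, mailing lists and ordinary
    forwarding also deliver mail to recipients missing from To/Cc.
    """
    msg = message_from_string(raw)
    if not dkim_pass_domains(msg):
        return []  # nothing was validly signed, so this is not a DKIM replay
    signals = []
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    listed = {addr.lower() for _, addr in getaddresses(headers)}
    # Signature passes, yet the real recipient was never addressed by the signer.
    if envelope_rcpt.lower() not in listed:
        signals.append("rcpt-not-in-headers")
    # User-generated note carrying a callback number inside a signed notification.
    if PHONE.search(msg.get_payload()):
        signals.append("phone-number-in-body")
    return signals
```

Both signals together on a message signed by a p=reject domain are a reasonable trigger for quarantine or manual review.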