Interesting! I'm surprised they forward email that fails SPF at all. Is that
mostly a legacy thing? You don't see much legitimate email that fails SPF
nowadays.
Cheers,
Louis
On Friday, December 13, 2024 10:01 PM, Mark Alley via mailop <mailop@mailop.org>
wrote:
> Based on what I'm seeing in those headers, SRS did not happen because it did
> not satisfy the conditions to have it apply.
>
> SRS will only apply if SPF passed authentication at the time Exchange Online
> (EXO) received it. If it failed SPF auth, EXO won't rewrite the
> RFC5321.mailfrom to preserve the failed result.
>
> - Mark Alley
>
> On 12/13/2024 2:36 PM, Jarland Donnell via mailop wrote:
>
> > Sorry if I missed part of the discussion, but now they're circumventing the
> > SRS headers and Microsoft is straight up spoofing PayPal envelope senders.
> > First catch of this for me was today. Here's a look: https://mxbin.io/89sXAc
> >
> > The logs showing the envelope sender quite clearly as well:
> >
> > 2024-12-13 19:22:25 1tMBF2-0000000F7eV-386r <= serv...@paypal.com
> > H=mail-koreacentralazlp17013079.outbound.protection.outlook.com
> > (SEYPR02CU001.outbound.protection.outlook.com) [40.93.138.79] P=esmtps
> > X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no S=51168 DKIM=paypal.com
> > id=CE.66.22381.7B87C576@ccg01mail10
> > T="You've got a money request" from <serv...@paypal.com> for jarl...@mxroute.com
> >
> > Someone at Microsoft needs to get on this ASAP, and PayPal needs to have
> > more faith in their SPF record and trade that soft fail. This is looking
> > pretty bad. I'm considering this a friendly nudge to anyone watching this
> > mailing list from both companies.
> >
> > On 2024-12-10 10:33, Michael Peddemors via mailop wrote:
> >
> > > Ouch.. getting even harder for recipient spam protections to catch this
> > > guy, given that o365 is also a 'too big to block'..
> > >
> > > Standard PayPal Phone Scam we have seen coming from PayPal's own
> > > infrastructure.. But now via o365.. redacted headers below..
> > >
> > > (PayPal should have stopped this at the source long ago)
> > >
> > > Maybe someone from o365 can confirm this..
> > >
> > > (Also, a duplicate Return-Path problem)
> > >
> > > Return-Path: <bounces+srs=9yaro=td@highlandspark.store>
> > > Received: from mail-psaapc01lp2042.outbound.protection.outlook.com (HELO
> > > APC01-PSA-obe.outbound.protection.outlook.com) (104.47.26.42)
> > > by be.cityemail.com with (TLS_AES_256_GCM_SHA384 encrypted) ESMTPS
> > > (8698d6c0-b705-11ef-8ed5-4730eb8cb971); Tue, 10 Dec 2024 06:46:24 -0800
> > > Received: from SEZPR04MB6682.apcprd04.prod.outlook.com (2603:1096:101:e3::14)
> > > by KL1PR0401MB6465.apcprd04.prod.outlook.com (2603:1096:820:9d::8) with
> > > Microsoft SMTP Server (version=TLS1_2,
> > > cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8207.24;
> > > Tue, 10 Dec 2024 14:46:10 +0000
> > > Received: from JH0PR04MB7411.apcprd04.prod.outlook.com (2603:1096:990:47::6)
> > > by SEZPR04MB6682.apcprd04.prod.outlook.com (2603:1096:101:e3::14) with
> > > Microsoft SMTP Server (version=TLS1_2,
> > > cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8230.18;
> > > Tue, 10 Dec 2024 14:45:59 +0000
> > > Received: from JH0PR04MB7411.apcprd04.prod.outlook.com
> > > ([fe80::f384:c663:7c1c:c4f1]) by JH0PR04MB7411.apcprd04.prod.outlook.com
> > > ([fe80::f384:c663:7c1c:c4f1%2]) with mapi id 15.20.8230.016;
> > > Tue, 10 Dec 2024 14:45:58 +0000
> > > Received: from SG2PR02CA0015.apcprd02.prod.outlook.com (2603:1096:3:17::27)
> > > by KL1PR04MB7210.apcprd04.prod.outlook.com (2603:1096:820:fe::7) with
> > > Microsoft SMTP Server (version=TLS1_2,
> > > cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8230.19;
> > > Tue, 10 Dec 2024 13:40:13 +0000
> > > Received: from SG2PEPF000B66CA.apcprd03.prod.outlook.com
> > > (2603:1096:3:17:cafe::8a) by SG2PR02CA0015.outlook.office365.com
> > > (2603:1096:3:17::27) with Microsoft SMTP Server (version=TLS1_3,
> > > cipher=TLS_AES_256_GCM_SHA384) id 15.20.8230.15 via Frontend Transport;
> > > Tue, 10 Dec 2024 13:40:13 +0000
> > > Authentication-Results: spf=pass (sender IP is 173.0.84.234)
> > > smtp.mailfrom=paypal.com; dkim=pass (signature was verified)
> > > header.d=paypal.com;dmarc=pass action=none header.from=paypal.com;
> > > Received-SPF: Pass (protection.outlook.com: domain of paypal.com designates
> > > 173.0.84.234 as permitted sender) receiver=protection.outlook.com;
> > > client-ip=173.0.84.234; helo=mx10.slc.paypal.com; pr=C
> > > Received: from mx10.slc.paypal.com (173.0.84.234) by
> > > SG2PEPF000B66CA.mail.protection.outlook.com (10.167.240.22) with
> > > Microsoft SMTP Server (version=TLS1_2,
> > > cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8230.7 via
> > > Frontend Transport; Tue, 10 Dec 2024 13:40:12 +0000
> > > DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=pp-dkim1;
> > > c=relaxed/relaxed; q=dns/txt; i=@paypal.com; t=1733837110;
> > > h=From:From:Subject:Date:To:MIME-Version:Content-Type;
> > > bh=4Bo+xEAj0oIFcgcXBsH4ZnETeria/8Hb5NVyfSlIlRE=;
> > > b=J9gaiwmVtu2IwmWXt/DLX1M2PT1cqg2QgfzcQL0bjGpEjM+qf1bZKNquNonM0yUy
> > > A5kq/qTWa0nVF74UCu4H+fPmmPfCEZ8ay8c30nA8l8s4CTVgg1arwjUHxeO60ZZ7
> > > feTp3T41+M6qrsgFAGkGU6FGrmwucVCgtvhONS0vq3cNMwXvm7nMAuaSE45MPRsN
> > > 22JVgGMW3zMAQZEMgz1euMlXcmlwFoI5rnXo28E6usdq/jpZR/jq2Cq9k5QJPEvF
> > > XE5QUY1yA4CwEy+awtojNwsm/B22e7sKozUkWpJPRaElrkKIGUuSadGkk07c+oCM
> > > ECqgrKIHXb8KaospjDRdag==;
> > > Content-Transfer-Encoding: quoted-printable
> > > Content-Type: text/html; charset="UTF-8"
> > > Date: Tue, 10 Dec 2024 05:25:10 -0800
> > > Message-ID: <FD.55.64208.63148576@ccg13mail10>
> > > MIME-Version: 1.0
> > > From: "serv...@paypal.com" <serv...@paypal.com>
> > > To: "noreplies2@highlandspark. store" <noreplies2@highlandspark.store>
> > > Subject: Invoice from JOHN WILLIAMS (0137)
> > > X-MaxCode-Template: RT000238
> > > X-PP-Priority: 0-none-true
> > > PP-Correlation-Id: f930175d3bf65
> > > X-PP-Email-transmission-Id: 2e2f0ff2-b6fa-11ef-bdeb-0580ea13bcaa
> > > X-PP-REQUESTED-TIME: 1733837106251
> > > X-Email-Type-Id: RT000238
> > > AMQ-Delivery-Message-Id: nullval
> > > X-XPT-XSL-Name: nullval
> > > Return-Path: serv...@paypal.com
> > > .....
> >
>
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop