Re: Fake paypal email triggers -7.5 USER_IN_DEF_DKIM_WL From: address is in the default DKIM

2025-01-29 Thread Dave Funk
In part because headers added by servers not trusted by local SA may be considered advisory but not trusted for hard local judgements. I.e., a remote MTA server can put anything in the headers that they want; only trust what you find from your local trusted MTA. On Wed, 29 Jan 2025, Tom Williams

Re: Fake paypal email triggers -7.5 USER_IN_DEF_DKIM_WL From: address is in the default DKIM

2025-01-29 Thread Tom Williams via users
Hi!  Casual observer here, but I have a question about the headers. On 1/29/25 12:23 AM, Niamh Holding wrote: (snip) Authentication-Results: spf=softfail (sender IP is 2a01:111:f403:48::209) smtp.mailfrom=euroland.fr; dkim=pass (signature was verified) header.d=paypal.com;dmarc=pass action

Re: Fake paypal email triggers -7.5 USER_IN_DEF_DKIM_WL From: address is in the default DKIM

2025-01-29 Thread joe a
On 1/29/2025 07:28:13, Greg Troxel wrote: Niamh Holding writes: Given the From: address can be so easily faked is a rule testing its validity a great idea? This seems tricky to figure out. The message's routing is obviously very sketchy. But, it also appears that spamassassin has validated

Re: Fake paypal email triggers -7.5 USER_IN_DEF_DKIM_WL From: address is in the default DKIM

2025-01-29 Thread Greg Troxel
Mark London writes: > Alan, you’ve pointed out the issue with the scam emails. Specifically > with the phone number. Venmo emails are doing something similar. I’m > sure that PayPal and Venmo will not do anything to stop these. PayPal > knows about it. They have warnings on their website abou

Re: Fake paypal email triggers -7.5 USER_IN_DEF_DKIM_WL From: address is in the default DKIM

2025-01-29 Thread Mark London
Alan, you’ve pointed out the issue with the scam emails. Specifically with the phone number. Venmo emails are doing something similar. I’m sure that PayPal and Venmo will not do anything to stop these. PayPal knows about it. They have warnings on their website about the scams. That’s all t

Re: Fake paypal email triggers -7.5 USER_IN_DEF_DKIM_WL From: address is in the default DKIM

2025-01-29 Thread Dave Funk
The examples of this scam that I've seen use that same PayPal comment tactic but then route it to an Office-365 mailbox which has a redirect to the victim's address. So the resultant message has both PayPal & O-365 valid DKIM signatures; not to mention the multiple KB of O-365 header cruft whi

Re: Fake paypal email triggers -7.5 USER_IN_DEF_DKIM_WL From: address is in the default DKIM

2025-01-29 Thread Alan Hodgson
On Wed, 2025-01-29 at 11:23 -0500, Alan via users wrote: > > As far as I can tell, they're valid notifications from PayPal, and > probably useful for legitimate purposes. What the messages are > doing is attempting to trigger sufficient anxiety that the > recipient calls the phone number in the m

Re: Fake paypal email triggers -7.5 USER_IN_DEF_DKIM_WL From: address is in the default DKIM

2025-01-29 Thread Alan via users
As far as I can tell, they're valid notifications from PayPal, and probably useful for legitimate purposes. What the messages are doing is attempting to trigger sufficient anxiety that the recipient calls the phone number in the message, which connects them to a scammer. It will get worse, and

Re: Fake paypal email triggers -7.5 USER_IN_DEF_DKIM_WL From: address is in the default DKIM

2025-01-29 Thread Greg Troxel
Niamh Holding writes: > Given the From: address can be so easily faked is a rule testing its validity > a great idea? This seems tricky to figure out. The message's routing is obviously very sketchy. But, it also appears that spamassassin has validated the DKIM signature from paypal.com. So

Re: Fake paypal email triggers -7.5 USER_IN_DEF_DKIM_WL From: address is in the default DKIM

2025-01-29 Thread Mark London
This is my pet peeve. I set USER_IN_DEF_DKIM_WL to 0.001 a long time ago, and it hasn't affected me at all. But my view is probably not mainstream. As an aside, I've added rules to filter for the recent fake requests for money, that abuse that feature, which exists on PAYPAL and VENMO. Rule

Fake paypal email triggers -7.5 USER_IN_DEF_DKIM_WL From: address is in the default DKIM

2025-01-29 Thread Niamh Holding
Hello Given the From: address can be so easily faked is a rule testing its validity a great idea? Headers- Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on iron.holtain.net X-Spam-Level: X-Spam-Status: No, score=-6.5 required=4.5 autolearn=no autolearn_force=no X-Spa