Benny,

There are a few holes in your theory/assertions:

(1) I know for a fact that this came from PayPal's official transactional servers, in PayPal's IP space. And while the sender (PayPal's customer) was a "bad actor", this wasn't PayPal's actual email server getting hacked. Instead, it was PayPal's deliberate notification they sent on purpose, with all the proper authentication that normally is sent in ALL legit PayPal emails.

(2) I'm about 99.9% certain that all the validations that fail now - passed when it was originally sent/received. It's actually common for such large senders to expire DKIM record validation either quickly (to make spoofing harder!) and/or to manually expire it when they find fraud in recently-sent spams. One or the other, or both, likely happened here. I'm very confident that some (probably all!) of the validation failures that caused some portion of your bad scoring - weren't there if SA had been run against this soon after it was sent.

(3) I'm using SA 4.x, and a few minutes ago, I ran this against SA, and I ran a legit PayPal notification from this SAME IP address, that was sent today - both against SA. "FROM_PAYPAL_SPOOF" never had a hit on either one - but I also have RBLs and URI-lists set to not run in my SA, since I'm doing all that elsewhere - so maybe that disabled FROM_PAYPAL_SPOOF in my system? Or maybe FROM_PAYPAL_SPOOF isn't in SA4? Nevertheless, if this rule is so great and definitive, why is it only scoring 1.2 points? 1.2 points suggests that it might not be 100% immune to false positives! And if your argument is so great, why was your overall SA score ONLY 1.2 points? Do you really think that everyone using SA should "know" to magically block all messages that ONLY score 1.3 points, but have a hit on this rule? Should other SA users have this magical insight about other such SA rules?

I think you destroyed your own argument, with your own evidence. And you seem to be overlooking the fact that these are sent from PayPal servers that also send a MASSIVE amount of legit and transactional emails, including from this actual same IP. For example, in the past 24 hours, my small-ish mail hosting system has 6 legit not-spam PayPal notifications sent from this SAME ip address - all 6 of those were legit.

Rob McEwen, invaluement



------ Original Message ------
From "Benny Pedersen" <m...@junc.eu>
To users@spamassassin.apache.org
Date 2/21/2023 4:03:31 PM
Subject Re: May I get to 0 phishing?

Rob McEwen skrev den 2023-02-21 20:37:

https://pastebin.com/v80qMF99

Content preview:  Invoice from Apple. com (0005) xxx...@example.com, here are
   your invoice details Hello, xxx...@example.com Here's your invoice

Content analysis details:   (1.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
                            [173.0.84.227 listed in wl.mailspike.net]
 1.8 DKIM_ADSP_DISCARD      No valid author signature, domain signs all mail
                            and suggests discarding the rest
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily 
valid
 0.1 DKIM_INVALID           DKIM or DK signature exists, but is not valid
-2.3 RCVD_IN_DNSWL_MED      RBL: Sender listed at https://www.dnswl.org/,
                            medium trust
                            [173.0.84.227 listed in list.dnswl.org]
-2.0 RCVD_IN_HOSTKARMA_W    RBL: Sender listed in HOSTKARMA-WHITE
                        [173.0.84.227 listed in hostkarma.junkemailfilter.com]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.4 KAM_REALLYHUGEIMGSRC   RAW: Spam with image tags with ridiculously huge
                             http urls
 0.0 MIME_QP_LONG_LINE      RAW: Quoted-printable line longer than 76 chars
 0.0 LONG_IMG_URI           Image URI with very long path component - web bug?
 1.0 MSGID_NOFQDN2          Message-ID without a fully-qualified domain name
 0.5 LONGLINE               Line length exceeds 998 character limit, RFC 5322
 1.2 FROM_PAYPAL_SPOOF      From PayPal domain but matches SPOOFED
 0.2 KAM_HUGEIMGSRC         Message contains many image tags with huge http urls
 0.1 DMARC_REJECT           DMARC reject policy
 0.0 LOTS_OF_MONEY          Huge... sums of money
 0.0 T_REMOTE_IMAGE         Message contains an external image

dont know more, but dnswl ? ;)

DMARC_REJECT && FROM_PAYPAL_SPOOF why accept it ?

Reply via email to