Hi, I received a PayPal scam invoice using PayPal servers that passed DKIM and was sent through PayPal servers, but has the return path of some other server after it went through PayPal.

Return-Path: <bounces+SRS=/OJZX=s...@cvoedukempen.be>
Received-SPF: Pass (protection.outlook.com: domain of paypal.com designates
 66.211.170.93 as permitted sender) receiver=protection.outlook.com;
 client-ip=66.211.170.93; helo=mx9.phx.paypal.com; pr=C
Received: from mx9.phx.paypal.com (66.211.170.93) by
 DU6PEPF0000A7E1.mail.protection.outlook.com (10.167.8.40) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
 id 15.20.8137.17 via Frontend Transport; Wed, 6 Nov 2024 16:03:32 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=pp-dkim1;
 c=relaxed/relaxed; q=dns/txt; i=@paypal.com; t=1730909010;
 h=From:From:Subject:Date:To:MIME-Version:Content-Type;
From: "serv...@paypal.com" <serv...@paypal.com>
To: billingdepartmen...@cvoedukempen.onmicrosoft.com
Subject: Reminder: You've still got a money request

It's intended for the victim to call the toll-free number to fake PayPal immediately or they will be charged.

  Note from Berkshire Hathaway: Don't recognize the seller? Please contact
  PayPal Support Team immediately at .... If you have any issues, you can
  also contact +... (Toll Free). If you do not reach out, we will proceed
  with the transaction.

I tried the trick of first adding *@paypal.com to the welcomelist then blocking all of paypal.com, but it didn't work. Both were blocked.

welcomelist_auth *@paypal.com
blocklist_from *@paypal.com

None of the KAM PayPal rules are effective here, either.

I can add the phone number and perhaps some body rules and the envelope sender, but is there a more durable way to block these?
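
The header pattern in the message above (From and DKIM d= aligned with paypal.com, an SRS-rewritten Return-Path in another domain, and a To address that is not the final recipient) can be checked mechanically. The following is an added example, not part of the original post and not SpamAssassin code; the .example domains, the recipient address and the SRS hash are constructed, and it assumes mail sent directly by the brand keeps an envelope sender in the brand's domain.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def _aligned(domain, brand):
    return domain == brand or domain.endswith("." + brand)

def relay_findings(raw, brand, recipient):
    """Findings for brand-authenticated mail that reached us via a third party."""
    msg = message_from_string(raw)
    from_dom = _domain(parseaddr(msg.get("From", ""))[1])
    dkim = {m.group(1).lower() for sig in msg.get_all("DKIM-Signature", [])
            for m in [re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)] if m}
    if not (_aligned(from_dom, brand) and any(_aligned(d, brand) for d in dkim)):
        return []  # not brand-authenticated, so this check does not apply
    findings = []
    rp = re.search(r"<([^>]*)>", msg.get("Return-Path", ""))
    rp_addr = rp.group(1) if rp else ""
    if rp_addr and not _aligned(_domain(rp_addr), brand):
        srs = re.match(r"(?:bounces\+)?SRS[01]?=", rp_addr, re.I)
        kind = "srs-rewritten" if srs else "foreign"
        findings.append(f"{kind} envelope sender at {_domain(rp_addr)}")
    seen = msg.get_all("To", []) + msg.get_all("Cc", [])
    if recipient.lower() not in {a.lower() for _, a in getaddresses(seen)}:
        findings.append("recipient not in To/Cc")
    return findings

# Constructed sample modelled on the headers in the post (addresses are placeholders).
SCAM = (
    "Return-Path: <bounces+SRS=AbCd=EF=paypal.com=service@tenant.example>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=pp-dkim1;\n"
    'From: "service@paypal.com" <service@paypal.com>\n'
    "To: billing-list@tenant.example\n"
    "Subject: Reminder: You've still got a money request\n\nbody\n"
)
# Constructed sample of the same message delivered directly, without the relay.
DIRECT = (SCAM
          .replace("bounces+SRS=AbCd=EF=paypal.com=service@tenant.example",
                   "bounce@paypal.com")
          .replace("billing-list@tenant.example", "victim@recipient.example"))

if __name__ == "__main__":
    print(relay_findings(SCAM, "paypal.com", "victim@recipient.example"))
    print(relay_findings(DIRECT, "paypal.com", "victim@recipient.example"))
```

Either finding alone also occurs in legitimate forwarded or BCC'd mail, so in a filter they are better combined and scored than used as a hard block.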