One of my clients was sent this yesterday:

Return-Path: <bounces+SRS=NC2wj=s...@esbmk.onmicrosoft.com>
Received: from mail.tbi.net
    by mail.tbi.net with LMTP
    id IDNsDitYLmfjLA0AVPRGcQ
    (envelope-from <bounces+SRS=NC2wj=s...@esbmk.onmicrosoft.com>)
    for <MUNGED>; Fri, 08 Nov 2024 13:27:55 -0500
Received: from localhost (localhost [127.0.0.1])
    by amavis.tbi.net (tbi.net) with ESMTP id 2C585AA951
    for <MUNGED>; Fri, 8 Nov 2024 13:27:55 -0500 (EST)
X-Virus-Scanned: Debian amavisd-new at mail.tbi.net
X-Spam-Flag: YES
X-Spam-Score: 13.469
X-Spam-Level: *************
X-Spam-Status: Yes, score=13.469 tagged_above=-9999 required=10
    tests=[DKIMWL_WL_HIGH=-0.34, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
    DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249,
    HTML_MESSAGE=0.001, JR_EXCHANGE=0.01, JR_PHISH_PPAL5=20,
    LOTS_OF_MONEY=0.001, MIME_HTML_ONLY=0.1, POSSIBLE_PAYPAL_PHISH_02=1,
    SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, SYSTEM_INFO=0.01,
    T_JR_BODY_ANYPHONE=0.01, T_JR_EXPLOIT_BAD_URL=0.01,
    T_REMOTE_IMAGE=0.01, T_TBI_MX_CSI_OUTLOOK=0.01,
    USER_IN_DEF_DKIM_WL=-7.5] autolearn=no autolearn_force=no
Authentication-Results: mail.tbi.net (amavisd-new); dkim=pass (2048-bit key)
    header.d=paypal.com
Received: from amavis-in.tbi.net ([127.0.0.1])
    by localhost (mail.tbi.net [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id qK8ezV5YyzJM for <MUNGED>;
    Fri, 8 Nov 2024 13:27:54 -0500 (EST)
Received: from APC01-TYZ-obe.outbound.protection.outlook.com
    (mail-tyzapc01lp2046.outbound.protection.outlook.com [104.47.110.46])
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
    key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits)
    server-digest SHA256)
    (No client certificate requested)
    by mail.tbi.net (tbi.net) with ESMTPS id 2D2DDAA90F
    for <MUNGED>; Fri, 8 Nov 2024 13:27:53 -0500 (EST)
Authentication-Results: spf=pass (sender IP is 66.211.170.94)
    smtp.mailfrom=paypal.com; dkim=pass (signature was verified)
    header.d=paypal.com;dmarc=pass action=none header.from=paypal.com;
Received-SPF: Pass (protection.outlook.com: domain of paypal.com designates
    66.211.170.94 as permitted sender) receiver=protection.outlook.com;
    client-ip=66.211.170.94; helo=mx10.phx.paypal.com; pr=C
DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=pp-dkim1;
    c=relaxed/relaxed;
    q=dns/txt; i=@paypal.com; t=1731081873;
    h=From:From:Subject:Date:To:MIME-Version:Content-Type;
    bh=/SU9ybBUg9+1fwAHSljwojN3W89qQlbWTtk6a9kjKmM=;
    b=cw29yjWqHWZ95AgcBipOut+bx+OSc4Yd70loAVcAuufnmlZz5VaoOGz2Rd+JycC2
    EsYLZ94w81GiVQVmIsiLZlCszPKhuOIP/F1i3Xsa0q4hZMDtuZCJ/qVUWxlPH5xS
    n1HcBuD53mkTwYmEMRJiE3TpMtJdbyyeUKlR7ISztYBsIY+ghhGh+NwsNbawn4q8
    lsMrlYIpdMDJvnyy3bnF1hLON+j4fDfpYKllYx2Gx0B0AsAcGf3yXiBMN4KbKZt9
    so+LfonP5anDBKyvIsEWhAB6E3gwov7znumX+54CCdWOMI8B7a3uUEuobd2mz0QF
    mHE7dWReFbeyNaixUPjnxg==;
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="UTF-8"
Date: Fri, 08 Nov 2024 08:04:33 -0800
Message-ID: <3C.B3.02911.1963E276@ccg01mail10>
MIME-Version: 1.0
From: "serv...@paypal.com" <serv...@paypal.com>
To: billingdepartmen...@esbmk.onmicrosoft.com
Subject: ***SPAM*** This money request has been updated

Same as the OP's spample - no MsgID signing. Indeed interesting.
And what is up with: USER_IN_DEF_DKIM_WL=-7.5? I see what Benny is
saying; good for SA, but doesn't help PayPal at all.

Shame that PayPal, *probably* the largest online financial processor,
doesn't have its act together; bad SPF records and Microsoft Exchange
(66.211.170.93/.94) systems that are Pwned.

Just FYI,

-- Jared Hall
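
The "no MsgID signing" observation can be checked mechanically by comparing the h= tag of each DKIM-Signature with the headers actually present in the message. This is an added example, not part of the original post: the sample message is constructed (only the h= list is taken from the dump above; addresses, Message-ID and the bh=/b= values are placeholders), and `signed_header_report` is a hypothetical helper name.

```python
import email
from collections import Counter

# Constructed sample. The h= list matches the header dump above; every
# other value (domain, selector, addresses, bh=/b=) is a placeholder.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1;
 c=relaxed/relaxed; q=dns/txt; t=1731081873;
 h=From:From:Subject:Date:To:MIME-Version:Content-Type;
 bh=PLACEHOLDER; b=PLACEHOLDER
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="UTF-8"
Date: Fri, 08 Nov 2024 08:04:33 -0800
Message-ID: <constructed-id@example.com>
MIME-Version: 1.0
From: sender@example.com
To: recipient@example.net
Subject: This money request has been updated

<html></html>
"""

def dkim_tags(value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Folding whitespace inside a tag value carries no meaning.
            tags[name.strip()] = "".join(val.split())
    return tags

def signed_header_report(raw):
    """For each DKIM signature, list present headers it does not cover."""
    msg = email.message_from_string(raw)
    present = Counter(k.lower() for k in msg.keys())
    reports = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = dkim_tags(sig)
        listed = Counter(h.lower() for h in tags.get("h", "").split(":") if h)
        reports.append({
            "domain": tags.get("d"),
            # Present but not in h=: can be altered without breaking DKIM.
            "unsigned": sorted(h for h in present
                               if h not in listed and h != "dkim-signature"),
            # Listed more often than present: adding another copy breaks DKIM.
            "oversigned": sorted(h for h, n in listed.items() if n > present[h]),
        })
    return reports
```

On the sample, Message-ID shows up as unsigned while From is oversigned, which matches the h= list in the headers above.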