This is my pet peeve. I set USER_IN_DEF_DKIM_WL to 0.001 a long time
ago, and it hasn't affected me at all.
But my view is probably not mainstream.
As an aside, I've added rules to filter for the recent fake requests for
money, that abuse that feature, which exists on PAYPAL and VENMO.
Rules can be easily created to detect these fake requests, if you look
at some of the examples that come through. They aren't very sophisticated.
FWIW.
Now I'll go back into hiding, - Mark
On 1/29/2025 3:23 AM, Niamh Holding wrote:
Hello
Given the From: address can be so easily faked, is a rule testing its validity a
great idea?
Headers-
Return-Path: <bounces+SRS=4A6bc=u...@smpn7wonogiri.sch.id>
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on iron.holtain.net
X-Spam-Level:
X-Spam-Status: No, score=-6.5 required=4.5 autolearn=no autolearn_force=no
X-Spam-Report:
* 0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
* [40.93.128.29 listed in wl.mailspike.net]
* -0.0 SPF_PASS SPF: sender matches SPF record
* 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
* mail domains are different
* -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
* -7.5 USER_IN_DEF_DKIM_WL From: address is in the default DKIM
* welcome-list
* 0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
* valid
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
* author's domain
* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
* 1.3 RCVD_IN_VALIDITY_RPBL RBL: Relay in Validity RPBL,
* https://senderscore.org/blocklistlookup/
* [40.93.128.29 listed in bl.score.senderscore.com]
* -0.0 T_SCC_BODY_TEXT_LINE No description available.
* 1.0 POSSIBLE_PAYPAL_PHISH_03 Claims to be from paypal, sent to
* Microsoft365 domain - likely fraud if you don't use MSFT365!
* 0.0 T_REMOTE_IMAGE Message contains an external image
* -1.3 DKIMWL_WL_HIGH DKIMwl.org - High trust sender
X-Spam-Relays-Untrusted: [ ip=40.93.128.29
rdns=mail-eastasiaazlp17011029.outbound.protection.outlook.com
helo=HK3PR03CU002.outbound.protection.outlook.com by=iron.holtain.net
ident= envfrom= intl=0 id=8EA1DC000546 auth= msa=0 ] [
ip=2603:1096:405:8e::12 rdns=TYSPR04MB8220.apcprd04.prod.outlook.com
helo=TYSPR04MB8220.apcprd04.prod.outlook.com
by=TYZPR04MB7906.apcprd04.prod.outlook.com ident= envfrom= intl=0
id=15.20.8377.21 auth= msa=0 ] [ ip=2603:1096:820:11b::9
rdns=KL1PR04MB7539.apcprd04.prod.outlook.com
helo=KL1PR04MB7539.apcprd04.prod.outlook.com
by=TYSPR04MB8220.apcprd04.prod.outlook.com ident= envfrom= intl=0
id=15.20.8377.21 auth= msa=0 ] [ ip=fe80::b078:df3:b558:4f13 rdns=
helo=KL1PR04MB7539.apcprd04.prod.outlook.com
by=KL1PR04MB7539.apcprd04.prod.outlook.com ident= envfrom= intl=0 id=
auth= msa=0 ] [ ip=2603:1096:4:b8::34
rdns=SGXP274CA0022.SGPP274.PROD.OUTLOOK.COM
helo=SGXP274CA0022.SGPP274.PROD.OUTLOOK.COM
by=TYZPR04MB7271.apcprd04.prod.outlook.com ident= envfrom= intl=0
id=15.20.8377.21 auth= msa=0 ] [ ip=2603:1096:4:b8:cafe::6f
rdns=SG2PEPF000B66CE.apcprd03.prod.outlook.com
helo=SG2PEPF000B66CE.apcprd03.prod.outlook.com
by=SGXP274CA0022.outlook.office365.com ident= envfrom= intl=0
id=15.20.8398.17 auth= msa=0 ] [ ip=2a01:111:f403:48::209
rdns=EUR03-VI1-obe.outbound.protection.outlook.com
helo=EUR03-VI1-obe.outbound.protection.outlook.com
by=SG2PEPF000B66CE.mail.protection.outlook.com ident= envfrom= intl=0
id=15.20.8398.14 auth= msa=0 ] [ ip=2603:10a6:5:10::31
rdns=DB7P192MB0331.EURP192.PROD.OUTLOOK.COM
helo=DB7P192MB0331.EURP192.PROD.OUTLOOK.COM
by=AS8P192MB2065.EURP192.PROD.OUTLOOK.COM ident= envfrom= intl=0
id=15.20.8377.22 auth= msa=0 ] [ ip=fe80::306f:e2a6:6620:fff0 rdns=
helo=DB7P192MB0331.EURP192.PROD.OUTLOOK.COM
by=DB7P192MB0331.EURP192.PROD.OUTLOOK.COM ident= envfrom= intl=0 id=
auth= msa=0 ] [ ip=2603:10a6:10:120::12
rdns=DB8PR06CA0038.eurprd06.prod.outlook.com
helo=DB8PR06CA0038.eurprd06.prod.outlook.com
by=PAWP192MB2250.EURP192.PROD.OUTLOOK.COM ident= envfrom= intl=0
id=15.20.8377.22 auth= msa=0 ] [ ip=2603:10a6:10:120:cafe::e9
rdns=DU2PEPF00028CFD.eurprd03.prod.outlook.com
helo=DU2PEPF00028CFD.eurprd03.prod.outlook.com
by=DB8PR06CA0038.outlook.office365.com ident= envfrom= intl=0
id=15.20.8377.22 auth= msa=0 ] [ ip=66.211.170.90
rdns=mx4.phx.paypal.com helo=mx4.phx.paypal.com
by=DU2PEPF00028CFD.mail.protection.outlook.com ident= envfrom= intl=0
id=15.20.8398.14 auth= msa=0 ]
X-Spam-Language: en
X-Spam-DKIM-i: @paypal.com
X-Spam-DKIM-d: paypal.com
X-Original-To: ni...@fullbore.co.uk
Delivered-To: niamh.fullb...@iron.holtain.net
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=40.93.128.29;
helo=hk3pr03cu002.outbound.protection.outlook.com;
envelope-from=bounces+srs=4a6bc=u...@smpn7wonogiri.sch.id; receiver=<UNKNOWN>
DMARC-Filter: OpenDMARC Filter v1.4.2 iron.holtain.net 8EA1DC000546
Authentication-Results: iron.holtain.net; dmarc=pass (p=reject dis=none)
header.from=paypal.com
Authentication-Results: iron.holtain.net; spf=pass
smtp.mailfrom=smpn7wonogiri.sch.id
DKIM-Filter: OpenDKIM Filter v2.11.0 iron.holtain.net 8EA1DC000546
Authentication-Results: iron.holtain.net;
dkim=pass (2048-bit key, unprotected) header.d=paypal.com
header.i=@paypal.com header.a=rsa-sha256 header.s=pp-dkim1 header.b=Ti5ZlN8t
Received: from HK3PR03CU002.outbound.protection.outlook.com
(mail-eastasiaazlp17011029.outbound.protection.outlook.com [40.93.128.29])
by iron.holtain.net (Postfix) with ESMTPS id 8EA1DC000546
for <ni...@fullbore.co.uk>; Tue, 28 Jan 2025 18:08:36 +0000 (GMT)
Received: from TYSPR04MB8220.apcprd04.prod.outlook.com (2603:1096:405:8e::12)
by TYZPR04MB7906.apcprd04.prod.outlook.com (2603:1096:405:a9::11) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8377.21; Tue, 28 Jan
2025 18:08:28 +0000
Received: from KL1PR04MB7539.apcprd04.prod.outlook.com (2603:1096:820:11b::9)
by TYSPR04MB8220.apcprd04.prod.outlook.com (2603:1096:405:8e::12) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8377.21; Tue, 28 Jan
2025 18:08:00 +0000
Received: from KL1PR04MB7539.apcprd04.prod.outlook.com
([fe80::b078:df3:b558:4f13]) by KL1PR04MB7539.apcprd04.prod.outlook.com
([fe80::b078:df3:b558:4f13%3]) with mapi id 15.20.8377.021; Tue, 28 Jan 2025
18:07:59 +0000
Received: from SGXP274CA0022.SGPP274.PROD.OUTLOOK.COM (2603:1096:4:b8::34) by
TYZPR04MB7271.apcprd04.prod.outlook.com (2603:1096:400:44f::6) with Microsoft
SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.8377.21; Tue, 28 Jan 2025 17:50:17 +0000
Received: from SG2PEPF000B66CE.apcprd03.prod.outlook.com
(2603:1096:4:b8:cafe::6f) by SGXP274CA0022.outlook.office365.com
(2603:1096:4:b8::34) with Microsoft SMTP Server (version=TLS1_3,
cipher=TLS_AES_256_GCM_SHA384) id 15.20.8398.17 via Frontend Transport; Tue,
28 Jan 2025 17:50:17 +0000
Authentication-Results: spf=softfail (sender IP is 2a01:111:f403:48::209)
smtp.mailfrom=euroland.fr; dkim=pass (signature was verified)
header.d=paypal.com;dmarc=pass action=none header.from=paypal.com;
Received-SPF: SoftFail (protection.outlook.com: domain of transitioning
euroland.fr discourages use of 2a01:111:f403:48::209 as permitted sender)
Received: from EUR03-VI1-obe.outbound.protection.outlook.com
(2a01:111:f403:48::209) by SG2PEPF000B66CE.mail.protection.outlook.com
(2603:1096:f:fff5:0:1:0:5) with Microsoft SMTP Server (version=TLS1_3,
cipher=TLS_AES_256_GCM_SHA384) id 15.20.8398.14 via Frontend Transport; Tue,
28 Jan 2025 17:50:16 +0000
Received: from DB7P192MB0331.EURP192.PROD.OUTLOOK.COM (2603:10a6:5:10::31) by
AS8P192MB2065.EURP192.PROD.OUTLOOK.COM (2603:10a6:20b:5bd::19) with Microsoft
SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.8377.22; Tue, 28 Jan 2025 17:50:13 +0000
Received: from DB7P192MB0331.EURP192.PROD.OUTLOOK.COM
([fe80::306f:e2a6:6620:fff0]) by DB7P192MB0331.EURP192.PROD.OUTLOOK.COM
([fe80::306f:e2a6:6620:fff0%5]) with mapi id 15.20.8377.021; Tue, 28 Jan 2025
17:50:13 +0000
Received: from DB8PR06CA0038.eurprd06.prod.outlook.com (2603:10a6:10:120::12)
by PAWP192MB2250.EURP192.PROD.OUTLOOK.COM (2603:10a6:102:34e::21) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8377.22; Tue, 28 Jan
2025 17:49:51 +0000
Received: from DU2PEPF00028CFD.eurprd03.prod.outlook.com
(2603:10a6:10:120:cafe::e9) by DB8PR06CA0038.outlook.office365.com
(2603:10a6:10:120::12) with Microsoft SMTP Server (version=TLS1_3,
cipher=TLS_AES_256_GCM_SHA384) id 15.20.8377.22 via Frontend Transport; Tue,
28 Jan 2025 17:49:51 +0000
Authentication-Results-Original: spf=pass (sender IP is 66.211.170.90)
smtp.mailfrom=paypal.com; dkim=pass (signature was verified)
header.d=paypal.com;dmarc=pass action=none header.from=paypal.com;
Received-SPF: Pass (protection.outlook.com: domain of paypal.com designates
66.211.170.90 as permitted sender) receiver=protection.outlook.com;
client-ip=66.211.170.90; helo=mx4.phx.paypal.com; pr=C
Received: from mx4.phx.paypal.com (66.211.170.90) by
DU2PEPF00028CFD.mail.protection.outlook.com (10.167.242.181) with Microsoft
SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.8398.14 via Frontend Transport; Tue, 28 Jan 2025 17:49:50 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=pp-dkim1; c=relaxed/relaxed;
q=dns/txt; i=@paypal.com; t=1738086589;
h=From:From:Subject:Date:To:MIME-Version:Content-Type;
bh=x4gXgJPzgMJS4s6SslPDX50DN37l6UgxYv1Fke0blj4=;
b=Ti5ZlN8t9vOP4oHPw6S7EFSv5qCloXAAcGFhN1UUYPh8b+kHEbenBvfdHtOlBzCF
7lCfc0LH2NGC6vIhFkmbmn490P6XkzLMgQwi9IcUaQTZrUIeD8r5YPRT5b/Y4RmA
VqAbuOE/7S20QxDlpoCqOprRhS/39AvB5W/QuCyzPn6uf+IjwQjyd7f8imwXsGGD
O+hiNma12uuMIgpeuAdk5PNYrZJv9UZA6Ta9OZP1LyowQPFIdPaIJf4ACHUkBGaa
fChq5r8wr7lBUGY/5ft8dfpmzcj3QiEcytLWYQ4niDlTJAMZcPI3OSuoyiwXjFJq
yuYqt5ZZhMyeauUvreQNbw==;
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="UTF-8"
Date: Tue, 28 Jan 2025 09:49:49 -0800
Message-ID: <AD.CB.51299.DB819976@ccg01mail06>
MIME-Version: 1.0
From: "serv...@paypal.com" <serv...@paypal.com>
To: Sharon Turner <order_stat...@euroland.onmicrosoft.com>
Subject: You've sent a money request
X-MaxCode-Template: RT000241
X-PP-Priority: 0-paypal-false
PP-Correlation-Id: f388091b585de
X-PP-Email-transmission-Id: 44cd845b-dda0-11ef-bbbe-0f3c32714b27
X-PP-REQUESTED-TIME: 1738086577206
X-Email-Type-Id: RT000241
AMQ-Delivery-Message-Id: nullval
X-XPT-XSL-Name: nullval
X-EOPAttributedMessage: 1
X-MS-TrafficTypeDiagnostic:
DU2PEPF00028CFD:EE_|PAWP192MB2250:EE_|AS8P192MB2065:EE_|SG2PEPF000B66CE:EE_|TYZPR04MB7271:EE_|TYSPR04MB8220:EE_|TYZPR04MB7906:EE_
X-MS-Office365-Filtering-Correlation-Id: 198a6f79-7e5b-4b79-7cbb-08dd3fc43981
X-Moderation-Data: 1/28/2025 5:50:06 PM
X-LD-Processed: 597638ac-1f39-416f-b8b6-2a57af6395fe,ExtAddr
X-Auto-Response-Suppress: DR, OOF, AutoReply
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS8P192MB2065
X-EOPTenantAttributedMessage: 7ab5503a-6b18-41b1-ab89-bb02ef5b5daf:0
X-MS-Exchange-Transport-CrossTenantHeadersStripped:
SG2PEPF000B66CE.apcprd03.prod.outlook.com
X-MS-Exchange-Transport-CrossTenantHeadersPromoted:
SG2PEPF000B66CE.apcprd03.prod.outlook.com
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id-Prvs:
5c11a4de-9c64-4aae-d96a-08dd3fc42a48
X-Moderation-Data: 1/28/2025 6:07:58 PM
X-LD-Processed: 7ab5503a-6b18-41b1-ab89-bb02ef5b5daf,ExtAddr,ExtAddr
X-OriginatorOrg: smpn7wonogiri.sch.id
X-MS-Exchange-CrossTenant-Network-Message-Id:
198a6f79-7e5b-4b79-7cbb-08dd3fc43981
X-MS-Exchange-CrossTenant-Id: 7ab5503a-6b18-41b1-ab89-bb02ef5b5daf
X-MS-Exchange-CrossTenant-AuthSource: SG2PEPF000B66CE.apcprd03.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 28 Jan 2025 18:07:59.9852
(UTC)
X-MS-Exchange-Transport-CrossTenantHeadersStamped: TYZPR04MB790
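Added example, not part of this thread and not SpamAssassin's own code: a small Python script that parses the folded X-Spam-Report shown above (the report text is embedded as a constructed copy of what the message carried) and recomputes the total with the `score USER_IN_DEF_DKIM_WL 0.001` change Mark describes, so you can see what that one local.cf line would have done to this particular message before touching a live config. The threshold of 4.5 is taken from the X-Spam-Status line; the function and variable names are my own.

```python
import re
from decimal import Decimal

# Constructed sample: the X-Spam-Report body from the message in this thread,
# in SpamAssassin's folded form. A "*" line that starts with a score opens a
# rule hit; a "*" line without a score continues the previous description.
SAMPLE_REPORT = """\
* 0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
* [40.93.128.29 listed in wl.mailspike.net]
* -0.0 SPF_PASS SPF: sender matches SPF record
* 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
* mail domains are different
* -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
* -7.5 USER_IN_DEF_DKIM_WL From: address is in the default DKIM
* welcome-list
* 0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
* valid
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
* author's domain
* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
* 1.3 RCVD_IN_VALIDITY_RPBL RBL: Relay in Validity RPBL,
* https://senderscore.org/blocklistlookup/
* [40.93.128.29 listed in bl.score.senderscore.com]
* -0.0 T_SCC_BODY_TEXT_LINE No description available.
* 1.0 POSSIBLE_PAYPAL_PHISH_03 Claims to be from paypal, sent to
* Microsoft365 domain - likely fraud if you don't use MSFT365!
* 0.0 T_REMOTE_IMAGE Message contains an external image
* -1.3 DKIMWL_WL_HIGH DKIMwl.org - High trust sender
"""

# "* <score> <RULE_NAME> <description>"; continuation lines have no score.
RULE_LINE = re.compile(r"^\s*\*\s+(-?\d+\.\d+)\s+([A-Z0-9_]+)\s*(.*)$")


def parse_report(report):
    """Return a list of (rule_name, score, description) tuples from an X-Spam-Report."""
    hits = []
    for line in report.splitlines():
        m = RULE_LINE.match(line)
        if m:
            hits.append([m.group(2), Decimal(m.group(1)), m.group(3).strip()])
        elif hits and line.lstrip().startswith("*"):
            # Folded continuation of the previous rule's description.
            hits[-1][2] += " " + line.lstrip("* ").strip()
    return [tuple(h) for h in hits]


def rescore(hits, overrides):
    """Recompute the total, replacing per-rule scores as local.cf 'score' lines would.

    Decimal keeps the arithmetic exact so it matches what SpamAssassin reports.
    """
    total = Decimal("0")
    for name, score, _ in hits:
        total += Decimal(str(overrides.get(name, score)))
    return total


def verdict(total, required=Decimal("4.5")):
    """Apply the required= threshold from X-Spam-Status."""
    return "spam" if total >= required else "ham"


if __name__ == "__main__":
    hits = parse_report(SAMPLE_REPORT)
    default_total = rescore(hits, {})
    tweaked_total = rescore(hits, {"USER_IN_DEF_DKIM_WL": "0.001"})
    print(f"stock scores      : {default_total:+.3f} -> {verdict(default_total)}")
    print(f"DEF_DKIM_WL=0.001 : {tweaked_total:+.3f} -> {verdict(tweaked_total)}")
    for name, score, desc in hits:
        if name in ("USER_IN_DEF_DKIM_WL", "DKIMWL_WL_HIGH",
                    "HEADER_FROM_DIFFERENT_DOMAINS", "POSSIBLE_PAYPAL_PHISH_03"):
            print(f"  {score:+.1f} {name}: {desc}")
```

Run as-is it reproduces the -6.5 from the X-Spam-Status line with the stock scores, and shows that neutralising USER_IN_DEF_DKIM_WL lifts this message to about 1.0: still well under required=4.5, because DKIMWL_WL_HIGH (-1.3) and the DKIM_VALID* rules keep pulling it down. That is the check worth doing before changing a score: the DKIM signature here is genuinely PayPal's, so a welcome-list tweak only narrows the gap, and the rest has to come from content rules like the ones Mark describes for the money-request abuse.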