This is my pet peeve. I set USER_IN_DEF_DKIM_WL to 0.001 a long time ago, and it hasn't affected me at all.

But my view is probably not mainstream.

As an aside, I've added rules to filter for the recent fake requests for money, that abuse that feature, which exists on PAYPAL and VENMO. Rules can be easily created to detect these fake requests, if you look at some of the examples that come through. They aren't very sophisticated. FWIW.

Now I'll go back into hiding, - Mark

On 1/29/2025 3:23 AM, Niamh Holding wrote:
Hello

Given the From: address can be so easily faked is a rule testing its validity a great idea?


Headers-

Return-Path: <bounces+SRS=4A6bc=u...@smpn7wonogiri.sch.id>
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on iron.holtain.net
X-Spam-Level:
X-Spam-Status: No, score=-6.5 required=4.5 autolearn=no autolearn_force=no
X-Spam-Report:
         *  0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
         *      [40.93.128.29 listed in wl.mailspike.net]
         * -0.0 SPF_PASS SPF: sender matches SPF record
         *  0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
         *      mail domains are different
         * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
         * -7.5 USER_IN_DEF_DKIM_WL From: address is in the default DKIM
         *      welcome-list
         *  0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
         *  0.0 HTML_MESSAGE BODY: HTML included in message
         *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
         *       valid
         * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
         *      author's domain
         * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
         *  1.3 RCVD_IN_VALIDITY_RPBL RBL: Relay in Validity RPBL,
         *      https://senderscore.org/blocklistlookup/
         *      [40.93.128.29 listed in bl.score.senderscore.com]
         * -0.0 T_SCC_BODY_TEXT_LINE No description available.
         *  1.0 POSSIBLE_PAYPAL_PHISH_03 Claims to be from paypal, sent to
         *      Microsoft365 domain - likely fraud if you don't use MSFT365!
         *  0.0 T_REMOTE_IMAGE Message contains an external image
         * -1.3 DKIMWL_WL_HIGH DKIMwl.org - High trust sender
X-Spam-Relays-Untrusted: [ ip=40.93.128.29
         rdns=mail-eastasiaazlp17011029.outbound.protection.outlook.com
         helo=HK3PR03CU002.outbound.protection.outlook.com by=iron.holtain.net
         ident= envfrom= intl=0 id=8EA1DC000546 auth= msa=0 ] [
         ip=2603:1096:405:8e::12 rdns=TYSPR04MB8220.apcprd04.prod.outlook.com
         helo=TYSPR04MB8220.apcprd04.prod.outlook.com
         by=TYZPR04MB7906.apcprd04.prod.outlook.com ident= envfrom= intl=0
         id=15.20.8377.21 auth= msa=0 ] [ ip=2603:1096:820:11b::9
         rdns=KL1PR04MB7539.apcprd04.prod.outlook.com
         helo=KL1PR04MB7539.apcprd04.prod.outlook.com
         by=TYSPR04MB8220.apcprd04.prod.outlook.com ident= envfrom= intl=0
         id=15.20.8377.21 auth= msa=0 ] [ ip=fe80::b078:df3:b558:4f13 rdns=
         helo=KL1PR04MB7539.apcprd04.prod.outlook.com
         by=KL1PR04MB7539.apcprd04.prod.outlook.com ident= envfrom= intl=0 id=
         auth= msa=0 ] [ ip=2603:1096:4:b8::34
         rdns=SGXP274CA0022.SGPP274.PROD.OUTLOOK.COM
         helo=SGXP274CA0022.SGPP274.PROD.OUTLOOK.COM
         by=TYZPR04MB7271.apcprd04.prod.outlook.com ident= envfrom= intl=0
         id=15.20.8377.21 auth= msa=0 ] [ ip=2603:1096:4:b8:cafe::6f
         rdns=SG2PEPF000B66CE.apcprd03.prod.outlook.com
         helo=SG2PEPF000B66CE.apcprd03.prod.outlook.com
         by=SGXP274CA0022.outlook.office365.com ident= envfrom= intl=0
         id=15.20.8398.17 auth= msa=0 ] [ ip=2a01:111:f403:48::209
         rdns=EUR03-VI1-obe.outbound.protection.outlook.com
         helo=EUR03-VI1-obe.outbound.protection.outlook.com
         by=SG2PEPF000B66CE.mail.protection.outlook.com ident= envfrom= intl=0
         id=15.20.8398.14 auth= msa=0 ] [ ip=2603:10a6:5:10::31
         rdns=DB7P192MB0331.EURP192.PROD.OUTLOOK.COM
         helo=DB7P192MB0331.EURP192.PROD.OUTLOOK.COM
         by=AS8P192MB2065.EURP192.PROD.OUTLOOK.COM ident= envfrom= intl=0
         id=15.20.8377.22 auth= msa=0 ] [ ip=fe80::306f:e2a6:6620:fff0 rdns=
         helo=DB7P192MB0331.EURP192.PROD.OUTLOOK.COM
         by=DB7P192MB0331.EURP192.PROD.OUTLOOK.COM ident= envfrom= intl=0 id=
         auth= msa=0 ] [ ip=2603:10a6:10:120::12
         rdns=DB8PR06CA0038.eurprd06.prod.outlook.com
         helo=DB8PR06CA0038.eurprd06.prod.outlook.com
         by=PAWP192MB2250.EURP192.PROD.OUTLOOK.COM ident= envfrom= intl=0
         id=15.20.8377.22 auth= msa=0 ] [ ip=2603:10a6:10:120:cafe::e9
         rdns=DU2PEPF00028CFD.eurprd03.prod.outlook.com
         helo=DU2PEPF00028CFD.eurprd03.prod.outlook.com
         by=DB8PR06CA0038.outlook.office365.com ident= envfrom= intl=0
         id=15.20.8377.22 auth= msa=0 ] [ ip=66.211.170.90
         rdns=mx4.phx.paypal.com helo=mx4.phx.paypal.com
         by=DU2PEPF00028CFD.mail.protection.outlook.com ident= envfrom= intl=0
         id=15.20.8398.14 auth= msa=0 ]
X-Spam-Language: en
X-Spam-DKIM-i: @paypal.com
X-Spam-DKIM-d: paypal.com
X-Original-To: ni...@fullbore.co.uk
Delivered-To: niamh.fullb...@iron.holtain.net
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=40.93.128.29;
         helo=hk3pr03cu002.outbound.protection.outlook.com;
         envelope-from=bounces+srs=4a6bc=u...@smpn7wonogiri.sch.id; receiver=<UNKNOWN>
DMARC-Filter: OpenDMARC Filter v1.4.2 iron.holtain.net 8EA1DC000546
Authentication-Results: iron.holtain.net; dmarc=pass (p=reject dis=none)
         header.from=paypal.com
Authentication-Results: iron.holtain.net; spf=pass
         smtp.mailfrom=smpn7wonogiri.sch.id
DKIM-Filter: OpenDKIM Filter v2.11.0 iron.holtain.net 8EA1DC000546
Authentication-Results: iron.holtain.net;
         dkim=pass (2048-bit key, unprotected) header.d=paypal.com 
         header.i=@paypal.com header.a=rsa-sha256 header.s=pp-dkim1 header.b=Ti5ZlN8t
Received: from HK3PR03CU002.outbound.protection.outlook.com
         (mail-eastasiaazlp17011029.outbound.protection.outlook.com [40.93.128.29])
         by iron.holtain.net (Postfix) with ESMTPS id 8EA1DC000546
         for <ni...@fullbore.co.uk>; Tue, 28 Jan 2025 18:08:36 +0000 (GMT)
Received: from TYSPR04MB8220.apcprd04.prod.outlook.com (2603:1096:405:8e::12)
  by TYZPR04MB7906.apcprd04.prod.outlook.com (2603:1096:405:a9::11) with
  Microsoft SMTP Server (version=TLS1_2,
  cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8377.21; Tue, 28 Jan
  2025 18:08:28 +0000
Received: from KL1PR04MB7539.apcprd04.prod.outlook.com (2603:1096:820:11b::9)
  by TYSPR04MB8220.apcprd04.prod.outlook.com (2603:1096:405:8e::12) with
  Microsoft SMTP Server (version=TLS1_2,
  cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8377.21; Tue, 28 Jan
  2025 18:08:00 +0000
Received: from KL1PR04MB7539.apcprd04.prod.outlook.com
  ([fe80::b078:df3:b558:4f13]) by KL1PR04MB7539.apcprd04.prod.outlook.com
  ([fe80::b078:df3:b558:4f13%3]) with mapi id 15.20.8377.021; Tue, 28 Jan 2025
  18:07:59 +0000
Received: from SGXP274CA0022.SGPP274.PROD.OUTLOOK.COM (2603:1096:4:b8::34) by
  TYZPR04MB7271.apcprd04.prod.outlook.com (2603:1096:400:44f::6) with Microsoft
  SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
  15.20.8377.21; Tue, 28 Jan 2025 17:50:17 +0000
Received: from SG2PEPF000B66CE.apcprd03.prod.outlook.com
  (2603:1096:4:b8:cafe::6f) by SGXP274CA0022.outlook.office365.com
  (2603:1096:4:b8::34) with Microsoft SMTP Server (version=TLS1_3,
  cipher=TLS_AES_256_GCM_SHA384) id 15.20.8398.17 via Frontend Transport; Tue,
  28 Jan 2025 17:50:17 +0000
Authentication-Results: spf=softfail (sender IP is 2a01:111:f403:48::209)
  smtp.mailfrom=euroland.fr; dkim=pass (signature was verified)
  header.d=paypal.com;dmarc=pass action=none header.from=paypal.com;
Received-SPF: SoftFail (protection.outlook.com: domain of transitioning
  euroland.fr discourages use of 2a01:111:f403:48::209 as permitted sender)
Received: from EUR03-VI1-obe.outbound.protection.outlook.com
  (2a01:111:f403:48::209) by SG2PEPF000B66CE.mail.protection.outlook.com
  (2603:1096:f:fff5:0:1:0:5) with Microsoft SMTP Server (version=TLS1_3,
  cipher=TLS_AES_256_GCM_SHA384) id 15.20.8398.14 via Frontend Transport; Tue,
  28 Jan 2025 17:50:16 +0000
Received: from DB7P192MB0331.EURP192.PROD.OUTLOOK.COM (2603:10a6:5:10::31) by
  AS8P192MB2065.EURP192.PROD.OUTLOOK.COM (2603:10a6:20b:5bd::19) with Microsoft
  SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
  15.20.8377.22; Tue, 28 Jan 2025 17:50:13 +0000
Received: from DB7P192MB0331.EURP192.PROD.OUTLOOK.COM
  ([fe80::306f:e2a6:6620:fff0]) by DB7P192MB0331.EURP192.PROD.OUTLOOK.COM
  ([fe80::306f:e2a6:6620:fff0%5]) with mapi id 15.20.8377.021; Tue, 28 Jan 2025
  17:50:13 +0000
Received: from DB8PR06CA0038.eurprd06.prod.outlook.com (2603:10a6:10:120::12)
  by PAWP192MB2250.EURP192.PROD.OUTLOOK.COM (2603:10a6:102:34e::21) with
  Microsoft SMTP Server (version=TLS1_2,
  cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8377.22; Tue, 28 Jan
  2025 17:49:51 +0000
Received: from DU2PEPF00028CFD.eurprd03.prod.outlook.com
  (2603:10a6:10:120:cafe::e9) by DB8PR06CA0038.outlook.office365.com
  (2603:10a6:10:120::12) with Microsoft SMTP Server (version=TLS1_3,
  cipher=TLS_AES_256_GCM_SHA384) id 15.20.8377.22 via Frontend Transport; Tue,
  28 Jan 2025 17:49:51 +0000
Authentication-Results-Original: spf=pass (sender IP is 66.211.170.90)
  smtp.mailfrom=paypal.com; dkim=pass (signature was verified)
  header.d=paypal.com;dmarc=pass action=none header.from=paypal.com;
Received-SPF: Pass (protection.outlook.com: domain of paypal.com designates
  66.211.170.90 as permitted sender) receiver=protection.outlook.com;
  client-ip=66.211.170.90; helo=mx4.phx.paypal.com; pr=C
Received: from mx4.phx.paypal.com (66.211.170.90) by
  DU2PEPF00028CFD.mail.protection.outlook.com (10.167.242.181) with Microsoft
  SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
  15.20.8398.14 via Frontend Transport; Tue, 28 Jan 2025 17:49:50 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=pp-dkim1; c=relaxed/relaxed;
         q=dns/txt; i=@paypal.com; t=1738086589;
         h=From:From:Subject:Date:To:MIME-Version:Content-Type;
         bh=x4gXgJPzgMJS4s6SslPDX50DN37l6UgxYv1Fke0blj4=;
         b=Ti5ZlN8t9vOP4oHPw6S7EFSv5qCloXAAcGFhN1UUYPh8b+kHEbenBvfdHtOlBzCF
         7lCfc0LH2NGC6vIhFkmbmn490P6XkzLMgQwi9IcUaQTZrUIeD8r5YPRT5b/Y4RmA
         VqAbuOE/7S20QxDlpoCqOprRhS/39AvB5W/QuCyzPn6uf+IjwQjyd7f8imwXsGGD
         O+hiNma12uuMIgpeuAdk5PNYrZJv9UZA6Ta9OZP1LyowQPFIdPaIJf4ACHUkBGaa
         fChq5r8wr7lBUGY/5ft8dfpmzcj3QiEcytLWYQ4niDlTJAMZcPI3OSuoyiwXjFJq
         yuYqt5ZZhMyeauUvreQNbw==;
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="UTF-8"
Date: Tue, 28 Jan 2025 09:49:49 -0800
Message-ID: <AD.CB.51299.DB819976@ccg01mail06>
MIME-Version: 1.0
From: "serv...@paypal.com" <serv...@paypal.com>
To: Sharon Turner <order_stat...@euroland.onmicrosoft.com>
Subject: You've sent a money request
X-MaxCode-Template: RT000241
X-PP-Priority: 0-paypal-false
PP-Correlation-Id: f388091b585de
X-PP-Email-transmission-Id: 44cd845b-dda0-11ef-bbbe-0f3c32714b27
X-PP-REQUESTED-TIME: 1738086577206
X-Email-Type-Id: RT000241
AMQ-Delivery-Message-Id: nullval
X-XPT-XSL-Name: nullval
X-EOPAttributedMessage: 1
X-MS-TrafficTypeDiagnostic:
         DU2PEPF00028CFD:EE_|PAWP192MB2250:EE_|AS8P192MB2065:EE_|SG2PEPF000B66CE:EE_|TYZPR04MB7271:EE_|TYSPR04MB8220:EE_|TYZPR04MB7906:EE_
X-MS-Office365-Filtering-Correlation-Id: 198a6f79-7e5b-4b79-7cbb-08dd3fc43981
X-Moderation-Data: 1/28/2025 5:50:06 PM
X-LD-Processed: 597638ac-1f39-416f-b8b6-2a57af6395fe,ExtAddr
X-Auto-Response-Suppress: DR, OOF, AutoReply
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS8P192MB2065
X-EOPTenantAttributedMessage: 7ab5503a-6b18-41b1-ab89-bb02ef5b5daf:0
X-MS-Exchange-Transport-CrossTenantHeadersStripped:
  SG2PEPF000B66CE.apcprd03.prod.outlook.com
X-MS-Exchange-Transport-CrossTenantHeadersPromoted:
  SG2PEPF000B66CE.apcprd03.prod.outlook.com
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id-Prvs:
  5c11a4de-9c64-4aae-d96a-08dd3fc42a48
X-Moderation-Data: 1/28/2025 6:07:58 PM
X-LD-Processed: 7ab5503a-6b18-41b1-ab89-bb02ef5b5daf,ExtAddr,ExtAddr
X-OriginatorOrg: smpn7wonogiri.sch.id
X-MS-Exchange-CrossTenant-Network-Message-Id:
  198a6f79-7e5b-4b79-7cbb-08dd3fc43981
X-MS-Exchange-CrossTenant-Id: 7ab5503a-6b18-41b1-ab89-bb02ef5b5daf
X-MS-Exchange-CrossTenant-AuthSource: SG2PEPF000B66CE.apcprd03.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 28 Jan 2025 18:07:59.9852
  (UTC)
X-MS-Exchange-Transport-CrossTenantHeadersStamped: TYZPR04MB790
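
An added example, not part of either poster's message and not SpamAssassin code: the quoted headers show a genuinely DKIM-signed paypal.com message re-sent through another tenant, so this Python sketch checks for the signs of that re-send before the welcome-list credit is trusted. The sample headers, the `mx.recipient.example` authserv-id, the signal names and the placeholder addresses are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample modelled on the quoted headers; every address is a placeholder.
SAMPLE = """\
Return-Path: <bounces+SRS=abc=xy@relay-tenant.example>
X-Original-To: user@recipient.example
Authentication-Results: mx.recipient.example; dkim=pass header.d=paypal.com
From: "sender@paypal.com" <sender@paypal.com>
To: Sharon Turner <order_status@tenant.onmicrosoft.com>
Subject: You've sent a money request
"""
WELCOME_DKIM_DOMAINS = {"paypal.com"}  # assumption: stand-in for the default DKIM welcome-list

def domain(value):
    """Lower-cased domain of an address header value, or '' if there is none."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def dkim_pass_domains(msg, authserv_id):
    """header.d values with dkim=pass, read only from our own MTA's results."""
    found = set()
    for ar in msg.get_all("Authentication-Results", []):
        ours = ar.split(";", 1)[0].strip().lower() == authserv_id  # ignore upstream hops
        if ours and re.search(r"\bdkim=pass\b", ar):
            found.update(d.lower() for d in re.findall(r"header\.d=([\w.-]+)", ar))
    return found

def replay_signals(raw, authserv_id="mx.recipient.example"):
    """Signals that a validly signed message was re-sent by a third party."""
    msg = message_from_string(raw)
    from_dom, env_dom = domain(msg["From"]), domain(msg["Return-Path"])
    signals = []
    if from_dom in WELCOME_DKIM_DOMAINS and from_dom in dkim_pass_domains(msg, authserv_id):
        signals.append("welcome_listed_dkim_pass")
    if env_dom and env_dom != from_dom and not env_dom.endswith("." + from_dom):
        signals.append("envelope_domain_differs")  # subdomains of From are allowed
    rcpt = parseaddr(msg["X-Original-To"] or "")[1].lower()
    addressed = {a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if rcpt and rcpt not in addressed:
        signals.append("recipient_not_in_to_cc")  # signed To: names someone else
    if re.search(r"\bmoney request\b", msg["Subject"] or "", re.I):
        signals.append("money_request_subject")
    return signals

def withhold_welcome_bonus(raw):
    """True when a welcome-listed DKIM pass arrives with both re-send signals."""
    needed = {"welcome_listed_dkim_pass", "envelope_domain_differs", "recipient_not_in_to_cc"}
    return needed <= set(replay_signals(raw))
```

Ordinary forwarders and mailing lists raise the same two re-send signals, so the result is a reason to drop the welcome-list credit and score the message on its other merits, not a verdict on its own.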
