Hello

Given that the From: address can be so easily faked, is a rule testing its
validity a great idea?

Headers:
Return-Path: <bounces+SRS=4A6bc=u...@smpn7wonogiri.sch.id>
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
iron.holtain.net
X-Spam-Level:
X-Spam-Status: No, score=-6.5 required=4.5 autolearn=no
autolearn_force=no
X-Spam-Report:
* 0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
* [40.93.128.29 listed in wl.mailspike.net]
* -0.0 SPF_PASS SPF: sender matches SPF record
* 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
* mail domains are different
* -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
* -7.5 USER_IN_DEF_DKIM_WL From: address is in the default DKIM
* welcome-list
* 0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
* valid
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
* author's domain
* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
* 1.3 RCVD_IN_VALIDITY_RPBL RBL: Relay in Validity RPBL,
* https://senderscore.org/blocklistlookup/
* [40.93.128.29 listed in bl.score.senderscore.com]
* -0.0 T_SCC_BODY_TEXT_LINE No description available.
* 1.0 POSSIBLE_PAYPAL_PHISH_03 Claims to be from paypal, sent to
* Microsoft365 domain - likely fraud if you don't use MSFT365!
* 0.0 T_REMOTE_IMAGE Message contains an external image
* -1.3 DKIMWL_WL_HIGH DKIMwl.org - High trust sender
X-Spam-Relays-Untrusted: [ ip=40.93.128.29
rdns=mail-eastasiaazlp17011029.outbound.protection.outlook.com
helo=HK3PR03CU002.outbound.protection.outlook.com
by=iron.holtain.net
ident= envfrom= intl=0 id=8EA1DC000546 auth= msa=0 ] [
ip=2603:1096:405:8e::12
rdns=TYSPR04MB8220.apcprd04.prod.outlook.com
helo=TYSPR04MB8220.apcprd04.prod.outlook.com
by=TYZPR04MB7906.apcprd04.prod.outlook.com ident= envfrom=
intl=0
id=15.20.8377.21 auth= msa=0 ] [ ip=2603:1096:820:11b::9
rdns=KL1PR04MB7539.apcprd04.prod.outlook.com
helo=KL1PR04MB7539.apcprd04.prod.outlook.com
by=TYSPR04MB8220.apcprd04.prod.outlook.com ident= envfrom=
intl=0
id=15.20.8377.21 auth= msa=0 ] [ ip=fe80::b078:df3:b558:4f13
rdns=
helo=KL1PR04MB7539.apcprd04.prod.outlook.com
by=KL1PR04MB7539.apcprd04.prod.outlook.com ident= envfrom=
intl=0 id=
auth= msa=0 ] [ ip=2603:1096:4:b8::34
rdns=SGXP274CA0022.SGPP274.PROD.OUTLOOK.COM
helo=SGXP274CA0022.SGPP274.PROD.OUTLOOK.COM
by=TYZPR04MB7271.apcprd04.prod.outlook.com ident= envfrom=
intl=0
id=15.20.8377.21 auth= msa=0 ] [ ip=2603:1096:4:b8:cafe::6f
rdns=SG2PEPF000B66CE.apcprd03.prod.outlook.com
helo=SG2PEPF000B66CE.apcprd03.prod.outlook.com
by=SGXP274CA0022.outlook.office365.com ident= envfrom= intl=0
id=15.20.8398.17 auth= msa=0 ] [ ip=2a01:111:f403:48::209
rdns=EUR03-VI1-obe.outbound.protection.outlook.com
helo=EUR03-VI1-obe.outbound.protection.outlook.com
by=SG2PEPF000B66CE.mail.protection.outlook.com ident=
envfrom= intl=0
id=15.20.8398.14 auth= msa=0 ] [ ip=2603:10a6:5:10::31
rdns=DB7P192MB0331.EURP192.PROD.OUTLOOK.COM
helo=DB7P192MB0331.EURP192.PROD.OUTLOOK.COM
by=AS8P192MB2065.EURP192.PROD.OUTLOOK.COM ident= envfrom=
intl=0
id=15.20.8377.22 auth= msa=0 ] [
ip=fe80::306f:e2a6:6620:fff0 rdns=
helo=DB7P192MB0331.EURP192.PROD.OUTLOOK.COM
by=DB7P192MB0331.EURP192.PROD.OUTLOOK.COM ident= envfrom=
intl=0 id=
auth= msa=0 ] [ ip=2603:10a6:10:120::12
rdns=DB8PR06CA0038.eurprd06.prod.outlook.com
helo=DB8PR06CA0038.eurprd06.prod.outlook.com
by=PAWP192MB2250.EURP192.PROD.OUTLOOK.COM ident= envfrom=
intl=0
id=15.20.8377.22 auth= msa=0 ] [ ip=2603:10a6:10:120:cafe::e9
rdns=DU2PEPF00028CFD.eurprd03.prod.outlook.com
helo=DU2PEPF00028CFD.eurprd03.prod.outlook.com
by=DB8PR06CA0038.outlook.office365.com ident= envfrom= intl=0
id=15.20.8377.22 auth= msa=0 ] [ ip=66.211.170.90
rdns=mx4.phx.paypal.com helo=mx4.phx.paypal.com
by=DU2PEPF00028CFD.mail.protection.outlook.com ident=
envfrom= intl=0
id=15.20.8398.14 auth= msa=0 ]
X-Spam-Language: en
X-Spam-DKIM-i: @paypal.com
X-Spam-DKIM-d: paypal.com
X-Original-To: ni...@fullbore.co.uk
Delivered-To: niamh.fullb...@iron.holtain.net
Received-SPF: Pass (mailfrom) identity=mailfrom;
client-ip=40.93.128.29;
helo=hk3pr03cu002.outbound.protection.outlook.com;
envelope-from=bounces+srs=4a6bc=u...@smpn7wonogiri.sch.id;
receiver=<UNKNOWN>
DMARC-Filter: OpenDMARC Filter v1.4.2 iron.holtain.net 8EA1DC000546
Authentication-Results: iron.holtain.net; dmarc=pass (p=reject
dis=none) header.from=paypal.com
Authentication-Results: iron.holtain.net; spf=pass
smtp.mailfrom=smpn7wonogiri.sch.id
DKIM-Filter: OpenDKIM Filter v2.11.0 iron.holtain.net 8EA1DC000546
Authentication-Results: iron.holtain.net;
dkim=pass (2048-bit key, unprotected) header.d=paypal.com
header.i=@paypal.com header.a=rsa-sha256 header.s=pp-dkim1
header.b=Ti5ZlN8t
Received: from HK3PR03CU002.outbound.protection.outlook.com
(mail-eastasiaazlp17011029.outbound.protection.outlook.com
[40.93.128.29])
by iron.holtain.net (Postfix) with ESMTPS id 8EA1DC000546
for <ni...@fullbore.co.uk>; Tue, 28 Jan 2025 18:08:36 +0000
(GMT)
Received: from TYSPR04MB8220.apcprd04.prod.outlook.com
(2603:1096:405:8e::12)
by TYZPR04MB7906.apcprd04.prod.outlook.com (2603:1096:405:a9::11) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8377.21;
Tue, 28 Jan
2025 18:08:28 +0000
Received: from KL1PR04MB7539.apcprd04.prod.outlook.com
(2603:1096:820:11b::9)
by TYSPR04MB8220.apcprd04.prod.outlook.com (2603:1096:405:8e::12) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8377.21;
Tue, 28 Jan
2025 18:08:00 +0000
Received: from KL1PR04MB7539.apcprd04.prod.outlook.com
([fe80::b078:df3:b558:4f13]) by
KL1PR04MB7539.apcprd04.prod.outlook.com
([fe80::b078:df3:b558:4f13%3]) with mapi id 15.20.8377.021; Tue, 28
Jan 2025
18:07:59 +0000
Received: from SGXP274CA0022.SGPP274.PROD.OUTLOOK.COM
(2603:1096:4:b8::34) by
TYZPR04MB7271.apcprd04.prod.outlook.com (2603:1096:400:44f::6) with
Microsoft
SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.8377.21; Tue, 28 Jan 2025 17:50:17 +0000
Received: from SG2PEPF000B66CE.apcprd03.prod.outlook.com
(2603:1096:4:b8:cafe::6f) by SGXP274CA0022.outlook.office365.com
(2603:1096:4:b8::34) with Microsoft SMTP Server (version=TLS1_3,
cipher=TLS_AES_256_GCM_SHA384) id 15.20.8398.17 via Frontend
Transport; Tue,
28 Jan 2025 17:50:17 +0000
Authentication-Results: spf=softfail (sender IP is
2a01:111:f403:48::209)
smtp.mailfrom=euroland.fr; dkim=pass (signature was verified)
header.d=paypal.com;dmarc=pass action=none header.from=paypal.com;
Received-SPF: SoftFail (protection.outlook.com: domain of transitioning
euroland.fr discourages use of 2a01:111:f403:48::209 as permitted
sender)
Received: from EUR03-VI1-obe.outbound.protection.outlook.com
(2a01:111:f403:48::209) by SG2PEPF000B66CE.mail.protection.outlook.com
(2603:1096:f:fff5:0:1:0:5) with Microsoft SMTP Server (version=TLS1_3,
cipher=TLS_AES_256_GCM_SHA384) id 15.20.8398.14 via Frontend
Transport; Tue,
28 Jan 2025 17:50:16 +0000
Received: from DB7P192MB0331.EURP192.PROD.OUTLOOK.COM
(2603:10a6:5:10::31) by
AS8P192MB2065.EURP192.PROD.OUTLOOK.COM (2603:10a6:20b:5bd::19) with
Microsoft
SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.8377.22; Tue, 28 Jan 2025 17:50:13 +0000
Received: from DB7P192MB0331.EURP192.PROD.OUTLOOK.COM
([fe80::306f:e2a6:6620:fff0]) by
DB7P192MB0331.EURP192.PROD.OUTLOOK.COM
([fe80::306f:e2a6:6620:fff0%5]) with mapi id 15.20.8377.021; Tue,
28 Jan 2025
17:50:13 +0000
Received: from DB8PR06CA0038.eurprd06.prod.outlook.com
(2603:10a6:10:120::12)
by PAWP192MB2250.EURP192.PROD.OUTLOOK.COM (2603:10a6:102:34e::21) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8377.22;
Tue, 28 Jan
2025 17:49:51 +0000
Received: from DU2PEPF00028CFD.eurprd03.prod.outlook.com
(2603:10a6:10:120:cafe::e9) by DB8PR06CA0038.outlook.office365.com
(2603:10a6:10:120::12) with Microsoft SMTP Server (version=TLS1_3,
cipher=TLS_AES_256_GCM_SHA384) id 15.20.8377.22 via Frontend
Transport; Tue,
28 Jan 2025 17:49:51 +0000
Authentication-Results-Original: spf=pass (sender IP is 66.211.170.90)
smtp.mailfrom=paypal.com; dkim=pass (signature was verified)
header.d=paypal.com;dmarc=pass action=none header.from=paypal.com;
Received-SPF: Pass (protection.outlook.com: domain of paypal.com
designates
66.211.170.90 as permitted sender) receiver=protection.outlook.com;
client-ip=66.211.170.90; helo=mx4.phx.paypal.com; pr=C
Received: from mx4.phx.paypal.com (66.211.170.90) by
DU2PEPF00028CFD.mail.protection.outlook.com (10.167.242.181) with
Microsoft
SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.8398.14 via Frontend Transport; Tue, 28 Jan 2025 17:49:50 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=pp-dkim1;
c=relaxed/relaxed;
q=dns/txt; i=@paypal.com; t=1738086589;
h=From:From:Subject:Date:To:MIME-Version:Content-Type;
bh=x4gXgJPzgMJS4s6SslPDX50DN37l6UgxYv1Fke0blj4=;
b=Ti5ZlN8t9vOP4oHPw6S7EFSv5qCloXAAcGFhN1UUYPh8b+kHEbenBvfdHtOlBzCF
7lCfc0LH2NGC6vIhFkmbmn490P6XkzLMgQwi9IcUaQTZrUIeD8r5YPRT5b/Y4RmA
VqAbuOE/7S20QxDlpoCqOprRhS/39AvB5W/QuCyzPn6uf+IjwQjyd7f8imwXsGGD
O+hiNma12uuMIgpeuAdk5PNYrZJv9UZA6Ta9OZP1LyowQPFIdPaIJf4ACHUkBGaa
fChq5r8wr7lBUGY/5ft8dfpmzcj3QiEcytLWYQ4niDlTJAMZcPI3OSuoyiwXjFJq
yuYqt5ZZhMyeauUvreQNbw==;
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="UTF-8"
Date: Tue, 28 Jan 2025 09:49:49 -0800
Message-ID: <AD.CB.51299.DB819976@ccg01mail06>
MIME-Version: 1.0
From: "serv...@paypal.com" <serv...@paypal.com>
To: Sharon Turner <order_stat...@euroland.onmicrosoft.com>
Subject: You've sent a money request
X-MaxCode-Template: RT000241
X-PP-Priority: 0-paypal-false
PP-Correlation-Id: f388091b585de
X-PP-Email-transmission-Id: 44cd845b-dda0-11ef-bbbe-0f3c32714b27
X-PP-REQUESTED-TIME: 1738086577206
X-Email-Type-Id: RT000241
AMQ-Delivery-Message-Id: nullval
X-XPT-XSL-Name: nullval
X-EOPAttributedMessage: 1
X-MS-TrafficTypeDiagnostic:
DU2PEPF00028CFD:EE_|PAWP192MB2250:EE_|AS8P192MB2065:EE_|SG2PEPF000B66CE:EE_|TYZPR04MB7271:EE_|TYSPR04MB8220:EE_|TYZPR04MB7906:EE_
X-MS-Office365-Filtering-Correlation-Id:
198a6f79-7e5b-4b79-7cbb-08dd3fc43981
X-Moderation-Data: 1/28/2025 5:50:06 PM
X-LD-Processed: 597638ac-1f39-416f-b8b6-2a57af6395fe,ExtAddr
X-Auto-Response-Suppress: DR, OOF, AutoReply
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS8P192MB2065
X-EOPTenantAttributedMessage: 7ab5503a-6b18-41b1-ab89-bb02ef5b5daf:0
X-MS-Exchange-Transport-CrossTenantHeadersStripped:
SG2PEPF000B66CE.apcprd03.prod.outlook.com
X-MS-Exchange-Transport-CrossTenantHeadersPromoted:
SG2PEPF000B66CE.apcprd03.prod.outlook.com
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id-Prvs:
5c11a4de-9c64-4aae-d96a-08dd3fc42a48
X-Moderation-Data: 1/28/2025 6:07:58 PM
X-LD-Processed: 7ab5503a-6b18-41b1-ab89-bb02ef5b5daf,ExtAddr,ExtAddr
X-OriginatorOrg: smpn7wonogiri.sch.id
X-MS-Exchange-CrossTenant-Network-Message-Id:
198a6f79-7e5b-4b79-7cbb-08dd3fc43981
X-MS-Exchange-CrossTenant-Id: 7ab5503a-6b18-41b1-ab89-bb02ef5b5daf
X-MS-Exchange-CrossTenant-AuthSource:
SG2PEPF000B66CE.apcprd03.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 28 Jan 2025 18:07:59.9852
(UTC)
X-MS-Exchange-Transport-CrossTenantHeadersStamped: TYZPR04MB790
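
The identities these headers carry (the From: domain, the DKIM d= domain and the envelope sender) can be compared mechanically, together with whether the delivered recipient appears in To:/Cc:. The Python below is an added example, not part of the original post; the sample message is constructed with placeholder addresses, and the function names `domain`, `related`, `local_auth_results` and `assess` are hypothetical.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample modelled on the post's headers; local parts and the
# recipient address are placeholders, not values from the post.
SAMPLE = """\
Return-Path: <bounces@smpn7wonogiri.sch.id>
X-Original-To: recipient@example.org
Authentication-Results: iron.holtain.net; spf=pass smtp.mailfrom=smpn7wonogiri.sch.id
Authentication-Results: iron.holtain.net;
 dkim=pass (2048-bit key, unprotected) header.d=paypal.com
Authentication-Results: spf=softfail smtp.mailfrom=euroland.fr; dkim=pass header.d=paypal.com
From: "Sender" <sender@paypal.com>
To: Someone <someone@euroland.onmicrosoft.com>

(body omitted)
"""

def domain(addr):
    """Lower-cased domain part of an address header value."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def related(a, b):
    """Same domain or parent/subdomain: a simplification of relaxed alignment,
    which properly compares organizational domains (Public Suffix List)."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def local_auth_results(msg, authserv_id):
    """Keep only results stamped by our own server; upstream ones are claims."""
    out = {}
    for value in msg.get_all("Authentication-Results", []):
        server, _, rest = " ".join(value.split()).partition(";")
        if server.strip().lower() != authserv_id:
            continue
        for key, val in re.findall(r"\b(dkim|spf|header\.d|smtp\.mailfrom)=([^\s;]+)", rest):
            out[key] = val.rpartition("@")[2].lower()
    return out

def assess(raw, authserv_id="iron.holtain.net"):
    msg = message_from_string(raw)
    ar = local_auth_results(msg, authserv_id)
    from_dom, env_dom = domain(msg["From"]), domain(msg["Return-Path"])
    rcpt = parseaddr(msg.get("X-Original-To", ""))[1].lower()
    listed = {a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    out = {"from_dkim_aligned": ar.get("dkim") == "pass" and related(ar.get("header.d", ""), from_dom),
           "envelope_other_domain": bool(env_dom) and not related(env_dom, from_dom),
           "recipient_not_in_to_cc": rcpt not in listed}
    out["authentic_but_rerouted"] = all(out.values())
    return out
```

Calling `assess(SAMPLE)` sets all four flags to true: the From: domain is DKIM-aligned, yet the envelope sender is another domain and the delivered recipient is not listed in To: or Cc:.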