On Fri, 7 Feb 2025, Kris Deugau wrote:
> Dave Funk wrote:
> > The examples of this scam that I've seen use that same PayPal comment
> > tactic but then route it to an Office-365 mailbox which has a redirect to
> > the victim's address.
> > So the resultant message has both PayPal & O-365 valid DKIM signatures;
> > not to mention the multiple KB of O-365 header cruft which makes it hard
> > to trace the original source.
> Just to throw some extra, um, "joy" into this conversation...
> I've just seen a sample, received directly by our spam filter tuning role
> account, that first travelled through a Google account (probably GMail, if
> I've unwound the headers right), which forwarded to the
> compromised/scammer-owned M365 tenant, which forwarded to us (and who knows
> who all else).
> I'll report it to PayPal, Google, and MS, but watch as nothing happens...
> GNGGNGNGNGNNNNNNNNNGGH.....
> -kgd
This sort of shenanigans is fairly easy to spot, but... if the masscheck
corpora don't have sufficient examples of them, or, potentially worse, do
have examples of them that are misclassified as ham, then those rules will
never be published with scores high enough to make a difference unless the
scores are set manually, which increases their FP risk.
I'd ask all who are doing masschecks to review their corpora of PayPal
messages to see whether these messages, and PayPal messages with
obfuscated phone numbers, are misclassified as ham.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Win95: Where do you want to go today?
Vista: Where will Microsoft allow you to go today?
-----------------------------------------------------------------------
4 days until Abraham Lincoln's and Charles Darwin's 216th Birthdays
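The header walk Dave Funk and Kris Deugau describe (a PayPal-signed message relayed through a Google account and then an M365 tenant before reaching the victim) and John Hardin's request to check corpora for PayPal messages with obfuscated phone numbers can be turned into a small corpus-review helper. The script below is an added example, not code from this list or from SpamAssassin. It parses a constructed sample message, lists the DKIM d= domains, walks the Received chain in delivery order looking for Google and Microsoft forwarding hops, and flags phone numbers written with letters or odd separators in place of digits. It assumes the DKIM signatures were already verified upstream (it only reads the d= tags, it does not verify anything); the hostnames, the RFC 5737 test IPs, the tenant name and the phone number in the sample are all constructed.

```python
import re
from email.parser import Parser

# Constructed sample message (not a real capture): PayPal -> Google -> M365 tenant -> us.
SAMPLE = """\
Received: from mail-xx.outbound.protection.outlook.com (mail-xx.outbound.protection.outlook.com [198.51.100.7])
 by mx.example.org (Postfix) with ESMTPS id ABC123
 for <filter-tuning@example.org>; Fri, 7 Feb 2025 10:00:03 -0500
Received: from mb0001.prod.exchangelabs.com (2001:db8::1)
 by mb0002.prod.exchangelabs.com with HTTPS; Fri, 7 Feb 2025 15:00:02 +0000
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com [192.0.2.41])
 by mb0001.prod.exchangelabs.com with ESMTPS; Fri, 7 Feb 2025 15:00:01 +0000
Received: from mx0.slc.paypal.com (mx0.slc.paypal.com [203.0.113.5])
 by mx.google.com with ESMTPS id x1; Fri, 7 Feb 2025 15:00:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example-tenant.onmicrosoft.com;
 s=selector1; h=from:to:subject; bh=AAAA; b=BBBB
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paypal.com;
 s=pp-dkim1; h=from:to:subject; bh=CCCC; b=DDDD
From: service@paypal.com
To: filter-tuning@example.org
Subject: You've received a payment request

Seller note: Your order for $499.00 has been processed. If you did not authorize
this charge, call our support line at 1-8OO 555 O199 within 24 hours.
"""

# Hop suffixes we treat as consumer/tenant forwarders (assumed list, extend as needed).
FORWARDER_SUFFIXES = ("google.com", "outlook.com", "exchangelabs.com")

DKIM_D_RE = re.compile(r"(?:^|;)\s*d=([^;\s]+)")
RECEIVED_BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")
# Candidate phone numbers: digits or letter O, with up to three junk separators between groups.
PHONE_RE = re.compile(
    r"(?<![0-9A-Za-z])(?:\+?1[\W_]{0,3})?[0-9Oo]{3}[\W_]{0,3}[0-9Oo]{3}[\W_]{0,3}[0-9Oo]{4}(?![0-9A-Za-z])"
)
# A conventionally written number; anything matching PHONE_RE but not this is "obfuscated".
PLAIN_RE = re.compile(r"^(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}$")


def dkim_domains(msg):
    """Lower-cased d= domain of every DKIM-Signature header (no verification performed)."""
    out = []
    for value in msg.get_all("DKIM-Signature") or []:
        m = DKIM_D_RE.search(value)
        if m:
            out.append(m.group(1).lower())
    return out


def received_hops(msg):
    """'by' hostnames from the Received chain, oldest hop first."""
    hops = []
    for value in reversed(msg.get_all("Received") or []):
        m = RECEIVED_BY_RE.search(value)
        if m:
            hops.append(m.group(1).lower())
    return hops


def is_forwarder(host):
    return any(host == s or host.endswith("." + s) for s in FORWARDER_SUFFIXES)


def normalize_phone(candidate):
    """Strip separators and map letter O to zero so variants compare equal."""
    return re.sub(r"[Oo]", "0", re.sub(r"[\W_]", "", candidate))


def find_obfuscated_phones(text):
    """Phone-like strings that are not written in a conventional form."""
    return [c for c in PHONE_RE.findall(text) if not PLAIN_RE.match(c)]


def analyze(raw):
    """Summarise the signals a reviewer would want before trusting a 'ham' label."""
    msg = Parser().parsestr(raw)
    domains = dkim_domains(msg)
    hops = received_hops(msg)
    forwarders = [h for h in hops if is_forwarder(h)]
    phones = find_obfuscated_phones(msg.get_payload())
    paypal_signed = any(d == "paypal.com" or d.endswith(".paypal.com") for d in domains)
    return {
        "dkim_domains": domains,
        "hops": hops,
        "forwarding_hops": forwarders,
        "obfuscated_phones": phones,
        # Worth a second look: genuine PayPal signature, but relayed via forwarders
        # or carrying a disguised callback number.
        "review": paypal_signed and (bool(forwarders) or bool(phones)),
    }


if __name__ == "__main__":
    for key, val in analyze(SAMPLE).items():
        print(f"{key}: {val}")
```

Run it over a corpus directory by feeding each file's text to `analyze()` and listing the messages where `review` is true; those are the PayPal messages whose ham classification is worth confirming by hand. The forwarder suffix list and the obfuscation regex are deliberately coarse, so treat hits as a review queue rather than as a verdict.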