For the record, just because it actually comes from the PayPal
infrastructure doesn't mean it is good. For the last couple of weeks they have
been struggling with scammers using actual PayPal accounts: fake
orders, and using the scammers' telephone numbers to perpetrate the exfil.
Be on the lookout.
Hard for SA to catch them, but we do keep a list of known scammer
telephone numbers.
Wonder if it would be a good service to the community to have a database
of bad phone numbers that a query can be made to. Of course, soon
enough they will move to obfuscating those numbers.
Just an idle thought to start the day.
On 2024-11-07 08:51, Kent Oyer wrote:
> Should all paypal email have a return-path/envelope sender address as
> paypal.com?
Yes, unless the message was sent through a forwarder. Then the envelope
sender will be generated by the forwarding MTA. Also, remember that
PayPal has other domains besides paypal.com (paypal.co.uk,
paypal.com.mx, etc.).
> DKIM is based on the From address, so if it passes DKIM_VALID_AU,
> doesn't that mean the From address ([email protected]) is authenticated?
Yes
> Can I use spamassassin -D on an email I've already received to
> confirm DKIM signature?
Yes, as long as the sender hasn't changed their selectors/keys in the
meantime.
-Kent
On Thu, Nov 7, 2024 at 07:56 AM, Alex <[email protected]> wrote:
> welcomelist_auth *@paypal.com [2]
> blocklist_from *@paypal.com [2]
The DKIM is IMHO 100% invalid; there are important headers missing from the
DKIM-signed set, e.g. Message-ID, doh, so reuse/forging is very simple then.
Should all paypal email have a return-path/envelope sender address
as paypal.com?
DKIM is based on the From address, so if it passes DKIM_VALID_AU,
doesn't that mean the From address ([email protected]) is authenticated?
Can I use spamassassin -D on an email I've already received to
confirm DKIM signature?
For SpamAssassin we could add selector blacklisting to solve these cases.
If I get the whole email unedited, I can make a YARA rule to catch it.
I will forward it to you separately. I'd be interested in hearing
more about blocking based on DKIM selector.
Do you have more information on this? I'm aware of yara rules, but
can you share more about how you would do this as it applies to SA
and how to create the signatures?
Is this really any better than reporting to DCC/pyzor/razor and/or
clamav or other signature services?
--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Reg. TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
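To make the DKIM points raised in the thread concrete (DKIM_VALID_AU means the signature's d= domain is aligned with the From domain, and a signature whose h= list leaves out headers such as Message-ID is weaker; selector blocklisting would key on the s= tag), here is an added Python example, not code from the list or from SpamAssassin, that inspects the tags of a message's DKIM-Signature header. The sample message, the selector name and the list of headers expected to be signed are constructed assumptions; cryptographic verification (what spamassassin -D performs, fetching the selector's public key from DNS) is deliberately out of scope.

```python
import re
from email import message_from_bytes
from email.policy import default

# Headers a signature should cover; Message-ID is the one the thread says the
# scam mail left unsigned. The list itself is this example's assumption.
EXPECTED_SIGNED = ("from", "to", "subject", "date", "message-id")

def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            # Folding whitespace carries no meaning inside a tag value.
            tags[name.strip().lower()] = "".join(value.split())
    return tags

def dkim_summary(raw):
    """Inspect (not cryptographically verify) the first DKIM-Signature of a message."""
    msg = message_from_bytes(raw, policy=default)
    sig = msg["DKIM-Signature"]
    if sig is None:
        return {"signed": False}
    tags = parse_dkim_tags(str(sig))
    d = tags.get("d", "").lower()
    signed = [h.lower() for h in tags.get("h", "").split(":") if h]
    m = re.search(r"@([A-Za-z0-9.-]+)", msg["From"] or "")
    author = m.group(1).lower() if m else ""
    return {
        "signed": True,
        "d": d,
        "selector": tags.get("s", ""),       # what selector blocklisting would key on
        "unsigned_expected": [h for h in EXPECTED_SIGNED if h not in signed],
        # Author-domain alignment, the condition behind DKIM_VALID_AU: the From
        # domain must equal d= or be a subdomain of it.
        "author_aligned": bool(d) and (author == d or author.endswith("." + d)),
    }

# Constructed sample: d= aligns with From, but h= omits Message-ID (and Date).
SAMPLE = (b"DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=selector1;\r\n"
          b" c=relaxed/relaxed; h=From:To:Subject; bh=ZmFrZQ==;\r\n"
          b" b=ZmFrZXNpZw==\r\n"
          b"From: PayPal <service@paypal.com>\r\nTo: user@example.org\r\n"
          b"Subject: Receipt\r\nMessage-ID: <1@paypal.com>\r\n\r\nbody\r\n")

if __name__ == "__main__":
    print(dkim_summary(SAMPLE))
```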