PayPal is best positioned to solve this problem because it can police the logo images its customers upload. That being said, this type of platform abuse, while not entirely new, seems to be increasing.
Please get in touch with me if you are interested in testing our computer vision API that recognizes brand impersonation by rendering messages in headless browsers and then running a computer vision model. The API is experimental, but we are keen to get feedback from others.

Regards,
Ken (MailChannels)

On Fri, Nov 18, 2022 at 2:53 PM Jarland Donnell via mailop <[email protected]> wrote:

> Basically, you go here:
> https://www.paypal.com/invoice/s/manage
>
> Click the gear symbol, Business Information, fill out what you want and
> add a logo. Then click Save, create an invoice for someone, and PayPal
> will send it to them. There's not much of anything that any of us can do
> to filter it without risking false positives, because we'll never have
> any consistent idea of what's real and fake when it all comes from such
> a high reputation sender using a feature that we don't necessarily want
> to block recipients from being able to use.
>
> On 2022-11-18 15:30, Michael Wise via mailop wrote:
> > This .. is what I wanted to see.
> >
> > Did it really go to you, or did it stop off somewhere else first?
> >
> > To: zachery Rose <REDACTED>
> >
> > It does appear that it went direct, so my initial theory is off I
> > guess.
> >
> > Aloha,
> >
> > Michael.
> >
> > --
> >
> > Michael J Wise
> > Microsoft Corporation| Spam Analysis
> >
> > "Your Spam Specimen Has Been Processed."
> >
> > Open a ticket for Hotmail [3] ?
> >
> > From: mailop <[email protected]> On Behalf Of Zach Rose via
> > mailop
> > Sent: Friday, November 18, 2022 11:38 AM
> > Cc: [email protected]
> > Subject: Re: [mailop] [EXTERNAL] Really good paypal phishing email
> > this morning
> >
> > Yeah, that's my theory at the moment, very likely that the call is
> > coming from inside the house, but they didn't find the person who made
> > the call before it was made.
> >
> > Delivered-To: REDACTED
> > Received: by 2002:a05:640c:1b81:b0:190:7afb:ee7a with SMTP id
> >     r1csp516216eiw;
> >     Fri, 18 Nov 2022 06:23:32 -0800 (PST)
> > X-Google-Smtp-Source:
> >     AA0mqf6dcoQaNhG4JYaaq7jvwEAJxfF8XCQ2Zy1qPt4mGssaSyPzrvU0HsohJxkBvLOIjhuKLb6N
> > X-Received: by 2002:a65:67d1:0:b0:476:87ad:9d78 with SMTP id
> >     b17-20020a6567d1000000b0047687ad9d78mr6785903pgs.169.1668781412334;
> >     Fri, 18 Nov 2022 06:23:32 -0800 (PST)
> > ARC-Seal: i=1; a=rsa-sha256; t=1668781412; cv=none;
> >     d=google.com [4]; s=arc-20160816;
> >     b=U4pbrfCYSxjulk8kCNLer1j7TfaCaowzf2yDYMqeQMVmG4g/JvAXzf0m4serzWoqTi
> >     OBEY9TrwfM2j3yQssfS8OMOnWmBP+pO7KYBmg67sBb57BdZlx/+txIylik9rNKuyXsEh
> >     O5+LN63Y1RqiSPLK44tgV3uHSeYS5n+qE0gJHgS1lojzvH/tEkxESiQHix+K7sWYnBUt
> >     EXjoD4UKa4x1WGOsOPsb64AYM/AMs2TImhoZCqg+tT2Otsn1/Hz34iMozy9tR0yBB15q
> >     +Eq4bNx9gjV8EpetyAjAQF7XHwWknzhig/MtiVy76GwNuCpUxd8yW+Bw3/fwTtBL6zl6
> >     QFYQ==
> > ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
> >     d=google.com [4]; s=arc-20160816;
> >     h=amq-delivery-message-id:mime-version:from:to:subject
> >     :pp-correlation-id:message-id:date:content-transfer-encoding
> >     :dkim-signature;
> >     bh=+ooJ/KHJ7NcHSktaVA2Efxv2wUuyyzgRC9OcH8lTKPI=;
> >     b=PbkHny3v4CR7wqQUcdh8f9PRFBMO+7dUlCVLzG9d8uDG0Uc+4jNqlkRB5chwPq1AUw
> >     QG3rN1n+lpU1t/MEz0fnZ2k1Rwzrr0j/2L0fHhhX0eJ8UheOHbcVNDSF1hjDfwPayN43
> >     ggWon6WA5mEYJ6jTPt5ODvSC0shj5SrQBq2C57tCG4WOjWGK63UhilfiZS/GgpoyzgvG
> >     UItaCRQKijOkG9k8bNub0rZ77LEdRoCK6RaEe6mhKmTv0doesmgdyhlb8+1e8V8Uvy7T
> >     tqhqfvqUyzVOgL5HmUZIjNl/XkNXA966EGTLfDqf1DWDsf0LRjpZpJiJViixPJ63UMKA
> >     /azQ==
> > ARC-Authentication-Results: i=1; mx.google.com [5];
> >     dkim=pass [email protected] [6] header.s=pp-dkim1
> >     header.b=i5V5Jd8P;
> >     spf=pass (google.com [4]: domain of [email protected]
> >     designates 66.211.170.89 as permitted sender)
> >     [email protected];
> >     dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.com
> >     [6]
> > Return-Path: <[email protected]>
> > Received: from mx1.phx.paypal.com [7] (mx3.phx.paypal.com [8].
> >     [66.211.170.89])
> >     by mx.google.com [5] with ESMTPS id
> >     c5-20020a655a85000000b0044fb332e9c2si4180181pgt.560.2022.11.18.06.23.32
> >     for <REDACTED>
> >     (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256
> >     bits=128/128);
> >     Fri, 18 Nov 2022 06:23:32 -0800 (PST)
> > Received-SPF: pass (google.com [4]: domain of [email protected]
> >     designates 66.211.170.89 as permitted sender) client-ip=66.211.170.89;
> > Authentication-Results: mx.google.com [9];
> >     dkim=pass [email protected] [10] header.s=pp-dkim1
> >     header.b=i5V5Jd8P;
> >     spf=pass (google.com [11]: domain of [email protected]
> >     designates 66.211.170.89 as permitted sender)
> >     [email protected];
> >     dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.com
> >     [10]
> > DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com [10]; s=pp-dkim1;
> >     c=relaxed/relaxed;
> >     q=dns/txt; [email protected] [10]; t=1668781410;
> >     h=From:From:Subject:Date:To:MIME-Version:Content-Type;
> >     bh=+ooJ/KHJ7NcHSktaVA2Efxv2wUuyyzgRC9OcH8lTKPI=;
> >     b=i5V5Jd8PU85hThj/qbYYNVtrAe9utMx13ls4RqO/wxfIUwhUDUQ0jzygOkTfY88K
> >     BE74YiE8NsQGHdn4tMuGpInCw+7bnGFPBmOrlk22QztSUjqPH80z6lDtI7NrPpF6
> >     RYaiNevk4cJU4eEXXyr6fIT1fdcDwFdL4WErZ0w0KLpgYwd7dnwgqDrgvDWNJQWd
> >     wzgmA+qZ+9UUrDCsv/h3JCmWBoJaFs3Eaph019ifvg2hLCvZ6Zo3iEqE8aLFQx3b
> >     PDgFKnpTxxI+E1HaIpZJGQwpSI2q7TYrSKvwEBwko9OFXkWe9zlngcE/Km17TlpB
> >     0ujZJGDU7e4EtiOBfTM96g==;
> > Content-Transfer-Encoding: quoted-printable
> > Content-Type: text/html; charset="UTF-8"
> > Date: Fri, 18 Nov 2022 06:23:30 -0800
> > Message-ID: <65.AC.09725.26597736@ccg01mail05>
> > X-PP-REQUESTED-TIME: 1668781403501
> > X-PP-Email-transmission-Id: 917850f8-674c-11ed-96b4-3cecef6afc2b
> > PP-Correlation-Id: f349957836b68
> > Subject: Invoice from Walmart (0067)
> > X-MaxCode-Template: RT000238
> > To: zachery Rose <REDACTED>
> > From: "[email protected]" <[email protected]>
> > X-Email-Type-Id: RT000238
> > MIME-Version: 1.0
> > X-PP-Priority: 0-none-true
> > AMQ-Delivery-Message-Id: nullval
> > X-XPT-XSL-Name: nullval
> >
> > On Fri, Nov 18, 2022 at 1:44 PM Michael Wise
> > <[email protected]> wrote:
> >
> >> Please share the headers; pictures are not forensic evidence.
> >>
> >> We've seen similar things, want to see if it's the same issue.
> >>
> >> Hint: it may have really come from PayPal.
> >>
> >> Aloha,
> >>
> >> Michael.
> >>
> >> --
> >>
> >> Michael J Wise
> >> Microsoft Corporation| Spam Analysis
> >>
> >> "Your Spam Specimen Has Been Processed."
> >>
> >> Open a ticket for Hotmail [1] ?
> >>
> >> From: mailop <[email protected]> On Behalf Of Zach Rose via
> >> mailop
> >> Sent: Friday, November 18, 2022 7:10 AM
> >> To: [email protected]
> >> Subject: [EXTERNAL] [mailop] Really good paypal phishing email this
> >> morning
> >>
> >> https://www.screencast.com/t/dNPpByTSjrq [2]
> >>
> >> I rarely use paypal, if ever, and haven't shopped with Walmart in
> >> over a decade, but I can see how this would fool a lot of people.
> >> Passed DKIM/SPF/DMARC, and the code of the email itself referenced
> >> their own static file CDN, so this feels like a scam account
> >> internally rather than a spoofed email.
> >
> > --
> >
> > All the best,
> >
> > Zach Rose - StitchedIn
> >
> > Links:
> > ------
> > [1] http://go.microsoft.com/fwlink/?LinkID=614866
> > [2] https://www.screencast.com/t/dNPpByTSjrq
> > [3] http://go.microsoft.com/fwlink/?LinkID=614866
> > [4] http://google.com/
> > [5] http://mx.google.com/
> > [6] http://paypal.com/
> > [7] http://mx1.phx.paypal.com/
> > [8] http://mx3.phx.paypal.com/
> > [9] http://mx.google.com/
> > [10] http://paypal.com/
> > [11] http://google.com/
> > _______________________________________________
> > mailop mailing list
> > [email protected]
> > https://list.mailop.org/listinfo/mailop

--
Ken Simpson
CEO, MailChannels
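The following is an added example, not code from the thread or from any participant's product. It shows why the quoted headers defeat authentication-only filtering: it parses `Authentication-Results`, accepts the verdict only from the receiver's own authserv-id, and then compares the brand named in the Subject with the DMARC-aligned From domain. The `BRAND_DOMAINS` watch list, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample: a trimmed subset of the headers quoted in the thread.
SAMPLE = """\
Authentication-Results: mx.google.com;
 dkim=pass header.s=pp-dkim1 header.b=i5V5Jd8P;
 spf=pass (google.com: domain designates 66.211.170.89 as permitted sender);
 dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.com
Subject: Invoice from Walmart (0067)
X-Email-Type-Id: RT000238

(body omitted)
"""

# Hypothetical watch list: brand name -> domains that brand sends from.
BRAND_DOMAINS = {"walmart": {"walmart.com"}, "paypal": {"paypal.com"}}

def parse_auth_results(value):
    """Return (authserv_id, {method: result}, header.from domain or None)."""
    flat = re.sub(r"\([^()]*\)", " ", value)  # drop RFC 8601 comments
    parts = [p.strip() for p in flat.split(";") if p.strip()]
    if not parts:
        return "", {}, None
    results, from_domain = {}, None
    for part in parts[1:]:
        m = re.match(r"([a-z0-9-]+)\s*=\s*([a-z]+)", part, re.I)
        if not m:
            continue
        results[m.group(1).lower()] = m.group(2).lower()
        d = re.search(r"header\.from\s*=\s*([^\s;]+)", part, re.I)
        if d:
            from_domain = d.group(1).lower()
    return parts[0].split()[0].lower(), results, from_domain

def triage(raw, trusted_authserv="mx.google.com"):
    """Return 'untrusted-header', 'unauthenticated', 'brand-mismatch' or 'consistent'."""
    msg = message_from_string(raw)
    authserv, results, from_domain = parse_auth_results(
        msg.get("Authentication-Results", ""))
    if authserv != trusted_authserv:
        return "untrusted-header"   # verdict was not stamped by our own MX
    if results.get("dmarc") != "pass":
        return "unauthenticated"    # the ordinary spoofing case
    words = set(re.findall(r"[a-z]+", msg.get("Subject", "").lower()))
    for brand, domains in BRAND_DOMAINS.items():
        if brand in words and from_domain not in domains:
            return "brand-mismatch" # authenticated sender, someone else's brand
    return "consistent"
```

A `brand-mismatch` result is a scoring or review signal rather than a block rule: as the thread notes, legitimate merchants use the same invoicing feature, so this check alone cannot separate real invoices from fake ones.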
