Re: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-16 Thread Benny Pedersen

Shawn Iverson wrote on 2022-11-14 21:14:

How do I stop this?  paypal.com is in the default DKIM whitelist!



DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=pp-dkim1;
c=relaxed/relaxed;
q=dns/txt; i=@paypal.com; t=1668452569;
h=From:From:Subject:Date:To:MIME-Version:Content-Type;
bh=o8/9XRPNBSb6rQV6HcDwELycPOzUJqxucQ/nMDyby+o=;
b=r6hmfVu3PlK5UN/X+kDNdo8TkUbOkfVn6+tT3VtTr30ic5BMR9vuyrZED4ARPF74
eywsS4yJTH3S3EB0IBX5yao3SN0WFNR23EUszb8LWgSpL0lz4+ZGqAfbjWP6UvI8
2XVzbjiT2tDP2ONkvM5e9g06CuC1VH2Bte5+S/Qke61W8OaagNu8sIcu6MNfoUiO
b/esckpPfghQtqDs693+pxDtuk9SBrbf14qZ2ih9eVV/38dRdz5B22pq8Kfws9yZ
hjvQlCDfovONXEEf6+lD1rs9p0NvKEIeIK/BFxbUmShXAyL3/LlYVLELEwzQ/mnl
zoIwzGQJ9u8i005oZVUnJA==;


double From, missing message-id, potentially forged msgs can be reused
from a forging standpoint


how to stop it? i can block dkim domains that make pass on forged
content


problem with dmarc is not dictating alignment, it would stop forwarding
as well


we all lose on forwarding emails

i give up for now :)

maybe hehe, need unmodified sample to help

to pmc members add funcs to test h= have minimal required headers
signed, or as above double from, with header was later removed ?


Re: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-15 Thread Bill Cole
On 2022-11-14 at 16:11:10 UTC-0500 (Mon, 14 Nov 2022 16:11:10 -0500)
Kevin A. McGrail 
is rumored to have said:

> I have also seen the PayPal ecosystem being abused by bad actors sending
> things like fake invoices.  I am also +1 to remove the domain from the dkim
> wl.

Same.

Paypal could fix this abuse by over-signing the Resent-From header.


> Regards, KAM
>
> On Mon, Nov 14, 2022, 16:01 Shawn Iverson  wrote:
>
>> Bottom line is I don't think paypal deserves to be default whitelisted in
>> recent history.  I've received a lot of spam actually from paypal and
>> judiciously report it to phish...@paypal.com with no apparent action or
>> response.
>>
>> On Mon, Nov 14, 2022 at 3:56 PM Shawn Iverson 
>> wrote:
>>
>>> So what I'm going to do is turn shortcircuit off for
>>> USER_IN_DKIM_WHITELIST
>>>
>>> Create a meta to catch paypal.com as the from address and score
>>> appropriately
>>> Create a counter meta to score other deserving DKIM-signers appropriately
>>>
>>> On Mon, Nov 14, 2022 at 3:43 PM Alan Hodgson 
>>> wrote:
>>>
>>>> On Mon, 2022-11-14 at 15:14 -0500, Shawn Iverson wrote:
>>>> > How do I stop this?  paypal.com is in the default DKIM whitelist!
>>>> >
>>>>
>>>> That message really looks like it came from Paypal and then was
>>>> forwarded by Microsoft to your server. Was it really a fake? That's a
>>>> lot of headers to fake if so.
>>>>
>>>> If it was really fake and that paypal-supplied DKIM signature doesn't
>>>> validate (I didn't check that), then checking DMARC when you receive
>>>> mail and rejecting on p=reject failures would block it.
>>>>
>>>


-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
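
The header-coverage points raised in the two messages above (the request for a test that h= signs a minimal set of headers, with the doubled From, and the remark about over-signing Resent-From) can be checked mechanically. The Python below is an added example, not code from the thread or from SpamAssassin; the function names, the watched-header list and the sample message are assumptions constructed for illustration.

```python
"""Report which headers a DKIM signature covers (added example, not thread code)."""
import email
from collections import Counter

# Headers to report on. Assumption: picked from those the thread mentions,
# not a standard list.
WATCHED = ("From", "Subject", "Date", "To", "Message-ID", "Resent-From")

# Constructed sample. The d=, s=, c=, q=, i=, t= and h= tags are copied from the
# signature quoted in the thread; bh=/b= are placeholders and every other
# header is invented for the example.
SAMPLE = """\
Resent-From: someone@tenant.example
DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=pp-dkim1;
 c=relaxed/relaxed; q=dns/txt; i=@paypal.com; t=1668452569;
 h=From:From:Subject:Date:To:MIME-Version:Content-Type;
 bh=PLACEHOLDER; b=PLACEHOLDER
From: service@paypal.com
To: user@example.org
Subject: Invoice
Date: Mon, 14 Nov 2022 19:02:49 +0000
MIME-Version: 1.0
Content-Type: text/plain

body
"""


def parse_tag_list(value):
    """Parse a DKIM tag=value list, dropping folding whitespace in values."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())
    return tags


def audit_dkim_coverage(raw_message, signing_domain, watched=WATCHED):
    """Classify each watched header against the h= tag of the d=signing_domain
    signature. This inspects coverage only; it does not verify the signature.

    oversigned       listed in h= more often than it occurs: adding another
                     instance later invalidates the signature
    signed           every existing instance is covered, extra ones are not
    partly-signed    fewer entries in h= than instances in the message
    unsigned-present in the message but not covered by the signature
    unsigned-absent  neither present nor listed: can be added after signing
    """
    msg = email.message_from_string(raw_message)
    for sig in msg.get_all("DKIM-Signature", []):
        tags = parse_tag_list(sig)
        if tags.get("d", "").lower() == signing_domain.lower():
            break
    else:
        raise ValueError(f"no DKIM-Signature with d={signing_domain}")

    listed = Counter(h.lower() for h in tags.get("h", "").split(":") if h)
    report = {}
    for name in watched:
        in_h = listed[name.lower()]
        present = len(msg.get_all(name, []))
        if in_h > present:
            report[name] = "oversigned"
        elif in_h == 0:
            report[name] = "unsigned-present" if present else "unsigned-absent"
        elif in_h == present:
            report[name] = "signed"
        else:
            report[name] = "partly-signed"
    return report


if __name__ == "__main__":
    for header, status in audit_dkim_coverage(SAMPLE, "paypal.com").items():
        print(f"{header:12} {status}")
```

On the constructed sample, From is reported as oversigned while Message-ID and Resent-From fall outside the signature, which is the gap the two messages describe.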


Re: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-15 Thread Shawn Iverson
Thank you Giovanni, I'll give this rule a try. I think the bigger issue was
that the default welcomelist was shortcircuiting any further rule
evaluation. Now I'm able to score these emails with rules like this one :)

On Tue, Nov 15, 2022 at 2:44 AM  wrote:

> On 11/14/22 21:14, Shawn Iverson wrote:
> > How do I stop this? paypal.com  is in the default
> DKIM whitelist!
>
> Does this work on your sample ?
> The body you posted is only partial.
>
> uri        __URI_IMG_PAYPAL   /^https:\/\/www\.paypalobjects\.com\/(?:digitalassets|en_US|ui\-web)\/.{1,64}\.(?:gif|jpg|png)/
> meta       __PAYPAL_IMG_NOT_RCVD_PAYP   __URI_IMG_PAYPAL && !__HDR_RCVD_PAYPAL
> meta       GB_PAYPAL_IMG_NOT_RCVD_PAYP   __PAYPAL_IMG_NOT_RCVD_PAYP && !__HAS_ERRORS_TO && !__MSGID_LIST && !__MSGID_GUID && !__RCD_RDNS_SMTP
> describe   GB_PAYPAL_IMG_NOT_RCVD_PAYP   Paypal hosted image but message not from Paypal
> score      GB_PAYPAL_IMG_NOT_RCVD_PAYP   2.500 # limit
>
>   Giovanni
>


Re: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-15 Thread Shawn Iverson
Thank you Matus.  I was not aware of an unwelcomelist_from_dkim option.
This helps immensely.

On Tue, Nov 15, 2022 at 4:35 AM Matus UHLAR - fantomas 
wrote:

> On 14.11.22 16:39, Shawn Iverson wrote:
> >Corrected...
> >
> ># Default Whitelist Exceptions handling -- SJI 11/14/22
> >shortcircuit USER_IN_DKIM_WHITELIST off
> >score   USER_IN_DKIM_WHITELIST 0
> >score   USER_IN_DEF_DKIM_WL 0
> >
> >header  CUSTOM_FROM_PAYPAL From:addr =~ /paypal\.com/
> >meta    CUSTOM_DKIM_WL_EXCEPTIONS  USER_IN_DKIM_WHITELIST && CUSTOM_FROM_PAYPAL
> >describe CUSTOM_DKIM_WL_EXCEPTIONS  Exception for paypal in DKIM whitelisting
> >score   CUSTOM_DKIM_WL_EXCEPTIONS  0.001
> >
> >meta    CUSTOM_DKIM_OK USER_IN_DKIM_WHITELIST && !CUSTOM_DKIM_WL_EXCEPTIONS
> >describe CUSTOM_DKIM_OK All other whitelisted senders
> >score   CUSTOM_DKIM_OK -100
>
> I guess removing paypal from w*list should be easier:
>
> % pwd
> /var/lib/spamassassin/4.00
> % grep -Firh def_welcomelist_from_dkim | grep -i paypal
> def_welcomelist_from_dkim  *@*  paypal.com
> def_welcomelist_from_dkim  *@paypal.com
> def_welcomelist_from_dkim  *@*.paypal.com
> def_welcomelist_from_dkim  *@paypal.co.uk
> def_welcomelist_from_dkim  *@*.paypal.co.uk
> def_welcomelist_from_dkim  *@paypal.at
> def_welcomelist_from_dkim  *@*.paypal.at
> def_welcomelist_from_dkim  *@paypal.be
> def_welcomelist_from_dkim  *@*.paypal.be
> def_welcomelist_from_dkim  *@paypal.de
> def_welcomelist_from_dkim  *@*.paypal.de
> def_welcomelist_from_dkim  *@paypal.es
> def_welcomelist_from_dkim  *@*.paypal.es
> def_welcomelist_from_dkim  *@paypal.fr
> def_welcomelist_from_dkim  *@*.paypal.fr
> def_welcomelist_from_dkim  *@paypal.ie
> def_welcomelist_from_dkim  *@*.paypal.ie
> def_welcomelist_from_dkim  *@paypal.it
> def_welcomelist_from_dkim  *@*.paypal.it
> def_welcomelist_from_dkim  *@paypal.nl
> def_welcomelist_from_dkim  *@*.paypal.nl
> def_welcomelist_from_dkim  *@paypal.pt
> def_welcomelist_from_dkim  *@*.paypal.pt
> def_welcomelist_from_dkim  *@paypal.ca
> def_welcomelist_from_dkim  *@*.paypal.ca
>
> so it should be removed by:
>
> unwelcomelist_from_dkim  *@*  paypal.com
> unwelcomelist_from_dkim  *@paypal.com
> unwelcomelist_from_dkim  *@*.paypal.com
> unwelcomelist_from_dkim  *@paypal.co.uk
> unwelcomelist_from_dkim  *@*.paypal.co.uk
> unwelcomelist_from_dkim  *@paypal.at
> unwelcomelist_from_dkim  *@*.paypal.at
> unwelcomelist_from_dkim  *@paypal.be
> unwelcomelist_from_dkim  *@*.paypal.be
> unwelcomelist_from_dkim  *@paypal.de
> unwelcomelist_from_dkim  *@*.paypal.de
> unwelcomelist_from_dkim  *@paypal.es
> unwelcomelist_from_dkim  *@*.paypal.es
> unwelcomelist_from_dkim  *@paypal.fr
> unwelcomelist_from_dkim  *@*.paypal.fr
> unwelcomelist_from_dkim  *@paypal.ie
> unwelcomelist_from_dkim  *@*.paypal.ie
> unwelcomelist_from_dkim  *@paypal.it
> unwelcomelist_from_dkim  *@*.paypal.it
> unwelcomelist_from_dkim  *@paypal.nl
> unwelcomelist_from_dkim  *@*.paypal.nl
> unwelcomelist_from_dkim  *@paypal.pt
> unwelcomelist_from_dkim  *@*.paypal.pt
> unwelcomelist_from_dkim  *@paypal.ca
> unwelcomelist_from_dkim  *@*.paypal.ca
>
> with SA3.4 replace "welcomelist" by "whitelist"
>
>
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Depression is merely anger without enthusiasm.
>


Re: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-15 Thread Matus UHLAR - fantomas

On 14.11.22 16:39, Shawn Iverson wrote:

Corrected...

# Default Whitelist Exceptions handling -- SJI 11/14/22
shortcircuit USER_IN_DKIM_WHITELIST off
score   USER_IN_DKIM_WHITELIST 0
score   USER_IN_DEF_DKIM_WL 0

header  CUSTOM_FROM_PAYPAL From:addr =~ /paypal\.com/
meta    CUSTOM_DKIM_WL_EXCEPTIONS  USER_IN_DKIM_WHITELIST && CUSTOM_FROM_PAYPAL
describe CUSTOM_DKIM_WL_EXCEPTIONS  Exception for paypal in DKIM whitelisting
score   CUSTOM_DKIM_WL_EXCEPTIONS  0.001

meta    CUSTOM_DKIM_OK USER_IN_DKIM_WHITELIST && !CUSTOM_DKIM_WL_EXCEPTIONS
describe CUSTOM_DKIM_OK All other whitelisted senders
score   CUSTOM_DKIM_OK -100


I guess removing paypal from w*list should be easier:

% pwd
/var/lib/spamassassin/4.00
% grep -Firh def_welcomelist_from_dkim | grep -i paypal
def_welcomelist_from_dkim  *@*  paypal.com
def_welcomelist_from_dkim  *@paypal.com
def_welcomelist_from_dkim  *@*.paypal.com
def_welcomelist_from_dkim  *@paypal.co.uk
def_welcomelist_from_dkim  *@*.paypal.co.uk
def_welcomelist_from_dkim  *@paypal.at
def_welcomelist_from_dkim  *@*.paypal.at
def_welcomelist_from_dkim  *@paypal.be
def_welcomelist_from_dkim  *@*.paypal.be
def_welcomelist_from_dkim  *@paypal.de
def_welcomelist_from_dkim  *@*.paypal.de
def_welcomelist_from_dkim  *@paypal.es
def_welcomelist_from_dkim  *@*.paypal.es
def_welcomelist_from_dkim  *@paypal.fr
def_welcomelist_from_dkim  *@*.paypal.fr
def_welcomelist_from_dkim  *@paypal.ie
def_welcomelist_from_dkim  *@*.paypal.ie
def_welcomelist_from_dkim  *@paypal.it
def_welcomelist_from_dkim  *@*.paypal.it
def_welcomelist_from_dkim  *@paypal.nl
def_welcomelist_from_dkim  *@*.paypal.nl
def_welcomelist_from_dkim  *@paypal.pt
def_welcomelist_from_dkim  *@*.paypal.pt
def_welcomelist_from_dkim  *@paypal.ca
def_welcomelist_from_dkim  *@*.paypal.ca

so it should be removed by:

unwelcomelist_from_dkim  *@*  paypal.com
unwelcomelist_from_dkim  *@paypal.com
unwelcomelist_from_dkim  *@*.paypal.com
unwelcomelist_from_dkim  *@paypal.co.uk
unwelcomelist_from_dkim  *@*.paypal.co.uk
unwelcomelist_from_dkim  *@paypal.at
unwelcomelist_from_dkim  *@*.paypal.at
unwelcomelist_from_dkim  *@paypal.be
unwelcomelist_from_dkim  *@*.paypal.be
unwelcomelist_from_dkim  *@paypal.de
unwelcomelist_from_dkim  *@*.paypal.de
unwelcomelist_from_dkim  *@paypal.es
unwelcomelist_from_dkim  *@*.paypal.es
unwelcomelist_from_dkim  *@paypal.fr
unwelcomelist_from_dkim  *@*.paypal.fr
unwelcomelist_from_dkim  *@paypal.ie
unwelcomelist_from_dkim  *@*.paypal.ie
unwelcomelist_from_dkim  *@paypal.it
unwelcomelist_from_dkim  *@*.paypal.it
unwelcomelist_from_dkim  *@paypal.nl
unwelcomelist_from_dkim  *@*.paypal.nl
unwelcomelist_from_dkim  *@paypal.pt
unwelcomelist_from_dkim  *@*.paypal.pt
unwelcomelist_from_dkim  *@paypal.ca
unwelcomelist_from_dkim  *@*.paypal.ca

with SA3.4 replace "welcomelist" by "whitelist"



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Depression is merely anger without enthusiasm.


Re: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-14 Thread giovanni

On 11/14/22 21:14, Shawn Iverson wrote:

How do I stop this? paypal.com  is in the default DKIM 
whitelist!


Does this work on your sample ?
The body you posted is only partial.

uri        __URI_IMG_PAYPAL   /^https:\/\/www\.paypalobjects\.com\/(?:digitalassets|en_US|ui\-web)\/.{1,64}\.(?:gif|jpg|png)/
meta       __PAYPAL_IMG_NOT_RCVD_PAYP   __URI_IMG_PAYPAL && !__HDR_RCVD_PAYPAL
meta       GB_PAYPAL_IMG_NOT_RCVD_PAYP   __PAYPAL_IMG_NOT_RCVD_PAYP && !__HAS_ERRORS_TO && !__MSGID_LIST && !__MSGID_GUID && !__RCD_RDNS_SMTP
describe   GB_PAYPAL_IMG_NOT_RCVD_PAYP   Paypal hosted image but message not from Paypal
score      GB_PAYPAL_IMG_NOT_RCVD_PAYP   2.500 # limit

 Giovanni




Re: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-14 Thread Martin Gregorie
On Mon, 2022-11-14 at 15:14 -0500, Shawn Iverson wrote:
> How do I stop this?  paypal.com is in the default DKIM whitelist!
> 
I'd treat it as spam because the domain name in the From header doesn't
match the domain name in the Message-ID header. 

That works for me, with virtually no false mail rejections.

Martin



Re: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-14 Thread Shawn Iverson
Corrected...

# Default Whitelist Exceptions handling -- SJI 11/14/22
shortcircuit USER_IN_DKIM_WHITELIST off
score   USER_IN_DKIM_WHITELIST 0
score   USER_IN_DEF_DKIM_WL 0

header  CUSTOM_FROM_PAYPAL From:addr =~ /paypal\.com/
meta    CUSTOM_DKIM_WL_EXCEPTIONS  USER_IN_DKIM_WHITELIST && CUSTOM_FROM_PAYPAL
describe CUSTOM_DKIM_WL_EXCEPTIONS  Exception for paypal in DKIM whitelisting
score   CUSTOM_DKIM_WL_EXCEPTIONS  0.001

meta    CUSTOM_DKIM_OK USER_IN_DKIM_WHITELIST && !CUSTOM_DKIM_WL_EXCEPTIONS
describe CUSTOM_DKIM_OK All other whitelisted senders
score   CUSTOM_DKIM_OK -100

On Mon, Nov 14, 2022 at 4:38 PM Shawn Iverson 
wrote:

> For those fighting the same battles...
>
> # Default Whitelist Exceptions handling -- SJI 11/14/22
> shortcircuit USER_IN_DKIM_WHITELIST off
> score   USER_IN_DKIM_WHITELIST 0
> score   USER_IN_DEF_DKIM_WL 0
>
> header  CUSTOM_FROM_PAYPAL From:addr =~ /paypal\.com/
> meta    CUSTOM_DKIM_WL_EXCEPTIONS  USER_IN_DKIM_WHITELIST && ENA_FROM_PAYPAL
> describe CUSTOM_DKIM_WL_EXCEPTIONS  Exception for paypal in DKIM whitelisting
> score   CUSTOM_DKIM_WL_EXCEPTIONS  0.001
>
> meta    CUSTOM_DKIM_OK USER_IN_DKIM_WHITELIST && !CUSTOM_DKIM_WL_EXCEPTIONS
> describe CUSTOM_DKIM_OK All other whitelisted senders
> score   CUSTOM_DKIM_OK -100
>
> On Mon, Nov 14, 2022 at 3:56 PM Shawn Iverson 
> wrote:
>
>> So what I'm going to do is turn shortcircuit off for
>> USER_IN_DKIM_WHITELIST
>>
>> Create a meta to catch paypal.com as the from address and score
>> appropriately
>> Create a counter meta to score other deserving DKIM-signers appropriately
>>
>> On Mon, Nov 14, 2022 at 3:43 PM Alan Hodgson 
>> wrote:
>>
>>> On Mon, 2022-11-14 at 15:14 -0500, Shawn Iverson wrote:
>>> > How do I stop this?  paypal.com is in the default DKIM whitelist!
>>> >
>>>
>>> That message really looks like it came from Paypal and then was
>>> forwarded by Microsoft to your server. Was it really a fake? That's a
>>> lot of headers to fake if so.
>>>
>>> If it was really fake and that paypal-supplied DKIM signature doesn't
>>> validate (I didn't check that), then checking DMARC when you receive
>>> mail and rejecting on p=reject failures would block it.
>>>
>>


Re: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-14 Thread Shawn Iverson
For those fighting the same battles...

# Default Whitelist Exceptions handling -- SJI 11/14/22
shortcircuit USER_IN_DKIM_WHITELIST off
score   USER_IN_DKIM_WHITELIST 0
score   USER_IN_DEF_DKIM_WL 0

header  CUSTOM_FROM_PAYPAL From:addr =~ /paypal\.com/
meta    CUSTOM_DKIM_WL_EXCEPTIONS  USER_IN_DKIM_WHITELIST && ENA_FROM_PAYPAL
describe CUSTOM_DKIM_WL_EXCEPTIONS  Exception for paypal in DKIM whitelisting
score   CUSTOM_DKIM_WL_EXCEPTIONS  0.001

meta    CUSTOM_DKIM_OK USER_IN_DKIM_WHITELIST && !CUSTOM_DKIM_WL_EXCEPTIONS
describe CUSTOM_DKIM_OK All other whitelisted senders
score   CUSTOM_DKIM_OK -100

On Mon, Nov 14, 2022 at 3:56 PM Shawn Iverson 
wrote:

> So what I'm going to do is turn shortcircuit off for USER_IN_DKIM_WHITELIST
>
> Create a meta to catch paypal.com as the from address and score
> appropriately
> Create a counter meta to score other deserving DKIM-signers appropriately
>
> On Mon, Nov 14, 2022 at 3:43 PM Alan Hodgson 
> wrote:
>
>> On Mon, 2022-11-14 at 15:14 -0500, Shawn Iverson wrote:
>> > How do I stop this?  paypal.com is in the default DKIM whitelist!
>> >
>>
>> That message really looks like it came from Paypal and then was
>> forwarded by Microsoft to your server. Was it really a fake? That's a
>> lot of headers to fake if so.
>>
>> If it was really fake and that paypal-supplied DKIM signature doesn't
>> validate (I didn't check that), then checking DMARC when you receive
>> mail and rejecting on p=reject failures would block it.
>>
>


Re: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-14 Thread Shawn Iverson
Oh yeah?

[@x~]$ grep DEF_WHITELIST /var/lib/spamassassin/3.004006/updates_spamassassin_org/*
/var/lib/spamassassin/3.004004/updates_spamassassin_org/30_text_de.cf:lang de describe USER_IN_DEF_WHITELIST Absenderadresse steht in der allgemeinen weißen Liste
/var/lib/spamassassin/3.004004/updates_spamassassin_org/30_text_fr.cf:lang fr describe USER_IN_DEF_WHITELIST Expéditeur dans la liste OK par défaut de SpamAssassin
/var/lib/spamassassin/3.004004/updates_spamassassin_org/30_text_pl.cf:lang pl describe USER_IN_DEF_WHITELIST Użytkownik jest wymieniony w domyślnej white-list (białej liście)
/var/lib/spamassassin/3.004004/updates_spamassassin_org/30_text_pt_br.cf:lang pt_BR describe USER_IN_DEF_WHITELIST Endereço do From: está na whitelist padrão
/var/lib/spamassassin/3.004004/updates_spamassassin_org/50_scores.cf:#score USER_IN_DEF_WHITELIST -15.000 - Moved to 60_whitelist.cf
/var/lib/spamassassin/3.004004/updates_spamassassin_org/60_shortcircuit.cf:priority USER_IN_DEF_WHITELIST -1000
/var/lib/spamassassin/3.004004/updates_spamassassin_org/60_whitelist.cf:   meta USER_IN_DEF_WHITELIST (USER_IN_DEF_WELCOMELIST)
/var/lib/spamassassin/3.004004/updates_spamassassin_org/60_whitelist.cf:   describe USER_IN_DEF_WHITELIST DEPRECATED: See USER_IN_WELCOMELIST
/var/lib/spamassassin/3.004004/updates_spamassassin_org/60_whitelist.cf:   tflags USER_IN_DEF_WHITELIST userconf nice noautolearn
/var/lib/spamassassin/3.004004/updates_spamassassin_org/60_whitelist.cf:   score USER_IN_DEF_WHITELIST -15.0
/var/lib/spamassassin/3.004004/updates_spamassassin_org/60_whitelist.cf: meta USER_IN_DEF_WHITELIST (USER_IN_DEF_WELCOMELIST)
/var/lib/spamassassin/3.004004/updates_spamassassin_org/60_whitelist.cf: describe USER_IN_DEF_WHITELIST DEPRECATED: See USER_IN_DEF_WELCOMELIST
/var/lib/spamassassin/3.004004/updates_spamassassin_org/60_whitelist.cf: tflags USER_IN_DEF_WHITELIST userconf nice noautolearn
/var/lib/spamassassin/3.004004/updates_spamassassin_org/60_whitelist.cf: score USER_IN_DEF_WHITELIST -15.0
/var/lib/spamassassin/3.004004/updates_spamassassin_org/local.cf:# shortcircuit USER_IN_DEF_WHITELIST on

On Mon, Nov 14, 2022 at 4:34 PM Marc  wrote:

>
> There is no such thing as a default whitelist.
>
> > >>
> > >> How do I stop this?  paypal.com   is in the
> > default
> > >> DKIM whitelist!
> > >>
> > >
> > >
> > > score  USER_IN_DKIM_WHITELIST 0
> >
> > would affect *every* mail in the default whitelist and so be a knee-jerk
> > reaction without brain
>


RE: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-14 Thread Marc

There is no such thing as a default whitelist.

> >>
> >> How do I stop this?  paypal.com   is in the
> default
> >> DKIM whitelist!
> >>
> >
> >
> > score  USER_IN_DKIM_WHITELIST 0
> 
> would affect *every* mail in the default whitelist and so be a knee-jerk
> reaction without brain


Re: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-14 Thread Kevin A. McGrail
I have also seen the PayPal ecosystem being abused by bad actors sending
things like fake invoices.  I am also +1 to remove the domain from the dkim
wl.

Regards, KAM

On Mon, Nov 14, 2022, 16:01 Shawn Iverson  wrote:

> Bottom line is I don't think paypal deserves to be default whitelisted in
> recent history.  I've received a lot of spam actually from paypal and
> judiciously report it to phish...@paypal.com with no apparent action or
> response.
>
> On Mon, Nov 14, 2022 at 3:56 PM Shawn Iverson 
> wrote:
>
>> So what I'm going to do is turn shortcircuit off for
>> USER_IN_DKIM_WHITELIST
>>
>> Create a meta to catch paypal.com as the from address and score
>> appropriately
>> Create a counter meta to score other deserving DKIM-signers appropriately
>>
>> On Mon, Nov 14, 2022 at 3:43 PM Alan Hodgson 
>> wrote:
>>
>>> On Mon, 2022-11-14 at 15:14 -0500, Shawn Iverson wrote:
>>> > How do I stop this?  paypal.com is in the default DKIM whitelist!
>>> >
>>>
>>> That message really looks like it came from Paypal and then was
>>> forwarded by Microsoft to your server. Was it really a fake? That's a
>>> lot of headers to fake if so.
>>>
>>> If it was really fake and that paypal-supplied DKIM signature doesn't
>>> validate (I didn't check that), then checking DMARC when you receive
>>> mail and rejecting on p=reject failures would block it.
>>>
>>


Re: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-14 Thread Shawn Iverson
Bottom line is I don't think paypal deserves to be default whitelisted in
recent history.  I've received a lot of spam actually from paypal and
judiciously report it to phish...@paypal.com with no apparent action or
response.

On Mon, Nov 14, 2022 at 3:56 PM Shawn Iverson 
wrote:

> So what I'm going to do is turn shortcircuit off for USER_IN_DKIM_WHITELIST
>
> Create a meta to catch paypal.com as the from address and score
> appropriately
> Create a counter meta to score other deserving DKIM-signers appropriately
>
> On Mon, Nov 14, 2022 at 3:43 PM Alan Hodgson 
> wrote:
>
>> On Mon, 2022-11-14 at 15:14 -0500, Shawn Iverson wrote:
>> > How do I stop this?  paypal.com is in the default DKIM whitelist!
>> >
>>
>> That message really looks like it came from Paypal and then was
>> forwarded by Microsoft to your server. Was it really a fake? That's a
>> lot of headers to fake if so.
>>
>> If it was really fake and that paypal-supplied DKIM signature doesn't
>> validate (I didn't check that), then checking DMARC when you receive
>> mail and rejecting on p=reject failures would block it.
>>
>


Re: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-14 Thread Shawn Iverson
So what I'm going to do is turn shortcircuit off for USER_IN_DKIM_WHITELIST

Create a meta to catch paypal.com as the from address and score appropriately
Create a counter meta to score other deserving DKIM-signers appropriately

On Mon, Nov 14, 2022 at 3:43 PM Alan Hodgson 
wrote:

> On Mon, 2022-11-14 at 15:14 -0500, Shawn Iverson wrote:
> > How do I stop this?  paypal.com is in the default DKIM whitelist!
> >
>
> That message really looks like it came from Paypal and then was
> forwarded by Microsoft to your server. Was it really a fake? That's a
> lot of headers to fake if so.
>
> If it was really fake and that paypal-supplied DKIM signature doesn't
> validate (I didn't check that), then checking DMARC when you receive
> mail and rejecting on p=reject failures would block it.
>


Re: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-14 Thread Shawn Iverson
The DKIM signature looks valid.

On Mon, Nov 14, 2022 at 3:43 PM Alan Hodgson 
wrote:

> On Mon, 2022-11-14 at 15:14 -0500, Shawn Iverson wrote:
> > How do I stop this?  paypal.com is in the default DKIM whitelist!
> >
>
> That message really looks like it came from Paypal and then was
> forwarded by Microsoft to your server. Was it really a fake? That's a
> lot of headers to fake if so.
>
> If it was really fake and that paypal-supplied DKIM signature doesn't
> validate (I didn't check that), then checking DMARC when you receive
> mail and rejecting on p=reject failures would block it.
>


Re: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-14 Thread Shawn Iverson
Are you asking me to rescore these back to 0?  That will take some effort
to do, but if that's what it takes...

On Mon, Nov 14, 2022 at 3:42 PM Marc  wrote:

> >
> > How do I stop this?  paypal.com   is in the default
> > DKIM whitelist!
> >
> >
>
>
> score  USER_IN_DKIM_WHITELIST 0
>
> ?
>


Re: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-14 Thread Alan Hodgson
On Mon, 2022-11-14 at 15:14 -0500, Shawn Iverson wrote:
> How do I stop this?  paypal.com is in the default DKIM whitelist!
> 

That message really looks like it came from Paypal and then was
forwarded by Microsoft to your server. Was it really a fake? That's a
lot of headers to fake if so.

If it was really fake and that paypal-supplied DKIM signature doesn't
validate (I didn't check that), then checking DMARC when you receive
mail and rejecting on p=reject failures would block it.


RE: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-14 Thread Marc
> 
> How do I stop this?  paypal.com   is in the default
> DKIM whitelist!
> 
> 


score  USER_IN_DKIM_WHITELIST 0

?