On 2023-03-20 at 13:17:25 UTC-0400 (Mon, 20 Mar 2023 13:17:25 -0400)
Mark London <m...@psfc.mit.edu>
is rumored to have said:

> Can someone tell me why this PayPal phishing email managed to trigger USER_IN_DEF_SPF_WL?

Hard to be sure, since you didn't include any indication of the envelope sender address (a.k.a. Return-Path) which is what SPF validates.

IF the envelope sender was a dropbox.com address (as implied by the From header and one of the DKIM headers) then SPF passed because the SPF TXT record for dropbox.com includes the AmazonSES machine that this came from. USER_IN_DEF_SPF_WL passed because at some point in the past someone with commit permission deemed Dropbox to be a sender of substantial amounts of predominantly wanted non-spam that occasionally was being classified as spam AND that they had a useful SPF record.

This appears to be actual mail from a Dropbox service. In that sense, it is not a phish. It seems to want you to think that it is a PayPal invoice, and I'm not sure that SA can detect that sort of recursive phish without hardcoding concrete details like "PayPal does not send invoices using Dropbox" that we don't really have any way to know reliably.

> Or put it another way. Why wasn't it detected as a phishing email? Thanks.

Because as of right now, SpamAssassin does not know that PayPal does not use a Dropbox service to send invoices. As of this moment, I also can't say for sure that they do not, although I strongly doubt that they would do so.

And that Dropbox service does not seem to protect itself from fraudulent customers. That seems like a bad idea. We may need to reconsider Dropbox's presence in the distributed "default welcomelist."


Received: from a39-208.smtp-out.amazonses.com (a39-208.smtp-out.amazonses.com [54.240.39.208])
    by PSFCMAIL.MIT.EDU (8.14.7/8.14.7) with ESMTP id 32KGQHFm099160
    (version=TLSv1/SSLv3 cipher=AES128-SHA256 bits=128 verify=NOT)
    for <mar...@psfc.mit.edu>; Mon, 20 Mar 2023 12:26:17 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
    s=rid2v4iwdmeb26wntc7bqs5dnqgasdul; d=dropbox.com; t=1679329577;
h=Content-Type:MIME-Version:From:To:CC:Subject:Date:Message-ID:Reply-To;
    bh=l2b7HMFmOjBDciMdIctq/6okXsHLQ3QtlCcrrKeBJFo=;
b=JZDgJOd2uPgAFKgSkAHeZ91+AJxLr/Rl231qxeOFdeMpeSo3NYG+WyedzpPWJneI
IkTEHtDYWQMhQf5bAJYJB+3hEF0n6t9MnmQzaF8xDlRK269ILVw/pfn8NHiNW7XR5R5
    S/Y1XQpbvN8ezTWvCqiedTTQ/ubqm9KPXljCyPF4=
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
    s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1679329577;
h=Content-Type:MIME-Version:From:To:CC:Subject:Date:Message-ID:Reply-To:Feedback-ID;
    bh=l2b7HMFmOjBDciMdIctq/6okXsHLQ3QtlCcrrKeBJFo=;
b=WvG6JHQ5+a4w8pq7gZNZYz/ph2i13+NZaJqfqWqnQYRewLpSyhcx5a5AeaJ+JPd+
xwwriSGEl5bNes3b0gkdp/oYd9niSty0sZy/Vquwx5tQiZWVr6zWXzhyBMyqHvWbkh0
    sK3+fUdnhNigDX3wqE7/W3+ccK+XgH7ab5pstqb0=
Content-Type: multipart/alternative; boundary="===============1633481412880569064=="
MIME-Version: 1.0
From: PayPal Support <no-re...@dropbox.com>
To: x...@psfc.mit.edu
CC:
Subject: =?utf-8?q?Your_invoice_from_PayPal_Support_=28=23038989SL43=29?=
Date: Mon, 20 Mar 2023 16:26:17 +0000
Message-ID: <01000186ffd7c860-2ed35238-7287-4f0b-b752-22466377b187-000...@email.amazonses.com>
X-Dropbox-Message-ID: 3637112534418604150
Reply-To: no-re...@paypal.com
Feedback-ID: 1.us-east-1.syWQ1+fF8Wo1tY8y/+s85ptiAKu7bILK6PHyxwpB+xo=:AmazonSES
X-SES-Outgoing: 2023.03.20-54.240.39.208

--===============1633481412880569064==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

New invoice $629.00 Paid on March 20, 2023 View invoice[1] To PayPal= Billing Bot invoice_rece...@paypal.com From PayPal Support no-reply@P= ayPal.com Issued March 20, 2023 Title wish to request a refund, please co= ntact our support team at : +1 (833) 465-5681 Your recent purchase of Te= ther (USDT) for $629.00 via PayPal has been confirmed. The funds will be re= flected in your account within 24 hours. If you require any assistance or w= ish to request a refund, please contact our support team at : <br>+1 (833) = 465-5681 PayPal Support sent you an invoice using Dropbox, Inc. PO Box 77=
767, San Francisco, CA 94107 View Privacy Policy[2] =20

[1]: https://invoice.dropbox.com/invoices/view/cap_pid_inv%3AAAAAAOxsdGyt1l=
3tFh9ZGervJ5Of-1znmrl1kE1pnlfEDUsg?utm_campaign=3Dsend_invoice&utm_medium=
=3Demail&utm_source=3Ddropbox&utm_term=3Dview_invoice
[2]: https://www.dropbox.com/l/AABfXvXi7J31sSfCfcEcmcs-kdTvg1Al_EE/privacy
--===============1633481412880569064==--


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
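
The SPF pass discussed in the reply covers only the envelope sender, so a From display name that names one brand while the address sits in another domain is never examined by it. As an added example (not part of the original message and not SpamAssassin code), this Python check flags that mismatch on headers modeled on the quoted sample; the `BRAND_DOMAINS` table, the function names and the address local parts are assumptions constructed for illustration.

```python
from email import message_from_string, policy

# Hypothetical local table: brand word -> domains that brand is known to send from.
BRAND_DOMAINS = {"paypal": ("paypal.com",)}

# Constructed headers modeled on the quoted sample (the archive redacts the
# real local parts, so these local parts are made up).
SUSPECT = (
    "From: PayPal Support <constructed-sender@dropbox.com>\n"
    "Reply-To: constructed-replyto@paypal.com\n"
    "Subject: Your invoice from PayPal Support\n\n"
)

def in_domain(domain, parent):
    """True if domain is parent or a subdomain of it (not a lookalike suffix)."""
    domain = domain.lower()
    return domain == parent or domain.endswith("." + parent)

def header_findings(raw):
    """Return header-consistency findings; an SPF or DKIM pass implies none of them."""
    msg = message_from_string(raw, policy=policy.default)
    from_hdr = msg["From"]
    if from_hdr is None or not from_hdr.addresses:
        return ["no-parsable-from"]
    sender = from_hdr.addresses[0]
    sender_domain = sender.domain.lower()
    name = sender.display_name.lower()  # RFC 2047 encoded words are already decoded
    findings = []
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name and not any(in_domain(sender_domain, d) for d in domains):
            findings.append(f"display-name-claims-{brand}-from-{sender_domain}")
    reply_to = msg["Reply-To"]
    if reply_to is not None:
        for addr in reply_to.addresses:
            if addr.domain.lower() != sender_domain:
                findings.append(
                    f"reply-to-domain-{addr.domain.lower()}-differs-from-{sender_domain}"
                )
    return findings

if __name__ == "__main__":
    for finding in header_findings(SUSPECT):
        print(finding)
```

Both findings are scoring signals rather than verdicts: a Reply-To in a different domain is common in legitimate mail, and the brand table only covers brands a site chooses to list.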
