The examples of this scam that I've seen use that same PayPal comment tactic but
then route it to an Office-365 mailbox which has a redirect to the victim's
address.
So the resultant message has both PayPal & O-365 valid DKIM signatures; not to
mention the multiple KB of O-365 header cruft which makes it hard to trace the
original source.
They tend to fall into two general themes:
1) call us NOW or we're going to auto-charge your account
2) Oopsies, you were mis-charged, call us to get this charge refunded to your
account.
In most cases all the usual PayPal & O-365 checks pass with flying colors; it's
just the text comment that has the scam payload.
As our organization is heavily invested in Microsoft/O-365 we get tons of valid
necessary communications from O-365 so I cannot block/penalize O-365 messages.
Thus even Bayes training on this scam garbage doesn't help me; I get 1000x legit
O-365 messages to each such scam.
Ugg.
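As an added example (mine, not code from this thread or from the SpamAssassin project), a Python triage script over a constructed header set shaped like the chain quoted further down: it walks the Received chain back to the PayPal origin, notes the SRS-rewritten envelope from the forwarding tenant, confirms the author-domain DKIM pass that trips the welcome-list, and flags the phone number the body pushes. Apart from hostnames reused from the quoted chain, every value in the sample (addresses, tenant domain, phone number, body text) is a placeholder, and the final "suspicious" heuristic is my assumption, not a shipped rule.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample with placeholder values, shaped like the header chain quoted in
# the thread: a PayPal-signed money request relayed through a third-party M365 tenant.
SAMPLE = """\
Return-Path: <bounces+SRS=4A6bc=u=victim@tenant.example.com>
Authentication-Results: mx.example.net; dkim=pass header.d=paypal.com header.i=@paypal.com
Received: from HK3PR03CU002.outbound.protection.outlook.com ([40.93.128.29]) by mx.example.net (Postfix) with ESMTPS; Tue, 28 Jan 2025 18:08:36 +0000
Received: from mx4.phx.paypal.com (66.211.170.90) by DU2PEPF00028CFD.mail.protection.outlook.com (10.167.242.181) with Microsoft SMTP Server; Tue, 28 Jan 2025 17:49:50 +0000
From: "sender@paypal.com" <sender@paypal.com>
To: Victim <order_status@tenant.example.com>
Subject: You've sent a money request
Content-Type: text/plain; charset="UTF-8"

Your account will be charged $499.99 in 24 hours. To cancel, call 1-800-555-0199 now.
"""

PHONE_RE = re.compile(r"\b(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
RECEIVED_RE = re.compile(r"^from\s+(\S+).*?\bby\s+(\S+)", re.S)


def addr_domain(msg, hdr):
    return parseaddr(msg.get(hdr, ""))[1].rpartition("@")[2].lower()


def relay_hops(msg):
    hops = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.match(" ".join(hdr.split()))
        if m:
            hops.append((m.group(1), m.group(2).rstrip(";")))
    return hops[::-1]  # Received headers are prepended, so the last one is the origin


def analyze(raw):
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    auth = " ".join(a for a in msg.get_all("Authentication-Results", []) if "dkim=pass" in a)
    hops = relay_hops(msg)
    r = {
        "from_domain": addr_domain(msg, "From"),
        "envelope_domain": addr_domain(msg, "Return-Path"),
        "dkim_author_pass": addr_domain(msg, "From") in re.findall(r"header\.d=([\w.-]+)", auth),
        "srs_forwarded": bool(re.search(r"\bSRS\d*=", msg.get("Return-Path", ""), re.I)),
        "origin_host": hops[0][0] if hops else None,
        "phones": PHONE_RE.findall(body),
    }
    # Heuristic (assumption, not a shipped SpamAssassin rule): author-domain DKIM passes, yet
    # the envelope was SRS-rewritten by a forwarder and the body pushes a phone number.
    r["suspicious"] = r["dkim_author_pass"] and r["srs_forwarded"] and bool(r["phones"])
    return r
```

The DKIM pass is what USER_IN_DEF_DKIM_WL keys on, so the useful signal is the combination with the forwarding tenant's envelope and the phone number, not the signature itself.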
On Wed, 29 Jan 2025, Alan via users wrote:
As far as I can tell, they're valid notifications from PayPal, and probably
useful for legitimate purposes. What the messages are
doing is attempting to trigger sufficient anxiety that the recipient calls the
phone number in the message, which connects them
to a scammer. It will get worse, and then hopefully the folks at PayPal will
find a way to eliminate it (they could refuse to
send a phone number in the message, for example).
On 2025-01-29 03:47, Mark London wrote:
This is my pet peeve. I set USER_IN_DEF_DKIM_WL to 0.001 a long time ago,
and it hasn't affected me at all.
But my view is probably not mainstream.
As an aside, I've added rules to filter for the recent fake requests for
money, that abuse that feature, which exists
on PAYPAL and VENMO. Rules can be easily created to detect these fake
requests, if you look at some of the examples
that come through. They aren't very sophisticated. FWIW.
Now I'll go back into hiding, - Mark
On 1/29/2025 3:23 AM, Niamh Holding wrote:
Hello
Given the From: address can be so easily faked, is a rule testing
its validity a great idea?
Headers-
Return-Path: <bounces+SRS=4A6bc=u...@smpn7wonogiri.sch.id>
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
iron.holtain.net
X-Spam-Level:
X-Spam-Status: No, score=-6.5 required=4.5 autolearn=no
autolearn_force=no
X-Spam-Report:
* 0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
*     [40.93.128.29 listed in wl.mailspike.net]
* -0.0 SPF_PASS SPF: sender matches SPF record
* 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different
* -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
* -7.5 USER_IN_DEF_DKIM_WL From: address is in the default DKIM welcome-list
* 0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain
* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
* 1.3 RCVD_IN_VALIDITY_RPBL RBL: Relay in Validity RPBL, https://senderscore.org/blocklistlookup/
*     [40.93.128.29 listed in bl.score.senderscore.com]
* -0.0 T_SCC_BODY_TEXT_LINE No description available.
* 1.0 POSSIBLE_PAYPAL_PHISH_03 Claims to be from paypal, sent to Microsoft365 domain - likely fraud if you don't use MSFT365!
* 0.0 T_REMOTE_IMAGE Message contains an external image
* -1.3 DKIMWL_WL_HIGH DKIMwl.org - High trust sender
X-Spam-Relays-Untrusted:
[ ip=40.93.128.29 rdns=mail-eastasiaazlp17011029.outbound.protection.outlook.com helo=HK3PR03CU002.outbound.protection.outlook.com by=iron.holtain.net ident= envfrom= intl=0 id=8EA1DC000546 auth= msa=0 ]
[ ip=2603:1096:405:8e::12 rdns=TYSPR04MB8220.apcprd04.prod.outlook.com helo=TYSPR04MB8220.apcprd04.prod.outlook.com by=TYZPR04MB7906.apcprd04.prod.outlook.com ident= envfrom= intl=0 id=15.20.8377.21 auth= msa=0 ]
[ ip=2603:1096:820:11b::9 rdns=KL1PR04MB7539.apcprd04.prod.outlook.com helo=KL1PR04MB7539.apcprd04.prod.outlook.com by=TYSPR04MB8220.apcprd04.prod.outlook.com ident= envfrom= intl=0 id=15.20.8377.21 auth= msa=0 ]
[ ip=fe80::b078:df3:b558:4f13 rdns= helo=KL1PR04MB7539.apcprd04.prod.outlook.com by=KL1PR04MB7539.apcprd04.prod.outlook.com ident= envfrom= intl=0 id= auth= msa=0 ]
[ ip=2603:1096:4:b8::34 rdns=SGXP274CA0022.SGPP274.PROD.OUTLOOK.COM helo=SGXP274CA0022.SGPP274.PROD.OUTLOOK.COM by=TYZPR04MB7271.apcprd04.prod.outlook.com ident= envfrom= intl=0 id=15.20.8377.21 auth= msa=0 ]
[ ip=2603:1096:4:b8:cafe::6f rdns=SG2PEPF000B66CE.apcprd03.prod.outlook.com helo=SG2PEPF000B66CE.apcprd03.prod.outlook.com by=SGXP274CA0022.outlook.office365.com ident= envfrom= intl=0 id=15.20.8398.17 auth= msa=0 ]
[ ip=2a01:111:f403:48::209 rdns=EUR03-VI1-obe.outbound.protection.outlook.com helo=EUR03-VI1-obe.outbound.protection.outlook.com by=SG2PEPF000B66CE.mail.protection.outlook.com ident= envfrom= intl=0 id=15.20.8398.14 auth= msa=0 ]
[ ip=2603:10a6:5:10::31 rdns=DB7P192MB0331.EURP192.PROD.OUTLOOK.COM helo=DB7P192MB0331.EURP192.PROD.OUTLOOK.COM by=AS8P192MB2065.EURP192.PROD.OUTLOOK.COM ident= envfrom= intl=0 id=15.20.8377.22 auth= msa=0 ]
[ ip=fe80::306f:e2a6:6620:fff0 rdns= helo=DB7P192MB0331.EURP192.PROD.OUTLOOK.COM by=DB7P192MB0331.EURP192.PROD.OUTLOOK.COM ident= envfrom= intl=0 id= auth= msa=0 ]
[ ip=2603:10a6:10:120::12 rdns=DB8PR06CA0038.eurprd06.prod.outlook.com helo=DB8PR06CA0038.eurprd06.prod.outlook.com by=PAWP192MB2250.EURP192.PROD.OUTLOOK.COM ident= envfrom= intl=0 id=15.20.8377.22 auth= msa=0 ]
[ ip=2603:10a6:10:120:cafe::e9 rdns=DU2PEPF00028CFD.eurprd03.prod.outlook.com helo=DU2PEPF00028CFD.eurprd03.prod.outlook.com by=DB8PR06CA0038.outlook.office365.com ident= envfrom= intl=0 id=15.20.8377.22 auth= msa=0 ]
[ ip=66.211.170.90 rdns=mx4.phx.paypal.com helo=mx4.phx.paypal.com by=DU2PEPF00028CFD.mail.protection.outlook.com ident= envfrom= intl=0 id=15.20.8398.14 auth= msa=0 ]
X-Spam-Language: en
X-Spam-DKIM-i: @paypal.com
X-Spam-DKIM-d: paypal.com
X-Original-To: ni...@fullbore.co.uk
Delivered-To: niamh.fullb...@iron.holtain.net
Received-SPF: Pass (mailfrom) identity=mailfrom;
client-ip=40.93.128.29;
helo=hk3pr03cu002.outbound.protection.outlook.com;
envelope-from=bounces+srs=4a6bc=u...@smpn7wonogiri.sch.id;
receiver=<UNKNOWN>
DMARC-Filter: OpenDMARC Filter v1.4.2 iron.holtain.net 8EA1DC000546
Authentication-Results: iron.holtain.net; dmarc=pass (p=reject
dis=none) header.from=paypal.com
Authentication-Results: iron.holtain.net; spf=pass
smtp.mailfrom=smpn7wonogiri.sch.id
DKIM-Filter: OpenDKIM Filter v2.11.0 iron.holtain.net 8EA1DC000546
Authentication-Results: iron.holtain.net;
dkim=pass (2048-bit key, unprotected) header.d=paypal.com
header.i=@paypal.com
header.a=rsa-sha256 header.s=pp-dkim1 header.b=Ti5ZlN8t
Received: from HK3PR03CU002.outbound.protection.outlook.com
(mail-eastasiaazlp17011029.outbound.protection.outlook.com
[40.93.128.29])
by iron.holtain.net (Postfix) with ESMTPS id 8EA1DC000546
for <ni...@fullbore.co.uk>; Tue, 28 Jan 2025 18:08:36
+0000 (GMT)
Received: from TYSPR04MB8220.apcprd04.prod.outlook.com
(2603:1096:405:8e::12)
by TYZPR04MB7906.apcprd04.prod.outlook.com (2603:1096:405:a9::11)
with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8377.21;
Tue, 28 Jan
2025 18:08:28 +0000
Received: from KL1PR04MB7539.apcprd04.prod.outlook.com
(2603:1096:820:11b::9)
by TYSPR04MB8220.apcprd04.prod.outlook.com (2603:1096:405:8e::12)
with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8377.21;
Tue, 28 Jan
2025 18:08:00 +0000
Received: from KL1PR04MB7539.apcprd04.prod.outlook.com
([fe80::b078:df3:b558:4f13]) by
KL1PR04MB7539.apcprd04.prod.outlook.com
([fe80::b078:df3:b558:4f13%3]) with mapi id 15.20.8377.021; Tue,
28 Jan 2025
18:07:59 +0000
Received: from SGXP274CA0022.SGPP274.PROD.OUTLOOK.COM
(2603:1096:4:b8::34) by
TYZPR04MB7271.apcprd04.prod.outlook.com (2603:1096:400:44f::6)
with Microsoft
SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.8377.21; Tue, 28 Jan 2025 17:50:17 +0000
Received: from SG2PEPF000B66CE.apcprd03.prod.outlook.com
(2603:1096:4:b8:cafe::6f) by SGXP274CA0022.outlook.office365.com
(2603:1096:4:b8::34) with Microsoft SMTP Server (version=TLS1_3,
cipher=TLS_AES_256_GCM_SHA384) id 15.20.8398.17 via Frontend
Transport; Tue,
28 Jan 2025 17:50:17 +0000
Authentication-Results: spf=softfail (sender IP is
2a01:111:f403:48::209)
smtp.mailfrom=euroland.fr; dkim=pass (signature was verified)
header.d=paypal.com;dmarc=pass action=none header.from=paypal.com;
Received-SPF: SoftFail (protection.outlook.com: domain of
transitioning
euroland.fr discourages use of 2a01:111:f403:48::209 as permitted
sender)
Received: from EUR03-VI1-obe.outbound.protection.outlook.com
(2a01:111:f403:48::209) by
SG2PEPF000B66CE.mail.protection.outlook.com
(2603:1096:f:fff5:0:1:0:5) with Microsoft SMTP Server
(version=TLS1_3,
cipher=TLS_AES_256_GCM_SHA384) id 15.20.8398.14 via Frontend
Transport; Tue,
28 Jan 2025 17:50:16 +0000
Received: from DB7P192MB0331.EURP192.PROD.OUTLOOK.COM
(2603:10a6:5:10::31) by
AS8P192MB2065.EURP192.PROD.OUTLOOK.COM (2603:10a6:20b:5bd::19)
with Microsoft
SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.8377.22; Tue, 28 Jan 2025 17:50:13 +0000
Received: from DB7P192MB0331.EURP192.PROD.OUTLOOK.COM
([fe80::306f:e2a6:6620:fff0]) by
DB7P192MB0331.EURP192.PROD.OUTLOOK.COM
([fe80::306f:e2a6:6620:fff0%5]) with mapi id 15.20.8377.021; Tue,
28 Jan 2025
17:50:13 +0000
Received: from DB8PR06CA0038.eurprd06.prod.outlook.com
(2603:10a6:10:120::12)
by PAWP192MB2250.EURP192.PROD.OUTLOOK.COM (2603:10a6:102:34e::21)
with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8377.22;
Tue, 28 Jan
2025 17:49:51 +0000
Received: from DU2PEPF00028CFD.eurprd03.prod.outlook.com
(2603:10a6:10:120:cafe::e9) by DB8PR06CA0038.outlook.office365.com
(2603:10a6:10:120::12) with Microsoft SMTP Server (version=TLS1_3,
cipher=TLS_AES_256_GCM_SHA384) id 15.20.8377.22 via Frontend
Transport; Tue,
28 Jan 2025 17:49:51 +0000
Authentication-Results-Original: spf=pass (sender IP is
66.211.170.90)
smtp.mailfrom=paypal.com; dkim=pass (signature was verified)
header.d=paypal.com;dmarc=pass action=none header.from=paypal.com;
Received-SPF: Pass (protection.outlook.com: domain of paypal.com
designates
66.211.170.90 as permitted sender)
receiver=protection.outlook.com;
client-ip=66.211.170.90; helo=mx4.phx.paypal.com; pr=C
Received: from mx4.phx.paypal.com (66.211.170.90) by
DU2PEPF00028CFD.mail.protection.outlook.com (10.167.242.181) with
Microsoft
SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.8398.14 via Frontend Transport; Tue, 28 Jan 2025 17:49:50
+0000
DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=pp-dkim1;
c=relaxed/relaxed;
q=dns/txt; i=@paypal.com; t=1738086589;
h=From:From:Subject:Date:To:MIME-Version:Content-Type;
bh=x4gXgJPzgMJS4s6SslPDX50DN37l6UgxYv1Fke0blj4=;
b=Ti5ZlN8t9vOP4oHPw6S7EFSv5qCloXAAcGFhN1UUYPh8b+kHEbenBvfdHtOlBzCF
7lCfc0LH2NGC6vIhFkmbmn490P6XkzLMgQwi9IcUaQTZrUIeD8r5YPRT5b/Y4RmA
VqAbuOE/7S20QxDlpoCqOprRhS/39AvB5W/QuCyzPn6uf+IjwQjyd7f8imwXsGGD
O+hiNma12uuMIgpeuAdk5PNYrZJv9UZA6Ta9OZP1LyowQPFIdPaIJf4ACHUkBGaa
fChq5r8wr7lBUGY/5ft8dfpmzcj3QiEcytLWYQ4niDlTJAMZcPI3OSuoyiwXjFJq
yuYqt5ZZhMyeauUvreQNbw==;
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="UTF-8"
Date: Tue, 28 Jan 2025 09:49:49 -0800
Message-ID: <AD.CB.51299.DB819976@ccg01mail06>
MIME-Version: 1.0
From: "serv...@paypal.com" <serv...@paypal.com>
To: Sharon Turner <order_stat...@euroland.onmicrosoft.com>
Subject: You've sent a money request
X-MaxCode-Template: RT000241
X-PP-Priority: 0-paypal-false
PP-Correlation-Id: f388091b585de
X-PP-Email-transmission-Id: 44cd845b-dda0-11ef-bbbe-0f3c32714b27
X-PP-REQUESTED-TIME: 1738086577206
X-Email-Type-Id: RT000241
AMQ-Delivery-Message-Id: nullval
X-XPT-XSL-Name: nullval
X-EOPAttributedMessage: 1
X-MS-TrafficTypeDiagnostic: DU2PEPF00028CFD:EE_|PAWP192MB2250:EE_|AS8P192MB2065:EE_|SG2PEPF000B66CE:EE_|TYZPR04MB7271:EE_|TYSPR04MB8220:EE_|TYZPR04MB7906:EE_
X-MS-Office365-Filtering-Correlation-Id:
198a6f79-7e5b-4b79-7cbb-08dd3fc43981
X-Moderation-Data: 1/28/2025 5:50:06 PM
X-LD-Processed: 597638ac-1f39-416f-b8b6-2a57af6395fe,ExtAddr
X-Auto-Response-Suppress: DR, OOF, AutoReply
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS8P192MB2065
X-EOPTenantAttributedMessage: 7ab5503a-6b18-41b1-ab89-bb02ef5b5daf:0
X-MS-Exchange-Transport-CrossTenantHeadersStripped:
SG2PEPF000B66CE.apcprd03.prod.outlook.com
X-MS-Exchange-Transport-CrossTenantHeadersPromoted:
SG2PEPF000B66CE.apcprd03.prod.outlook.com
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id-Prvs:
5c11a4de-9c64-4aae-d96a-08dd3fc42a48
X-Moderation-Data: 1/28/2025 6:07:58 PM
X-LD-Processed: 7ab5503a-6b18-41b1-ab89-bb02ef5b5daf,ExtAddr,ExtAddr
X-OriginatorOrg: smpn7wonogiri.sch.id
X-MS-Exchange-CrossTenant-Network-Message-Id:
198a6f79-7e5b-4b79-7cbb-08dd3fc43981
X-MS-Exchange-CrossTenant-Id: 7ab5503a-6b18-41b1-ab89-bb02ef5b5daf
X-MS-Exchange-CrossTenant-AuthSource:
SG2PEPF000B66CE.apcprd03.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 28 Jan 2025 18:07:59.9852 (UTC)
X-MS-Exchange-Transport-CrossTenantHeadersStamped: TYZPR04MB790
--
For SpamAssassin Users List
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{