
This mail that got through has me stumped. It appeared to me as being from PayPal <unclaimedproperty@paypal.com> in my Inbox. I happened to look at the original and it says SPF, DKIM and DMARC all passed.

If I'm reading this right, 74.112.67.243 connected to mail2550.paypal-notification.com and sent the mail. They used a Return-Path: <blahblah@bounce.paypal.mkt2944.com>.

bounce.paypal.mkt2944.com (currently) has an SPF record of v=spf1 a ip4:208.85.50.137 ip4:74.112.67.243 -all. So OK, they set up a spam mailer and worked it so SPF passes (the mail server paypal-notification.com is gone, seemingly owned by MarkMonitor now, so somebody else noticed this).

But then the DKIM signature has

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=spop1024; d=paypal.com; h=Date:From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type: X-CSA-Complaints:List-Unsubscribe;

Is this not saying "I'm signing all these headers with the key whose public portion is in a TXT record at spop1024._domainkey.paypal.com" (which exists)?

This passes, to my surprise

Authentication-Results: mx.google.com;
       dkim=pass

I've looked over and over to see if it's a close-cousin typo thing, or unicode address, etc. But it really seems to be signed by that paypal.com key...?

After that, it's still unclear to me why DMARC then passes -- I thought the From: address had to be "aligned" with the Return-Path:?

Delivered-To: <me@gmail.com>
Received: by 2002:a4a:804a:0:0:0:0:0 with SMTP id y10csp7519296oof;
        Mon, 22 Nov 2021 12:45:16 -0800 (PST)
X-Google-Smtp-Source: ABdhPJyxHoL8oksdcw38NnmHlTdPo1UfJoTCZ/wFDToSgMfRPG6WgHlKDtKbSjMXNh5t44nHazym
X-Received: by 2002:a25:4543:: with SMTP id s64mr27510605yba.304.1637613916462;
        Mon, 22 Nov 2021 12:45:16 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1637613916; cv=none;
        d=google.com; s=arc-20160816;
        b=OvsnJASmnJT63M3MSQlcKCnmxHpmorUbQJk3lIVXRyjM6CXvrRuJ2J1TDvDEOlt3lu
         EzKQHgL++dswppXvJFLxkPxHq8cwPy4JBpvYmk1y1kqcuAE+tB2UJjjm+g2Fv1akRO9N
         iie60J6CAhOYz+6w/1bnJ7K0AIVdy9OKVTt1KECqGLzrB7/HFtPZ5i/BFObcP9tC53Ok
         ULyOlVLCM+iLNvmS9xFfz1YAzR+TDj5/OKUxdT0N96Ut+sVScBF2heLQvceZPv5nw9j0
         VCQjSS/e38koGlh+14We/6o74OHuGkF+pwgaRwfiW3hZtOx0echGxgMUMKB+E+bpV0JB
         PvhQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-unsubscribe:mime-version:subject:message-id:to:reply-to:from
         :date:dkim-signature;
        bh=CXo6gpd99q61PdtNQYL0HweNp45DQK9gDadq1QHszOQ=;
        b=AndF29ToqFkXaC88xiijwW2WKaK/3o+FURvx6HVtLghatUDEyVEr4VymEzez9Ijtrf
         Jogh9LH/sqLdrLTBN3oVgNoQlGUrf131M5aK5wrf18hCk54LrIHW1v1BA8Gsl4cO7PZ2
         I+kgLQJY+85mIA1L/NZXKvViNlehHXTjwQCHtnfcdWCuIbrb7OTpDu3SW1kFQ+Wjy6Xt
         Jnm/LXZyT6bexBCXJsISEywM8EwuyD7uz0Rm7O+Pw+AU1pYVt2qArFk2hRHiXeTrB57I
         Yp6n2JM79y420UIVv9o/oPJloQcFdnp45sDxv85tr6DhZpvHlH3v3o3doiy2kC6vaBQU
         aXkQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@paypal.com header.s=spop1024 header.b=NSAupQiY;
       spf=pass (google.com: domain of v-edjoiac_ibeieokafk_iekbmfgb_iekbmfgb_a@bounce.paypal.mkt2944.com designates 74.112.67.243 as permitted sender) smtp.mailfrom=v-edjoiac_ibeieokafk_iekbmfgb_iekbmfgb_a@bounce.paypal.mkt2944.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.com
Return-Path: <v-edjoiac_ibeieokafk_iekbmfgb_iekbmfgb_a@bounce.paypal.mkt2944.com>
Received: from mail2550.paypal-notification.com ([74.112.67.243])
        by mx.google.com with ESMTPS id n184si7359975ybn.210.2021.11.22.12.45.16
        for <me@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 22 Nov 2021 12:45:16 -0800 (PST)
Received-SPF: pass (google.com: domain of v-edjoiac_ibeieokafk_iekbmfgb_iekbmfgb_a@bounce.paypal.mkt2944.com designates 74.112.67.243 as permitted sender) client-ip=74.112.67.243;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@paypal.com header.s=spop1024 header.b=NSAupQiY;
       spf=pass (google.com: domain of v-edjoiac_ibeieokafk_iekbmfgb_iekbmfgb_a@bounce.paypal.mkt2944.com designates 74.112.67.243 as permitted sender) smtp.mailfrom=v-edjoiac_ibeieokafk_iekbmfgb_iekbmfgb_a@bounce.paypal.mkt2944.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=spop1024; d=paypal.com; h=Date:From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type: X-CSA-Complaints:List-Unsubscribe; i=unclaimedproperty@paypal.com; bh=CXo6gpd99q61PdtNQYL0HweNp45DQK9gDadq1QHszOQ=; b=NSAupQiYb884cGVqugiXkhz/FlcoddCqXJLcD+gwE2xFNP+27ZRQFCGOL61uEai1EdgqXLS0FKSV
   1ttmHVRu1H/So/7kxAm93NuGJGDe0K5/t9LK3QQF1bTQv7OHjBOi3FhmFvhSs1roN2q4r+8FxhmR
   HBqxI9Sbw63gjSDL7C8=
Received: by mail2550.paypal-notification.com id hjg0lo2r7aoj for <me@gmail.com>; Mon, 22 Nov 2021 20:37:22 +0000 (envelope-from <v-edjoiac_ibeieokafk_iekbmfgb_iekbmfgb_a@bounce.paypal.mkt2944.com>)
Date: Mon, 22 Nov 2021 20:37:22 +0000 (GMT)
From: PayPal <unclaimedproperty@paypal.com>
Reply-To: unclaimedproperty@paypal.com
To: me@gmail.com
Message-ID: <432115452.269147071637613442797.JavaMail.app@rbg41.atlis1>
Subject: Notice of Unclaimed PayPal Funds
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_1300052_1672151020.1637613438245"
x-mid: 70903810
X-CSA-Complaints: csa-complaints@eco.de
x-rpcampaign: sp70903810
x-job: 70903810
x-orgId: 35487
List-Unsubscribe: <http://links.paypal.mkt2944.com/luoo/v1/...>, <mailto:v-edjoiac_ibeieokafk_iekbmfgb_iekbmfgb_a@bounce.paypal.mkt2944.com?subject=Unsubscribe>

Am I missing something obvious?!

update

It really does seem to pass DKIM.

$ opendkim-testmsg < Notice\ of\ Unclaimed\ PayPal\ Funds.eml
$ echo $?
0

update 2

Almost definitely a compromise of/via Acoustic, which was apparently once called "silverpop"

We're 10-year Acoustic Campaign veterans - original beta testers and daily users of the marketing automation tool for the last decade, since it was called Silverpop and then IBM Watson Campaign Automation.

The DKIM key -- spop1024._domainkey.paypal.com, from googling, refers to "silverpop 1024" (here's Wikimedia getting rid of it https://phabricator.wikimedia.org/T214525). This is a legitimate key, but old. The classic "it's an older code, Sir, but it checks out" attack with a forgotten host, maybe?

74.112.67.243 is owned by "acoustic.co". It sent the message and signed it. Not sure where the mail2550.paypal-notification.com bit comes from, it's now owned by MarkMonitor.

Also, the List-Unsubscribe: <http://links.paypal.mkt2944.com/luoo/v1/...> link seems legitimate. http://links.paypal.mkt2944.com still has some landing page branded with silverpop. This suggests to me the service actually "constructed" this mail, rather than say a plain open-relay situation.

As noted below, this does not include any obvious phishing login links. The idea must be that you log into your account legitimately, and can't find your "unclaimed funds" and call the phone number at the bottom of the email with your "client id".

This PayPal account is actually closed, but was registered in California when I lived there (this fact, and that it made it into my inbox, was what got me looking at it closely). "Send this message to old accounts in California" seems like the type of thing this Acoustic marketing mail stuff does, so maybe that is related.

Dastardly ... I wonder how many hits they got from this ...

ianw
  • Your analysis so far looks good, i.e. the strange part is the valid DKIM signature with the domain of paypal.com. In theory the message could be originated by Paypal and simply be forwarded through some other system - in which case DKIM would still pass by design. If the content of the message is definitely not originated by Paypal and the DKIM signature is still valid it might be a compromised private key. But it is impossible to tell if the signature is really correct without having the full and unedited raw message. – Steffen Ullrich Nov 24 '21 at 03:32
  • Isn't the "Authentication-Results: mx.google.com; dkim=pass header.i=@paypal" bit confirming that Gmail at least was convinced the message passed? – ianw Nov 24 '21 at 03:52
  • If this header is really added by google then it shows that google was convinced that the signature is valid. Note though that this header is not protected in any way, i.e. somebody with access to the mail might have added this header. While this is unlikely it is also unlikely that the DKIM key from Paypal was compromised. – Steffen Ullrich Nov 24 '21 at 05:54
  • You say: "After that, it's still unclear to me why DMARC then passes -- I thought the From: address had to be "aligned" with the Return-Path:?" That is the SPF part of the DMARC check. But, only one check needs to pass, SPF or DKIM, aligned with the FROM in order for DMARC to pass. If the header is faked, then there should be a second Authentication-Results header among those headers. But also it is unlikely Google would have trusted it. Indeed, the DKIM selector record exists, so it looks like a compromised private key. You should at least report this to Paypal, so they can have a look. – Reinto Nov 24 '21 at 08:25
  • In addition to the possibilities mentioned above by @SteffenUllrich, it's also possible that this may actually be a legitimate message from Paypal. I viewed the message source in a mail client, and curiously there are no links in the message (phishing or otherwise). Also, a quick Google search for 'paypal california unclaimed property' returns several results referencing similar messages that seem to indicate that these messages are in fact legitimate. OP, have you considered replying to `unclaimedproperty@paypal.com` to inquire? – mti2935 Nov 24 '21 at 12:41
  • Definitely not legitimate. The two clues are that paypal-notification.com has been claimed by markmonitor.com now, and the phone number at the bottom 1-866-XXX-5854 appears to be the "attack vector". You are right though, they don't provide any obvious misdirect links. I think the play must be to get you to legitimately log in and look around trying to find the "claim" button. When you don't find it, you call the number at the bottom... – ianw Nov 24 '21 at 21:55
  • @ianw, Interesting. So, your theory is that the private key for `spop1024._domainkey.paypal.com` has been 'hijacked', and is now being used to send these fraudulent emails with valid DKIM signatures for paypal.com. It also seems like Paypal might need to clean up their SPF records as well. Have you [reported this to Paypal](https://www.paypal.com/us/webapps/mpp/security/report-problem)? – mti2935 Nov 26 '21 at 16:00
  • Your analysis looks solid to me - I can't see any other way that this would occur without a compromised key, and it certainly wouldn't be the first time that a third party's lack of security hygiene has impacted a large vendor whose security posture is usually strong. I'd echo mti's suggestion of reporting this to PayPal. – Polynomial Nov 26 '21 at 17:28
  • Yes I have reported to PayPal. http://links.paypal.mkt2944.com/ -- which appears to be a genuine Acoustic server, lists abuse@silverpop.com which no longer receives mail... – ianw Nov 27 '21 at 17:59
  • @mti2935 just guessing, but the unsubscribe link etc. look genuine. This suggests to me more like someone sent the mail via Acoustic (compromised account/API endpoint/etc.) which then constructed these bits. Of course just a guess. – ianw Nov 27 '21 at 18:02
  • @ianw I also took the liberty of sending a heads-up to spoof@paypal.com and unclaimedproperty@paypal.com with brief summary of this thread, along with the link to it. – mti2935 Nov 27 '21 at 18:23

2 Answers


"Spoofing" is generally considered to be some form of forged message, usually through taking advantage of something within the DNS records, messaging system, or other aspect outside of the standardized methods for authentication.

This email:

✅ Legitimately passes SPF authentication check
✅ Legitimately passes DKIM authentication check
✅ Legitimately passes DMARC authentication check
✅ DNS records for sending domain appear correctly configured.

It is authenticated, therefore not spoofed.

Generally, when a message is from: a server that has been hacked, an account with compromised credentials, a rogue vendor, etc., it can be said to be fraudulent, but not spoofed.

However, the email described in the question otherwise appears legitimate because it is a commonly sent email from PayPal that is also commonly misinterpreted as a phishing attempt.

You can go to the California State Controller's Office to find and claim your unclaimed property PayPal is informing you about.

https://sco.ca.gov/upd_msg.html

In the off-chance that going to this site and entering every address you can recall having while living in California does not reveal your hidden treasure, you can try contacting PayPal through some communications channel you can verify independent of the message and ask them where to find out about this information that they have on record.

Paul
  • I mentioned above. Admittedly I have redacted the mail as it has my personal details! The two clues are that paypal-notification.com has been claimed by markmonitor.com now, and the phone number at the bottom 1-866-XXX-5854 appears to be the "attack vector". They don't provide any obvious misdirect links. I think the play must be to get you to legitimately log in and look around trying to find the "claim" button. When you don't find it, you call the number at the bottom... It is certainly a level above usual phishing efforts – ianw Nov 27 '21 at 18:03
  • Please expand the MarkMonitor claim, because it has only been stated, not explained, and the last update to the domain registry was six months prior to your email. Since you don't provide the phone number, there is no way to verify it as a scam number. Generally, you don't provide any information other than confirmation that all authentication tests pass, which means this isn't a spoofed email. Additionally, searches on the 'net reveal this is a commonly misinterpreted legitimate PayPal message. My experience is that most people I know have unclaimed property, but not necessarily from PayPal. – Paul Nov 27 '21 at 18:17
  • OP briefly posted the full source of the email in question. From that, I copied the phone number, which was: 866-648-5854. But, there is something else squirrelly about this message. The envelope sender is xxx@bounce.paypal.mkt2944.com. The SPF record for bounce.paypal.mkt2944.com designates 74.112.67.243 as a permitted sender for mail from xxx@bounce.paypal.mkt2944.com. The message was in fact sent from 74.112.67.243, so it passes the SPF check. Now, 74.112.67.243 reverses to mail2550.paypal-notification.com. But, mail2550.paypal-notification.com does not forward to 74.112.67.243. – mti2935 Nov 29 '21 at 15:29
  • Normally the hostname of a legitimate mail server forwards to its ip, and its ip reverses back to that same hostname. Spam filters will often block messages sent from hosts that do not pass this test, as this is often the case with systems that have been compromised and are being used to send spam. See https://serverfault.com/questions/45272/how-does-a-reverse-dns-lookup-work-with-regards-to-spam-filters for more info. This might be what OP is alluding to with his claim about MarkMonitor, as MarkMonitor seems to be the registrar for paypal-notification.com. – mti2935 Nov 29 '21 at 15:29
  • A sender can fail FCrDNS forever and forever pass SPF. These aren't related and misconfigurations are common, which is why it's optional and many admins, including the ones at Google, don't strictly enforce. Not to mention there is no published standard stating FCrDNS MUST pass and FCrDNS definitions originate in informational [RFC1912](https://datatracker.ietf.org/doc/html/rfc1912). – Paul Nov 29 '21 at 16:26
  • SPF is passing based on the IP address being included within the (expanded) `paypal.com` SPF record, not anything related to `paypal-notifications.com`. We do not know why `paypal-notifications.com` domain is configured in PTR record of 74.112.67.243 and we do not know how it was configured the moment the message was sent as the question is posted two days later. – Paul Nov 29 '21 at 16:26
  • MarkMonitor is also the registrar of paypal.com, so PayPal likely uses them for the various and sundry mark protection services they offer, which include registrar services. – Paul Nov 29 '21 at 16:26
  • We still arrive at legitimate authentication and speculations of forgery that can only be verified by a) original poster doing what I put in my answer and checking for unclaimed property with the state of California or b) PayPal confirms the message is authentic or a phishing attempt. – Paul Nov 29 '21 at 16:27
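The forward-confirmed reverse DNS (FCrDNS) test discussed in the comments above is easy to script. The following is an added example, not code from the answer or the commenters. The resolver is passed in as a pair of functions so the check runs offline against a constructed table; the first table entry models what mti2935 reports (74.112.67.243 reverses to mail2550.paypal-notification.com, which does not resolve back to that address; modelling that as "no forward record at all" is an assumption), and the other entries are made-up hosts on RFC 5737 test addresses. Pass `live_ptr` and `live_a` instead to query real DNS.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for a connecting IP.

Added example. FCrDNS is a heuristic independent of SPF/DKIM/DMARC: a host
can pass SPF and fail this test, as the thread notes.
"""
import socket


def fcrdns(ip, ptr_lookup, a_lookup):
    """Return (ok, ptr_names, confirmed_names).

    ok is True when at least one name from the PTR record resolves forward
    to `ip` again (that is the "forward-confirmed" part).
    """
    ptr_names = [n.rstrip('.').lower() for n in ptr_lookup(ip)]
    confirmed = [n for n in ptr_names if ip in a_lookup(n)]
    return bool(confirmed), ptr_names, confirmed


def live_ptr(ip):
    """PTR lookup via the system resolver (network required)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except (socket.herror, socket.gaierror):
        return []


def live_a(name):
    """Forward (A/AAAA) lookup via the system resolver (network required)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


# Constructed offline data (see the lead-in for what each entry models).
FAKE_PTR = {
    '74.112.67.243': ['mail2550.paypal-notification.com'],
    '192.0.2.25': ['mx.example.net'],
    '198.51.100.7': [],  # no PTR record at all
}
FAKE_A = {
    'mail2550.paypal-notification.com': [],  # ASSUMPTION: no forward record
    'mx.example.net': ['192.0.2.25'],
}


def fake_ptr(ip):
    return FAKE_PTR.get(ip, [])


def fake_a(name):
    return FAKE_A.get(name, [])


def describe(ip, ptr_lookup=fake_ptr, a_lookup=fake_a):
    """One-line verdict suitable for a log line or a spam-filter annotation."""
    ok, ptrs, confirmed = fcrdns(ip, ptr_lookup, a_lookup)
    if not ptrs:
        return f'{ip}: no PTR record'
    if ok:
        return f'{ip}: FCrDNS ok ({", ".join(confirmed)})'
    return f'{ip}: FCrDNS fails (PTR {", ".join(ptrs)} does not resolve back)'


if __name__ == '__main__':
    for address in FAKE_PTR:
        print(describe(address))
```

Because `fcrdns()` only takes the resolver functions as arguments, the same logic can be dropped into a log-enrichment script that walks the `Received: from host ([ip])` lines of a suspicious message; a mismatch is a reason to look closer, not by itself proof of forgery, for the reasons Paul gives above.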

This is a legitimate email that Paypal has been sending for over a decade, there is nothing suspicious about it.

Here's a post from 2012 with exactly the same email https://www.flickr.com/groups/olympus-e500/discuss/72157630856927736/