This mail that got through has me stumped. It appeared to me as being from PayPal <unclaimedproperty@paypal.com>
in my Inbox. I happened to look at the original and it says SPF, DKIM and DMARC all passed.
If I'm reading this right, 74.112.67.243
connected to mail2550.paypal-notification.com
and sent the mail. They used a Return-Path: <blahblah@bounce.paypal.mkt2944.com>
.
bounce.paypal.mkt2944.com
(currently) has a SPF record of v=spf1 a ip4:208.85.50.137 ip4:74.112.67.243 -all
. So OK, they setup a spam mailer and worked it so SPF passes (the mail server paypal-notification.com
is gone, seemingly owned by MarkMonitor now, so somebody else noticed this).
But then the DKIM signature has
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=spop1024; d=paypal.com; h=Date:From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type: X-CSA-Complaints:List-Unsubscribe;
Is this not saying "I'm signing all these headers with the key who's public portion is in a TXT record at spop1024._domainkey.paypal.com
" (which exists)?
This passes, to my surprise
Authentication-Results: mx.google.com;
dkim=pass
I've looked over and over to see if it's a close-cousin typo thing, or unicode address, etc. But it really seems to be signed by that paypal.com
key...?
After that, it's still unclear to me why DMARC then passes -- I thought the From:
address had to be "aligned" with the Return-Path:
?
Delivered-To: <me@gmail.com>
Received: by 2002:a4a:804a:0:0:0:0:0 with SMTP id y10csp7519296oof;
Mon, 22 Nov 2021 12:45:16 -0800 (PST)
X-Google-Smtp-Source: ABdhPJyxHoL8oksdcw38NnmHlTdPo1UfJoTCZ/wFDToSgMfRPG6WgHlKDtKbSjMXNh5t44nHazym
X-Received: by 2002:a25:4543:: with SMTP id s64mr27510605yba.304.1637613916462;
Mon, 22 Nov 2021 12:45:16 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1637613916; cv=none;
d=google.com; s=arc-20160816;
b=OvsnJASmnJT63M3MSQlcKCnmxHpmorUbQJk3lIVXRyjM6CXvrRuJ2J1TDvDEOlt3lu
EzKQHgL++dswppXvJFLxkPxHq8cwPy4JBpvYmk1y1kqcuAE+tB2UJjjm+g2Fv1akRO9N
iie60J6CAhOYz+6w/1bnJ7K0AIVdy9OKVTt1KECqGLzrB7/HFtPZ5i/BFObcP9tC53Ok
ULyOlVLCM+iLNvmS9xFfz1YAzR+TDj5/OKUxdT0N96Ut+sVScBF2heLQvceZPv5nw9j0
VCQjSS/e38koGlh+14We/6o74OHuGkF+pwgaRwfiW3hZtOx0echGxgMUMKB+E+bpV0JB
PvhQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=list-unsubscribe:mime-version:subject:message-id:to:reply-to:from
:date:dkim-signature;
bh=CXo6gpd99q61PdtNQYL0HweNp45DQK9gDadq1QHszOQ=;
b=AndF29ToqFkXaC88xiijwW2WKaK/3o+FURvx6HVtLghatUDEyVEr4VymEzez9Ijtrf
Jogh9LH/sqLdrLTBN3oVgNoQlGUrf131M5aK5wrf18hCk54LrIHW1v1BA8Gsl4cO7PZ2
I+kgLQJY+85mIA1L/NZXKvViNlehHXTjwQCHtnfcdWCuIbrb7OTpDu3SW1kFQ+Wjy6Xt
Jnm/LXZyT6bexBCXJsISEywM8EwuyD7uz0Rm7O+Pw+AU1pYVt2qArFk2hRHiXeTrB57I
Yp6n2JM79y420UIVv9o/oPJloQcFdnp45sDxv85tr6DhZpvHlH3v3o3doiy2kC6vaBQU
aXkQ==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@paypal.com header.s=spop1024 header.b=NSAupQiY;
spf=pass (google.com: domain of v-edjoiac_ibeieokafk_iekbmfgb_iekbmfgb_a@bounce.paypal.mkt2944.com designates 74.112.67.243 as permitted sender) smtp.mailfrom=v-edjoiac_ibeieokafk_iekbmfgb_iekbmfgb_a@bounce.paypal.mkt2944.com;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.com
Return-Path: <v-edjoiac_ibeieokafk_iekbmfgb_iekbmfgb_a@bounce.paypal.mkt2944.com>
Received: from mail2550.paypal-notification.com ([74.112.67.243])
by mx.google.com with ESMTPS id n184si7359975ybn.210.2021.11.22.12.45.16
for <me@gmail.com>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Mon, 22 Nov 2021 12:45:16 -0800 (PST)
Received-SPF: pass (google.com: domain of v-edjoiac_ibeieokafk_iekbmfgb_iekbmfgb_a@bounce.paypal.mkt2944.com designates 74.112.67.243 as permitted sender) client-ip=74.112.67.243;
Authentication-Results: mx.google.com;
dkim=pass header.i=@paypal.com header.s=spop1024 header.b=NSAupQiY;
spf=pass (google.com: domain of v-edjoiac_ibeieokafk_iekbmfgb_iekbmfgb_a@bounce.paypal.mkt2944.com designates 74.112.67.243 as permitted sender) smtp.mailfrom=v-edjoiac_ibeieokafk_iekbmfgb_iekbmfgb_a@bounce.paypal.mkt2944.com;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=spop1024; d=paypal.com; h=Date:From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type: X-CSA-Complaints:List-Unsubscribe; i=unclaimedproperty@paypal.com; bh=CXo6gpd99q61PdtNQYL0HweNp45DQK9gDadq1QHszOQ=; b=NSAupQiYb884cGVqugiXkhz/FlcoddCqXJLcD+gwE2xFNP+27ZRQFCGOL61uEai1EdgqXLS0FKSV
1ttmHVRu1H/So/7kxAm93NuGJGDe0K5/t9LK3QQF1bTQv7OHjBOi3FhmFvhSs1roN2q4r+8FxhmR
HBqxI9Sbw63gjSDL7C8=
Received: by mail2550.paypal-notification.com id hjg0lo2r7aoj for <me@gmail.com>; Mon, 22 Nov 2021 20:37:22 +0000 (envelope-from <v-edjoiac_ibeieokafk_iekbmfgb_iekbmfgb_a@bounce.paypal.mkt2944.com>)
Date: Mon, 22 Nov 2021 20:37:22 +0000 (GMT)
From: PayPal <unclaimedproperty@paypal.com>
Reply-To: unclaimedproperty@paypal.com
To: me@gmail.com
Message-ID: <432115452.269147071637613442797.JavaMail.app@rbg41.atlis1>
Subject: Notice of Unclaimed PayPal Funds
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_1300052_1672151020.1637613438245"
x-mid: 70903810
X-CSA-Complaints: csa-complaints@eco.de
x-rpcampaign: sp70903810
x-job: 70903810
x-orgId: 35487
List-Unsubscribe: <http://links.paypal.mkt2944.com/luoo/v1/...>, <mailto:v-edjoiac_ibeieokafk_iekbmfgb_iekbmfgb_a@bounce.paypal.mkt2944.com?subject=Unsubscribe>
Am I missing something obvious?!
update
It really does seem to pass DKIM.
$ opendkim-testmsg < Notice\ of\ Unclaimed\ PayPal\ Funds.eml
$ echo $?
0
update 2
Almost definitely a compromise of/via Acoustic, which was apparently once called "silverpop"
We're 10-year Acoustic Campaign veterans - original beta testers and daily users of the marketing automation tool for the last decade, since it was called Silverpop and then IBM Watson Campaign Automation.
The DKIM key -- spop1024._domainkey.paypal.com
, from googling, refers to "silverpop 1024" (here's Wikimedia getting rid of it https://phabricator.wikimedia.org/T214525). This is a legitimate key, but old. The classic "it's an older code, Sir, but it checks out" attack with a forgotten host, maybe?
74.112.67.243
is owned by "acoustic.co". It sent the message and signed it. Not sure where the mail2550.paypal-notification.com
bit comes from, it's now owned by MarkMonitor.
Also, the List-Unsubscribe: <http://links.paypal.mkt2944.com/luoo/v1/...>
link seems legitimate. http://links.paypal.mkt2944.com still has some landing page branded with silverpop. This suggests to me the service actually "constructed" this mail, rather than say an plain open-relay situation.
As noted below, this does not include any obvious phishing login links. The idea must be that you log into your account legitimately, and can't find your "unclaimed funds" and call the phone number at the bottom of the email with your "client id".
This PayPal account is actually closed, but was registered in California when I lived there (this fact, and that it made it into my inbox, was what got me looking at it closely). "Send this message to old accounts in California" seems like the type of thing this Acoustic marketing mail stuff does, so maybe that is related.
Dastardly ... I wonder how many hits they got from this ...