How did this PayPal spoof email pass SPF, DKIM and DMARC (stackexchange.com)
269 points by mkj 58 days ago | hide | past | favorite | 36 comments

For many weeks now, PayPal has been sending me emails that say they have a U$S 5 reward for me. I have to click a button and the prize is limited to the first 40k people. I assume it’s probably legit. Now… people should NOT click on this kind of email!! Are they so dense? Their security department should have a heart to heart with their marketing department.

Stop using PayPal, they've shown they can't be trusted, outright robbing users.

I assume that Paypal has no business interest in making the email and the links in the email seem more legit. Users that think it is phishing will disregard the email and not claim back the money they rightfully own. Info https://www.paypal-community.com/t5/About-Protections-Archiv...

My state (I assume similar in all/most) has laws about how businesses must handle unclaimed funds, eventually if they cannot get a response from the owner of the funds, they get deposited with the state and the owner (or heir) can claim them.

What's the problem here? It's really easy to tell that this is a real email. It comes from @paypal.com and has a valid DKIM signature for that domain.

This email does not contain any sketchy links, in fact I think the email doesn't contain any links at all! https://www.flickr.com/groups/olympus-e500/discuss/721576308... (via: alisonkisk)

There's no particular reason to be suspicious of this email, they did everything right.

It’s actually a real email PayPal sends.

That's the very sad thing, it's harder and harder to differentiate phishing from real email campaign, not only because phishing is getting better at imitating real emails, but because real marketing emails are using the same tricks as phishing to have people open the mail and click on links.

Very sad that legitimate emails are often so bad that even after researching for 10-15 minutes I cannot be sure if a message is legitimate or not. And I've been working with email professionally (as sysadmin/SRE) for more than 10 years.

Regular email users who are not email experts can either trust all emails or delete most of them. Security trainings which say "don't open suspicious emails" are useless because most emails are suspicious. PayPal, many utility providers and even some big banks send very suspicious emails.

A typical example of fishy but legitimate emails is when a company with the main domain example.com sends emails from a different but similar-looking domain, e.g. example-invoices.com, and: whois is hidden using whois privacy, there is no website on this domain (even if there is, why should I trust it?), the infrastructure is completely different from the main domain. In other words, example-invoices.com has nothing in common with example.com. The only way I can think example-invoices.com is legit is that they know some personal data of the recipient, but if you're paranoid you can expect this to come from a breach, which nowadays are common.

When businesses outsource part of their operations to a 3rd party it's often challenging and slow to get a proper system in place. Instead the 3rd party and company will agree to register a similar-looking domain, and thus the problems begin.

This is incredibly common with short-lived projects such as a promotional website, or after downsizing with expert services such as legal/financial/support being awarded on contract.

It's also very common with local subsidiaries of larger companies, where the website is run from HQ and the local regions have no ability whatsoever to plug into that system.

> Regular email users who are not email experts can either trust all emails or delete most of them.

I do the latter.

Default practice these days should be do not respond to any phone call, text, email etc. if you don't recognize it, and if you have a non-personal relationship to what appears to be the sender, don't answer it unless it's a response to your initial communication.

Communications these days are mostly vans with candy and missing puppies. Based on my spam folder and incoming call records anyway.

Your candy van's extended warranty is about to expire!

It's not just the marketing side, every customer facing thing corporations can outsource is being pipelined through the same kind of ad-like machinery.

After considerable effort educating the non-technically inclined members of the family to check URLs to avoid shenanigans, cue our ISP sending very important confirmation links via SMS (bad enough) pointing to isp-name.onelink.me, amid a particularly active wave of SMS phishing scams earlier this year. One of the top 10 telecom corps worldwide in size and the mf'ers couldn't bother using their own domain.

Spam filters should catch up and filter out all that crap as malicious.

The problem is that, by definition, it isn’t malicious: it’s just incredibly poorly planned legitimate communications. Filtering it out will just make it harder for users to get key information.

I think that might be the point; it would create a headache for the company and its users and when they do the retrospective they'll find that use of unverifiable domains was the mistake. Or using the vendor who uses them was the mistake. Filtering that catches "false positives" which are indiscernible from phishing is 10x more likely to curb this practice than trying to educate anyone about the problem.

It is - marketing platform links often track you (which is in breach of the GDPR btw), conceal the true target of the links (so you can't tell whether the final target is legitimate) and most marketing platforms are for some reason obsessed with HTTP even when the final target link is HTTPS, exposing you to risk on insecure networks.

My company makes everyone take phishing training twice a year, yet at the same time they pay for services that send emails looking like phishing. Outlook of course shows the warning "This email originated from outside of organization. Please be mindful of phishing attempts...".

It's not only marketing. Tons of services allow spoofing the sender's name, and try to convince you they've been sent by actual people.

I'm interested: Does your company in this training allow you access to what usually is a dead simple way to identify 99% of phishing/spam emails?

I luckily don't work for companies that do this regularly but the ones I've seen online before and the one I did have to do, do not give you access to the headers.

While I realize that most non-techies won't know how to do any of that, it's the easiest for any technically inclined person. The first defence is the real email address (which I always have displayed by default anyway), which gets rid of a large swath of them already, and the rest are usually pretty clear from some of the other headers. It has never happened to me that something as intriguing as this post's message came in.

Of course not :) They are targeted towards non-techies. Look at the email's content, there's a domain which looks funky and a URL you're asked to click -> that's phishing for sure!

Which begs the question: why haven't they "blessed" the messages from external providers that are actually legit? Like with a warning "This message comes from a trusted third party".

Yes, and it's pervasive because people are willing to blame[/suggest] the victim [was at fault]

When much of this stuff is getting more sophisticated and identical to legitimate emails

Any sufficiently smelly marketing campaign is indistinguishable from phishing.

I googled the phone number, and found this discussion: https://www.paypal-community.com/t5/About-Protections-Archiv... (sidenote - very sketchy looking domain name... but legit)

Lots of people are suspicious of it, but a few have verified that it's legit. If it somehow is a scam, it's very impressive for someone to be operating it for 5+ years without getting shut down - so yeah, it's almost certainly real.

Considering we're talking about PayPal here which is absolutely useless at customer support (and indeed there's not a single official response on that thread, it's all "new community member"), it wouldn't be hard for a scammer to set up fake accounts on the forum and vouch for said email and claim it's legitimate.

Paypal have a long history of constructing emails that appear to be phishing attacks but are genuine. They use obscure domains, have login buttons in the email (please don't) and have ignored all requests to tighten things up.

I once got an email from PayPal with the title of "Correction for duplicate payment received", saying that I'd been reimbursed by PayPal twice by accident. It even had my name spelled wrong (checked that my PayPal account did in fact have my name spelled out correctly) in a very obvious way.

I was sure that it was some kind of a scam until I logged onto my PayPal account through the mobile app and saw that there were indeed two payments from PayPal for the same sum on the same day.

Could still be phishing though? If someone has a hack to let them see what appears to be privileged info then it presumably makes phishing much more successful.

Why don't we use [PPK] signed emails?

Because normal people don't know what a "signed email" might mean. Also, both PGP and S/MIME are hot messes of insecure 1990s cryptography with no reliable key distribution, no authenticated encryption, and meaningful headers which are not covered by the signature.

So essentially they found an old DKIM key which had been exposed and used that?

Or it's a legit mail. Hard to tell.

Why is it hard to tell? Obviously this is a legit email. https://www.flickr.com/groups/olympus-e500/discuss/721576308... (via: alisonkisk)

Looks like it. It's a good idea to take down old keys after they have gone into disuse, to prevent things like this.
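The thread's "old key" theory and the advice to retire unused selectors both come down to one check a defender can script: read `d=` and `s=` from a DKIM-Signature header, look up `<s>._domainkey.<d>`, and see whether the published record still carries a key or has been revoked with an empty `p=` (RFC 6376). This is an added example, not code from the thread or from PayPal; the header and the DNS records are constructed, and the lookup is done against an in-memory dict instead of live DNS.

```python
import re

# Constructed DKIM-Signature header (example.com is a placeholder domain).
SAMPLE_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; "
    "s=old2019; h=from:to:subject; bh=QUJDREVG; b=U0lHTkFUVVJF"
)

# Constructed TXT records, keyed by the name a DKIM verifier would query.
# Per RFC 6376, an empty p= means "this selector has been revoked".
CONSTRUCTED_DNS = {
    "current._domainkey.example.com": "v=DKIM1; k=rsa; p=MIIBIjANBgPLACEHOLDER",
    "old2019._domainkey.example.com": "v=DKIM1; k=rsa; p=",
}


def parse_tags(tag_list):
    """Parse a DKIM tag=value list ('v=1; d=...; s=...') into a dict."""
    tags = {}
    for part in tag_list.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def parse_dkim_header(header):
    """Strip the 'DKIM-Signature:' field name and parse the remaining tags."""
    value = re.sub(r"^\s*DKIM-Signature\s*:", "", header, count=1)
    return parse_tags(value)


def selector_name(tags):
    """DNS name a verifier queries for this signature's public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def key_status(tags, dns):
    """Classify the selector's key as 'active', 'revoked', or 'missing'."""
    record = dns.get(selector_name(tags))
    if record is None:
        return "missing"
    return "revoked" if parse_tags(record).get("p", "") == "" else "active"


def audit_selectors(dns):
    """Map every published selector to its status, e.g. for a rotation review."""
    return {name: ("revoked" if parse_tags(rec).get("p", "") == "" else "active")
            for name, rec in dns.items()}
```

A signature whose selector comes back `revoked` or `missing` fails DKIM at the receiver, which is exactly why publishing an empty `p=` for a retired selector is the safe way to decommission a key rather than simply deleting the private half.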

It doesn't look like that at all, this is a legit email and there's not been even a hint of evidence to the contrary. https://www.flickr.com/groups/olympus-e500/discuss/721576308... (via: alisonkisk)

No idea what sent the stackexchange poster down this paranoid rabbit hole, the email doesn't even contain any links.

Just because a message is authentic does not mean it is not spam.

Is this some legacy infra that Acoustic has "inherited" from silverpop, perhaps? An old-but-valid DKIM key, a private dns entry for a mail2550.paypal-notification.com server, etc?

I only read non-HTML mail.

The rest get deleted.
