Posted to users@spamassassin.apache.org by Mark London <mr...@psfc.mit.edu> on 2023/03/20 17:17:25 UTC

Why was USER_IN_DEF_SPF_WL triggered on this email, even though it's spam?

Can someone tell me why this PayPal phishing email managed to trigger 
USER_IN_DEF_SPF_WL?
Or put it another way.  Why wasn't it detected as a phishing email? Thanks.

Received: from a39-208.smtp-out.amazonses.com 
(a39-208.smtp-out.amazonses.com [54.240.39.208])
     by PSFCMAIL.MIT.EDU (8.14.7/8.14.7) with ESMTP id 32KGQHFm099160
     (version=TLSv1/SSLv3 cipher=AES128-SHA256 bits=128 verify=NOT)
     for <ma...@psfc.mit.edu>; Mon, 20 Mar 2023 12:26:17 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
     s=rid2v4iwdmeb26wntc7bqs5dnqgasdul; d=dropbox.com; t=1679329577;
h=Content-Type:MIME-Version:From:To:CC:Subject:Date:Message-ID:Reply-To;
     bh=l2b7HMFmOjBDciMdIctq/6okXsHLQ3QtlCcrrKeBJFo=;
b=JZDgJOd2uPgAFKgSkAHeZ91+AJxLr/Rl231qxeOFdeMpeSo3NYG+WyedzpPWJneI
IkTEHtDYWQMhQf5bAJYJB+3hEF0n6t9MnmQzaF8xDlRK269ILVw/pfn8NHiNW7XR5R5
     S/Y1XQpbvN8ezTWvCqiedTTQ/ubqm9KPXljCyPF4=
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
     s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1679329577;
h=Content-Type:MIME-Version:From:To:CC:Subject:Date:Message-ID:Reply-To:Feedback-ID;
     bh=l2b7HMFmOjBDciMdIctq/6okXsHLQ3QtlCcrrKeBJFo=;
b=WvG6JHQ5+a4w8pq7gZNZYz/ph2i13+NZaJqfqWqnQYRewLpSyhcx5a5AeaJ+JPd+
xwwriSGEl5bNes3b0gkdp/oYd9niSty0sZy/Vquwx5tQiZWVr6zWXzhyBMyqHvWbkh0
     sK3+fUdnhNigDX3wqE7/W3+ccK+XgH7ab5pstqb0=
Content-Type: multipart/alternative; 
boundary="===============1633481412880569064=="
MIME-Version: 1.0
From: PayPal Support <no...@dropbox.com>
To: xxx@psfc.mit.edu
CC:
Subject: =?utf-8?q?Your_invoice_from_PayPal_Support_=28=23038989SL43=29?=
Date: Mon, 20 Mar 2023 16:26:17 +0000
Message-ID: 
<01...@email.amazonses.com>
X-Dropbox-Message-ID: 3637112534418604150
Reply-To: no-reply@PayPal.com
Feedback-ID: 
1.us-east-1.syWQ1+fF8Wo1tY8y/+s85ptiAKu7bILK6PHyxwpB+xo=:AmazonSES
X-SES-Outgoing: 2023.03.20-54.240.39.208

--===============1633481412880569064==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

New invoice    $629.00   Paid on March 20, 2023  View invoice[1]  To PayPal=
  Billing Bot   invoice_receipt@PayPal.com  From PayPal Support no-reply@P=
ayPal.com  Issued March 20, 2023  Title wish to request a refund, please co=
ntact our support team at :  +1 (833) 465-5681   Your recent purchase of Te=
ther (USDT) for $629.00 via PayPal has been confirmed. The funds will be re=
flected in your account within 24 hours. If you require any assistance or w=
ish to request a refund, please contact our support team at : <br>+1 (833) =
465-5681  PayPal Support sent you an invoice using  Dropbox, Inc. PO Box 77=
767, San Francisco, CA 94107 View Privacy Policy[2] =20

[1]: https://invoice.dropbox.com/invoices/view/cap_pid_inv%3AAAAAAOxsdGyt1l=
3tFh9ZGervJ5Of-1znmrl1kE1pnlfEDUsg?utm_campaign=3Dsend_invoice&utm_medium=
=3Demail&utm_source=3Ddropbox&utm_term=3Dview_invoice
[2]: https://www.dropbox.com/l/AABfXvXi7J31sSfCfcEcmcs-kdTvg1Al_EE/privacy
--===============1633481412880569064==
Content-Type: text/html; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w=
3.org/TR/REC-html40/loose.dtd">
<html xmlns=3D"http://www.w3.org/1999/xhtml">
<head>
<meta content=3D"text/html; charset=3Dutf-8" http-equiv=3D"Content-Type">
<style></style>
</head> <body marginheight=3D"0" marginwidth=3D"0" style=3D"width: 100% !im=
portant; margin: 0 auto; padding: 0; -webkit-text-size-adjust: 100%; -ms-te=
xt-size-adjust: 100%; background-color: #FFF;"><table align=3D"center" cell=
padding=3D"0" cellspacing=3D"0" role=3D"presentation" style=3D"margin: 0 au=
to; width: 100% !important; max-width: 720px; border: 0px;">
<tr></tr>
<tr><td><table cellpadding=3D"0" cellspacing=3D"0" role=3D"presentation" wi=
dth=3D"100%"><tr><td style=3D"color: #000; font-family: Atlas Grotesk, Open=
  Sans, HelveticaNeue-Light, Helvetica Neue Light, Helvetica Neue, 
Helvetica=
, Arial, Lucida Grande, sans-serif; font-size: 20px; font-weight: 300; line=
-height: 1.45em; padding: 15px 0; width: 720px;"><table cellpadding=3D"0" c=
ellspacing=3D"0" role=3D"presentation" style=3D"max-width:720px;" width=3D"=
100%"><tr style=3D"text-align: center;"><td><table style=3D"max-width: 480p=
x; min-width: 375px; margin: 0px auto;" width=3D"480px">
<tr><td style=3D"background-color: #F7F5F2; background-color: #FFFFFF;"><di=
v style=3D"max-width:480px;"><div style=3D"margin: 40px;"><img src=3D"https=
://uc23f69e513a7b1b17ccc7d1f588.previews.dropboxusercontent.com/p/thumb/AB2=
3Sfr6KTspBYwEohQjThbkp-M4jII6ln2wNWy3TcHmMXTUSDA97iY8eWy1jRN0gfSoGc_Da3FeQ6=
PfGho_Z_i9gCidyjb8mZOIhwpcWlSJkenlzGQNmSBgSCYW5vSLkXT1ZDtILzVQO6V8IvAS9UGN0=
_3iwE0viFseqwnjc1-Y6rEX287bpvuAz7dvvzCQvjdtKc62DOK19_RoPDsmTyk8pskVlF8-1f6J=
_lh5Y3xhMQf1FgBDq8s60tJMbf9_fI8PfI3-T-msJ8bEitVA0MsbMoH3S8pvyRJBdcDcVEd77LW=
OlNw_yG43-lIhxWiDKbw/p.jpeg" style=3D"height: 64px; object-fit: contain;"><=
/div></div></td></tr>
<tr><td style=3D"padding: 27px 32px 24px;"><table style=3D"width: 100%; min=
-width:375px; margin: 0px auto;"><tr>
<td style=3D"text-align: center; width: 30%;"><span style=3D"display: block=
; height: 1px; background-color: #A69E92"></span></td>
<td style=3D"text-align: center; width: 40%;"><p style=3D"color: #524A3E; f=
ont-size: 16px; line-height: 26px; font-family: Sharp Grotesk DB Book, Atla=
s Grotesk, Open Sans, HelveticaNeue-Light, Helvetica Neue Light, Helvetica =
Neue, Helvetica, Arial, Lucida Grande, sans-serif; opacity: 82%; margin: 0;=
">New invoice</p></td>
<td style=3D"text-align: center; width: 30%;"><span style=3D"display: block=
; height: 1px; background-color: #A69E92"></span></td>
</tr></table></td></tr>
<tr style=3D"text-align: center"><td><h2 style=3D"color: #1E1919; font-size=
: 56px; line-height: 64px; font-family: Sharp Grotesk DB Book, Atlas Grotes=
k, Open Sans, HelveticaNeue-Light, Helvetica Neue Light, Helvetica Neue, He=
lvetica, Arial, Lucida Grande, sans-serif; margin: 0 0 8px; font-weight: no=
rmal; max-width:480px;">$629.00</h2></td></tr>
<tr><td style=3D"text-align: center; padding: 4px 0 24px;"><table border=3D=
"0" cellpadding=3D"0" cellspacing=3D"0" style=3D"height: 32px; margin: 0 au=
to;  padding: 0 12px; border-radius: 50px; background-color: #F7F5F2;"><tr>
<td style=3D"width: 24px; margin-right: 2px;"><img height=3D"24px" src=3D"h=
ttps://www.dropbox.com/static/images/fbm/email/calendar_2x.png" style=3D"ve=
rtical-align: middle" width=3D"24px"></td>
<td><p style=3D"color: #1E1919; font-size: 14px; line-height: 22px; font-fa=
mily: Atlas Grotesk, Open Sans, HelveticaNeue-Light, Helvetica Neue Light, =
Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; margin: 0; ">P=
aid on March 20, 2023</p></td>
</tr></table></td></tr>
<tr style=3D"text-align: center"><td style=3D"padding: 0px 32px 40px;"><a h=
ref=3D"https://invoice.dropbox.com/invoices/view/cap_pid_inv%3AAAAAAOxsdGyt=
1l3tFh9ZGervJ5Of-1znmrl1kE1pnlfEDUsg?utm_campaign=3Dsend_invoice&amp;utm_me=
dium=3Demail&amp;utm_source=3Ddropbox&amp;utm_term=3Dview_invoice" style=3D=
"text-decoration: none; background-color: #0061FE; color: white; font-size:=
  16px; line-height: 20px; margin: 0 auto; width: 100%; padding: 10px 0; 
dis=
play: block; background-color: #002C8A; color:#f7f5f2; ">View invoice</a></=
td></tr>
<tr><td style=3D"padding: 0px 32px 32px;"><table style=3D"background-color:=
  #F7F5F2; width: 100%; min-width:375px; margin: 0px auto; padding: 16px 
20p=
x 20px; font-size: 12px; line-height: 20px; font-weight:  400; text-align: =
left;">
<tr>
<td style=3D"width: 48px;"><p style=3D"color: #524a3e; opacity: 0.82; margi=
n: 0; font-weight: 500;">To</p></td>
<td><p style=3D"color: #1E1919; font-size: 14px; line-height: 22px; margin:=
  0;">PayPal Billing Bot</p></td>
</tr>
<tr>
<td style=3D"width: 48px;"><p style=3D"color: #524a3e; opacity: 0.82; margi=
n: 0;"></p></td>
<td><p style=3D"color: #524a3e; opacity: 0.82; margin: 0; padding-bottom: 1=
6px;">invoice_receipt@PayPal.com</p></td>
</tr>
<tr>
<td style=3D"width: 48px;"><p style=3D"color: #524a3e; opacity: 0.82; margi=
n: 0; font-weight: 500;">From</p></td>
<td><p style=3D"color: #1E1919; font-size: 14px; line-height: 22px; margin:=
  0;">PayPal Support</p></td>
</tr>
<tr>
<td style=3D"width: 48px;"><p style=3D"color: #524a3e; opacity: 0.82; margi=
n: 0;"></p></td>
<td><p style=3D"color: #524a3e; opacity: 0.82; margin: 0; padding-bottom: 1=
6px;">no-reply@PayPal.com</p></td>
</tr>
<tr>
<td style=3D"width: 48px;"><p style=3D"color: #524a3e; opacity: 0.82; margi=
n: 0; font-weight: 500;">Issued</p></td>
<td><p style=3D"color: #1E1919; font-size: 14px; line-height: 22px; margin:=
  0;">March 20, 2023</p></td>
</tr>
<tr>
<td style=3D"width: 48px;"><p style=3D"color: #524a3e; opacity: 0.82; margi=
n: 0; font-weight: 500;">Title</p></td>
<td><p style=3D"color: #1E1919; font-size: 14px; line-height: 22px; margin:=
  0;">wish to request a refund, please contact our support team at :  +1 
(83=
3) 465-5681</p></td>
</tr>
</table></td></tr>
<tr><td style=3D"padding: 0px 32px 0px; text-align: left;"><p style=3D"font=
-size:14px; line-height:22px; color:#1E1919">Your recent purchase of Tether=
  (USDT) for $629.00 via PayPal has been confirmed. The funds will be 
reflec=
ted in your account within 24 hours. If you require any assistance or wish =
to request a refund, please contact our support team at : <br>+1 (833) 465-=
5681</p></td></tr>
<tr style=3D"text-align: center"><td style=3D"padding: 0px 32px;">
<p style=3D"font-size: 12px; line-height:28px; color:#524A3E; opacity: 0.82=
; margin: 0;">PayPal Support sent you an invoice using</p>
<img height=3D"20px" src=3D"https://www.dropbox.com/static/images/fbm/invoi=
ce_wordmark_2x.png">
</td></tr>
<tr style=3D"text-align: center"><td style=3D"padding: 0px 32px 52px;">
<p style=3D"font-size: 10px; line-height:28px; color:#524A3E; opacity: 0.82=
; margin: 0;">Dropbox, Inc. PO Box 77767, San Francisco, CA 94107</p>
<p style=3D"font-size: 10px; line-height:28px; color:#524A3E; opacity: 0.82=
; margin: 0;"><a href=3D"https://www.dropbox.com/l/AABu1cd-4liBqZhM00gH24g3=
HtVHu7tb9rc/privacy" style=3D"text-decoration: none; margin-left: 12px">Vie=
w Privacy Policy</a></p>
</td></tr>
</table></td></tr></table></td></tr></table></td></tr>
</table></body>
</html><img height=3D"1" src=3D"https://www.dropbox.com/l/AACSvyNy75C_S_pXf=
DFRWnzE6wulAbspDwg" width=3D"1" />
--===============1633481412880569064==--


Re: Why was USER_IN_DEF_SPF_WL triggered on this email, even though it's spam?

Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 2023-03-20 at 13:17:25 UTC-0400 (Mon, 20 Mar 2023 13:17:25 -0400)
Mark London <mr...@psfc.mit.edu>
is rumored to have said:

> Can someone tell me why this PayPal phishing email managed to trigger 
> USER_IN_DEF_SPF_WL?

Hard to be sure, since you didn't include any indication of the envelope 
sender address (a.k.a. Return-Path) which is what SPF validates.

IF the envelope sender was a dropbox.com address (as implied by the From 
header and one of the DKIM headers) then SPF passed because the SPF TXT 
record for dropbox.com includes the AmazonSES machine that this came 
from. USER_IN_DEF_SPF_WL passed because at some point in the past 
someone with commit permission deemed Dropbox to be a sender of 
substantial amounts of predominantly wanted non-spam that occasionally 
was being classified as spam AND that they had a useful SPF record.

This appears to be actual mail from a Dropbox service. In that sense, it 
is not a phish. It seems to want you to think that it is a PayPal 
invoice, and I'm not sure that SA can detect that sort of recursive 
phish without hardcoding concrete details like "PayPal does not send 
invoices using Dropbox" that we don't really have any way to know 
reliably.

> Or put it another way.  Why wasn't it detected as a phishing email? 
> Thanks.

Because as of right now, SpamAssassin does not know that PayPal does not 
use a Dropbox service to send invoices. As of this moment, I also can't 
say for sure that they do not, although I strongly doubt that they would 
do so.

And that Dropbox service does not seem to protect itself from fraudulent 
customers. That seems like a bad idea. We may need to reconsider 
Dropbox's presence in the distributed "default welcomelist."



-- 
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

Re: Why was USER_IN_DEF_SPF_WL triggered on this email, even though it's spam?

Posted by Greg Troxel <gd...@lexort.com>.
A quick grep shows:

  4.000000/updates_spamassassin_org/60_welcomelist_auth.cf:def_welcomelist_auth *@*.dropbox.com

so the code is operating as designed.

It seems that either dropbox is compromised, or dropbox is allowing
user-generated content to go out under their domain.   Either way it
seems they should be removed from USER_IN_DEF_SPF_WL, unless this is a
blip and they fix it right away.

Have you written to abuse@dropbox.com, and what did they say?
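
The behaviour described in the two replies above, as an added example that is not part of the thread or of SpamAssassin's own code: a simplified Python model of a `def_welcomelist_auth` SPF hit, next to the kind of hardcoded brand check Bill Cole describes. The envelope sender, the `BRAND_DOMAINS` map, the finding names and the function names are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: header values taken from the message in this thread,
# DKIM tags trimmed to d=, archive-obfuscated From local part replaced.
SAMPLE_HEADERS = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dropbox.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=amazonses.com
From: PayPal Support <placeholder@dropbox.com>
Reply-To: no-reply@PayPal.com
Subject: Your invoice from PayPal Support (#038989SL43)

"""

# Assumption: a locally maintained map of brand names to their sending domains.
BRAND_DOMAINS = {"paypal": {"paypal.com"}}


def glob_to_regex(pattern):
    """Simplified welcomelist glob: '*' is any run of characters, '?' is one."""
    body = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(rf"^{body}$", re.IGNORECASE)


def def_spf_welcomelist_hit(envelope_sender, spf_result, patterns):
    """Model of the hit: SPF passed AND the envelope sender matches an entry.
    Nothing here looks at the From display name, Reply-To or the body."""
    if spf_result != "pass":
        return False
    return any(glob_to_regex(p).match(envelope_sender) for p in patterns)


def _under(domain, allowed):
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def impersonation_findings(raw_headers):
    """Flag a brand in the display name that the authenticated domains
    do not back up, plus a Reply-To pointing at a different domain."""
    msg = message_from_string(raw_headers)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    dkim_doms = {
        d.lower()
        for header in msg.get_all("DKIM-Signature", [])
        for d in re.findall(r"\bd=([^;\s]+)", header)
    }
    findings = []
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in display.lower() and not _under(from_dom, allowed):
            findings.append("DISPLAY_NAME_BRAND_MISMATCH")
            if not any(_under(d, allowed) for d in dkim_doms):
                findings.append("BRAND_NOT_DKIM_SIGNER")
    if reply_dom and reply_dom != from_dom:
        findings.append("REPLY_TO_DOMAIN_DIFFERS")
    return findings


if __name__ == "__main__":
    # Constructed envelope sender; the thread does not show the Return-Path.
    sender = "bounce@email.dropbox.com"
    print(def_spf_welcomelist_hit(sender, "pass", ["*@*.dropbox.com"]))
    print(impersonation_findings(SAMPLE_HEADERS))
```
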


Re: Why was USER_IN_DEF_SPF_WL triggered on this email, even though it's spam?

Posted by Mark London <mr...@psfc.mit.edu>.
It seems like it's too high a negative score.

On 3/20/2023 1:24 PM, Reindl Harald wrote:
>
>
> On 20.03.23 at 18:17, Mark London wrote:
>> Can someone tell me why this PayPal phishing email managed to 
>> trigger USER_IN_DEF_SPF_WL?
>> Or put it another way.  Why wasn't it detected as a phishing email? 
>> Thanks.
>
> Because it was a SPF hit and the envelope sender is in 
> USER_IN_DEF_SPF_WL? Frankly - what else do you expect to hear?
>