Guys, I need help, Is this fishing?

Nime
Normal user
Posts: 163
Joined: 2009-03-12 11:50

Guys, I need help, Is this fishing?

Post by Nime » 2022-08-18 15:32

Hi all!

I just received an email from paypal.com and it's really really paypal.com, I've confirmed the domain is P A Y P A and L dot com.

It says bla bla (I'm adding screenshots). My guess is someone sent me an invoice and wishes to pay me the bill.
Since I'm from Turkey, PayPal is totally blocked in my country for some other reasons.

Gmail screenshot:

Image

Invoice screenshot:

Image

Normally, I would just delete the message, however my cell phone was at the repair shop, so it makes me think the worst.
I've also checked my credit cards, there are no transactions for 600 bucks.

IMHO the only goal is to let me click the Pay 600$ button.

What are your opinions? Thanks!
Last edited by Nime on 2022-08-18 15:42, edited 1 time in total.

palinka
Senior user
Posts: 3658
Joined: 2017-09-12 17:57

Re: Guys, I need help, Is this fishing?

Post by palinka » 2022-08-18 15:40

Paste the eml into code blocks. If the sending server is legit and all links are legit, then the message is legit and you should call them to see what's going on. Screenshots are not worth much. I've seen a few very, very high quality phishing messages. Some are extremely sophisticated.
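The two checks named in the post above (who sent it, where the links go), run over a raw .eml, as an added example that is not part of the original thread. The function name `triage`, the `.example` hosts and the sample message are constructed for illustration; the example also lists phone numbers found in the visible body text, since header authentication and link hosts do not cover free text.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample (not the message from the thread): .example names only.
SAMPLE_EML = b"""\
Authentication-Results: mx.receiver.example;
       dkim=pass header.i=@pay.example header.s=sel1;
       spf=pass smtp.mailfrom=service@pay.example;
       dmarc=pass (p=REJECT) header.from=pay.example
From: "service@pay.example" <service@pay.example>
To: <user@mail.example>
Subject: Invoice updated
MIME-Version: 1.0
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<html><head><style>a { color: #0070ba; }</style></head><body>
<a href=3D"https://www.pay.example/invoice/details/INV-TEST?locale=3Den_US">V=
iew and Pay Invoice</a>
<a href=3D"https://social.example/pay?v=3D1">Follow us</a>
<p>Seller note to customer: contact us at +1 (555) 010-0199 =
immediately.</p>
</body></html>
"""


class _BodyScan(HTMLParser):
    """Collect <a href> targets and the text a reader would actually see."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hrefs, self.text, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("style", "script"):
            self._skip += 1
        elif tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

    def handle_endtag(self, tag):
        if tag in ("style", "script") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:          # CSS and script bodies are not visible text
            self.text.append(data)


def _host(href):
    try:
        return (urlsplit(href).hostname or "").lower()
    except ValueError:              # malformed URL, e.g. unbalanced IPv6 brackets
        return ""


def triage(raw, trusted_authserv, expected_domain):
    """Summarise sender authentication, link hosts and phone numbers in an .eml."""
    msg = email.message_from_bytes(raw, policy=policy.default)

    # Trust only the Authentication-Results header stamped by our own receiver
    # (RFC 8601); a sender can pre-insert headers carrying any other authserv-id.
    auth, header_from = {}, None
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = " ".join(str(value).split()).partition(";")
        if authserv.lower().split()[:1] != [trusted_authserv.lower()]:
            continue
        auth = {m.lower(): r.lower()
                for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results, re.I)}
        found = re.search(r"\bheader\.from=([\w.-]+)", results)
        header_from = found.group(1).lower() if found else None
        break

    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()

    scan = _BodyScan()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            scan.feed(part.get_content())   # quoted-printable is decoded here

    hosts = {_host(h) for h in scan.hrefs}
    off_domain = sorted(h for h in hosts if h and h != expected_domain
                        and not h.endswith("." + expected_domain))
    visible = " ".join(" ".join(scan.text).split())
    phones = re.findall(r"\+?\d[\d ().-]{8,}\d", visible)

    return {"auth": auth, "header_from": header_from, "from_domain": from_domain,
            "off_domain_links": off_domain, "phones_in_text": phones}


if __name__ == "__main__":
    print(triage(SAMPLE_EML, "mx.receiver.example", "pay.example"))
```

Pass the authserv-id your own receiving server writes as `trusted_authserv`; with any other value the function returns an empty `auth` result instead of trusting the header.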

Nime
Normal user
Posts: 163
Joined: 2009-03-12 11:50

Re: Guys, I need help, Is this fishing?

Post by Nime » 2022-08-18 15:45

That's what I did at first, DMARC, SPF, all seems ok...
Plus, Gmail has no flag or warning.

Original raw eml:

Image

Nime
Normal user
Posts: 163
Joined: 2009-03-12 11:50

Re: Guys, I need help, Is this fishing?

Post by Nime » 2022-08-18 15:49

Code:

Original Message
Message ID	<5C.D9.45723.4A73EF26@ccg13mail04>
Created at:	18 August 2022 15:59 (delivered after 3 seconds)
From:	"service@paypal.com" <service@paypal.com>
To:	eminakbulut@gmail.com
Subject:	Billing Department of PayPal updated your invoice ( 21452319 )
SPF:	SPF authentication result for IP address 173.0.84.227: PASS
DKIM:	DKIM authentication result for domain paypal.com: 'PASS'
DMARC:	'PASS'

Delivered-To: eminakbulut@gmail.com
Received: by 2002:ab0:1e03:0:b0:397:3ac9:a3af with SMTP id m3csp326388uak;
        Thu, 18 Aug 2022 05:59:20 -0700 (PDT)
X-Google-Smtp-Source: AA6agR5BYDMpkIvdRREJgg0XHpgPbDaULMwHeFPAPmQBzFbUIG2iFjurF1+/hemfqgzE33cNAiN3
X-Received: by 2002:a63:fc20:0:b0:41d:234f:53e2 with SMTP id j32-20020a63fc20000000b0041d234f53e2mr2381041pgi.199.1660827559913;
        Thu, 18 Aug 2022 05:59:19 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1660827559; cv=none;
        d=google.com; s=arc-20160816;
        b=xn8eWhxV0Nhx6I/oL7vtQjPqZmQI3lZizuY12adwgfNagz2+R0kZks6yfm5CxIJ11H
         qYyBTdn4DYWY65rvImOQZAr4VV8AtqN7HzsirakLd29SXKSqYMc1JxTunT18CokCYn33
         08bXV+FBXL3SBHgcE5I7Vmy9o3Fg9Xkj3/K7bOexKCxljGKiQspRxrX2QNY8MWNbEZb4
         zYPzapWYH5S/1dn2wqF5JD61f9eEQYiQDOeUnRZ4hIfrAEzrNFpr66+OW/MHCNXc4rmB
         d3IUlVE2q+Hg1OrwQ2hbP7fOFd83jXeP+GZrRQBH1iuXUQLail4NxACJZSecfq9tOzNa
         wb9w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=amq-delivery-message-id:mime-version:from:to:subject
         :pp-correlation-id:message-id:date:content-transfer-encoding
         :dkim-signature;
        bh=LLD2fzAq0oVfNQNgdciy/RrQPTtv8+gwK6jZurpN8UA=;
        b=Ey/k5KYGSMoqr99avEpbW3wE0jKRDPxNHi3HgUTkBeCMUTCShTo572Jby1omW2/bXh
         kDPtJIhH006VnfUjdrkFuZ2l3fDHpjgIrArC/OZD8TBAwgFFq2Iamx77RIQbcKIG70GY
         BZ6n0u8prdYYIn85/0aV1mDCIFCgXvHDH+dwnuV3z7ynfR7kMtrJ5Ba3W/HGwrDpbT7k
         s9d1cmVX/SkF6Bt2O9v5xF0xf7n/oAoJizINFXo8g+GGNksnbusC5jAZ+Qi1HNQICXxH
         inTDH6wHCKB+tlU/7WkaVCiUPKoSPB/XocBQBY0G4w0WwG3Xe7xangvj4llo6/veNvMs
         7IMg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@paypal.com header.s=pp-dkim1 header.b=HAwEhunk;
       spf=pass (google.com: domain of service@paypal.com designates 173.0.84.227 as permitted sender) smtp.mailfrom=service@paypal.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.com
Return-Path: <service@paypal.com>
Received: from mx2.slc.paypal.com (mx2.slc.paypal.com. [173.0.84.227])
        by mx.google.com with ESMTPS id u12-20020a655c0c000000b0041a518712fbsi1453940pgr.542.2022.08.18.05.59.19
        for <eminakbulut@gmail.com>
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 18 Aug 2022 05:59:19 -0700 (PDT)
Received-SPF: pass (google.com: domain of service@paypal.com designates 173.0.84.227 as permitted sender) client-ip=173.0.84.227;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@paypal.com header.s=pp-dkim1 header.b=HAwEhunk;
       spf=pass (google.com: domain of service@paypal.com designates 173.0.84.227 as permitted sender) smtp.mailfrom=service@paypal.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.com
DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=pp-dkim1; c=relaxed/relaxed; q=dns/txt; i=@paypal.com; t=1660827556; h=From:From:Subject:Date:To:MIME-Version:Content-Type; bh=LLD2fzAq0oVfNQNgdciy/RrQPTtv8+gwK6jZurpN8UA=; b=HAwEhunkDTAIUR4M4D5e0KBR52HKv2vSI+wOJ/pV1pAs5ZUvqrDT+U2JMNSjYHwN gpKOI8cbwnLzL/xtZigj+kpWO0m8dwzIvwFw8Hz6WERNEBtOHE1YRMRY4KZLuQt0 bqRQ4PSEavJwhLDSN1OXc9sDS3vjIbbnzTl+9lPk6ZIatHbAYoe8JvKd4Ub9hf6T IS950ykucxkbqSrVdA4qrE664eVi4PItH95L1ARmzxWgTLzosOCcIyFOVpaRzpXB pTZqbfr6K9mVt9hzvJ0WS5cEB5pTcyjwEEPGfbrwIN8/Gra/3pneeUMGKif/Q0a8 mTO8LuuqyS68KMliqSAmvA==;
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="UTF-8"
Date: Thu, 18 Aug 2022 05:59:16 -0700
Message-ID: <5C.D9.45723.4A73EF26@ccg13mail04>
X-PP-REQUESTED-TIME: 1660827549285
X-PP-Email-transmission-Id: 8f13503c-1ef5-11ed-9909-40a6b7293988
PP-Correlation-Id: f489498b7b382
Subject: Billing Department of PayPal updated your invoice ( 21452319 )
X-MaxCode-Template: PPC001082
To: <eminakbulut@gmail.com>
From: "service@paypal.com" <service@paypal.com>
X-Email-Type-Id: PPC001082
MIME-Version: 1.0
X-PP-Priority: 0-none-false
AMQ-Delivery-Message-Id: nullval
X-XPT-XSL-Name: nullval

<html dir=3D"ltr">

  <head>
    <meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dutf-8=
" />
    <meta name=3D"viewport" content=3D"initial-scale=3D1.0,minimum-scale=3D=
1.0,maximum-scale=3D1.0,width=3Ddevice-width,height=3Ddevice-height,target-=
densitydpi=3Ddevice-dpi,user-scalable=3Dno" />
    <title>Billing Department of PayPal updated your invoice ( 21452319 )</=
title>
    <style type=3D"text/css">
      /**
 * PayPal Fonts
 */
      @font-face {
        font-family: PayPal-Sans;
        font-style: normal;
        font-weight: 400;
        src: local('PayPalSansSmall-Regular'), url('https://www.paypalobjec=
ts.com/ui-web/paypal-sans-small/1-0-0/PayPalSansSmall-Regular.eot');
        /* IE9 Compat Modes */
        src: local('PayPalSansSmall-Regular'),
          url('https://www.paypalobjects.com/ui-web/paypal-sans-small/1-0-0=
/PayPalSansSmall-Regular.woff2') format('woff2'),
          /* Moderner Browsers */
          url('https://www.paypalobjects.com/ui-web/paypal-sans-small/1-0-0=
/PayPalSansSmall-Regular.woff') format('woff'),
          /* Modern Browsers */
          url('https://www.paypalobjects.com/ui-web/paypal-sans-small/1-0-0=
/PayPalSansSmall-Regular.svg#69ac2c9fc1e0803e59e06e93859bed03') format('svg=
');
        /* Legacy iOS */
        /* Fallback font for - MS Outlook older versions (2007,13, 16)*/
        mso-font-alt: 'Calibri';
      }

      @font-face {
        font-family: PayPal-Sans;
        font-style: normal;
        font-weight: 500;

        src: local('PayPalSansSmall-Medium'), url('https://www.paypalobject=
s.com/ui-web/paypal-sans-small/1-0-0/PayPalSansSmall-Medium.eot');
        /* IE9 Compat Modes */
        src: local('PayPalSansSmall-Medium'), url('https://www.paypalobject=
s.com/ui-web/paypal-sans-small/1-0-0/PayPalSansSmall-Medium.woff2') format(=
'woff2'),
          /* Moderner Browsers */
          url('https://www.paypalobjects.com/ui-web/paypal-sans-small/1-0-0=
/PayPalSansSmall-Medium.woff') format('woff'),
          /* Modern Browsers */
          url('https://www.paypalobjects.com/ui-web/paypal-sans-small/1-0-0=
/PayPalSansSmall-Medium.svg#69ac2c9fc1e0803e59e06e93859bed03') format('svg'=
);
        /* Legacy iOS */
        /* Fallback font for - MS Outlook older versions (2007,13, 16)*/
        mso-font-alt: 'Calibri';
      }

      /* End - PayPal Fonts */

      /**
 * VX-LIB Styles=20
 * Import only the styles required for Email templates.
 */
      @charset "UTF-8";

      html {
        box-sizing: border-box;
      }

      *,
      *:before,
      *:after {
        box-sizing: inherit;
      }

      /* Setting these elements to height of 100% ensures that
 * .vx_foreground-container fully covers the whole viewport
 */
      html,
      body {
        height: 100%;
      }

      /**
 * @fileOverview Contains type treatment for PayPal's new VX Patterns
 * @name type-vxPtrn
 * @author jlowery
 * @notes The below styles are mobile first
 */
      body {
        font-size: inherit !important;
        font-family: 'PayPal-Sans', sans-serif;
        -webkit-font-smoothing: antialiased;
        -moz-osx-font-smoothing: grayscale;
        font-smoothing: antialiased;
      }

      a,
      a:visited {
        color: #0070ba;
        text-decoration: none;
        font-weight: 500;
        font-family: 'PayPal-Sans', Calibri, Trebuchet, Arial, sans-serif;
      }

      a:active,
      a:focus,
      a:hover {
        color: #005ea6;
        text-decoration: underline;
      }

      p,
      li,
      dd,
      dt,
      label,
      input,
      textarea,
      pre,
      code {
        font-size: 0.9375rem;
        line-height: 1.6;
        font-weight: 400;
        text-transform: none;
        font-family: 'PayPal-Sans', Calibri, Trebuchet, Arial, sans-serif;
      }

      .vx_legal-text {
        font-size: 0.8125rem;
        line-height: 1.38461538;
        font-weight: 400;
        text-transform: none;
        font-family: 'PayPal-Sans', sans-serif;
        color: #6c7378;
      }

      /* End - VX-LIB Styles */

      /**
 * Styles from Neptune
 */
      /* prevent iOS font upsizing */
      * {
        -webkit-text-size-adjust: none;
      }

      /* force Outlook.com to honor line-height */
      .ExternalClass * {
        line-height: 100%;
      }

      td {
        mso-line-height-rule: exactly;
      }

      /* prevent iOS auto-linking */
      /* Android margin fix */
      body {
        margin: 0;
        padding: 0;
        font-family: 'PayPal-Sans', Calibri, Trebuchet, Arial, sans-serif !=
important;
        background: #f2f2f2;
        color: #2c2e2f;
      }

      div[style*=3D"margin: 16px 0"] {
        margin: 0 !important;
      }

      /** Prevent Outlook Purple Links **/
      .greyLink a:link {
        color: #949595;
      }

      /* prevent iOS auto-linking */
      .applefix a {
        /* use on a span around the text */
        color: inherit;
        text-decoration: none;
      }

      .ppsans {
        font-family: 'PayPal-Sans', Calibri, Trebuchet, Arial, sans-serif !=
important;
      }

      /* use to make image scale to 100 percent */
      .mpidiv img {
        width: 100%;
        height: auto;
        min-width: 100%;
        max-width: 100%;
      }

      .stackTbl {
        width: 100%;
        display: table;
      }

      .greetingText {
        padding: 0px 20px;
      }

      /* Responsive CSS */
      @media screen and (max-width: 640px) {

        /*** Image Width Styles ***/
        .imgWidth {
          width: 20px !important;
        }
      }

      @media screen and (max-width: 480px) {

        /*** Image Width Styles ***/
        .imgWidth {
          width: 10px !important;
        }

        .greetingText {
          padding: 0;
        }
      }

      /* End - Responsive CSS */

      /* Fix for Neptune partner logo */
      .partner_image {
        max-width: 250px;
        max-height: 90px;
        display: block;
      }

      /* End - Styles from Neptune */
    </style>
  </head>

  <body>
    <h4 id=3D"preHeader" style=3D"display:none;color:#fff;font-size:0px;lin=
e-height:0px">PayPal User, here are your updated invoice details.</h4>
    <table cellPadding=3D"0" cellSpacing=3D"0" border=3D"0" width=3D"100%" =
class=3D"marginFix">
      <tbody>
        <tr>
          <td bgcolor=3D"#ffffff" class=3D"mobMargin" style=3D"font-size:0p=
x"></td>
          <td bgcolor=3D"#ffffff" width=3D"660" align=3D"center" class=3D"m=
obContent">
            <table cellPadding=3D"0" cellSpacing=3D"0" border=3D"0" width=
=3D"100%" dir=3D"ltr">
              <tbody>
                <tr>
                  <td>
                    <table cellPadding=3D"0" cellSpacing=3D"0" border=3D"0"=
 width=3D"100%">
                      <tbody>
                        <tr>
                          <td align=3D"center" colSpan=3D"3" class=3D"greet=
ingText" width=3D"600" style=3D"padding-bottom:20px">
                            <table width=3D"100%" cellPadding=3D"0" cellSpa=
cing=3D"0" border=3D"0" bgcolor=3D"#f5f7fa" dir=3D"ltr">
                              <tbody>
                                <tr>
                                  <td align=3D"center" style=3D"font-size:1=
4px;line-height:18px;color:#687173;padding:20px">Hello, PayPal User</td>
                                </tr>
                              </tbody>
                            </table>
                          </td>
                        </tr>
                        <tr>
                          <td class=3D"mobMargin"></td>
                          <td align=3D"center" width=3D"600" style=3D"paddi=
ng-bottom:20px">
                            <table width=3D"100%" cellPadding=3D"0" cellSpa=
cing=3D"0" border=3D"0">
                              <tbody>
                                <tr>
                                  <td width=3D"250" align=3D"center"><img d=
ata-testid=3D"partner-logo" src=3D"https://pics.paypal.com/00/s/MTQyWDIyNlh=
KUEc/p/ZWNiODk3M2ItMDE0Yi00MjUxLTgwOTgtNDdmMDRhZTExZGNi/image_109.JPG" heig=
ht=3D"60" style=3D"max-height:60px;max-width:170px;display:block" border=3D=
"0" alt=3D"small business logo" title=3D"smallBusinessLogo" /></td>
                                </tr>
                              </tbody>
                            </table>
                          </td>
                          <td class=3D"mobMargin"></td>
                        </tr>
                        <tr>
                          <td class=3D"mobMargin" align=3D"center" valign=
=3D"top" bgcolor=3D"#004f9b" style=3D"min-width:10px"><img class=3D"imgWidt=
h" src=3D"https://www.paypalobjects.com/digitalassets/c/system-triggered-em=
ail/n/layout/images/2header-sidebar-left-top.jpg" width=3D"100%" height=3D"=
58" style=3D"display:block" border=3D"0" alt=3D"" /></td>
                          <td align=3D"center" width=3D"600" bgcolor=3D"#00=
4f9b">
                            <table height=3D"100%" width=3D"100%" cellPaddi=
ng=3D"0" cellSpacing=3D"0" border=3D"0">
                              <tbody>
                                <tr>
                                  <td width=3D"12" align=3D"center" valign=
=3D"top"><img src=3D"https://www.paypalobjects.com/digitalassets/c/system-t=
riggered-email/n/layout/images/2header-left-corner.jpg" width=3D"12" height=
=3D"100%" style=3D"display:block" border=3D"0" alt=3D"" /></td>
                                  <td align=3D"center" valign=3D"top"><img =
src=3D"https://www.paypalobjects.com/digitalassets/c/system-triggered-email=
/n/layout/images/2header-center.jpg" width=3D"100%" height=3D"100%" style=
=3D"display:block" border=3D"0" alt=3D"" /></td>
                                  <td width=3D"12" align=3D"center" valign=
=3D"top"><img src=3D"https://www.paypalobjects.com/digitalassets/c/system-t=
riggered-email/n/layout/images/2header-right-corner.jpg" width=3D"12" heigh=
t=3D"100%" style=3D"display:block" border=3D"0" alt=3D"" /></td>
                                </tr>
                              </tbody>
                            </table>
                          </td>
                          <td class=3D"mobMargin" align=3D"center" valign=
=3D"top" bgcolor=3D"#004f9b" style=3D"min-width:10px"><img class=3D"imgWidt=
h" src=3D"https://www.paypalobjects.com/digitalassets/c/system-triggered-em=
ail/n/layout/images/2header-sidebar-right-top.jpg" width=3D"100%" height=3D=
"58" style=3D"display:block" border=3D"0" alt=3D"" /></td>
                        </tr>
                      </tbody>
                    </table>
                  </td>
                </tr>
              </tbody>
            </table>
            <table cellPadding=3D"0" cellSpacing=3D"0" border=3D"0" width=
=3D"100%" class=3D"ppsans" dir=3D"ltr">
              <tbody>
                <tr>
                  <td class=3D"mobMargin" align=3D"left" valign=3D"top" sty=
le=3D"min-width:10px">
                    <table width=3D"100%" cellPadding=3D"0" cellSpacing=3D"=
0" border=3D"0">
                      <tbody>
                        <tr>
                          <td align=3D"center" valign=3D"top" bgcolor=3D"#0=
04f9b"><img class=3D"imgWidth" src=3D"https://www.paypalobjects.com/digital=
assets/c/system-triggered-email/n/layout/images/header-sidebar-left-bottom.=
jpg" width=3D"100%" height=3D"96" style=3D"display:block" border=3D"0" alt=
=3D"" /></td>
                        </tr>
                        <tr>
                          <td align=3D"right" valign=3D"top"><img src=3D"ht=
tps://www.paypalobjects.com/digitalassets/c/system-triggered-email/n/layout=
/images/dark-mode/sidebar-gradient.png" width=3D"1" height=3D"100" style=3D=
"display:block" alt=3D"" /></td>
                        </tr>
                      </tbody>
                    </table>
                  </td>
                  <td width=3D"600" valign=3D"top" align=3D"center"><br />
                    <table width=3D"100%" cellSpacing=3D"0" cellPadding=3D"=
0" border=3D"0" style=3D"padding:0px 20px 30px 20px;word-break:break-word">
                      <tbody>
                        <tr>
                          <td align=3D"center">
                            <p class=3D"ppsans" style=3D"font-size:32px;lin=
e-height:40px;color:#2c2e2f;margin:0" dir=3D"ltr"><span>Invoice updated</sp=
an></p>
                          </td>
                        </tr>
                      </tbody>
                    </table>
                    <table width=3D"100%" cellSpacing=3D"0" cellPadding=3D"=
0" border=3D"0" style=3D"padding:0px 20px 20px 20px">
                      <tbody>
                        <tr>
                          <td align=3D"center" valign=3D"top">
                            <p class=3D"vx_legal-text ppsans" style=3D"font=
-size:20px;line-height:28px;color:#687173;margin:0" dir=3D"ltr"><span>Billi=
ng Department of PayPal updated your invoice</span></p>
                          </td>
                        </tr>
                      </tbody>
                    </table>
                    <table width=3D"100%" cellSpacing=3D"0" cellPadding=3D"=
0" border=3D"0" style=3D"padding:0px 20px 20px 20px">
                      <tbody>
                        <tr>
                          <td align=3D"center" valign=3D"top">
                            <p class=3D"vx_legal-text ppsans" style=3D"font=
-size:20px;line-height:28px;color:#687173;margin:0" dir=3D"ltr"><span>Amoun=
t due: $600.00=C2=A0USD</span></p>
                          </td>
                        </tr>
                      </tbody>
                    </table>
                    <table width=3D"100%" border=3D"0" cellSpacing=3D"0" ce=
llPadding=3D"0" class=3D"neptuneButtonwhite">
                      <tbody>
                        <tr>
                          <td align=3D"center" style=3D"padding:0px 30px 30=
px 30px">
                            <table border=3D"0" cellSpacing=3D"0" cellPaddi=
ng=3D"0">
                              <tbody>
                                <tr>
                                  <td align=3D"center" style=3D"border-radi=
us:1.5rem" bgcolor=3D"#0070ba"><a href=3D"https://www.paypal.com/invoice/pa=
yerView/details/INV2-KWYN-7A79-9HAX-JBDD?locale.x=3Den_US&v=3D1&utm_source=
=3Dunp&utm_medium=3Demail&utm_campaign=3DRT000307&utm_unptid=3D8f13503c-1ef=
5-11ed-9909-40a6b7293988&ppid=3DRT000307&cnac=3DUS&rsta=3Den_US%28en-US%29&=
cust=3D&unptid=3D8f13503c-1ef5-11ed-9909-40a6b7293988&calc=3Df489498b7b382&=
unp_tpcid=3Dinvoice-buyer-updated&page=3Dmain%3Aemail%3ART000307&pgrp=3Dmai=
n%3Aemail&e=3Dcl&mchn=3Dem&s=3Dci&mail=3Dsys&appVersion=3D1.107.0&xt=3D1040=
38%2C124817" target=3D"_blank" class=3D"ppsans" style=3D"line-height:1.6;fo=
nt-size:15px;border-radius:1.5rem;padding:10px 20px;display:inline-block;bo=
rder:1px solid #0070ba;font-weight:500;text-align:center;text-decoration:no=
ne;cursor:pointer;min-width:150px;background-color:#0070ba;color:#ffffff">V=
iew and Pay Invoice</a></td>
                                </tr>
                              </tbody>
                            </table>
                          </td>
                        </tr>
                      </tbody>
                    </table>
                    <table width=3D"100%" cellPadding=3D"0" cellSpacing=3D"=
0" border=3D"0">
                      <tbody>
                        <tr>
                          <td class=3D"ppsans" style=3D"padding:0px 20px 20=
px 20px">
                            <p class=3D"ppsans" style=3D"font-size:16px;lin=
e-height:24px;color:#2c2e2f;margin:0;word-break:break-word" dir=3D"ltr">
                            <table width=3D"100%" cellPadding=3D"0" cellSpa=
cing=3D"0" border=3D"0">
                              <tbody>
                                <tr>
                                  <td style=3D"padding:0px">
                                    <hr style=3D"border-top:1px solid #6871=
73" />
                                  </td>
                                </tr>
                              </tbody>
                            </table>
                            </p>
                          </td>
                        </tr>
                      </tbody>
                    </table>
                    <table width=3D"100%" cellSpacing=3D"0" cellPadding=3D"=
0" border=3D"0" style=3D"padding:0px 20px 20px 20px">
                      <tbody>
                        <tr>
                          <td valign=3D"top">
                            <p class=3D"vx_legal-text ppsans" style=3D"font=
-size:20px;line-height:28px;color:#009cde;margin:0" dir=3D"ltr"><span>Selle=
r note to customer</span></p>
                          </td>
                        </tr>
                      </tbody>
                    </table>
                    <table width=3D"100%" cellPadding=3D"0" cellSpacing=3D"=
0" border=3D"0">
                      <tbody>
                        <tr>
                          <td class=3D"ppsans" style=3D"padding:0px 20px 20=
px 20px">
                            <p class=3D"ppsans" style=3D"font-size:16px;lin=
e-height:24px;color:#2c2e2f;margin:0;word-break:break-word" dir=3D"ltr"><sp=
an>There is evidence that your PayPal account has been accessed unlawfully.=
=20

$600. 00 has been debited to your account for the Walmart eGift Card purcha=
se.  This transaction will appear in the automatically deducted amount on P=
ayPal activity after 24 hours.=20
If you suspect you did not make this transaction, immediately contact us at=
 the toll-free number +1 (888) 392-2307 or visit the PayPal Support Center =
area for assistance.=20
=20
Our Service Hours: (06:00 a. m.  to 06:00 p. m.  Pacific Time, Monday throu=
gh Friday)</span></p>
                          </td>
                        </tr>
                      </tbody>
                    </table>
                  </td>
                  <td valign=3D"top" align=3D"left" class=3D"mobMargin" sty=
le=3D"min-width:10px">
                    <table width=3D"100%" cellSpacing=3D"0" cellPadding=3D"=
0" border=3D"0">
                      <tbody>
                        <tr>
                          <td valign=3D"top" align=3D"center" bgcolor=3D"#0=
04f9b"><img width=3D"100%" border=3D"0" height=3D"96" class=3D"imgWidth" st=
yle=3D"display:block" src=3D"https://www.paypalobjects.com/digitalassets/c/=
system-triggered-email/n/layout/images/header-sidebar-right-bottom.jpg" alt=
=3D"" /></td>
                        </tr>
                        <tr>
                          <td valign=3D"top" align=3D"left"><img width=3D"1=
" height=3D"100" style=3D"display:block" src=3D"https://www.paypalobjects.c=
om/digitalassets/c/system-triggered-email/n/layout/images/dark-mode/sidebar=
-gradient.png" alt=3D"" /></td>
                        </tr>
                      </tbody>
                    </table>
                  </td>
                </tr>
                <tr>
                  <td class=3D"mobMargin"></td>
                  <td align=3D"center" width=3D"600">
                    <table width=3D"100%" cellPadding=3D"0" cellSpacing=3D"=
0" border=3D"0" dir=3D"ltr">
                      <tbody>
                        <tr>
                          <td>
                            <table width=3D"100%" cellPadding=3D"0" cellSpa=
cing=3D"0" border=3D"0">
                              <tbody>
                                <tr>
                                  <td width=3D"12" align=3D"center" valign=
=3D"top"><img src=3D"https://www.paypalobjects.com/digitalassets/c/system-t=
riggered-email/n/layout/images/dark-mode/footer-left-corner.png" width=3D"1=
2" height=3D"141" style=3D"display:block" border=3D"0" alt=3D"" /></td>
                                  <td align=3D"center" valign=3D"top"><img =
src=3D"https://www.paypalobjects.com/digitalassets/c/system-triggered-email=
/n/layout/images/dark-mode/footer-left-stroke.png" width=3D"100%" height=3D=
"141" style=3D"display:block" border=3D"0" alt=3D"" /></td>
                                  <td width=3D"120" align=3D"center" valign=
=3D"top"><img src=3D"https://www.paypalobjects.com/digitalassets/c/system-t=
riggered-email/n/layout/images/dark-mode/footer-pp-logo.png" width=3D"120" =
height=3D"141" style=3D"display:block" border=3D"0" alt=3D"PayPal" /></td>
                                  <td align=3D"center" valign=3D"top"><img =
src=3D"https://www.paypalobjects.com/digitalassets/c/system-triggered-email=
/n/layout/images/dark-mode/footer-right-stroke.png" width=3D"100%" height=
=3D"141" style=3D"display:block" border=3D"0" alt=3D"" /></td>
                                  <td width=3D"12" align=3D"center" valign=
=3D"top"><img src=3D"https://www.paypalobjects.com/digitalassets/c/system-t=
riggered-email/n/layout/images/dark-mode/footer-right-corner.png" width=3D"=
12" height=3D"141" style=3D"display:block" border=3D"0" alt=3D"" /></td>
                                </tr>
                              </tbody>
                            </table>
                          </td>
                        </tr>
                      </tbody>
                    </table>
                    <table id=3D"body_footer_links" width=3D"100%" cellPadd=
ing=3D"0" cellSpacing=3D"0" border=3D"0" style=3D"margin-bottom:0px">
                      <tbody>
                        <tr>
                          <td align=3D"center" style=3D"font-size:15px;line=
-height:22px;color:#444444;padding:20px" class=3D"ppsans"><a href=3D"https:=
//www.paypal.com/us/smarthelp/home?v=3D1&utm_source=3Dunp&utm_medium=3Demai=
l&utm_campaign=3DRT000307&utm_unptid=3D8f13503c-1ef5-11ed-9909-40a6b7293988=
&ppid=3DRT000307&cnac=3DUS&rsta=3Den_US%28en-US%29&cust=3D&unptid=3D8f13503=
c-1ef5-11ed-9909-40a6b7293988&calc=3Df489498b7b382&unp_tpcid=3Dinvoice-buye=
r-updated&page=3Dmain%3Aemail%3ART000307&pgrp=3Dmain%3Aemail&e=3Dcl&mchn=3D=
em&s=3Dci&mail=3Dsys&appVersion=3D1.107.0&xt=3D104038%2C124817" target=3D"_=
blank" class=3D"ppsans" style=3D"color:#0070ba;text-decoration:none" alt=3D=
"Help &amp; Contact">Help &amp; Contact</a><span> | </span><a href=3D"https=
://www.paypal.com/us/webapps/mpp/paypal-safety-and-security?v=3D1&utm_sourc=
e=3Dunp&utm_medium=3Demail&utm_campaign=3DRT000307&utm_unptid=3D8f13503c-1e=
f5-11ed-9909-40a6b7293988&ppid=3DRT000307&cnac=3DUS&rsta=3Den_US%28en-US%29=
&cust=3D&unptid=3D8f13503c-1ef5-11ed-9909-40a6b7293988&calc=3Df489498b7b382=
&unp_tpcid=3Dinvoice-buyer-updated&page=3Dmain%3Aemail%3ART000307&pgrp=3Dma=
in%3Aemail&e=3Dcl&mchn=3Dem&s=3Dci&mail=3Dsys&appVersion=3D1.107.0&xt=3D104=
038%2C124817" target=3D"_blank" class=3D"ppsans" style=3D"color:#0070ba;tex=
t-decoration:none" alt=3D"Security">Security</a><span> | </span><a href=3D"=
https://www.paypal.com/us/webapps/mpp/mobile-apps?v=3D1&utm_source=3Dunp&ut=
m_medium=3Demail&utm_campaign=3DRT000307&utm_unptid=3D8f13503c-1ef5-11ed-99=
09-40a6b7293988&ppid=3DRT000307&cnac=3DUS&rsta=3Den_US%28en-US%29&cust=3D&u=
nptid=3D8f13503c-1ef5-11ed-9909-40a6b7293988&calc=3Df489498b7b382&unp_tpcid=
=3Dinvoice-buyer-updated&page=3Dmain%3Aemail%3ART000307&pgrp=3Dmain%3Aemail=
&e=3Dcl&mchn=3Dem&s=3Dci&mail=3Dsys&appVersion=3D1.107.0&xt=3D104038%2C1248=
17" target=3D"_blank" class=3D"ppsans" style=3D"color:#0070ba;text-decorati=
on:none" alt=3D"Apps">Apps</a></td>
                        </tr>
                        <tr>
                          <td align=3D"center" style=3D"padding-bottom:20px=
;padding-top:0px">
                            <table align=3D"center" cellPadding=3D"0" cellS=
pacing=3D"0" border=3D"0">
                              <tbody>
                                <tr>
                                  <td align=3D"center" valign=3D"middle" wi=
dth=3D"50"><a id=3D"twitter" href=3D"https://twitter.com/PayPal?v=3D1%2C0.1=
&utm_source=3Dunp&utm_medium=3Demail&utm_campaign=3DRT000307&utm_unptid=3D8=
f13503c-1ef5-11ed-9909-40a6b7293988&ppid=3DRT000307&cnac=3DUS&rsta=3Den_US%=
28en-US%29&cust=3D&unptid=3D8f13503c-1ef5-11ed-9909-40a6b7293988&calc=3Df48=
9498b7b382&unp_tpcid=3Dinvoice-buyer-updated&page=3Dmain%3Aemail%3ART000307=
&pgrp=3Dmain%3Aemail&e=3Dcl&mchn=3Dem&s=3Dci&mail=3Dsys&appVersion=3D1.107.=
0&xt=3D104038%2C124817" target=3D"_blank"><img border=3D"0" src=3D"https://=
www.paypalobjects.com/digitalassets/c/system-triggered-email/n/layout/image=
s/dark-mode/icon-tw.png" width=3D"28" height=3D"28" style=3D"display:block"=
 alt=3D"Twitter" /></a></td>
                                  <td align=3D"center" valign=3D"middle" wi=
dth=3D"50"><a id=3D"instagram" href=3D"https://www.instagram.com/paypal/?v=
=3D1%2C0.1&utm_source=3Dunp&utm_medium=3Demail&utm_campaign=3DRT000307&utm_=
unptid=3D8f13503c-1ef5-11ed-9909-40a6b7293988&ppid=3DRT000307&cnac=3DUS&rst=
a=3Den_US%28en-US%29&cust=3D&unptid=3D8f13503c-1ef5-11ed-9909-40a6b7293988&=
calc=3Df489498b7b382&unp_tpcid=3Dinvoice-buyer-updated&page=3Dmain%3Aemail%=
3ART000307&pgrp=3Dmain%3Aemail&e=3Dcl&mchn=3Dem&s=3Dci&mail=3Dsys&appVersio=
n=3D1.107.0&xt=3D104038%2C124817" target=3D"_blank"><img border=3D"0" src=
=3D"https://www.paypalobjects.com/digitalassets/c/system-triggered-email/n/=
layout/images/dark-mode/icon-ig.png" width=3D"28" height=3D"28" style=3D"di=
splay:block" alt=3D"Instagram" /></a></td>
                                  <td align=3D"center" valign=3D"middle" wi=
dth=3D"50"><a id=3D"facebook" href=3D"https://www.facebook.com/PayPalUSA?v=
=3D1%2C0.1&utm_source=3Dunp&utm_medium=3Demail&utm_campaign=3DRT000307&utm_=
unptid=3D8f13503c-1ef5-11ed-9909-40a6b7293988&ppid=3DRT000307&cnac=3DUS&rst=
a=3Den_US%28en-US%29&cust=3D&unptid=3D8f13503c-1ef5-11ed-9909-40a6b7293988&=
calc=3Df489498b7b382&unp_tpcid=3Dinvoice-buyer-updated&page=3Dmain%3Aemail%=
3ART000307&pgrp=3Dmain%3Aemail&e=3Dcl&mchn=3Dem&s=3Dci&mail=3Dsys&appVersio=
n=3D1.107.0&xt=3D104038%2C124817" target=3D"_blank"><img border=3D"0" src=
=3D"https://www.paypalobjects.com/digitalassets/c/system-triggered-email/n/=
layout/images/dark-mode/icon-fb.png" width=3D"28" height=3D"28" style=3D"di=
splay:block" alt=3D"Facebook" /></a></td>
                                  <td align=3D"center" valign=3D"middle" wi=
dth=3D"50"><a id=3D"linkedin" href=3D"http://www.linkedin.com/company/1482?=
trk=3Dtyah&v=3D1&utm_source=3Dunp&utm_medium=3Demail&utm_campaign=3DRT00030=
7&utm_unptid=3D8f13503c-1ef5-11ed-9909-40a6b7293988&ppid=3DRT000307&cnac=3D=
US&rsta=3Den_US%28en-US%29&cust=3D&unptid=3D8f13503c-1ef5-11ed-9909-40a6b72=
93988&calc=3Df489498b7b382&unp_tpcid=3Dinvoice-buyer-updated&page=3Dmain%3A=
email%3ART000307&pgrp=3Dmain%3Aemail&e=3Dcl&mchn=3Dem&s=3Dci&mail=3Dsys&app=
Version=3D1.107.0&xt=3D104038%2C124817" target=3D"_blank"><img border=3D"0"=
 src=3D"https://www.paypalobjects.com/digitalassets/c/system-triggered-emai=
l/n/layout/images/dark-mode/icon-li.png" width=3D"28" height=3D"28" style=
=3D"display:block" alt=3D"LinkedIn" /></a></td>
                                </tr>
                              </tbody>
                            </table>
                          </td>
                        </tr>
                      </tbody>
                    </table>
                  </td>
                  <td class=3D"mobMargin"></td>
                </tr>
              </tbody>
            </table>
            <table cellPadding=3D"0" cellSpacing=3D"0" border=3D"0" width=
=3D"100%" style=3D"padding-bottom:20px">
              <tbody>
                <tr>
                  <td class=3D"hide">=C2=A0</td>
                  <td align=3D"center" class=3D"ppsans" width=3D"600">
                    <table id=3D"hideForTextFooter" width=3D"100%" cellPadd=
ing=3D"0" cellSpacing=3D"0" border=3D"0">
                      <tbody>
                        <tr>
                          <td style=3D"font-size:13px;line-height:20px;colo=
r:#687173;padding:10px 30px 10px 30px">
                            <p class=3D"ppsans" style=3D"font-size:13px;mar=
gin:0" dir=3D"ltr"><span>PayPal is committed to preventing fraudulent email=
s. Emails from PayPal will always contain your full name. <a href=3D"https:=
//www.paypal.com/us/webapps/mpp/security/suspicious-activity?v=3D1&utm_sour=
ce=3Dunp&utm_medium=3Demail&utm_campaign=3DRT000307&utm_unptid=3D8f13503c-1=
ef5-11ed-9909-40a6b7293988&ppid=3DRT000307&cnac=3DUS&rsta=3Den_US%28en-US%2=
9&cust=3D&unptid=3D8f13503c-1ef5-11ed-9909-40a6b7293988&calc=3Df489498b7b38=
2&unp_tpcid=3Dinvoice-buyer-updated&page=3Dmain%3Aemail%3ART000307&pgrp=3Dm=
ain%3Aemail&e=3Dcl&mchn=3Dem&s=3Dci&mail=3Dsys&appVersion=3D1.107.0&xt=3D10=
4038%2C124817" target=3D"_blank" style=3D"text-decoration:none">Learn to id=
entify phishing</a></span></p>
                          </td>
                        </tr>
                      </tbody>
                    </table>
                    <table id=3D"hideForTextFooter" width=3D"100%" cellPadd=
ing=3D"0" cellSpacing=3D"0" border=3D"0">
                      <tbody>
                        <tr>
                          <td style=3D"font-size:13px;line-height:20px;colo=
r:#687173;padding:10px 30px 10px 30px">
                            <p class=3D"ppsans" style=3D"font-size:13px;mar=
gin:0" dir=3D"ltr"><span>Please don't reply to this email. To get in touch =
with us, click <strong><a href=3D"https://www.paypal.com/selfhelp/home?v=3D=
1&utm_source=3Dunp&utm_medium=3Demail&utm_campaign=3DRT000307&utm_unptid=3D=
8f13503c-1ef5-11ed-9909-40a6b7293988&ppid=3DRT000307&cnac=3DUS&rsta=3Den_US=
%28en-US%29&cust=3D&unptid=3D8f13503c-1ef5-11ed-9909-40a6b7293988&calc=3Df4=
89498b7b382&unp_tpcid=3Dinvoice-buyer-updated&page=3Dmain%3Aemail%3ART00030=
7&pgrp=3Dmain%3Aemail&e=3Dcl&mchn=3Dem&s=3Dci&mail=3Dsys&appVersion=3D1.107=
.0&xt=3D104038%2C124817" target=3D"_blank" style=3D"text-decoration:none">H=
elp &amp; Contact</a></strong>.</span></p>
                          </td>
                        </tr>
                      </tbody>
                    </table>
                    <table id=3D"" width=3D"100%" cellPadding=3D"0" cellSpa=
cing=3D"0" border=3D"0">
                      <tbody>
                        <tr>
                          <td style=3D"font-size:13px;line-height:20px;colo=
r:#687173;padding:10px 30px 10px 30px">
                            <p class=3D"ppsans" style=3D"font-size:13px;mar=
gin:0" dir=3D"ltr"><span>Not sure why you received this email? <a href=3D"h=
ttps://www.paypal.com/us/smarthelp/article/why-am-i-receiving-emails-from-p=
aypal-when-i-dont-have-an-account-faq4172?v=3D1&utm_source=3Dunp&utm_medium=
=3Demail&utm_campaign=3DRT000307&utm_unptid=3D8f13503c-1ef5-11ed-9909-40a6b=
7293988&ppid=3DRT000307&cnac=3DUS&rsta=3Den_US%28en-US%29&cust=3D&unptid=3D=
8f13503c-1ef5-11ed-9909-40a6b7293988&calc=3Df489498b7b382&unp_tpcid=3Dinvoi=
ce-buyer-updated&page=3Dmain%3Aemail%3ART000307&pgrp=3Dmain%3Aemail&e=3Dcl&=
mchn=3Dem&s=3Dci&mail=3Dsys&appVersion=3D1.107.0&xt=3D104038%2C124817" targ=
et=3D"_blank" style=3D"text-decoration:none">Learn more</a></span></p>
                          </td>
                        </tr>
                      </tbody>
                    </table>
                    <table width=3D"100%" cellPadding=3D"0" cellSpacing=3D"=
0" border=3D"0">
                      <tbody>
                        <tr>
                          <td style=3D"font-size:13px;line-height:20px;colo=
r:#687173;padding:10px 30px 10px 30px">
                            <p class=3D"ppsans" style=3D"font-size:13px;mar=
gin:0" dir=3D"ltr">
                            <div style=3D"font-size:11px" dir=3D"ltr"><span=
>Copyright &copy; 1999-2022 PayPal, Inc. All rights reserved. PayPal is loc=
ated at 2211 N. First St., San Jose, CA 95131.</span></div>
                            <p style=3D"font-size:11px" dir=3D"ltr">PayPal =
RT000307:en_US(en-US):1.1.0:f489498b7b382</p><img alt=3D"" height=3D"1" wid=
th=3D"1" border=3D"0" src=3D"https://t.paypal.com/ts?v=3D1&amp;utm_source=
=3Dunp&amp;utm_medium=3Demail&amp;utm_campaign=3DRT000307&amp;utm_unptid=3D=
8f13503c-1ef5-11ed-9909-40a6b7293988&amp;ppid=3DRT000307&amp;cnac=3DUS&amp;=
rsta=3Den_US%28en-US%29&amp;cust=3D&amp;unptid=3D8f13503c-1ef5-11ed-9909-40=
a6b7293988&amp;calc=3Df489498b7b382&amp;unp_tpcid=3Dinvoice-buyer-updated&a=
mp;page=3Dmain%3Aemail%3ART000307&amp;pgrp=3Dmain%3Aemail&amp;e=3Dop&amp;mc=
hn=3Dem&amp;s=3Dci&amp;mail=3Dsys&amp;appVersion=3D1.107.0&amp;xt=3D104038%=
2C124817" /></p>
                          </td>
                        </tr>
                      </tbody>
                    </table>
                  </td>
                  <td class=3D"hide">=C2=A0</td>
                </tr>
              </tbody>
            </table>
          </td>
          <td bgcolor=3D"#ffffff" class=3D"mobMargin" style=3D"font-size:0p=
x"></td>
        </tr>
      </tbody>
    </table>
  </body>

</html>


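Checking whether "all links are legit" in a raw source like the one above means decoding the quoted-printable body first, because soft line breaks (`=` at end of line) split URLs in the middle of the scheme or host. The following Python is an added example, not code from the thread or from hMailServer; the sample bytes are constructed from the footer markup above, the last link is an invented look-alike host, and `EXPECTED` is an assumed allowlist.

```python
import quopri
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the footer markup posted above. Soft line
# breaks ("=" at end of line) split several URLs mid-string, as in the original.
# The last link is an invented look-alike host, added to exercise the check.
SAMPLE_QP = (
    b'<a id=3D"twitter" href=3D"https://twitter.com/PayPal?v=3D1%2C0.1=\n'
    b'&utm_source=3Dunp" target=3D"_blank"><img border=3D"0" src=3D"https://=\n'
    b'www.paypalobjects.com/digitalassets/icon-tw.png" /></a>\n'
    b'<a id=3D"linkedin" href=3D"http://www.linkedin.com/company/1482?=\n'
    b'trk=3Dtyah">LinkedIn</a>\n'
    b'<a href=3D"https:=\n'
    b'//www.paypal.com/selfhelp/home?v=3D1">Help &amp; Contact</a>\n'
    b'<a href=3D"https://www.paypal.com.example.invalid/pay">Pay</a>\n'
)

# Assumption: the domains this reader expects in a PayPal notification.
EXPECTED = ("paypal.com", "paypalobjects.com", "twitter.com", "linkedin.com")


class LinkCollector(HTMLParser):
    """Collect every href and src value from decoded HTML."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        # Self-closing tags such as <img ... /> are routed here as well.
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.urls.append(value)


def host_is_expected(host, expected=EXPECTED):
    """True if host equals an expected domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in expected)


def audit_links(qp_bytes, expected=EXPECTED):
    """Decode quoted-printable HTML; return (host, scheme, expected?) per link."""
    html = quopri.decodestring(qp_bytes).decode("utf-8", errors="replace")
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    report = []
    for url in collector.urls:
        parts = urlsplit(url)
        host = parts.hostname or ""
        report.append((host, parts.scheme, host_is_expected(host, expected)))
    return report


if __name__ == "__main__":
    for host, scheme, ok in audit_links(SAMPLE_QP):
        print(f"{'ok     ' if ok else 'REVIEW '} {scheme:5} {host}")
```

The host comparison is anchored on the right-hand labels, so a name that merely contains `paypal.com` is not accepted.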
RvdH
Senior user
Posts: 2317
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Guys, I need help, Is this fishing?

Post by RvdH » 2022-08-18 16:04

Looks legit, do as told, call (make sure you pick their real phone number!) or visit support area (check URL!) and ask for assistance, never pay!
Especially because you say your phone was at a repair shop...
Last edited by RvdH on 2022-08-18 16:12, edited 3 times in total.
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup

Nime
Normal user
Posts: 163
Joined: 2009-03-12 11:50

Re: Guys, I need help, Is this fishing?

Post by Nime » 2022-08-18 16:04

That site explains the situations like my case:

https://www.howtogeek.com/822610/paypal-invoice-scams/

RvdH
Senior user
Posts: 2317
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Guys, I need help, Is this fishing?

Post by RvdH » 2022-08-18 16:09

Nime wrote:
2022-08-18 16:04
That site explains the situations like my case:

https://www.howtogeek.com/822610/paypal-invoice-scams/
But that site doesn't show any SPF, DKIM and DMARC analysis, so it's not really helpful, is it?

RvdH
Senior user
Posts: 2317
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Guys, I need help, Is this fishing?

Post by RvdH » 2022-08-18 16:43

Plz let us know the outcome :wink:

SorenR
Senior user
Posts: 5533
Joined: 2006-08-21 15:38
Location: Denmark

Re: Guys, I need help, Is this fishing?

Post by SorenR » 2022-08-18 19:42

Well, DON'T TRUST THE INTERNET!

If you can't remember spending that money, then you did not! Simple as that.

I get invoices from all sorts of strange places claiming I have ordered this and that - domain statistics, SEO optimization and bla bla. If something I have purchased online suddenly has become more expensive ... Well, Danish/EU law is quite firm. Unless they can prove fraud then the price I paid is the price they can charge. Period. There is no way they can "come back for more". Only thing they can legally do is cancel the order (if nothing is delivered) and in that case they would owe ME money... EU sucks big time except in a few instances :mrgreen:

Oh and EU being what EU is ... If seller is non-EU selling into EU - they still have to follow EU law 8) That also applies to GDPR (person data protection) and is why a number of AMERICAN news sites do NOT accept EU readers coming to their sites :roll:

I host my public DNS in USA, domain is registered with Network Solutions - everything else is physically located in my house and you need physical access to do "stuff" ;-)

All non-backed claims are going directly in the SPAM folder faster than you can say "SPAM". Unless there is a tattooed bodybuilder type with arms like the wife's legs banging on my door I will claim to my dying days that I did NOT spend that money or order that <whatever> service!

Actually, rule of thumb: unless it's your local law enforcement banging on your door you don't have to pay sh*t! :mrgreen:
SørenR.

There are two types of people in this world:
1) Those who can extrapolate from incomplete data

RvdH
Senior user
Posts: 2317
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Guys, I need help, Is this fishing?

Post by RvdH » 2022-08-18 20:23

SorenR wrote:
2022-08-18 19:42
Well, DON'T TRUST THE INTERNET!

If you can't remember spending that money, then you did not! Simple as that.

I get invoices from all sorts of strange places claiming I have ordered this and that - domain statistics, SEO optimization and bla bla. If something I have purchased online suddenly has become more expensive ... Well, Danish/EU law is quite firm. Unless they can prove fraud then the price I paid is the price they can charge. Period. There is no way they can "come back for more". Only thing they can legally do is cancel the order (if nothing is delivered) and in that case they would owe ME money... EU sucks big time except in a few instances :mrgreen:

Oh and EU being what EU is ... If seller is non-EU selling into EU - they still have to follow EU law 8) That also applies to GDPR (person data protection) and is why a number of AMERICAN news sites do NOT accept EU readers coming to their sites :roll:

I host my public DNS in USA, domain is registered with Network Solutions - everything else is physically located in my house and you need physical access to do "stuff" ;-)

All non-backed claims are going directly in the SPAM folder faster than you can say "SPAM". Unless there is a tattooed bodybuilder type with arms like the wife's legs banging on my door I will claim to my dying days that I did NOT spend that money or order that <whatever> service!

Actually, rule of thumb: unless it's your local law enforcement banging on your door you don't have to pay sh*t! :mrgreen:
Strange comparison...except one thing, eg: DON'T TRUST THE INTERNET!


`Real` rule of the dumb, if you don't trust an email call/contact the company that supposedly sent it (make sure you use genuine phone numbers and/or websites, if it's a phishing mail those listed in the mail itself are (almost) guaranteed fake)

jimimaseye
Moderator
Posts: 9593
Joined: 2011-09-08 17:48

Re: Guys, I need help, Is this fishing?

Post by jimimaseye » 2022-08-18 21:04

To me, that is as genuine as tartan paint.

You are in Turkey, an invoice in American Dollars, with a warning someone on a "genuine" email from paypal warning you that "There is evidence that your PayPal account has been accessed unlawfully".

Go on: log in to YOUR account on paypal and view your invoices. What's that? You don't have a paypal account? Surely, this can't be right. It clearly says "Hello, Paypal User". And of course, I presume you are "michael hence" with a yahoo address, and recently ordered gift cards, right?

I mean, how can it not be genuine. Any doubts, call them - I mean they have even given you a help desk number.....in America!!! Click the "Pay $600" button. (oh wait, you can't. After all, paypal is blocked, right?) :lol: :lol: (I bet the link isn't.)
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

RvdH
Senior user
Posts: 2317
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Guys, I need help, Is this fishing?

Post by RvdH » 2022-08-18 21:11

jimimaseye wrote:
2022-08-18 21:04
To me, that is as genuine as tartan paint.

You are in Turkey, an invoice in American Dollars, with a warning someone on a "genuine" email from paypal warning you that "There is evidence that your PayPal account has been accessed unlawfully".

Go on: log in to YOUR account on paypal and view your invoices. What's that? You don't have a paypal account? Surely, this can't be right. It clearly says "Hello, Paypal User". And of course, I presume you are "michael hence" with a yahoo address, and recently ordered gift cards, right?

I mean, how can it not be genuine. Any doubts, call them - I mean they have even given you a help desk number.....in America!!! Click the "Pay $600" button. (oh wait, you can't. After all, paypal is blocked, right?) :lol: :lol:
Genuine as in:

Code: Select all

Authentication-Results: mx.google.com;
       dkim=pass header.i=@paypal.com header.s=pp-dkim1 header.b=HAwEhunk;
       spf=pass (google.com: domain of service@paypal.com designates 173.0.84.227 as permitted sender) smtp.mailfrom=service@paypal.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.com
How would it be possible to successfully DKIM sign a message without the valid private key? and match SPF?

IP: 173.0.84.227
Host: mx2.slc.paypal.com
Country Code: US
Country: United States
Continent: North America
Time zone: America/Chicago
ASN/ISP: AS17012 PAYPAL

I would try to find another phone repair shop, looks like an employee there did more than only fix his phone

jimimaseye
Moderator
Posts: 9593
Joined: 2011-09-08 17:48

Re: Guys, I need help, Is this fishing?

Post by jimimaseye » 2022-08-18 21:24

RvdH wrote:
2022-08-18 21:11
Genuine as in:

Code: Select all

Authentication-Results: mx.google.com;
       dkim=pass header.i=@paypal.com header.s=pp-dkim1 header.b=HAwEhunk;
       spf=pass (google.com: domain of service@paypal.com designates 173.0.84.227 as permitted sender) smtp.mailfrom=service@paypal.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.com
How would it be possible to successfully DKIM sign a message without the valid private key? and match SPF?

IP: 173.0.84.227
Host: mx2.slc.paypal.com
Country Code: US
Country: United States
Continent: North America
Time zone: America/Chicago
ASN/ISP: AS17012 PAYPAL
Dunno - I'm not in the business of sending phishing spam emails. And don't care.

As I said, I bet the PAY button isn't taking him to a (blocked) Paypal website.

Come on, you are all seasoned mail server admins and deal with mail daily and are forgetting the 3 main rules:

Are you expecting it?
Do you recognise it?
Does it look genuine by what is written?

If any one of the answers is "NO" then it's probably spam (not to mention all 3). And if you are wrong and it turns out to be genuine but yet you ignore it, the sender will be in touch again somehow.

RvdH
Senior user
Posts: 2317
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Guys, I need help, Is this fishing?

Post by RvdH » 2022-08-18 21:27

jimimaseye wrote:
2022-08-18 21:24
RvdH wrote:
2022-08-18 21:11
Genuine as in:

Code: Select all

Authentication-Results: mx.google.com;
       dkim=pass header.i=@paypal.com header.s=pp-dkim1 header.b=HAwEhunk;
       spf=pass (google.com: domain of service@paypal.com designates 173.0.84.227 as permitted sender) smtp.mailfrom=service@paypal.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.com
How would it be possible to successfully DKIM sign a message without the valid private key? and match SPF?

IP: 173.0.84.227
Host: mx2.slc.paypal.com
Country Code: US
Country: United States
Continent: North America
Time zone: America/Chicago
ASN/ISP: AS17012 PAYPAL
Dunno - I'm not in the business of sending phishing spam emails. And don't care.

As I said, I bet the PAY button isn't taking him to a (blocked) Paypal website.

Come on, you are all seasoned mail server admins and deal with mail and are forgetting the 3 main rules:

Are you expecting it?
Do you recognise it?
Does it look genuine by what is written?

If any one of the answers is "NO" then it's probably spam (not to mention all 3). And if you are wrong and it turns out to be genuine but yet you ignore it, the sender will be in touch again somehow.
Come on, you know you can't fake DKIM!
The mail looks legit, only question is, why did he get that mail...someone accessed his paypal account? Someone stole his paypal credentials (phone repair shop) or just his paypal ID?

That is what I would worry about, and as said before...never pay!

PS, the source email is there, the link brings you to the official paypal site, eg: https://www.paypal.com/invoice/payerVie ... 8%2C124817 (invoice is no longer valid)

Maybe paypal was breached?

jimimaseye
Moderator
Posts: 9593
Joined: 2011-09-08 17:48

Re: Guys, I need help, Is this fishing?

Post by jimimaseye » 2022-08-18 21:31


RvdH
Senior user
Posts: 2317
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Guys, I need help, Is this fishing?

Post by RvdH » 2022-08-18 21:37

Vulnerability in paypal business account? This is scary stuff, paypal should really take action, soon!
https://twitter.com/0xdf_/status/155440 ... Flang%3Den

RvdH
Senior user
Posts: 2317
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Guys, I need help, Is this fishing?

Post by RvdH » 2022-08-18 21:52

Code: Select all

# Sub-rules: generic greeting in the body, paypal.com envelope sender,
# "paypal" in the From display name, paypal.com in the From address
describe T_PAYPAL_PHISH2022 Phishing
rawbody  __T_PAYPAL_PHISH2022_A /^.*(Hello, PayPal User).*$/i
header   __T_PAYPAL_PHISH2022_B Return-Path =~ /\@(paypal\.com)>?$/i
header   __T_PAYPAL_PHISH2022_C From:name =~ /^.*(paypal).*$/i
header   __T_PAYPAL_PHISH2022_D From:addr =~ /^.*\@(paypal\.com).*$/i
# && binds tighter than ||, so the authentication term is written out as it evaluates
meta     T_PAYPAL_PHISH2022 ( __T_PAYPAL_PHISH2022_A && __T_PAYPAL_PHISH2022_B && __T_PAYPAL_PHISH2022_C && __T_PAYPAL_PHISH2022_D && ( SPF_PASS || ( SPF_HELO_PASS && DKIM_VALID ) ) )
score    T_PAYPAL_PHISH2022 100

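The Authentication-Results header quoted in the thread and the greeting test in the rule above answer two different questions: who sent the message, and whether its content is trustworthy. The following Python is an added example, not code from any poster or from SpamAssassin; the message around the quoted header is constructed, and the `trusted_authserv` parameter, the verdict strings and the two-label `org_domain` shortcut are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message: the Authentication-Results value is the one quoted in
# the thread; the From display name, Subject and body are filled in around it.
SAMPLE = (
    "Return-Path: <service@paypal.com>\n"
    'From: "PayPal" <service@paypal.com>\n'
    "Authentication-Results: mx.google.com;\n"
    "       dkim=pass header.i=@paypal.com header.s=pp-dkim1 header.b=HAwEhunk;\n"
    "       spf=pass (google.com: domain of service@paypal.com designates"
    " 173.0.84.227 as permitted sender) smtp.mailfrom=service@paypal.com;\n"
    "       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.com\n"
    "Subject: Invoice\n"
    "\n"
    "Hello, PayPal User\n"
)


def parse_authres(value):
    """Split one Authentication-Results value into {method: properties}."""
    value = re.sub(r"\([^()]*\)", " ", value)  # drop parenthesised comments
    authserv, *resinfos = [part.strip() for part in value.split(";")]
    parsed = {"authserv-id": authserv.split()[0].lower() if authserv else ""}
    for info in resinfos:
        tokens = info.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        parsed[method.lower()] = {"result": result.lower(), **props}
    return parsed


def org_domain(value):
    # Simplification (assumption): the last two labels stand in for the
    # organizational domain; real DMARC alignment uses the Public Suffix List.
    host = value.rsplit("@", 1)[-1].strip("<> ").lower()
    return ".".join(host.split(".")[-2:])


def assess(raw, trusted_authserv="mx.google.com"):
    """Classify a message: origin check first, then the content check."""
    msg = message_from_string(raw)
    from_dom = org_domain(parseaddr(msg.get("From", ""))[1])
    authenticated = False
    for value in msg.get_all("Authentication-Results", []):
        res = parse_authres(value)
        if res["authserv-id"] != trusted_authserv:
            continue  # only trust results stamped by our own receiver
        dkim, spf, dmarc = (res.get(m, {}) for m in ("dkim", "spf", "dmarc"))
        dkim_ok = (dkim.get("result") == "pass"
                   and org_domain(dkim.get("header.i", "")) == from_dom)
        spf_ok = (spf.get("result") == "pass"
                  and org_domain(spf.get("smtp.mailfrom", "")) == from_dom)
        if dmarc.get("result") == "pass" and (dkim_ok or spf_ok):
            authenticated = True
    if not authenticated:
        return "unauthenticated"
    # Decode each leaf part so quoted-printable bodies are matched as text.
    body = "".join(
        (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for part in msg.walk() if not part.is_multipart()
    )
    if re.search(r"Hello,\s+PayPal User", body, re.I):
        return "authentic-sender-generic-greeting"
    return "authentic-sender"
```

A passing result only counts when it was stamped by the receiving server you trust, since any upstream hop can add its own Authentication-Results header.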
RvdH
Senior user
Posts: 2317
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Guys, I need help, Is this fishing?

Post by RvdH » 2022-08-18 22:46

PS, above SA rule needs this or 5.7 Alpha, eg: Return-Path addition for SA spam checks
