Ask HN: Scam from `service@paypal.com` email, How?
Sender IP and SPF: The SPF record indicates that the email was sent from IP 66.211.170.88 and that this IP is a designated sender for paypal.com. This is a good sign, as SPF is a method for domain owners to specify which IPs are allowed to send emails on their behalf. Still, this can be faked in phishing emails, so it isn't an absolute proof.
DKIM Signature: DKIM provides an encryption-based method to validate the authenticity and integrity of a message. The DKIM-Signature indicates that the email is signed and suggests it genuinely came from paypal.com with the signature being verified. This is another positive sign.
DMARC: The DMARC record shows a pass for the email. DMARC builds on SPF and DKIM to give receivers a way to improve and monitor the protection of the domain from fraudulent email. This is another good indication that the email is genuine.
Helo Record: The email identifies itself as coming from mx2.phx.paypal.com. Cross-referencing this with the IP 66.211.170.88 can give more information. Ideally, a DNS lookup on this domain should resolve to this IP, or vice versa. Authentication-Results: spf=pass (sender IP is 66.211.170.88)
smtp.mailfrom=paypal.com; dkim=pass (signature was verified)
header.d=paypal.com;dmarc=pass action=none
header.from=paypal.com;compauth=pass reason=100
Received-SPF: Pass (protection.outlook.com: domain of paypal.com designates
66.211.170.88 as permitted sender) receiver=protection.outlook.com;
client-ip=66.211.170.88; helo=mx2.phx.paypal.com; pr=C
Received: from mx2.phx.paypal.com (66.211.170.88) by
AM7EUR06FT065.mail.protection.outlook.com (10.233.255.252) with Microsoft
SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.6723.11 via Frontend Transport; Mon, 21 Aug 2023 14:39:41 +0000
X-IncomingTopHeaderMarker:
OriginalChecksum:D3EF06AD4D210DE94DD4CEF7676ADB33FFADDA146826968760B256614DBA0BB3;UpperCasedChecksum:C166224836B8549C000E1248A8D0B21B268DA10BAE404535ECAE6D2AC1E4F7F4;SizeAsReceived:1198;Count:17
DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=pp-dkim1; c=relaxed/relaxed;
q=dns/txt; i=@paypal.com; t=1692628775;
h=From:From:Subject:Date:To:MIME-Version:Content-Type;
bh=y3PR47e+bNTQkjaVkSmH1awii6kjs/uhFtgV+UQXT64=;
b=Y75EdoYH0VTDJ+1oaj5hM8Ev5CFNJxLSoLPSF6ICH/o4WEEW1kKZUvQDi63VGPd5
LxThPfH3DOqpW/o/mi8AmnbRaSfuYR2vhSIVYMXghc0VQ4CKD9J06JjDN2IO5M7/
lfWDOrXZJEAbJcSr92SnOucKMwoDngZiB2gy7SJG17187W2zmGjqZAFzNton8ssu
3aM6RRfFS+JxDEpuX3XPxYzQQsczTy2Qn/L28Yl+cJ4/HaV7myzte2OGr0qi+cQw
UEyT8Gd345qdkpxBmBUAk9Tu/Wcb6gQUdm+cDymkdcnPsuOKuW6DBgj47c76Arxw
20exiKh305Upy67mHCHvAA==;
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="UTF-8"
Date: Mon, 21 Aug 2023 07:39:35 -0700
Message-ID: <53.BB.28950.72773E46@ccg01mail04>
X-PP-REQUESTED-TIME: 1692628766599
X-PP-Email-transmission-Id: 8a9be26e-4030-11ee-bba5-40a6b729312c
PP-Correlation-Id: b2d6ca346679c
*Subject: Invoice from Marquis Pleasants (0084)*
X-MaxCode-Template: RT000238
To: <xxxxxxxxxxxxxxxxxxxxxxx>
From: "service@paypal.com" <service@paypal.com>
X-Email-Type-Id: RT000238
X-PP-Priority: 0-none-true
AMQ-Delivery-Message-Id: nullval
X-XPT-XSL-Name: nullval
X-IncomingHeaderCount: 17
....
X-Microsoft-Antispam: BCL:5;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 21 Aug 2023 14:39:41.5613
(UTC)
...
X-Microsoft-Antispam-Mailbox-Delivery:
7 comments
[ 5.7 ms ] story [ 32.0 ms ] threadPhishing contents: Hello, Suspicious transaction of $399.90 detected. If not done by you contact Fraud Investigation team at +1 (833) 902-0431 to cancel. Service hours(9AM-6PM) Email cs-billings@hilton.com
Here's your invoice Marquis Pleasants sent you an invoice for $399.90 USD
Marquis Pleasants 001 8339020431
You don't have any payments with this seller in the last year.
Don't recognize this invoice?
Report this invoice Before paying, make sure you recognize this invoice. If you don't, report it. Learn more about common security threats and how to spot them. For example, PayPal would never use an invoice or a money request to ask you for your account credentials.
Buy now. Pay over time.
Simply select PayPal Credit at checkout and enjoy No Interest if paid in full in 6 months. Subject to credit approval. See terms. US customers only.
If this is a genuine invoice, then this whole thread is moot.
https://news.ycombinator.com/item?id=32511086
2) The format of the email leads me to question it, the top part has the text: " Hello, Suspicious transaction of $399.90 detected. If not done by you contact Fraud Investigation team at +1 (833) 902-0431 to cancel. Service hours(9AM-6PM) Email cs-billings@hilton.com"
Is there a free HTML text field for sending invoice? And how did the break out of the email box and get to the top. This would be easier with a picture.