
Why was USER_IN_DEF_SPF_WL triggered on this email, even though it's spam?
Can someone tell me why this paypal phishing email, managed to trigger
USER_IN_DEF_SPF_WL?
Or put it another way. Why wasn't it detected as a phishing email? Thanks.

Received: from a39-208.smtp-out.amazonses.com
(a39-208.smtp-out.amazonses.com [54.240.39.208])
by PSFCMAIL.MIT.EDU (8.14.7/8.14.7) with ESMTP id 32KGQHFm099160
(version=TLSv1/SSLv3 cipher=AES128-SHA256 bits=128 verify=NOT)
for <marmar@psfc.mit.edu>; Mon, 20 Mar 2023 12:26:17 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
s=rid2v4iwdmeb26wntc7bqs5dnqgasdul; d=dropbox.com; t=1679329577;
h=Content-Type:MIME-Version:From:To:CC:Subject:Date:Message-ID:Reply-To;
bh=l2b7HMFmOjBDciMdIctq/6okXsHLQ3QtlCcrrKeBJFo=;
b=JZDgJOd2uPgAFKgSkAHeZ91+AJxLr/Rl231qxeOFdeMpeSo3NYG+WyedzpPWJneI
IkTEHtDYWQMhQf5bAJYJB+3hEF0n6t9MnmQzaF8xDlRK269ILVw/pfn8NHiNW7XR5R5
S/Y1XQpbvN8ezTWvCqiedTTQ/ubqm9KPXljCyPF4=
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1679329577;
h=Content-Type:MIME-Version:From:To:CC:Subject:Date:Message-ID:Reply-To:Feedback-ID;
bh=l2b7HMFmOjBDciMdIctq/6okXsHLQ3QtlCcrrKeBJFo=;
b=WvG6JHQ5+a4w8pq7gZNZYz/ph2i13+NZaJqfqWqnQYRewLpSyhcx5a5AeaJ+JPd+
xwwriSGEl5bNes3b0gkdp/oYd9niSty0sZy/Vquwx5tQiZWVr6zWXzhyBMyqHvWbkh0
sK3+fUdnhNigDX3wqE7/W3+ccK+XgH7ab5pstqb0=
Content-Type: multipart/alternative;
boundary="===============1633481412880569064=="
MIME-Version: 1.0
From: PayPal Support <no-reply@dropbox.com>
To: xxx@psfc.mit.edu
CC:
Subject: =?utf-8?q?Your_invoice_from_PayPal_Support_=28=23038989SL43=29?=
Date: Mon, 20 Mar 2023 16:26:17 +0000
Message-ID:
<01000186ffd7c860-2ed35238-7287-4f0b-b752-22466377b187-000000@email.amazonses.com>
X-Dropbox-Message-ID: 3637112534418604150
Reply-To: no-reply@PayPal.com
Feedback-ID:
1.us-east-1.syWQ1+fF8Wo1tY8y/+s85ptiAKu7bILK6PHyxwpB+xo=:AmazonSES
X-SES-Outgoing: 2023.03.20-54.240.39.208

--===============1633481412880569064==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

New invoice $629.00 Paid on March 20, 2023 View invoice[1] To PayPal=
Billing Bot invoice_receipt@PayPal.com From PayPal Support no-reply@P=
ayPal.com Issued March 20, 2023 Title wish to request a refund, please co=
ntact our support team at : +1 (833) 465-5681 Your recent purchase of Te=
ther (USDT) for $629.00 via PayPal has been confirmed. The funds will be re=
flected in your account within 24 hours. If you require any assistance or w=
ish to request a refund, please contact our support team at : <br>+1 (833) =
465-5681 PayPal Support sent you an invoice using Dropbox, Inc. PO Box 77=
767, San Francisco, CA 94107 View Privacy Policy[2] =20

[1]: https://invoice.dropbox.com/invoices/view/cap_pid_inv%3AAAAAAOxsdGyt1l=
3tFh9ZGervJ5Of-1znmrl1kE1pnlfEDUsg?utm_campaign=3Dsend_invoice&utm_medium=
=3Demail&utm_source=3Ddropbox&utm_term=3Dview_invoice
[2]: https://www.dropbox.com/l/AABfXvXi7J31sSfCfcEcmcs-kdTvg1Al_EE/privacy
--===============1633481412880569064==--
Re: Why was USER_IN_DEF_SPF_WL triggered on this email, even though it's spam?
It seems like it's too high a negative score.

On 3/20/2023 1:24 PM, Reindl Harald wrote:
>
>
> On 20.03.23 at 18:17, Mark London wrote:
>> Can someone tell me why this paypal phishing email, managed to
>> trigger USER_IN_DEF_SPF_WL?
>> Or put it another way. Why wasn't it detected as a phishing email?
>> Thanks.
>
> Because it was a SPF hit and the envelope sender is in
> USER_IN_DEF_SPF_WL? frankly - what else do you expect to hear?
>
Re: Why was USER_IN_DEF_SPF_WL triggered on this email, even though it's spam?
I’ve never seen a false positive with USER_IN_DEF_SPF_WL.

> On Mar 20, 2023, at 1:48 PM, Reindl Harald <h.reindl@thelounge.net> wrote:
>
> ?
>
>> On 20.03.23 at 18:44, Mark London wrote:
>> It seems like it's too high a negative score.
>
> then adjust it in local.cf
>
> the point of a WL is exactly to WL something - and yes, it can happen that spam comes from a whitelisted source
>
> for example when some employee of your bank has malware on his machine - would you want regular mails from your bank at the risk of FP and lose money just because filtering can't be perfect by definition?
>
>>> On 3/20/2023 1:24 PM, Reindl Harald wrote:
>>>
>>>
>>> On 20.03.23 at 18:17, Mark London wrote:
>>>> Can someone tell me why this paypal phishing email, managed to trigger USER_IN_DEF_SPF_WL?
>>>> Or put it another way. Why wasn't it detected as a phishing email? Thanks.
>>>
>>> Because it was a SPF hit and the envelope sender is in USER_IN_DEF_SPF_WL? frankly - what else do you expect to hear?
>
Re: Why was USER_IN_DEF_SPF_WL triggered on this email, even though it's spam?
On 2023-03-20 at 13:17:25 UTC-0400 (Mon, 20 Mar 2023 13:17:25 -0400)
Mark London <mrl@psfc.mit.edu>
is rumored to have said:

> Can someone tell me why this paypal phishing email, managed to trigger
> USER_IN_DEF_SPF_WL?

Hard to be sure, since you didn't include any indication of the envelope
sender address (a.k.a. Return-Path) which is what SPF validates.

IF the envelope sender was a dropbox.com address (as implied by the From
header and one of the DKIM headers) then SPF passed because the SPF TXT
record for dropbox.com includes the AmazonSES machine that this came
from. USER_IN_DEF_SPF_WL passed because at some point in the past
someone with commit permission deemed Dropbox to be a sender of
substantial amounts of predominantly wanted non-spam that occasionally
was being classified as spam AND that they had a useful SPF record.

This appears to be actual mail from a Dropbox service. In that sense, it
is not a phish. It seems to want you to think that it is a PayPal
invoice, and I'm not sure that SA can detect that sort of recursive
phish without hardcoding concrete details like "PayPal does not send
invoices using Dropbox" that we don't really have any way to know
reliably.

> Or put it another way. Why wasn't it detected as a phishing email?
> Thanks.

Because as of right now, SpamAssassin does not know that PayPal does not
use a Dropbox service to send invoices. As of this moment, I also can't
say for sure that they do not, although I strongly doubt that they would
do so.

And that Dropbox service does not seem to protect itself from fraudulent
customers. That seems like a bad idea. We may need to reconsider
Dropbox's presence in the distributed "default welcomelist."

--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: Why was USER_IN_DEF_SPF_WL triggered on this email, even though it's spam?
A quick grep shows:

4.000000/updates_spamassassin_org/60_welcomelist_auth.cf:def_welcomelist_auth *@*.dropbox.com

so the code is operating as designed.

It seems that either dropbox is compromised, or dropbox is allowing
user-generated content to go out under their domain. Either way it
seems they should be removed from USER_IN_DEF_SPF_WL, unless this is a
blip and they fix it right away.

Have you written to abuse@dropbox.com, and what did they say?
Re: Why was USER_IN_DEF_SPF_WL triggered on this email, even though it's spam?
On 2023-03-20 at 13:54:42 UTC-0400 (Mon, 20 Mar 2023 13:54:42 -0400)
Mark London <mrl@psfc.mit.edu>
is rumored to have said:

> I’ve never seen a false positive with USER_IN_DEF_SPF_WL.

It can happen, particularly when a listed domain changes the way they
send email. I'm not sure I understand exactly what Dropbox is doing here
or how it is possible for a user to masquerade as PayPal, but I suspect
this is a new service of some sort.

N.B.: h.reindl replies directly to some messages on this list (which is
publicly archived) but he cannot post to the list due to a uniquely
unhelpful history.



--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: Why was USER_IN_DEF_SPF_WL triggered on this email, even though it's spam?
Bill Cole <sausers-20150205@billmail.scconsult.com> writes:

> It can happen, particularly when a listed domain changes the way they
> send email. I'm not sure I understand exactly what Dropbox is doing
> here or how it is possible for a user to masquerade as PayPal, but I
> suspect this is a new service of some sort.

It seems to be a new service:

https://invoice.dropbox.com/login

and from the mail Mark posted, it seems they let people

  choose the human part of the name: "John Doe <no-reply@dropbox.com>"
  choose the Subject
  choose the Reply-To:
  choose the body

  put something at dropbox that will have a link in the mail

but include a footer which is

  [name] sent you an invoice using Dropbox, Inc. PO Box 77767, San
  Francisco, CA 94107 View Privacy Policy[2]

  have the mail go out dkim-signed under dropbox.com

and thus I think dropbox.com needs to be removed from
default_welcomelist, as surely entities on default_welcomelist can't
allow web users to spam and match the entry.
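
The mismatch discussed in this thread (authentication vouches for dropbox.com while the display name and Reply-To are chosen by the Dropbox customer) can be checked mechanically from the headers. The following Python script is an added example, not code from any poster or from SpamAssassin; the `BRAND_DOMAINS` watch list and all function names are assumptions, and the DKIM `d=` tags are only read, on the assumption that the receiving MTA already verified the signatures.

```python
"""Brand vs. authenticated-domain check for the message posted in this thread."""
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# Assumption for this example: a local watch list mapping a brand keyword to
# the domains allowed to use it in a display name. Not a SpamAssassin feature.
BRAND_DOMAINS = {"paypal": {"paypal.com"}}

# Headers copied from the message in this thread. The bh=/b= signature data is
# left out because only the d= tag is inspected here.
THREAD_SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
 s=rid2v4iwdmeb26wntc7bqs5dnqgasdul; d=dropbox.com; t=1679329577
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
 s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1679329577
From: PayPal Support <no-reply@dropbox.com>
To: xxx@psfc.mit.edu
Subject: =?utf-8?q?Your_invoice_from_PayPal_Support_=28=23038989SL43=29?=
Reply-To: no-reply@PayPal.com

"""


def org_domain(value):
    """Crude registrable domain (last two labels).

    Good enough for the .com names in this thread; production code should
    use the Public Suffix List instead.
    """
    host = value.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    return ".".join(host.split(".")[-2:]) if host else ""


def dkim_signing_domains(msg):
    """Return the d= domain of every DKIM-Signature header (not verified here)."""
    domains = set()
    for value in msg.get_all("DKIM-Signature", []):
        for tag in value.split(";"):
            key, _, val = tag.partition("=")
            if key.strip() == "d" and val.strip():
                domains.add(org_domain(val))
    return domains


def decoded(header_value):
    """Decode RFC 2047 encoded-words such as the =?utf-8?q?...?= Subject."""
    return str(make_header(decode_header(header_value)))


def analyze(raw):
    """Compare who the mail claims to be with the domain that signed it."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    display = decoded(name).lower()
    from_dom = org_domain(addr)
    reply_dom = org_domain(parseaddr(msg.get("Reply-To", ""))[1])

    findings = []
    # The display name is free text chosen by the sender; SPF and DKIM say
    # nothing about it, so a brand keyword there must match the From domain.
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in display and from_dom not in allowed:
            findings.append(f"display_name_brand:{brand}")
    # Replies routed to a different organisation than the authenticated sender.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply_to_mismatch:{reply_dom}")

    return {
        "from_domain": from_dom,
        # Relaxed alignment: some signature's d= shares the From org domain.
        "dkim_aligned": from_dom in dkim_signing_domains(msg),
        "subject": decoded(msg.get("Subject", "")),
        "findings": findings,
    }


if __name__ == "__main__":
    print(analyze(THREAD_SAMPLE))
```

A message can therefore be fully aligned for dropbox.com, which is what the welcomelist entry keys on, and still carry both findings.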
Re: Why was USER_IN_DEF_SPF_WL triggered on this email, even though it's spam?
On 20.03.23 13:54, Mark London wrote:
>I’ve never seen a false positive with USER_IN_DEF_SPF_WL.

I have seen multiple, that's why I have:

unwelcomelist_auth *@*.getresponse-mail.com
- don't remember this one

unwelcomelist_auth *@google.com
- spam from google drive, docs etc

unwelcomelist_auth *@*.microsoft.com
- spam from teams invitations

in my config.


--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
LSD will make your ECS screen display 16.7 million colors
Re: Why was USER_IN_DEF_SPF_WL triggered on this email, even though it's spam?
On 3/21/23 09:37, Matus UHLAR - fantomas wrote:
> On 20.03.23 13:54, Mark London wrote:
>> I’ve never seen a false positive with USER_IN_DEF_SPF_WL.
>
> I have seen multiple, that's why I have:
>
> unwelcomelist_auth   *@*.getresponse-mail.com
> - don't remember this one
>
> unwelcomelist_auth *@google.com
> - spam from google drive, docs etc
>
I agree, there is a bz open for this issue.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7902

> unwelcomelist_auth *@*.microsoft.com
> - spam from teams invitations
>
We should have a better welcomelist_auth check to welcomelist only some email addresses.

Giovanni


> in my config.
>
>