Niamh Holding <[email protected]> writes:

> Hello Greg,
>
> Wednesday, January 29, 2025, 12:28:13 PM, you wrote:
>
> GT> - 1) this email was emitted from paypal's mail system
> GT> - 2) paypal's DKIM signing key is compromised
> GT> - 3) spamassassin is misparsing DKIM
> GT> - 4) something else
>
> GT> I would take the message and run it through SA with -D -t.
> GT> I am guessing we are in case 1.
>
> GT> To be clear: if this is case 1, then it is not true that "the From:
> GT> address [is] faked".
>
> I'm 99.9% sure paypal doesn't use outlook.com to deliver emails.
>
> X-Spam-Relays-Untrusted: [ ip=13.110.227.172 rdns=mta58.emails.paypal.com
> helo=mta58.emails.paypal.com by=iron.holtain.net ident= envfrom=
> intl=0 id=EEC48C00559A auth= msa=0 ]
It doesn't in general, but it seems someone has set up an MS account to forward to others, and someone has caused paypal to send an *authentic, DKIM-signed* message from paypal's systems to that MS account (with phishing content). You having an example of (legit) paypal mail direct to you doesn't argue that this isn't case 1.
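
A small parser for the X-Spam-Relays-Untrusted line quoted in the thread, added here as an example; it is not part of either message and not SpamAssassin's own code. It takes the header as quoted (mail-client wrapping removed) and a constructed second header showing what the same chain would look like after a hop through a Microsoft mailbox, then reports whether the named domain's MTA spoke to the receiving MX directly or only appears as an earlier hop. The host names, IPs and envelope sender in the constructed sample are assumptions.

```python
import re

# The X-Spam-Relays-Untrusted pseudo-header quoted in the thread, with the
# mail client's line wrapping removed.
RELAYS_DIRECT = (
    "[ ip=13.110.227.172 rdns=mta58.emails.paypal.com "
    "helo=mta58.emails.paypal.com by=iron.holtain.net ident= envfrom= "
    "intl=0 id=EEC48C00559A auth= msa=0 ]"
)

# Constructed sample (not from the thread): the same message after being
# forwarded by a Microsoft mailbox.  SpamAssassin lists relays nearest-first,
# so the forwarding server comes first and PayPal's MTA second.  The IP is a
# documentation address and the host/envelope names are illustrative.
RELAYS_FORWARDED = (
    "[ ip=203.0.113.10 rdns=mail-eopbgr00010.outbound.protection.outlook.com "
    "helo=mail-eopbgr00010.outbound.protection.outlook.com by=iron.holtain.net "
    "ident= envfrom=forwarder@example.com intl=0 id=5A2C1D00557B auth= msa=0 ] "
    "[ ip=13.110.227.172 rdns=mta58.emails.paypal.com "
    "helo=mta58.emails.paypal.com by=mail.example.com ident= envfrom= "
    "intl=0 id=EEC48C00559A auth= msa=0 ]"
)

# One bracketed entry per relay; values never contain spaces in this format.
ENTRY_RE = re.compile(r"\[\s*(.*?)\s*\]")


def parse_relays(header: str) -> list[dict[str, str]]:
    """Parse each '[ key=value ... ]' entry into a dict; empty values stay ''."""
    relays = []
    for m in ENTRY_RE.finditer(header):
        fields = {}
        for token in m.group(1).split():
            key, _, value = token.partition("=")
            fields[key] = value
        relays.append(fields)
    return relays


def _under(host: str, domain: str) -> bool:
    """True when host is domain itself or a subdomain of it (case-insensitive)."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def hops_under(relays: list[dict[str, str]], domain: str) -> list[int]:
    """Indices of relays whose reverse DNS sits under domain (0 = host that spoke to our MX)."""
    return [i for i, r in enumerate(relays) if _under(r.get("rdns", ""), domain)]


def handed_to_us_by(relays: list[dict[str, str]], domain: str) -> bool:
    """True when the relay that connected to our MX is under domain."""
    return 0 in hops_under(relays, domain)


def forwarded_from(relays: list[dict[str, str]], domain: str) -> bool:
    """True when domain appears in the chain but a different host delivered to us."""
    hops = hops_under(relays, domain)
    return bool(hops) and 0 not in hops


def helo_matches_rdns(relay: dict[str, str]) -> bool:
    """A sender whose HELO name and reverse DNS agree is the usual sign of a real MTA."""
    return relay.get("helo", "").lower() == relay.get("rdns", "").lower()


def classify(header: str, domain: str) -> str:
    """Summarise how the message reached us relative to domain's mail servers."""
    relays = parse_relays(header)
    if handed_to_us_by(relays, domain):
        return "direct" if helo_matches_rdns(relays[0]) else "direct-helo-mismatch"
    if forwarded_from(relays, domain):
        return "forwarded"
    return "unrelated"


if __name__ == "__main__":
    for name, hdr in (("quoted header", RELAYS_DIRECT), ("constructed forward", RELAYS_FORWARDED)):
        relays = parse_relays(hdr)
        print(name, "->", classify(hdr, "emails.paypal.com"), [r["ip"] for r in relays])
```

The DKIM signature verifies in both chains as long as the forwarder leaves the signed headers and body untouched, so it is the relay list, not the DKIM result, that separates "PayPal delivered this to me" from "PayPal delivered this to someone who forwarded it". Running the message through `spamassassin -D -t` shows the same parsed relay entries in its debug output, which is the check suggested earlier in the thread.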
