PayPal phishing email
<blockquote data-quote="Kryten" data-source="post: 1920091" data-attributes="member: 16377"><p>I recently closed both my PayPal accounts, one personal and the other business. This was sent to my personal account.</p><p>I'm this is a scam but how have they spoofed <a href="mailto:service@paypal.com">service@paypal.com</a> email address? I'm posting the header text if that helps. You can see the View Estimate does actually take you to the PayPal website. I don't know who Killo Carter is. The email tells me my PP account has been accessed illegally or words to that effect.</p><p></p><p>Any ideas most welcome, thanks guys.</p><p></p><p>"<a href="mailto:service@paypal.com">service@paypal.com</a>" <<a href="mailto:service@paypal.com">service@paypal.com</a>></p><p>Estimate from Billing department Of paypal (0106)</p><p>To: My Details removed by me</p><p>Delivered-To: My email address</p><p>X-Pp-Requested-Time: 1665822733272</p><p>Pp-Correlation-Id: f532255291939</p><p>X-Xpt-Xsl-Name: nullval</p><p>X-Pp-Priority: 0-none-true</p><p>X-Spam-Report: Action: no action Symbol: ARC_NA(0.00) Symbol: R_DKIM_ALLOW(-0.20) Symbol: RWL_MAILSPIKE_POSSIBLE(0.00) Symbol: FROM_DN_EQ_ADDR(1.00) Symbol: DWL_DNSWL_MED(-2.00) Symbol: R_SPF_ALLOW(-0.20) Symbol: TO_MATCH_ENVRCPT_ALL(0.00) Symbol: TO_DN_NONE(0.00) Symbol: RCVD_DKIM_ARC_DNSWL_MED(-0.50) Symbol: RCPT_COUNT_ONE(0.00) Symbol: MID_RHS_NOT_FQDN(0.50) Symbol: DKIM_TRACE(0.00) Symbol: RCVD_IN_DNSWL_MED(-0.40) Symbol: DMARC_POLICY_ALLOW(-0.50) Symbol: WHITELIST_DMARC(-7.00) Symbol: MIME_HTML_ONLY(0.20) Symbol: RCVD_COUNT_ONE(0.00) Symbol: FUZZY_BLOCKED(0.00) Symbol: WHITELIST_SPF_DKIM(-3.00) Symbol: FROM_EQ_ENVFROM(0.00) Symbol: MIME_TRACE(0.00) Symbol: ASN(0.00) Symbol: RCVD_TLS_ALL(0.00) Symbol: NEURAL_HAM(0.00) Symbol: ONCE_RECEIVED(0.10) Message-ID: 3B.48.26877.5107A436@ccg01mail02</p><p>Return-Path: <<a href="mailto:service@paypal.com">service@paypal.com</a>></p><p>X-Maxcode-Template: PPC001840</p><p>Mime-Version: 
1.0</p><p>Authentication-Results: mx1.lhr.stackcp.net; iprev=pass (mx0.phx.paypal.com) smtp.remote-ip=66.211.170.86; spf=pass smtp.mailfrom=paypal.com; dmarc=skipped</p><p>Content-Transfer-Encoding: quoted-printable</p><p>Dkim-Signature: v=1; a=rsa-sha256; d=paypal.com; s=pp-dkim1; c=relaxed/relaxed; q=dns/txt; i=@paypal.com; t=1665822741; h=From:From:Subject:Date:To:MIME-Version:Content-Type; bh=xzYlohkOJ1gmgD3KSNgKAIVbAjckIJdaDc1mKRqrepw=; b=gztfWeKlDbsJ/XsdhjJ+NQzbZiEvh06bRQWe75tFzRcnq7c/g4o9meCDUJzZp1XW 2Y3FXpV4dY1rcNedBzmt0smN5GsRYjMaZcW0YYrfeFf9/9YN76T5hKf5V4GhX3hT nJ+dhp9mjeLtl3rKENwG72rqh6Tndiw6ZWBslkE+trHWZsLEzbsK4paP9AMQmOkH Z5Fmhj2Fy+EdSne5p67N9vu7eNJgyXdO1hwIkCazUuOP7mSKNRrmTh0ALcEso7qz DnIp1x4iTGlSbnfPC4H7/W5YYLJiiAT+mxNpLD2h/TVe1iWa5N9+E55Ac4jR9RlM fKN0rv0xaMrjNEaEEHe8rA==;</p><p><3B.48.26877.5107A436@ccg01mail02></p><p>X-Spam-Score: -12.0 (------------)</p><p>X-Email-Type-Id: PPC001840</p><p>Content-Type: text/html; charset="UTF-8"</p><p>X-Pp-Email-Transmission-Id: e108f16c-4c63-11ed-bf28-3cfdfeec12bc</p><p>Received-Spf: pass (mx1.lhr.stackcp.net: domain of paypal.com designates 66.211.170.86 as permitted sender) client-ip=66.211.170.86; envelope-from=<a href="mailto:service@paypal.com">service@paypal.com</a>; helo=mx0.phx.paypal.com;</p><p>Amq-Delivery-Message-Id: nullval</p><p>Received: from mailauth4.lhr.stackcp.net ([10.4.13.3]) by mail18.lhr.stackcp.net with LMTP id wHggLhdwSmMUJwAA2vlgcg (envelope-from <<a href="mailto:service@paypal.com">service@paypal.com</a>>) for <My email address>; Sat, 15 Oct 2022 09:32:23 +0100</p><p>Received: from mx1.lhr.stackcp.net ([10.4.12.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by mailauth4.lhr.stackcp.net with LMTPS id eMLyLBdwSmNgTQAAl5XFYQ (envelope-from <<a 
href="mailto:service@paypal.com">service@paypal.com</a>>) for <My email address>; Sat, 15 Oct 2022 09:32:23 +0100</p><p>Received: from mx0.phx.paypal.com ([66.211.170.86]) by mx1.lhr.stackcp.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from <<a href="mailto:service@paypal.com">service@paypal.com</a>>) id 1ojcal-000549-1B for My email address; Sat, 15 Oct 2022 09:32:23 +0100</p><p></p><p>[ATTACH=full]37071[/ATTACH]</p></blockquote><p></p>
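The authentication fields in the headers posted above can be read mechanically. The following Python is an added example, not part of the original post: it parses the `Authentication-Results` and `Dkim-Signature` values and reports whether the SPF envelope domain and the DKIM signing domain line up with the From domain. A passing, aligned SPF result means the message was relayed by a host the From domain authorizes rather than by a forged sender. The function names are hypothetical, and the sample is abridged from the post with the `From:` field label assumed and the `bh=`/`b=` values replaced by placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Abridged from the headers in the post. The "From:" label is assumed (the post
# shows the address without its field name); bh=/b= are shortened placeholders.
RAW = (
    'From: "service@paypal.com" <service@paypal.com>\n'
    "Authentication-Results: mx1.lhr.stackcp.net; iprev=pass (mx0.phx.paypal.com) "
    "smtp.remote-ip=66.211.170.86; spf=pass smtp.mailfrom=paypal.com; dmarc=skipped\n"
    "Dkim-Signature: v=1; a=rsa-sha256; d=paypal.com; s=pp-dkim1; c=relaxed/relaxed; "
    "h=From:From:Subject:Date:To:MIME-Version:Content-Type; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "\n"
)

def org_domain(domain):
    # Simplification: last two labels; a real check uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_authres(value):
    """Split an Authentication-Results value into {method: (result, properties)}."""
    results = {}
    for part in value.split(";")[1:]:  # element 0 is the authserv-id
        tokens = re.sub(r"\([^)]*\)", " ", part).split()  # drop (comments)
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        results[method] = (result, dict(t.split("=", 1) for t in tokens[1:] if "=" in t))
    return results

def dkim_tags(value):
    """Parse the tag=value list of a DKIM-Signature header."""
    return dict(t.strip().split("=", 1) for t in value.split(";") if "=" in t)

def analyze(raw):
    msg = message_from_string(raw)
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    res = parse_authres(msg["Authentication-Results"])
    spf, spf_props = res.get("spf", ("none", {}))
    mailfrom = spf_props.get("smtp.mailfrom", "").rpartition("@")[2]
    dkim_d = dkim_tags(msg.get("DKIM-Signature", "")).get("d", "")
    return {
        "from_domain": from_dom,
        "spf": spf,
        "spf_aligned": spf == "pass" and org_domain(mailfrom) == org_domain(from_dom),
        "dkim_d_matches_from": bool(dkim_d) and org_domain(dkim_d) == org_domain(from_dom),
        "dmarc": res.get("dmarc", ("none", {}))[0],
        "sending_ip": res.get("iprev", ("", {}))[1].get("smtp.remote-ip", ""),
    }
```

`dkim_d_matches_from` only compares the signing domain with the From domain; it does not verify the signature, and the receiver's `Authentication-Results` line in the post records no `dkim=` result.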