It looks to me that Paypal is not sending the emails in a secure and verifiable method. Emails that are sent from a domain that's different than the from address are legitimately suspicious, especially when they contain financial keywords.
I recently received an email claiming to be from paypal (the SPF+DKIM passed) but inviting me to click on links in "epl.paypal-communication.com". How do I know this is not phishing? It certainly looks like phishing, and I certainly wouldn't click on those. But if it is not, how stupid must these guys be to use "paypal-communication.com"?
I'd really like to see a customizable threshold on what is and isn't spam. I've noticed a lot of mailing lists and things I did sign up for getting passed to junk; though periodically I try to mark them as "not spam", presumably enough other people mark similar messages as spam that my suggestions are overridden when new messages arrive. Something as simple as a slider to control how zealously the filter culls messages from the inbox might go a long way to making users feel more in control of the situation (whether such a control could be effective enough not to annoy users and have a real effect on the false positive rate is another question, so I admit there's no easy answer).
> “Emails that are sent from a domain that's different than the from address are legitimately suspicious”
That’s not how this works. The “from” email header has nothing to do with the actual sender due to the email standard. The actual sender is specified in the SMTP command.
This is why SPF and DKIM for example have nothing to do with “from” either. SPF refers to the sender in the SMTP command and DKIM signing can use the keys of a domain unrelated to “from” and it’s all legal.
It’s very easy actually to spoof the “From” header and Gmail won’t complain.
That “via” information you’re seeing is just another header that doesn’t have much to do with Gmail. If you’re seeing it, that’s because the sender wants you to see it.
Also, every website asks you to check the spam folder if the verification mail hasn't shown after a couple of minutes, it's not like you lost it forever.
I use a redirection service and use a unique address for paypal. And I have to change that periodically because it leaks on to spam lists. In $current_year there's absolutely no reason for them to be sending your actual email address to anyone outside their company.
Now, that shouldn't be something Google takes into account, but given that Paypal is inexcusably lax in how they manage customer privacy, my inclination is they're not sticking to best practices as a mass sender and are running afoul of Google's spam filters as a result.
BTW, if you use a redirection service and thus have unique emails for all companies you correspond with, you know those emails are private and won't get spam. (Or you turn them off.) It works well enough that I have a gmail rule that blanket prevents them from being filtered.
Gmail also inappropriately spam-filters Stripe emails. I have received thousands of these messages and have a rule set up to file them away (skip inbox, apply a label). I don't want them in my inbox, but I like to know how many are coming in each day because it gives me a sense of payment flow for our most popular product.
You would think that gmail would be smart enough to realize that if I've received thousands of emails from an address and NEVER marked as spam/deleted, it probably isn't spam. Also, if I have a rule set up to file these messages (and keep unread), that should also throw a flag that it's not spam. But I've had to go in and create another special rule to never have this mail marked as spam.
I then had to broaden that rule because the Stripe customer service emails started getting marked as spam...
I'm sorry to hear that your Stripe emails are being spam-filtered. I work for Stripe as part of their engineering team responsible for email deliverability and would love to see some examples of email that has been incorrectly classified so we can try to prevent this from happening in the future. Would you be able to forward a few examples with full headers[0] to zack [at] stripe [dot] com?
I've noticed in the past if I delete emails without reading (as is often the case when the subject and first line is enough, i.e. transactional emails) Gmail will start classifying them as spam. I'm very careful now to 'mark as read' instead.
It is because of the DMARC setup that Paypal has put in place which is doing exactly what they want it to do which is put any non verified and in alignment (not coming from the paypal.com domain) - this is why you see the via in the from.
The current DMARC policy for Paypal.com is
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.com
This doesn't sound perfectly accurate for my case (since the DMARC policy seems to be for paypal.co.uk, not .com), but quite related / perhaps the other way around?
I see in the headers:
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass [email protected] header.s=pp-dkim1 header.b=UsIpWUs9;
spf=pass (google.com: domain of [email protected] designates 173.0.84.226 as permitted sender) [email protected];
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.co.uk
Received: from mx0.slc.paypal.com (mx1.slc.paypal.com. [173.0.84.226])
by mx.google.com with ESMTPS id q195si2496022ita.120.2019.02.05.13.10.37
You'd think so, but no: even internal G Suite emails that never leave the domain are still subject to Gmail's generic all-users spam filters. And even as a paying user, you can't get out of them.
It'd be really great if they allowed G Suite admins to have fine-grained control over what is and isn't SPAM in their own domain. Alas, even that's subject to consumer Gmail spam filters.
The gmail filters have been wonky for the last week or so. I keep getting messages marked as "potentially unsafe". Messages I've been getting daily for years and have marked as high priority.
So either they introduced a bug or flipped a switch to make it a lot more restrictive.
This happens even in the best families. Yesterday Outlook365 informed me that there's a suspicious and blocked message coming from Github. And yep, that was the email confirmation I should've received from the real Github. I would assume that whitelisting bought services could be a thing within Microsoft...
SPF and DKIM test the "Envelope-From" address that is part of the SMTP conversation, and separate from the "From" that is typically displayed in the message. If you examine the full "Return-Path:" header you will see that it was not sent from your friend's address after all.
Everyone is receiving those (bogus) phishing emails.
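The comments above distinguish the visible "From:" header from the identities that SPF (the envelope sender) and DKIM (the signing domain) actually authenticate, and DMARC is the check that ties them together through alignment. The following is an added example, not part of any comment in the thread, that reads an Authentication-Results value and reports which passing mechanisms authenticated the From: domain. The function names, the small public-suffix set and the sample headers are constructed for illustration.

```python
import re

# Assumption: tiny stand-in for the Public Suffix List (real checks need the full list).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def org_domain(domain):
    """Organizational domain = public suffix plus one label (relaxed alignment unit)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def domain_of(identity):
    """'Name <user@example.com>', 'user@example.com' or '@example.com' -> domain."""
    return identity.rsplit("@", 1)[-1].strip(" <>").lower()

def parse_auth_results(value):
    """Yield (method, result, properties) per clause of an Authentication-Results value."""
    value = re.sub(r"\([^)]*\)", "", value)  # drop parenthesised comments
    for clause in value.split(";"):
        m = re.match(r"\s*([\w-]+)=(\w+)(.*)", clause, re.S)
        if m:
            props = dict(re.findall(r"([\w.]+)=(\S+)", m.group(3)))
            yield m.group(1).lower(), m.group(2).lower(), props

def aligned_passes(from_header, auth_results, strict=False):
    """Return the mechanisms that passed AND authenticated the From: header's domain."""
    from_dom = domain_of(from_header)
    passes = set()
    for method, result, props in parse_auth_results(auth_results):
        if method == "spf":
            ident = props.get("smtp.mailfrom")  # envelope sender (Return-Path)
        elif method == "dkim":
            ident = props.get("header.d") or props.get("header.i")  # signing domain
        else:
            continue
        if result != "pass" or not ident:
            continue
        auth_dom = domain_of(ident)
        same = auth_dom == from_dom if strict else org_domain(auth_dom) == org_domain(from_dom)
        if same:
            passes.add(method)
    return passes

# Constructed sample headers (reserved example domains, documentation IP address).
ALIGNED = ("mx.example.org; dkim=pass header.i=@example.co.uk header.s=sel1; "
           "spf=pass (domain of service@example.co.uk designates 192.0.2.10 as permitted sender) "
           "smtp.mailfrom=service@example.co.uk; dmarc=pass (p=REJECT) header.from=example.co.uk")
UNALIGNED = ("mx.example.org; dkim=pass header.i=@example.net header.s=sel1; "
             "spf=pass smtp.mailfrom=bounce@example.net")
SUBDOMAIN = "mx.example.org; dkim=fail header.i=@example.com; spf=pass smtp.mailfrom=bounce@mail.example.com"
```

An empty result for a message whose SPF and DKIM both say "pass" means neither check vouches for the domain shown in From:, which is the case DMARC is designed to catch.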
It is crowdsourced; the best thing you can do is mark it as not spam. The most likely explanation for what happened here is PayPal are a bunch of filthy spammers, lots of users marked their mail as spam, and they use the same IPs or envelope senders to send service messages. Always use gold-plated IPs and return addresses for critical service messages.
While the tone of this post was a little tongue in cheek, it is certainly the most likely answer. PayPal does send marketing/sales traffic on the same pipe as their transactional traffic, which as expected ends up with lots of spam flags. i.e. I didn't ask for a line of credit.
Side note:
There are only 3 major webmail/freemail services left, so running afoul can be a very serious issue. Speaking about the postmaster level.
GMail, Verizon, Microsoft
Verizon might be bigger than Gmail at this point with acquisitions.
[+] [-] abraham|7 years ago|reply
https://support.google.com/mail/answer/1311182?hl=en
[+] [-] cm2187|7 years ago|reply
[+] [-] WorldMaker|7 years ago|reply
[+] [-] dwringer|7 years ago|reply
[+] [-] nh2|7 years ago|reply
> '[email protected]' via Paypal-Admins <[email protected]>
namely:
> 1) The domain it was sent from doesn't match the domain in the "From:" address'
> 2) The email was sent to a Google Group from a domain that has a "p=reject or p=quarantine" DMARC policy
In my case, it's (2): The target email is a Google Group email (e.g. [email protected]).
Should that make the email more spammy though?
[+] [-] unknown|7 years ago|reply
[deleted]
[+] [-] bad_user|7 years ago|reply
[+] [-] ASalazarMX|7 years ago|reply
[+] [-] ben509|7 years ago|reply
[+] [-] gleb|7 years ago|reply
[+] [-] gnicholas|7 years ago|reply
[+] [-] zackbleach|7 years ago|reply
[0] https://support.google.com/mail/answer/29436?hl=en
[+] [-] hnick|7 years ago|reply
[+] [-] futureastronaut|7 years ago|reply
[+] [-] thedrake|7 years ago|reply
[+] [-] nh2|7 years ago|reply
> this is why you see the via in the from
I am not sure, it may also appear due to what I said in https://news.ycombinator.com/item?id=19100315
[+] [-] nh2|7 years ago|reply
https://github.com/nh2/gmail-spamfilters-paypal-security-mes...
[+] [-] type0|7 years ago|reply
Other Gmail users!
[+] [-] hsk0823|7 years ago|reply
[+] [-] hsk0823|7 years ago|reply
[+] [-] VRay|7 years ago|reply
[+] [-] orbitingpluto|7 years ago|reply
[+] [-] jedberg|7 years ago|reply
[+] [-] hsk0823|7 years ago|reply
[+] [-] trm42|7 years ago|reply
[+] [-] mikelward|7 years ago|reply
That would be very useful information.
[+] [-] dzhiurgis|7 years ago|reply
They seem to have SPF and DKIM setup, but a friend keeps receiving extortion emails (with his old passwords from probably old password leaks).
[+] [-] haroldp|7 years ago|reply
[+] [-] shereadsthenews|7 years ago|reply
[+] [-] frankydp|7 years ago|reply
[+] [-] hprotagonist|7 years ago|reply
(Are phishing attempts so similar to real things now that the ROC shifts?)
[+] [-] xianb|7 years ago|reply