
The story of PayPal and the wayward e-mail

It was a quickly cooling night after an unexpectedly sunny day at the end of September when I was reading the e-mail inbox of my CCCC address. Reading the last mail, I was confronted with a message from category@paypal.com referencing the subject of a mail I had recently sent. This made me wonder: scammers trying to mask their phishing attempts or UBE as messages seeming to originate from PayPal is old news to anyone who has bothered checking his inbox or spam filters in the last decade or so, but what caught my attention was that the subject was taken from a mail I had sent to a mailing list. This did not seem all too unlikely, seeing how I regularly get spammed on all user IDs of my GPG public keyring, but it was (and still is, actually) rather odd. So I checked the mail.

From category@paypal.com Sun Sep 23 01:17:52 2007
Return-path: <category@paypal.com>
Envelope-to: towo@koeln.ccc.de
Delivery-date: Sun, 23 Sep 2007 01:17:52 +0200
Received: from mx1.phx.paypal.com ([66.211.168.231]
helo=phx01imail03.phx.paypal.com) by eternity.koeln.ccc.de with esmtp (Exim
4.50) id 1IZEES-00010K-K9 for towo@koeln.ccc.de; Sun, 23 Sep 2007 01:17:52
+0200
DomainKey-Signature: s=dkim; d=paypal.com; c=nofws; q=dns;
h=Thread-Topic:Content-Class:Received:Message-ID:
X-MimeOLE:Date:From:To:Subject:MIME-Version:
Content-Type:Content-Transfer-Encoding:X-Mailer:
Return-Path:X-OriginalArrivalTime;
b=Zid/bPlpxsC2tL+3bTApCi+VUjUI6UMQK+BMSEhAqE9x/CUu2r3fY
sDpPMVCTs5WnFhPmlg0gEqN46IJOMI6Yq9MFnzWqaXYX9dPAE9Z4g
VGwq2wtmHUCfZ3P0JR2uuzWvEbfY7e7P30nT3TZyYEo9TjT2zJpu/ +GU52FkQTxC0=;
Thread-Topic: Warnung vor cacert.org (KMM3385442I96L0KM) :ppk1
Content-Class: urn:content-classes:message
Received: from oma-kaaas-005 ([10.248.144.75]) by
usa-entot-002.corp.ebay.com with Microsoft SMTPSVC(5.0.2195.6713); Sat, 22
Sep 2007 18:20:47 -0500
Message-ID: <30057323.1190503245854.JavaMail.kanauser@oma-kaaas-005>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1896
Date: Sat, 22 Sep 2007 18:20:46 -0500 (CDT)
From: <category@paypal.com>
To: "Tobias Wolter" <towo@koeln.ccc.de>
Subject: Re: Warnung vor cacert.org (KMM3385442I96L0KM) :ppk1
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
X-Mailer: KANA Response 9.5.0.31
X-OriginalArrivalTime: 22 Sep 2007 23:20:47.0312 (UTC)
FILETIME=[34D80D00:01C7FD6F]
X-SA-Do-Not-Run: Yes
X-Verified-Sender: Yes
X-SA-Exim-Connect-IP: 66.211.168.231
X-SA-Exim-Mail-From: category@paypal.com
X-SA-Exim-Scanned: No (on eternity.koeln.ccc.de); SAEximRunCond expanded to
false
X-Evolution-Source: imap://towo@eternity.koeln.ccc.de/
Content-Transfer-Encoding: 8bit

Dear Tobias Wolter,

Thank you for contacting PayPal.

Unfortunately, we are unable to determine the nature of your inquiry. In
order to better assist you, we need you to provide us with the buyer
/seller's email address, along with a case number or other pertinent
information pertaining to this case. We do apologize for any
inconvenience.

Thank you for your cooperation and we look forward to your reply.

If you have any further questions, please feel free to contact us again.

Sincerely,
Cynthia
PayPal Resolution Services
PayPal, an eBay Company

Original Message Follows:
————————
On Sunday, ##.##.####, ##:## +####, Steffen Dettmer wrote:
> Now they apparently want to define security policies after the fact (!)
> in order to get into Firefox. How on earth is that supposed to work
> RETROACTIVELY, or is there a new root certificate?
>
> Furthermore, there are certificates whose Subject information contains
> only a hostname but no reference to a legally identifiable institution.
>
> All of this is formally and security-wise untenable.
But the entire concept of X.### certificates is affected by this crude
development problem. The only difference between CAcert and any other
arbitrary CA is that CAcert costs nothing. In every case you hand your
trust over to someone else, and from there on, security is by definition
only partially achievable.
--towo
[ Attachment # Type: application/pgp-signature Name: signature.asc]
[ Attachment #.# Type: application/pgp-signature]

[ Attachment # Type: application/pgp-signature Name: signature.asc]

And what do you know... It seems to be rather authentic. The Received: lines check out (or are well faked), and even the numbering scheme seems to stem from PayPal's request tracker. Also note that there are no spelling mistakes in the boilerplate text, and that a script seems to thoughtfully replace potentially incriminating digits (those little bastards, always sneaking into mails!) with aesthetically pleasing hash marks.
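The header check done by hand above can be scripted. The following is an added example, not code from the original post: it parses the first mail's trace headers (copied from above, with continuation lines indented and the DomainKey signature value replaced by a placeholder) and checks that the topmost Received: hop, the peer IP the local Exim recorded, the HELO name and the DomainKey signing domain all agree with the claimed sender. Everything below the topmost hop is sender-supplied and the signature itself is not verified here, so those parts are only checked for plausibility.

```python
import re
from email import message_from_string
from ipaddress import ip_address
# Constructed sample: the first mail's trace headers, signature value replaced.
SAMPLE = """\
Return-path: <category@paypal.com>
Received: from mx1.phx.paypal.com ([66.211.168.231]
 helo=phx01imail03.phx.paypal.com) by eternity.koeln.ccc.de with esmtp (Exim
 4.50) id 1IZEES-00010K-K9 for towo@koeln.ccc.de; Sun, 23 Sep 2007 01:17:52
 +0200
DomainKey-Signature: s=dkim; d=paypal.com; c=nofws; q=dns; b=PLACEHOLDER;
Received: from oma-kaaas-005 ([10.248.144.75]) by
 usa-entot-002.corp.ebay.com with Microsoft SMTPSVC(5.0.2195.6713); Sat, 22
 Sep 2007 18:20:47 -0500
From: <category@paypal.com>
X-SA-Exim-Connect-IP: 66.211.168.231

"""
HOP_RE = re.compile(
    r"from\s+(\S+)\s+\(\[?([\d.]+)\]?(?:\s+helo=(\S+))?\)\s+by\s+(\S+)")

def parse_hops(msg):
    """Received hops top-down; hops[0] is the one our own MTA wrote."""
    hops = []
    for raw in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(raw.split()))  # unfold the header first
        if m:
            hops.append({"from": m.group(1), "ip": m.group(2),
                         "helo": m.group(3) or m.group(1), "by": m.group(4)})
    return hops

def triage(raw_mail, our_mx):
    """Offline consistency checks; True means the header agrees with the claim."""
    msg = message_from_string(raw_mail)
    hops = parse_hops(msg)
    top = hops[0] if hops else {"by": "", "ip": "", "helo": ""}
    sender_domain = msg["From"].rsplit("@", 1)[-1].strip("<> ")
    sig = re.search(r"\bd=([^;\s]+)", msg.get("DomainKey-Signature", ""))
    return {
        # the topmost hop must be ours, otherwise the whole chain was pasted in
        "top_hop_is_ours": top["by"] == our_mx,
        # the peer IP in that hop must equal the TCP peer our Exim recorded
        "connect_ip_matches": top["ip"] == msg.get("X-SA-Exim-Connect-IP"),
        # the HELO name the peer offered should sit under the sender's domain
        "helo_in_sender_domain": top["helo"].endswith("." + sender_domain),
        # the DomainKey signing domain (d=) should match the From domain
        "signing_domain_matches": bool(sig) and sig.group(1) == sender_domain,
        # inner hops are sender-supplied; a private relay IP is plausible, not proof
        "inner_hops_private": all(ip_address(h["ip"]).is_private for h in hops[1:]),
    }
```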

Strange shit. I replied; let’s see what happens.

September 23rd: Lo and behold, there was a reply:

Return-path: <category@paypal.com>
Envelope-to: towo@koeln.ccc.de
Delivery-date: Sun, 23 Sep 2007 16:56:54 +0200
Received: from mx1.phx.paypal.com ([66.211.168.231]
helo=phx01imail03.phx.paypal.com) by eternity.koeln.ccc.de with esmtp (Exim
4.50) id 1IZStC-00074y-1H for towo@koeln.ccc.de; Sun, 23 Sep 2007 16:56:54
+0200
DomainKey-Signature: s=dkim; d=paypal.com; c=nofws; q=dns;
h=Thread-Topic:Content-Class:Received:Message-ID:
X-MimeOLE:Date:From:To:Subject:MIME-Version:
Content-Type:Content-Transfer-Encoding:X-Mailer:
Return-Path:X-OriginalArrivalTime;
b=oHyWWASLC9BdnFKCIoYuhdAvrIzwNLwSqeLKlmdtsblKs/7q44RTj
4U6syRHlPPe3hNgXEUlhmp2ZCJM4+oh7UTr4M3/H0+CEEnm47d4K2
PKXOl4ZnKHFGEZx0oHFlibru3zNGlADolPbHwH0hxTcp0ffcCw7MN Sk/CbeOFmkME=;
Thread-Topic: Warnung vor cacert.org (KMM3505931I96L0KM) :ppk1
Content-Class: urn:content-classes:message
Received: from oma-kaaas-005 ([10.248.144.75]) by
usa-entot-002.corp.ebay.com with Microsoft SMTPSVC(5.0.2195.6713); Sun, 23
Sep 2007 09:59:42 -0500
Message-ID: <996629.1190559582213.JavaMail.kanauser@oma-kaaas-005>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1896
Date: Sun, 23 Sep 2007 09:59:42 -0500 (CDT)
From: <category@paypal.com>
To: "Tobias Wolter" <towo@koeln.ccc.de>
Subject: Re: Warnung vor cacert.org (KMM3505931I96L0KM) :ppk1
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: KANA Response 9.5.0.31
X-OriginalArrivalTime: 23 Sep 2007 14:59:42.0319 (UTC)
FILETIME=[5F1FEFF0:01C7FDF2]
X-SA-Do-Not-Run: Yes
X-Verified-Sender: Yes
X-SA-Exim-Connect-IP: 66.211.168.231
X-SA-Exim-Mail-From: category@paypal.com
X-SA-Exim-Scanned: No (on eternity.koeln.ccc.de); SAEximRunCond expanded to
false
X-Evolution-Source: imap://towo@eternity.koeln.ccc.de/

Dear Tobias Wolter,

Thanks for writing to us. I appreciate the opportunity to assist you
with your questions.

Business and Premier account holders receive Premium Customer Service,
seven days a week from our Business and Premier account specialists. Our
team is specifically trained to accommodate the needs of premium account
members. There are a number of ways to contact specialists:

· By phone: 08707 307 191

· By Email:

1. Log in to your account at https://www.paypal.co.uk/

2. Click the 'Help' link in the upper right-hand corner of any
PayPal page

3. Click the 'Contact Us' link

4. Select 'Contact Customer Service' for help by email or
'Service Centre' for help by phone

· By post:
PayPal Europe
P.O. Box 9473
Dublin 15
Ireland
For future reference, this information is also located in the Help
Centre. To locate the PayPal Help Centre please follow these
instructions:

1. Click https://www.paypal.co.uk/help

2. Go to 'Contact Us' under Categories on the Help Centre page

Thank you for using PayPal for your online payment needs.

Sincerely,
Scott
PayPal, an eBay Company

Copyright © 1999-2007 PayPal. All rights reserved.
PayPal (Europe) S.à r.l. & Cie, S.C.A.
Société en Commandite par Actions
Registered Office: 5th Floor 22-24 Boulevard Royal L-2449, Luxembourg
RCS Luxembourg B 118 349

Original Message Follows:
————————
On Saturday, ##.##.####, ##:## -####, category@paypal.com wrote:
> Unfortunately, we are unable to determine the nature of your inquiry. In
> order to better assist you, we need you to provide us with the buyer
> /seller's email address, along with a case number or other pertinent
> information pertaining to this case. We do apologize for any
> inconvenience.
>
> Thank you for your cooperation and we look forward to your reply.
>
> If you have any further questions, please feel free to contact us again.

Yeah, I'm really interested to know why you boilerplate (since my German
obviously didn't faze you in any regard) me with a mailing list posting
that seems to have somehow found a way into your request tracker.

Care to explain?

For completeness, my supposed original message follows...
> Original Message Follows:
> ————————
> On Sunday, ##.##.####, ##:## +####, Steffen Dettmer wrote:
> > Now they apparently want to define security policies after the fact (!)
> > in order to get into Firefox. How on earth is that supposed to work
> > RETROACTIVELY, or is there a new root certificate?
> >
> > Furthermore, there are certificates whose Subject information contains
> > only a hostname but no reference to a legally identifiable institution.
> >
> > All of this is formally and security-wise untenable.
> But the entire concept of X.### certificates is affected by this crude
> development problem. The only difference between CAcert and any other
> arbitrary CA is that CAcert costs nothing. In every case you hand your
> trust over to someone else, and from there on, security is by definition
> only partially achievable.
> --towo
> [ Attachment # Type: application/pgp-signature Name: signature.asc]
> [ Attachment #.# Type: application/pgp-signature]
>
> [ Attachment # Type: application/pgp-signature Name: signature.asc]

--towo

P.S.: category@paypal.com sounds like a serious mail system charlie
foxtrot for a support address.

[ Attachment # Type: application/pgp-signature Name: signature.asc]

Seems like no-one there is keen on being supportive in the least.

2 Comments

  1. Peter says:

    Found your website through google while checking out the email server of a paypal "support" (I use the term loosely) person via header info.
    I was querying their sending of an email saying I would soon receive a replacement debit card (I don't have one, nor do I want one), and all they seem to say is that it was a phishing email, whereas the server is clearly a paypal server, and the only email link is to a subdomain of https://paypal (not spoofed).
    Like you I got boilerplate responses.

  2. Escovan says:

    I received a similar e-mail, contacted Paypal Support Netherlands and was kindly instructed to forward the full mail including headers to spoof@paypal.com.
    Meanwhile I found this website, so I think there's either: someone with awesome paypal-mail-faking skills, which to me seems odd, given the continuous effort by PayPal to have their systems secured; or there simply is someone inside the organisation or a former employee that can fake these mails through inside information.
