The story of PayPal and the wayward e-mail

It was a quickly cooling night after an unexpectedly sunny day at the end of September when I was reading the inbox of my CCCC address. The last mail was from category@paypal.com and referenced the subject of a mail I had recently sent. That made me wonder. Scammers dressing up their phishing attempts or UBE as messages originating from PayPal is old news to anyone who has bothered checking his inbox or spam filters in the last decade or so, but what caught my attention was that the subject belonged to a mail I had sent to a mailing list. That in itself did not seem all too unlikely, seeing how I regularly get spammed on all user IDs of my GPG public keyring, but it was (and still is, actually) rather odd. So I checked the mail.

From category@paypal.com Sun Sep 23 01:17:52 2007
Return-path: <category@paypal.com>
Envelope-to: towo@koeln.ccc.de
Delivery-date: Sun, 23 Sep 2007 01:17:52 +0200
Received: from mx1.phx.paypal.com (1
helo=phx01imail03.phx.paypal.com) by eternity.koeln.ccc.de with esmtp (Exim
4.50) id 1IZEES-00010K-K9 for towo@koeln.ccc.de; Sun, 23 Sep 2007 01:17:52
+0200
DomainKey-Signature: s=dkim; d=paypal.com; c=nofws; q=dns;
h=Thread-Topic:Content-Class:Received:Message-ID:
X-MimeOLE:Date:From:To:Subject:MIME-Version:
Content-Type:Content-Transfer-Encoding:X-Mailer:
Return-Path:X-OriginalArrivalTime;
b=Zid/bPlpxsC2tL+3bTApCi+VUjUI6UMQK+BMSEhAqE9x/CUu2r3fY
sDpPMVCTs5WnFhPmlg0gEqN46IJOMI6Yq9MFnzWqaXYX9dPAE9Z4g
VGwq2wtmHUCfZ3P0JR2uuzWvEbfY7e7P30nT3TZyYEo9TjT2zJpu/+GU52FkQTxC0=;
Thread-Topic: Warnung vor cacert.org (KMM3385442I96L0KM) :ppk1
Content-Class: urn:content-classes:message
Received: from oma-kaaas-005 (2) by
usa-entot-002.corp.ebay.com with Microsoft SMTPSVC(5.0.2195.6713); Sat, 22
Sep 2007 18:20:47 -0500
Message-ID: <30057323.1190503245854.JavaMail.kanauser@oma-kaaas-005>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1896
Date: Sat, 22 Sep 2007 18:20:46 -0500 (CDT)
From: <category@paypal.com>
To: "Tobias Wolter" <towo@koeln.ccc.de>
Subject: Re: Warnung vor cacert.org (KMM3385442I96L0KM) :ppk1
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
X-Mailer: KANA Response 9.5.0.31
X-OriginalArrivalTime: 22 Sep 2007 23:20:47.0312 (UTC)
FILETIME=[34D80D00:01C7FD6F]
X-SA-Do-Not-Run: Yes
X-Verified-Sender: Yes
X-SA-Exim-Connect-IP: 66.211.168.231
X-SA-Exim-Mail-From: category@paypal.com
X-SA-Exim-Scanned: No (on eternity.koeln.ccc.de); SAEximRunCond expanded to
false
X-Evolution-Source: imap://towo@eternity.koeln.ccc.de/
Content-Transfer-Encoding: 8bit

Dear Tobias Wolter,

Thank you for contacting PayPal.

Unfortunately, we are unable to determine the nature of your inquiry. In
order to better assist you, we need you to provide us with the buyer
/seller’s email address, along with a case number or other pertinent
information pertaining to this case. We do apologize for any
inconvenience.

Thank you for your cooperation and we look forward to your reply.

If you have any further questions, please feel free to contact us again.

Sincerely,
Cynthia
PayPal Resolution Services
PayPal, an eBay Company

Original Message Follows:
————————
On Sunday, ##.##.####, ##:## +####, Steffen Dettmer wrote:
> Now it seems they want to lay down security policies after the fact (!)
> in order to get into Firefox. How on earth is that supposed to work
> RETROACTIVELY, or is there a new root certificate?
>
> Furthermore, there are certificates whose Subject information contains
> nothing but a hostname, with no reference to a legally identifiable
> entity.
>
> All of this is untenable, both formally and from a security standpoint.
But the whole concept of X.### certificates suffers from this fundamental
design problem. The only difference between CAcert and any other CA is
that CAcert costs nothing. In every case you hand your trust over to
someone else, and from that point on security is, by definition, only
achievable to a limited extent.
-towo
[ Attachment # Type: application/pgp-signature Name: signature.asc]
[ Attachment #.# Type: application/pgp-signature]

[ Attachment # Type: application/pgp-signature Name: signature.asc]

And what do you know… It seems to be rather authentic. The Received: lines check out (or are well faked), the mail carries a DomainKey-Signature for d=paypal.com, and even the numbering scheme in the subject looks like it comes from PayPal's request tracker. Also note that there are no spelling mistakes in the boilerplate text, and that a script seems to have thoughtfully replaced potentially incriminating digits (those little bastards, always sneaking into mails!) with aesthetically pleasing hash marks.
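
The checks done by eye above can be scripted. The following is an added example and not part of the original post: it parses a header block, walks the Received: hops, splits the DomainKey-Signature into its tags and derives the DNS name of the public key it would be verified against (for DomainKeys that is `<selector>._domainkey.<domain>`, so `s=dkim; d=paypal.com` points at `dkim._domainkey.paypal.com`), compares the outermost hop's address with the X-SA-Exim-Connect-IP that the local Exim recorded, and extracts the KANA ticket id from the subject. The sample header block is reconstructed from the first mail above; the bracketed address in the outer Received line is copied from X-SA-Exim-Connect-IP (the post shows that line with the address elided), the inner hop's address is a documentation-range placeholder, and the ticket-id pattern is inferred from the two ids visible on this page. It does not verify the signature itself; that needs the DNS record and the message body.

```python
"""Triage the headers of a suspect mail: Received chain, DomainKeys tags, ticket id.

Added example, not from the original post. It returns the facts a reader
would otherwise check by eye; it does not verify the DomainKeys signature.
"""
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed sample: the first PayPal mail's headers, trimmed to the fields
# inspected here. Assumptions: the bracketed address in the outer Received
# line is copied from X-SA-Exim-Connect-IP (elided in the post); the inner
# hop's address is an RFC 5737 documentation-range placeholder.
SAMPLE_HEADERS = """\
Return-path: <category@paypal.com>
Envelope-to: towo@koeln.ccc.de
Received: from mx1.phx.paypal.com ([66.211.168.231]
\thelo=phx01imail03.phx.paypal.com) by eternity.koeln.ccc.de with esmtp (Exim
\t4.50) id 1IZEES-00010K-K9 for towo@koeln.ccc.de; Sun, 23 Sep 2007 01:17:52
\t+0200
DomainKey-Signature: s=dkim; d=paypal.com; c=nofws; q=dns;
\th=Thread-Topic:Content-Class:Received:Message-ID:
\tX-MimeOLE:Date:From:To:Subject:MIME-Version:
\tContent-Type:Content-Transfer-Encoding:X-Mailer:
\tReturn-Path:X-OriginalArrivalTime;
\tb=Zid/bPlpxsC2tL+3bTApCi+VUjUI6UMQK+BMSEhAqE9x/CUu2r3fYsDpPMVCTs5WnFhPmlg0gEqN46IJOMI6Yq9MFnzWqaXYX9dPAE9Z4gVGwq2wtmHUCfZ3P0JR2uuzWvEbfY7e7P30nT3TZyYEo9TjT2zJpu/+GU52FkQTxC0=;
Received: from oma-kaaas-005 ([192.0.2.10]) by
\tusa-entot-002.corp.ebay.com with Microsoft SMTPSVC(5.0.2195.6713); Sat, 22
\tSep 2007 18:20:47 -0500
Message-ID: <30057323.1190503245854.JavaMail.kanauser@oma-kaaas-005>
From: <category@paypal.com>
To: "Tobias Wolter" <towo@koeln.ccc.de>
Subject: Re: Warnung vor cacert.org (KMM3385442I96L0KM) :ppk1
X-Mailer: KANA Response 9.5.0.31
X-SA-Exim-Connect-IP: 66.211.168.231

"""

# "from <helo> (<comment>) by <host>"; the comment, when present, is where the
# receiving MTA records the connecting address in square brackets.
RECEIVED_RE = re.compile(
    r'from\s+(?P<helo>\S+)(?P<comment>\s+\([^)]*\))?\s+by\s+(?P<by>\S+)', re.I)
IP_RE = re.compile(r'\[([0-9a-fA-F.:]+)\]')
# Ticket-id shape inferred from the two ids visible in the post (assumption).
TICKET_RE = re.compile(r'KMM\d+I\d+L\d+KM')


def unfold(value):
    """Collapse header folding (line break plus leading whitespace) into spaces."""
    return ' '.join(str(value).split())


def parse_received(value):
    """Extract presented hostname, recorded connecting address and receiving host
    from one Received: header; unparseable lines are kept so the hop count stays honest."""
    text = unfold(value)
    m = RECEIVED_RE.search(text)
    if not m:
        return {'raw': text, 'helo': None, 'ip': None, 'by': None}
    ip = IP_RE.search(m.group('comment') or '')
    return {'raw': text, 'helo': m.group('helo'),
            'ip': ip.group(1) if ip else None, 'by': m.group('by')}


def parse_domainkey(value):
    """Split a DomainKey-Signature into tag=value pairs; h= becomes a list of names."""
    tags = {}
    for item in unfold(value).split(';'):
        tag, sep, val = item.strip().partition('=')
        if sep:
            tags[tag.strip()] = val.strip()
    if 'h' in tags:
        tags['h'] = [h.strip() for h in tags['h'].split(':') if h.strip()]
    return tags


def triage(raw_headers):
    """Return hops, signature tags, key record name, ticket id and plain-text findings."""
    msg = HeaderParser().parsestr(raw_headers)
    hops = [parse_received(v) for v in msg.get_all('Received', [])]
    dk = parse_domainkey(msg.get('DomainKey-Signature', ''))
    from_domain = parseaddr(unfold(msg.get('From', '')))[1].rpartition('@')[2].lower()
    connect_ip = msg.get('X-SA-Exim-Connect-IP', '').strip() or None
    ticket = TICKET_RE.search(unfold(msg.get('Subject', '')))
    findings = []
    # DomainKeys (RFC 4870) publishes the key at <selector>._domainkey.<domain>.
    key_record = f"{dk['s']}._domainkey.{dk['d']}" if {'s', 'd'} <= dk.keys() else None
    if key_record:
        findings.append(f'DomainKeys key record to fetch: {key_record} (TXT)')
        findings.append('From: domain %s signing domain d=%s' % (
            'matches' if from_domain == dk['d'].lower() else 'differs from', dk['d']))
    else:
        findings.append('no usable DomainKey-Signature')
    if hops and connect_ip:
        findings.append('outermost Received address %s the recorded connect IP %s' % (
            'matches' if hops[0]['ip'] == connect_ip else 'differs from', connect_ip))
    return {'hops': hops, 'domainkey': dk, 'key_record': key_record,
            'from_domain': from_domain, 'connect_ip': connect_ip,
            'ticket': ticket.group(0) if ticket else None, 'findings': findings}


if __name__ == '__main__':
    report = triage(SAMPLE_HEADERS)
    for i, hop in enumerate(report['hops']):
        print(f"hop {i}: {hop['helo']} [{hop['ip']}] -> {hop['by']}")
    print('ticket:', report['ticket'])
    for line in report['findings']:
        print('-', line)
```

Run as a script it prints the hop list and the findings; the same functions take any header block pasted from a mail client's "show source" view.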

Strange shit. I replied; let’s see what happens.

September 23rd: Lo and behold, there was a reply:

Return-path: <category@paypal.com>
Envelope-to: towo@koeln.ccc.de
Delivery-date: Sun, 23 Sep 2007 16:56:54 +0200
Received: from mx1.phx.paypal.com (1
helo=phx01imail03.phx.paypal.com) by eternity.koeln.ccc.de with esmtp (Exim
4.50) id 1IZStC-00074y-1H for towo@koeln.ccc.de; Sun, 23 Sep 2007 16:56:54
+0200
DomainKey-Signature: s=dkim; d=paypal.com; c=nofws; q=dns;
h=Thread-Topic:Content-Class:Received:Message-ID:
X-MimeOLE:Date:From:To:Subject:MIME-Version:
Content-Type:Content-Transfer-Encoding:X-Mailer:
Return-Path:X-OriginalArrivalTime;
b=oHyWWASLC9BdnFKCIoYuhdAvrIzwNLwSqeLKlmdtsblKs/7q44RTj
4U6syRHlPPe3hNgXEUlhmp2ZCJM4+oh7UTr4M3/H0+CEEnm47d4K2
PKXOl4ZnKHFGEZx0oHFlibru3zNGlADolPbHwH0hxTcp0ffcCw7MNSk/CbeOFmkME=;
Thread-Topic: Warnung vor cacert.org (KMM3505931I96L0KM) :ppk1
Content-Class: urn:content-classes:message
Received: from oma-kaaas-005 (2) by
usa-entot-002.corp.ebay.com with Microsoft SMTPSVC(5.0.2195.6713); Sun, 23
Sep 2007 09:59:42 -0500
Message-ID: <996629.1190559582213.JavaMail.kanauser@oma-kaaas-005>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1896
Date: Sun, 23 Sep 2007 09:59:42 -0500 (CDT)
From: <category@paypal.com>
To: "Tobias Wolter" <towo@koeln.ccc.de>
Subject: Re: Warnung vor cacert.org (KMM3505931I96L0KM) :ppk1
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: KANA Response 9.5.0.31
X-OriginalArrivalTime: 23 Sep 2007 14:59:42.0319 (UTC)
FILETIME=[5F1FEFF0:01C7FDF2]
X-SA-Do-Not-Run: Yes
X-Verified-Sender: Yes
X-SA-Exim-Connect-IP: 66.211.168.231
X-SA-Exim-Mail-From: category@paypal.com
X-SA-Exim-Scanned: No (on eternity.koeln.ccc.de); SAEximRunCond expanded to
false
X-Evolution-Source: imap://towo@eternity.koeln.ccc.de/

Dear Tobias Wolter,

Thanks for writing to us. I appreciate the opportunity to assist you
with your questions.

Business and Premier account holders receive Premium Customer Service,
seven days a week from our Business and Premier account specialists. Our
team is specifically trained to accommodate the needs of premium account
members. There are a number of ways to contact specialists:

· By phone: 08707 307 191

· By Email:

1. Log in to your account at https://www.paypal.co.uk/

2. Click the 'Help' link in the upper right-hand corner of any
PayPal page

3. Click the 'Contact Us' link

4. Select 'Contact Customer Service' for help by email or
'Service Centre' for help by phone

· By post:
PayPal Europe
P.O. Box 9473
Dublin 15
Ireland
For future reference, this information is also located in the Help
Centre. To locate the PayPal Help Centre please follow these
instructions:

1. Click https://www.paypal.co.uk/help

2. Go to 'Contact Us' under Categories on the Help Centre page

Thank you for using PayPal for your online payment needs.

Sincerely,
Scott
PayPal, an eBay Company

Copyright © 1999-2007 PayPal. All rights reserved.
PayPal (Europe) S.à r.l. & Cie, S.C.A.
Société en Commandite par Actions
Registered Office: 5th Floor 22-24 Boulevard Royal L-2449, Luxembourg
RCS Luxembourg B 118 349

Original Message Follows:
————————
On Saturday, ##.##.####, ##:## -####, category@paypal.com wrote:
> Unfortunately, we are unable to determine the nature of your inquiry. In
> order to better assist you, we need you to provide us with the buyer
> /seller's email address, along with a case number or other pertinent
> information pertaining to this case. We do apologize for any
> inconvenience.
>
> Thank you for your cooperation and we look forward to your reply.
>
> If you have any further questions, please feel free to contact us again.

Yeah, I'm really interested to know why you boilerplate me (since my German
obviously didn't faze you in any regard) with a mailing list posting
that seems to have somehow found a way into your request tracker.

Care to explain?

For completeness, my supposed original message follows…
> Original Message Follows:
> ————————
> On Sunday, ##.##.####, ##:## +####, Steffen Dettmer wrote:
> > Now it seems they want to lay down security policies after the fact (!)
> > in order to get into Firefox. How on earth is that supposed to work
> > RETROACTIVELY, or is there a new root certificate?
> >
> > Furthermore, there are certificates whose Subject information contains
> > nothing but a hostname, with no reference to a legally identifiable
> > entity.
> >
> > All of this is untenable, both formally and from a security standpoint.
> But the whole concept of X.### certificates suffers from this fundamental
> design problem. The only difference between CAcert and any other CA is
> that CAcert costs nothing. In every case you hand your trust over to
> someone else, and from that point on security is, by definition, only
> achievable to a limited extent.
> -towo
> [ Attachment # Type: application/pgp-signature Name: signature.asc]
> [ Attachment #.# Type: application/pgp-signature]
>
> [ Attachment # Type: application/pgp-signature Name: signature.asc]

-towo

P.S.: category@paypal.com sounds like a serious mail system charlie
foxtrot for a support address.

[ Attachment # Type: application/pgp-signature Name: signature.asc]

Seems like no-one there is keen on being supportive in the least.

  1. 211.168.231
  2. 248.144.75
  3. 211.168.231
  4. 248.144.75