How can PayPal spoof emails so easily to say it comes from someone else?

  • When I receive a payment in PayPal, it sends me an email about it (pictured below). The problem is that the email is shown to be coming from the money sender's email address and not from PayPal itself, even though the real sender is PayPal.

    Email from paypal

    Here is the text that appears when I select "show original" in Gmail:

    From: "[email protected]" <[email protected]>  
    Sender: [email protected]
    

    So you can see that the real sender is PayPal.

    If PayPal can spoof the email sender so easily, and Gmail does not recognize it, does it mean that anybody can spoof the email sender address and Gmail will not recognize it?

    When I send emails to Gmail myself using telnet, the email comes with the warning:

    This message may not have been sent by: [email protected]

    Is this a security issue? Because if I am used to the fact that payment emails in PayPal appear to come from the money sender's email and not from PayPal, then the sender can just spoof the payment himself by sending a message like that from his email, and I may think that this is the real payment.

    Is this something specific to PayPal, or can anybody fool Gmail like that? And if anybody can, what is the exact method that PayPal is using to fool Gmail?

    Generally, don't trust the contents of any email that's not cryptographically signed. There are lots of things you can do to improve the default situation, but email is generally pretty bad at security. If you get a message from PayPal, go to PayPal and check it's correct, and don't use the links in the email in case it's from a scammer and for some reason slipped the net.

    I know, but it is not realistic. If I get an email from my friend, must I always call him and ask if he really did send the email? I used to think that gmail can recognize when email is from fake sender, so this situation with paypal is a surprise for me. What I want to know is whether this is something specific to paypal, or whether anybody can fool gmail like that. And if anybody can, what is the exact method that paypal is using to fool gmail?

    @Sunny88: "If I get an email from my friend, must I always call him and ask if he really did send the email?" In essence, you are absolutely correct. E-mail, at its core, is a plaintext, best-effort, store-and-forward, unauthenticated, trust-everyone protocol, and completely unsuitable for any sort of transactions where security and/or authenticity is desired. (I attribute the fact that it *is* used for such transactions down to general human laziness)

    (as to "doesn't happen": there are phishing attacks in the wild based on this; those go something a bit like this: "Hello, this is an e-mail message from your friend, [email protected], please run the attached executable, it contains a funny animation of dancing hamsters. Of course it's from me, Piskvor, and not from an impostor, trust me.")

    Ask your friend to set up GPG and sign all his messages. Then you won't have to worry.

    I have actually raised this with Paypal (no reply as yet). My email domain has DKIM setup and so emails sent by PayPal 'on my behalf' will in most likelihood be bounced by the recipient server. As to how they then know I've sent a payment I don't know...

  • Tom Leek (Correct answer, 10 years ago)

    Here is a dramatization of how the communication goes, when a mail is received anywhere.


    Context: an e-mail server, alone in a bay, somewhere in Moscow. The server just sits there idly, with an expression of expectancy.

    Server:
    Ah, long are the days of my servitude,
    That shall be spent in ever solitude,
    'Ere comes hailing from the outer rings
    The swift bearer of external tidings.

    A connection is opened.

    Server:
    An incoming client ! Perchance a mail
    To my guardianship shall be entrusted
    That I may convey as the fairest steed
    And to the recipient bring the full tale.

    220 mailserver.kremlin.ru ESMTP Postfix (Ubuntu)
    

    Welcome to my realm, net wanderer,
    Learn that I am a mighty mail server.
    How will you in this day be addressed
    Shall the need rise, for your name to be guessed ?

    Client:

    HELO whitehouse.gov
    

    Hail to thee, keeper of the networking,
    Know that I am spawned from the pale building.

    Server:

    250 mailserver.kremlin.ru
    

    The incoming IP address resolves through the DNS to "nastyhackerz.cn".

    Noble envoy, I am yours to command,
    Even though your voice comes from the hot plains
    Of the land beyond the Asian mountains,
    I will comply to your flimsiest demand.

    Client:

    MAIL FROM: [email protected]
    RCPT TO: [email protected]
    Subject: biggest bomb
    
    I challenge you to a contest of the biggest nuclear missile,
    you pathetic dummy ! First Oussama, then the Commies !
    .
    

    Here is my message, for you to send,
    And faithfully transmit on the ether;
    Mind the addresses, and name of sender
    That shall be displayed at the other end.

    Server:

    250 Ok
    

    So it was written, so it shall be done.
    The message is sent, and to Russia gone.

    The server sends the email as is, adding only a "Received:" header to mark the name which the client gave in its first command. Then the Third World War begins. The End.


    Commentary: there's no security whatsoever in email. All the sender and receiver names are indicative and there is no reliable way to detect spoofing (otherwise there would be much fewer spams).

    I'm liking the poetic Leek!

    Best. Answer. ***EVER.***

    Simple, massively tasteful, poetry if ever I saw it.

    I'm slightly offended by the references to communism.

    This is so good I signed up specifically to upvote this.

    Reminds me a bit of the Audigy one act irc play (some NSFW words)

    I think this is my favourite thing ever.

    lol, that's an awesome answer

    Dear sir, a non native English speaker may have to invest time in deciphering your poetic post in order to unravel the actual answer. With all due respect (And although the poem is awesome) poetry shouldn't be on Stack Exchange and the upvotes are giving newbies the wrong impression that such answers are acceptable.

    Hello Hello - I think Tom answered this creatively because the question is essentially an RTFM question. Tom's answer has saved it, and brought enjoyment to hundreds. SE is essentially an English speaking site, so while I understand your frustration, it is a bit unwarranted. Also - if newbies could answer like this I'd be very impressed :-)

    Dear @HelloWorld, poetry has been a widespread method to convey elaborate ideas since the Epic of Gilgamesh, about 4000 years ago. Confucius used poetry. The Odyssey is a famous poem full of philosophical content. It would be a shame if poetry became suddenly unacceptable. In fact, newbies (and seasoned users) should strive to learn to express their ideas elegantly.

    Also, I am not a native English speaker.

    This could be made into a rock opera (Bohemian Rhapsody like thing).

    It's actually even worse than this. The sender and recipient addresses appear **twice**: first in the `MAIL FROM` and `RCPT TO` envelope headers, and then again in the `DATA` payload headers `From` and `To`. Nothing in the SMTP protocol ensures that these two occurrences correspond, and in practice they in fact may be completely different addresses (for example, BCC addresses are often in `RCPT TO` even if they aren't displayed to the user). Many email clients only display the payload headers to the user, even though most email servers only use the envelope headers for routing and delivery.

    BTW, little prevents the incoming IP from resolving to `whitehouse.gov`. A less gullible server would check the reverse DNS of the remote IP address (and it should match the EHLO string) and countercheck if that name resolves back to the same IP. This would have helped here. Then again, nothing would have been wrong with a `HELO nasztyhackerz.cn` in the first place. But whitehouse.gov is protected by SPF, so the (not so gullible) server could notice that nastyhackerz.cn (or their IP address) is not authorized to send `FROM: [email protected]`

    I only do not fancy the outlook at the end. A world war over emails? Hmmm....

    I too joined this site to UV this answer. My favorite line is the response from the server `Ok`.
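    The following is an added example, not code from the post or from any of the commenters: it replays the client side of Tom Leek's dialogue as a receiving server would see it and applies the checks the comments above describe (comparing the envelope `MAIL FROM` with the payload `From:` header, forward-confirmed reverse DNS against the `HELO` name, and a simplified SPF evaluation). All DNS data, the client IP and the mailbox local parts are constructed placeholders held in offline lookup tables.

```python
import email
import ipaddress
from email.policy import default

# Constructed, offline DNS view: PTR, A and SPF TXT records (only ip4: and -all / ~all are modelled).
PTR = {"203.0.113.7": "mail.nastyhackerz.cn"}
A = {"mail.nastyhackerz.cn": "203.0.113.7", "whitehouse.gov": "198.51.100.1"}
SPF = {"whitehouse.gov": "v=spf1 ip4:198.51.100.0/24 -all"}

# Constructed client transcript following the answer; local parts are placeholders.
SESSION = """HELO whitehouse.gov
MAIL FROM:<somebody@whitehouse.gov>
RCPT TO:<somebody@kremlin.ru>
DATA
From: "The President" <somebody@whitehouse.gov>

I challenge you to a contest of the biggest nuclear missile!
."""

def parse_session(raw):
    lines = raw.splitlines()
    env, i = {}, 0
    while lines[i].upper() != "DATA":  # envelope commands: HELO, MAIL FROM, RCPT TO
        cmd, _, arg = lines[i].partition(":" if ":" in lines[i] else " ")
        env[cmd.upper()] = arg.strip().strip("<>")
        i += 1
    body = lines[i + 1:]
    body = body[:body.index(".")]  # DATA ends at the lone "." line
    return env, email.message_from_string("\n".join(body), policy=default)  # parsed payload headers

def spf_check(ip, domain):
    """Simplified SPF: 'pass' on a matching ip4: term, else the -all / ~all verdict."""
    for term in SPF.get(domain, "v=spf1").split()[1:]:
        if term.startswith("ip4:") and ipaddress.ip_address(ip) in ipaddress.ip_network(term[4:]):
            return "pass"
        if term in ("-all", "~all"):
            return "fail" if term == "-all" else "softfail"
    return "neutral" if domain in SPF else "none"

def assess(raw, client_ip):
    """What a less gullible server learns: envelope vs header From, FCrDNS, SPF."""
    env, msg = parse_session(raw)
    envelope_from, header_from = env["MAIL FROM"], msg["From"].addresses[0].addr_spec
    ptr = PTR.get(client_ip)  # forward-confirmed rDNS: PTR must equal HELO and resolve back
    return {
        "envelope_from": envelope_from, "header_from": header_from,
        "envelope_matches_header": envelope_from == header_from,
        "fcrdns_matches_helo": ptr == env["HELO"] and A.get(ptr) == client_ip,
        "spf": spf_check(client_ip, envelope_from.rpartition("@")[2]),
    }
```

Running `assess(SESSION, "203.0.113.7")` shows both addresses agreeing while the connection fails both the reverse-DNS check and SPF; swapping in a different `MAIL FROM` reproduces the envelope/header mismatch the PayPal receipt in the question exhibits.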

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM
