PayPal needs to grow a brain...

[Domainate.com]

First off, I know what I'm about to say will make ME come across as completely stupid, but keep in mind this happened late last night while I was in the middle of other crap and didn't stop to think about what could happen.

On GFY, almost everyone deals in ePassporte with only a few people dealing with PayPal. A common request on there is to get ePassporte funds for PayPal funds. As sad as it may be, even though I'm not too fond of ePassporte for a few reasons, they might be saving me from being scammed out of some money.

I did the PayPal -> ePass for an individual last night, and this morning before coming to work, I decided to check my email. I got 3 emails from PayPal, with the last one indicating that a reversal had been done on a payment. *groan*...I had to immediately inform both PayPal and ePass about it, which made me late to work, but more importantly I'm REALLY upset that PayPal could be so stupid to accept dispute emails directly rather than through a logged-in account. The individual who did this spoofed an email from me likely telling them "that person never bought anything from me. Go ahead and refund them." So because of their stupidity, I may be bilked out of money (thankfully only $76...could have been worse I guess). We'll see how it goes.

 

[Spade]

First off, I know what I'm about to say will make ME come across as completely stupid, but keep in mind this happened late last night while I was in the middle of other crap and didn't stop to think about what could happen.

On GFY, almost everyone deals in ePassporte with only a few people dealing with PayPal. A common request on there is to get ePassporte funds for PayPal funds. As sad as it may be, even though I'm not too fond of ePassporte for a few reasons, they might be saving me from being scammed out of some money.

I did the PayPal -> ePass for an individual last night, and this morning before coming to work, I decided to check my email. I got 3 emails from PayPal, with the last one indicating that a reversal had been done on a payment. *groan*...I had to immediately inform both PayPal and ePass about it, which made me late to work, but more importantly I'm REALLY upset that PayPal could be so stupid to accept dispute emails directly rather than through a logged-in account. The individual who did this spoofed an email from me likely telling them "that person never bought anything from me. Go ahead and refund them." So because of their stupidity, I may be bilked out of money (thankfully only $76...could have been worse I guess). We'll see how it goes.

So, if I understand this correctly. They got an approval to refund, from an email addy that was not the one on the account? Or it was a spoofed one? Gotta set up that Sender Policy Framework.

 

[Domainate.com]

So, if I understand this correctly. They got an approval to refund, from an email addy that was not the one on the account? Or it was a spoofed one? Gotta set up that Sender Policy Framework.

I'm guessing they spoofed an email from the one on the account, again which could have been prevented if PayPal required response via their site or via the phone vs soliciting it via email. All someone needs to do is test it out with 2 dummy accounts and they would see exactly what they need to send to PayPal to make it appear they're legitimately replying to PayPal's email.

Considering I've got the site/email on GoDaddy, I'm not sure I can do any SPF (I didn't know what SPF was til you mentioned it in your post, clueless me! ). I just don't like how this kind of stuff can happen on sites that process millions of dollars a day.

 

[Spade]

Considering I've got the site/email on GoDaddy, I'm not sure I can do any SPF (I didn't know what SPF was til you mentioned it in your post, clueless me! ). I just don't like how this kind of stuff can happen on sites that process millions of dollars a day.

Yes you can. Its in your DNS controls and I would recommend it! Paypal should be able to tell that it was a scam - what theyll do.... Im curious.

 

[Domainate.com]

Yes you can. Its in your DNS controls and I would recommend it! Paypal should be able to tell that it was a scam - what theyll do.... Im curious.

Ah, found the area...thanks! I sent you a PM asking about some specifics for my situation.

 

[Spade]

Ah, found the area...thanks! I sent you a PM asking about some specifics for my situation.

LoL... I looked at how to set it up, Beyon the obvious - im probably not gonna be much help anymore.. Theyve changed how its setup and the layout, and I barely remember how to do it. I know its not much help, but this should resolve any kind of spoofing.

Justin

 

[Optinom]

SPF record is fairly simple, if its your server..

This shd help.
http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/