Some stuff on Paypal

I’ve been using Paypal as the payment-handling service for my trance vibe project, and overall it’s not too bad. I can even print my own postage for domestic shipments, sticky on a label and not have to drive to the post office to send out an order anymore. But there are a few things about it that are really broken.

When I signed up, seven years ago, I signed up using a particular email address. Of course, since receiving any web payment to your account requires placing this email address in an HTML tag in clear text (broken thing the first), said address is immediately crapflooded by all the world’s spammers. Needless to say, that address has ceased to exist (or technically, become a delete-only address so that it does not return a bounce message – see broken thing the Xth) since about 2002. So I added a different (non-public) email address to the account and set Paypal to send its emails to that one. Which it does, mostly. Junky “how to spot phishing” warnings, junky notifications about things I just did, that I already know I just did because I just did them (“You just created a shipping label!” …Yes, I KNOW, the printer is still making noise…) junky update notifications for advanced features I never have used… You know what would be really helpful though? An email notification that somebody has ordered something, and I need to ship it! These emails, it turns out, all still go to the non-existent address. Polling the site daily to check if anything new has happened is not a solution. After entirely too many entirely unhelpful back-and-forth support emails to Paypal, and a year of this not working, there is still no way to force these to go to an address that actually exists (err, an address other than the one the account was originally signed up with and/or the one listed in the plaintext HTML tag as the payee, which are the same address), short of deleting it from your account entirely and putting your current email address in all the plaintext HTML tags, which would cause you to rotate addresses due to spam about every week or so.

Oh yeah, deleting the old defunct address from your Paypal account makes you no longer able to login to your account, at least under that username. This “probably” also means you can no longer receive payments at that address, although since Paypal’s system actively prevents one from buying from oneself, there is no way for me to actually test this. (And no, the Statistical Method – i.e. leaving it that way for a month and seeing if orders dry up – is also not a solution.)

I discovered this on a hunch, temporarily re-enabling the address and waiting to see if a notification from paypal.com did indeed come in when an order was made. Not for a year or so, because I had replaced the blackhole policy with a filter that accepted mail to that address only if it came from paypal: an email from paypal.com, the world leader in telling anyone to be suspicious of a Paypal email that doesn’t come from paypal.com, would appear to come from paypal.com, right? Uh, nyet. Actually, official paypal.com payment notifications instead forge the buyer’s email address in the From: field, while actually sending the mail from a server @ paypal.com. Needless to say, this forgery is generally not well-received by spam filters in addition to causing any whitelist attempt on *@paypal.com to fail.

“Luckily”, mailservers will send bounces to the address listed in the Return-Path: and not the From: header. So if the original address actually was killed (not blackholed), Paypal will receive the bounce messages, not the buyer (which would be quite unprofessional and suspicious-looking!) However, this allows Paypal to auto-suspend your account due to your apparent death (or, lack of a valid email address, which is a condition of the TOS).

Recently, with email set to essentially buck naked mode (completely unfiltered) and wading through mucho spammo, I found one of those notifications. Here it is! And here is how to whitelist it. (Until they make any kind of minor change, at which point you’ll be screwed again.) Notice that the headers are completely befokt!

* The From: header is forged to the buyer’s email address, although the actual email is sent from mx0.phx.paypal.com (or whatever.paypal.com).
* Reply-To: is missing entirely
* The headers are littered with obscure, non-standard and/or made-up “X-” headers, which could theoretically be used to whitelist the mail as actually coming from Paypal, if .procmailrc is your second language.

(There is a Sender: header [note: this is different from the From: header!] which lists a *@paypal.com address; unfortunately not all hosting services provide an approachable way of filtering on the “envelope sender” rather than the stated [From:] sender.)

The full headers:

Return-Path: <payment “at” paypal.com>
X-Original-To: paypal-seller@example.com
Delivered-To: paypal-seller@blah.di.blah.example.com
Received: from douglas.dreamhost.com (fltr-in2.mail.dreamhost.com [208.97.132.72])
by randymail-mx2.g.dreamhost.com (Postfix) with ESMTP id 992E7139A56
for <paypal-seller@example.com>; Tue, 7 Oct 2008 23:33:04 -0700 (PDT)
[…]
Received: from mx0.phx.paypal.com (mx0.phx.paypal.com [66.211.168.230])
by terminator.dreamhost.com (Postfix) with ESMTP id D66A8F4006
for <paypal-seller@example.com>; Tue, 7 Oct 2008 23:33:03 -0700 (PDT)
DomainKey-Signature: s=dkim; d=paypal.com; c=nofws; q=dns;
h=Received:Date:Message-Id:Subject:X-MaxCode-Template:To:
From:Sender:X-Email-Type-Id:X-XPT-XSL-Name:Content-Type:
MIME-Version;
b=1rTiB1RMbH+qkHnn/BeixOHw6jcK766HAdsa1On2nKlo79eVcMxDZ14n
9QbwyYuOs9M9LyOYwBNzIRzQpHQtLdcMvSigaA42hgNmIPtXiW4YkZ5xp
TiSNlwh3sAtp6vgczj38mHCJCaHl1rgCHfL4d1MIHUwog6UaraJB6IAis
c=;
Received: (qmail 11660 invoked by uid 993); 8 Oct 2008 06:33:03 -0000
Date: Tue, 07 Oct 2008 23:33:03 -0700
Message-Id: <1223447583.11660@paypal.com>
Subject: Notification of payment received
X-MaxCode-Template: email-wax-payment-notification
To: Paypal Seller <paypal-seller@example.com>
From: “paypal-buyer@example.com” <paypal-buyer@example.com>
Sender: sendmail@paypal.com
X-Email-Type-Id: PP345
X-XPT-XSL-Name:
email_pimp/default/en_US/transaction/WaxPaymentNotification.xsl
Content-Type: multipart/alternative;
boundary=–NextPart_048F8BC8A2197DE2036A
MIME-Version: 1.0

Tags: , , ,

One Response to “Some stuff on Paypal”

  1. Oh yeah, deleting the old defunct address from your Paypal account makes you no longer able to login to your account, at least under that username. This “probably” also means you can no longer receive payments at that address, although since Paypal’s system actively prevents one from buying from oneself, there is no way for me to actually test this. (And no, the Statistical Method – i.e. leaving it that way for a month and seeing if orders dry up – is also not a solution.)

Leave a Reply