Dave_L

14:13:01 -0700 (PDT): The "-0700" means seven hours earlier than GMT. To convert to GMT, add seven hours. 23:12:57 +0200: The "+0200" means two hours later than GMT. To convert to GMT, subtract two hours.

The date/time stamps generally help here, although they're not always 100% reliable. For example: The timestamp in "0" is Thu, 04 May 2017 14:13:01 -0700 (PDT), which is four seconds later than the timestamp in "3", Thu, 04 May 2017 23:12:57 +0200 (21:13:01 GMT - 21:12:57 GMT = 4 seconds).

Some newer web sites that require login have put the username and password entry on separate pages. I.e., you enter the username on one page and then are redirected to a second page for password entry. Is this considered to be more secure than the traditional method of entering the username and password on the same page?

The Spamcop FAQ section has a page that's supposed to explain "confirmed opt-in", but it's useless, since it refers to two non-existent pages: https://www.spamcop.net/fom-serve/cache/406.html I found a decent explanation of "confirmed opt-in" here: https://www.spamhaus.org/faq/section/Marketing FAQs#15 Maybe the broken links could be replaced with that one. Or maybe the text itself could be added to the Spamcop FAQ page. That's probably ok, as long as the source is cited.

Does the subscription process use CONFIRMED OPT-IN? If you don't know what that means, here's an explanation: https://www.spamhaus.org/faq/section/Marketing FAQs#15 If the email addresses in your list were not obtained using confirmed opt-in, then you should: 1. Delete the list. 2. Start building a new mailing list, using a confirmed opt-in process. Also: At the location where users subscribe to your mailing list, ensure that there is a clear explanation of what kind of information will be included in the mailings. If the mailings will include advertisements, that should be stated.

I suppose a legitimate action in a case like this would be to use the Spamcop parser to identify the apppropriate reporting authority(ies), and then compose and send your own report(s), written so as to make it clear that you, and not Spamcop, are the report submitter. (Personally I wouldn't bother for an isolated case.)

My guess is that since the next to last "Received" header ("Received: from 41....") contains no date, the Spamcop parser doesn't trust the headers.

The SpamCop Email System no longer exists. That's probably an old page that was never removed.

Domain name registrars don't seem to care how their customers use the domains, as long as they pay the registration fees. Have you reported the spam to the email source provider(s) and the web host provider(s)?

I think that the mail would simply be discarded, and not bounced.

I use sneakemail DOT com to create unique, disposable email forwarding addresses. The received email messages are tagged so you easily tell which email address was used. If you have a Linux server, you could accomplish the same thing. I've been intending to do that myself.

I wonder if it's related to the recent Verizon acquisition of Yahoo.

Once again, you have made a mistake. I mentioned a link in my initial post. We normal users cannot accept these imperfections from administrators. (I edited my most recent post, to add some info.)

I've previously parsed the email using Spamcop (see my initial post), but I couldn't determine conclusively from that whether it was from PayPal. I just forwarded the email to spoof AT paypal DOT com, to ask about it. I'll see what they say. A web search revealed that there was another class action settlement against PayPal in 2004. PayPal seemed to be deliberately trying to confuse people, e.g. by using a separate domain, to discourage people from participating in the settlement.