Paypal - not scam
So, it turns out that the email that Paypal told me was a scam and I should ignore - was not a scam.
It turns out that, contrary to them saying "The email address mx1.slc.paypal.com is not from PayPal." the latest email came from mx1.slc.paypal.com and really was from Paypal.
They said "The email address that we are using in sending emails or notifications are firstname.lastname@example.org or email@example.com alone nothing more nothing less." The "From: " does say that, but we al know that this is easily forged. The important thing is the header, which says which server the email really did come from, and that is mx1.slc.paypal.com
I have two email addresses on record with Paypal. The first "scam" email was sent to my first address, the second one to my secondary address.
So how do I now that this latest email was really from Paypal (and that the first one was also)? Because when I went to Paypal (not by clicking on the email, obviously), there was indeed an "account notification", and they did indeed want a few additional details, which I've given them.
So it's no wonder that first email looked so realistic. It's because it really did come from Paypal, but Paypal were too incompetent to know that they send emails from
mx1.slc.paypal.com, and were too incompetent to be able to see that the email had indeed come from Paypal when they checked their records.
This has been a problem for a long time. For MANY years, there have been obvious holes in the security of banks and financial organisations. The problem boils down to this - they prioritise convenience over security, and prefer fake security to real security.