Bingo!!--it is a scam. The tipoff is this line:
Received: from server1.ddf.com.br ([18.104.22.168])
Here is the result of a whois search:
mherring@1[grub]$ whois server1.ddf.com.br
% Copyright (c) Nic.br
% The use of the data below is only permitted as described in
% being prohibited its distribution, comercialization or
% reproduction, in particular, to use it for advertising or
% any similar purpose.
% 2007-06-10 10:55:39 (BRT -03:00)
% Query rate limit exceeded. Reduced information.
% Use https://registro.br/cgi-bin/avail/
for domain availability.
owner: Daniel de Melo Franqueira ME (682010)
% Security and mail abuse issues should also be addressed to
% cert.br, http://www.cert.br/
, respectivelly to firstname.lastname@example.org
% and email@example.com
% whois.registro.br accepts only direct match queries. Types
% of queries are: domain (.br), ticket, provider, ID, CIDR
% block, IP and ASN.
Going to registro.br confirms that they are in fact in Brazil.
I would definitely pass this on to Paypal (use an address for them that
you know to be good)