DHL Phish

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Mon, 03 Feb 2025 06:47:00 -0700

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.98 (FreeBSD))

(envelope-from )

id 1tewmW-00000000A3d-1slR

for dave@doctor.nl2k.ab.ca;

Mon, 03 Feb 2025 06:46:32 -0700

Resent-From: The Doctor

Resent-Date: Mon, 3 Feb 2025 06:46:32 -0700

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from wartam.com ([107.173.122.165]:58418)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384

(Exim 4.98 (FreeBSD))

(envelope-from )

id 1tewQv-00000000964-0Zel

for root@nk.ca;

Mon, 03 Feb 2025 06:24:18 -0700

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=wartam.com; s=202500;

t=1738589046; bh=HxuJD7YoEFBM5aXmFDED6/RlaXR5KL2zUbXLP0TihJc=;

h=From:To:Subject:Date:From;

Received: from [176.65.139.60] (unknown [176.65.139.60])

by wartam.com (Postfix) with ESMTPSA id 78E531CF525

for ; Mon, 3 Feb 2025 13:24:05 +0000 (UTC)

From: " DHL "

To: root@nk.ca

Subject: Shipping Notification: Track your package with DHL

Date: 3 Feb 2025 05:24:03 -0800

Message-ID: <20250203052402.447B395AE6967472@wartam.com>

MIME-Version: 1.0

Content-Type: text/html

Content-Transfer-Encoding: quoted-printable

X-Spam_score: 24.7

X-Spam_score_int: 247

X-Spam_bar: ++++++++++++++++++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: INCOMING SHIPMENT NOTIFICATION Hello root



Content analysis details: (24.7 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.0 RCVD_IN_WSFF RBL: Received via a relay in will-spam-for-food.eu.org

[176.65.139.60 listed in will-spam-for-food.eu.org]

[107.173.122.165 listed in will-spam-for-food.eu.org]

1.5 RCVD_IN_AHBL RBL: AHBL: sender is listed in dnsbl.ahbl.org

[107.173.122.165 listed in dnsbl.ahbl.org]

[176.65.139.60 listed in dnsbl.ahbl.org]

0.0 RCVD_IN_AHBL_RTB RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org

[107.173.122.165 listed in dnsbl.ahbl.org]

1.5 RCVD_IN_AHBL_SPAM RBL: AHBL: Spam Source in dnsbl.ahbl.org

[107.173.122.165 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_SMTP RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org

[107.173.122.165 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_PROXY RBL: AHBL: Open Proxy server in dnsbl.ahbl.org

[107.173.122.165 listed in dnsbl.ahbl.org]

1.5 RCVD_IN_SBL_XBL RBL: Received via a relay in Spamhaus SBL+XBL

[107.173.122.165 listed in sbl-xbl.spamhaus.org]

[176.65.139.60 listed in sbl-xbl.spamhaus.org]

3.6 RCVD_IN_SBL_CSS RBL: Received via a relay in Spamhaus SBL-CSS

[107.173.122.165 listed in zen.spamhaus.org]

0.1 URIBL_CSS_A Contains URL's A record listed in the Spamhaus CSS

blocklist

[URI: wartam.com/107.173.122.165]

2.6 RCVD_IN_SBL RBL: Received via a relay in Spamhaus SBL

[176.65.139.60 listed in zen.spamhaus.org]

2.5 URIBL_DBL_PHISH Contains a Phishing URL listed in the DBL blocklist

[URI: wartam.com]

1.9 URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL blocklist

[URI: wartam.com]

1.9 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist

[URI: wartam.com]

0.1 URIBL_SBL_A Contains URL's A record listed in the SBL blocklist

[URI: wartam.com/107.173.122.165]

[URI: ipfs.io/209.94.90.1]

-0.0 SPF_PASS SPF: sender matches SPF record

-0.0 SPF_HELO_PASS SPF: HELO matches SPF record

0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid

-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature

-0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from

envelope-from domain

-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's

domain

0.2 MR_NOT_ATTRIBUTED_IP Beta rule: an non-attributed IPv4 found in

headers

1.0 FROMSPACE Idiosyncratic "From" header format

0.5 NO_RDNS Sending MTA has no reverse DNS (Postfix variant)

-0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay

domain

0.0 HTML_MESSAGE BODY: HTML included in message

0.6 HTML_IMAGE_RATIO_04 BODY: HTML has a low ratio of text to image area

0.0 T_MXG_EMAIL_FRAG BODY: URI with email in fragment

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

0.0 URI_IPFSIO References Interplanetary File System PtP content via

ipfs.io, likely phishing

1.5 GB_CUSTOM_HTM_URI Custom html uri

0.8 SARE_FROM_SPAM_WORD3 I don't know people named this!

0.0 URI_GOOGLE_PROXY Accessing a blacklisted URI or obscuring source of

phish via Google proxy?

0.0 T_FROM_MISSP_DKIM From misspaced, DKIM dependable

0.0 URI_IPFS References Interplanetary File System PtP content, probable

phishing

Subject: {SPAM?} Shipping Notification: Track your package with DHL












[Header image, alt "On Demand Delivery": https://ci5.googleusercontent.com/proxy/5ehwsj614AMDg_JrsSCmH8EYnk3FtDiHL7Q2qkwuGLTgkX3N1CcQCRJEM0l4kqVrpO_37uZF6rYLHEasRE5MYUsONgANTInr1w=s0-d-e1-ft#https://del.dhl.com/img/email_assets/images/header.jpg]

INCOMING SHIPMENT NOTIFICATION

Hello root

We write to inform you of an incoming shipment with your User-ID root@nk.ca registered as the official recipient

Your shipment is en-route and ready for Online Tracking

Use the button below to access our e-Tracking Portal

[Button "TRACK MY SHIPMENT NOW", href: https://ipfs.io/ipfs/bafkreih6kdzajhcbb5lh3lc2bkrayyrpkuaznj32lqafreemcvixaqgady?filename=orseac.html#root@nk.ca]

Thank you for using DHL On-Demand Delivery.

Sincerely,

DHL Parcel team

[Footer icons: https://clientesparcel.dhl.es/RecursosMailSP/ig_icon.png, https://clientesparcel.dhl.es/RecursosMailSP/fb_icon.png (link: …m/dhlparcelespana/), https://clientesparcel.dhl.es/RecursosMailSP/ln_icon.png, …rcel.dhl.es/RecursosMailSP/yt_icon.png (link: https://youtube.com/c/DHLParcelIberia)]

dhlparcel.com









