Aeroplan Phish
Posted by Dave Yadallee on
Phishers will do anything . Intercepted in our e-mail system:
From - Tue Sep 27 05:08:40 2011
X-Account-Key: account2
X-UIDL: b7,"!l(@!!JMn!!%&"#!
X-Mozilla-Status: 0001
X-Mozilla-Status2: 10000000
X-Mozilla-Keys:
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on doctor.nl2k.ab.ca
X-Spam-Level:
X-Spam-Status: No, score=2.0 required=5.0 tests=URIBL_BLACK autolearn=no
version=3.3.2
Received: from localhost by doctor.nl2k.ab.ca
with SpamAssassin (version 3.3.2);
Tue, 27 Sep 2011 05:07:54 -0600
From: "Aeroplan"
Subject: *****SPAM****
Date: Tue, 27 Sep 2011 12:47:18 +0200
Message-Id:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_4E81AE8A.5CC6A729"
X-UIDL: b7,"!l(@!!JMn!!%&"#!
X-Brightmail-Tracker: AAAABBkMsM0ZDLDEGQ1zjhkNhZ4=
X-Brightmail-Tracker: AAAAAA==
This is a multi-part message in MIME format.
------------=_4E81AE8A.5CC6A729
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Spam detection software, running on the system "doctor.nl2k.ab.ca", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.
Content preview: Thanks for the purchase! Your booking is confirmed. Booking
number: K4QCTI Your credit card has been charged for $438.60 (CAD) Please
print the itinerary/receipt for your reference. Sign in to aircanada.com
and print it by clicking the link below https://book.aircanada.com/pl/AConline/en/GetPNRsListServle/
To cancel your booking online, please click the link below: https://book.aircanada.com/pl/AConline/en/CancelBookTripPlanServlet/
On board you will be offered: Beverages; Food; Daily press. Thank you
for choosing Air Canada and we look forward to welcoming you on board. Best
regards, Air Canada [...]
Content analysis details: (7.2 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
1.0 RCVD_IN_BACKSCATTER RBL: Received via a relay in Backscatter.org
[200.9.190.178 listed in ips.backscatterer.org]
2.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
[URIs: keepourpromise.org]
0.0 FORGED_OUTLOOK_TAGS Outlook can't send HTML in this format
4.2 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam. If you wish to view
it, it may be safer to save it to a file and open it with an editor.
------------=_4E81AE8A.5CC6A729
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: attachment
Content-Transfer-Encoding: 8bit
Return-Path:
X-Original-To: aboo@doctor.nl2k.ab.ca
Delivered-To: aboo@doctor.nl2k.ab.ca
Received: from localhost (localhost.nl2k.ab.ca [127.0.0.1])
by doctor.nl2k.ab.ca (Postfix) with ESMTP id D38BE12CFA82
for; Tue, 27 Sep 2011 05:07:52 -0600 (MDT)
X-Virus-Scanned: amavisd-new at doctor.nl2k.ab.ca
X-Spam-Flag: YES
X-Spam-Score: 23.081
X-Spam-Level: **********************
X-Spam-Status: Yes, score=23.081 tagged_above=2 required=6.2
tests=[BAYES_50=0.001, FORGED_MUA_OUTLOOK=3.116,
FORGED_OUTLOOK_HTML=0.001, FORGED_OUTLOOK_TAGS=0.001,
FROM_MISSPACED=3.799, FROM_MISSP_DKIM=0.001, FROM_MISSP_MSFT=1.295,
FROM_MISSP_NO_TO=2.628, FROM_MISSP_URI=0.001, FROM_MISSP_USER=0.871,
FSL_CTYPE_WIN1251=0.001, FSL_UA=0.243, FSL_XM_419=0.59,
HTML_IMAGE_ONLY_12=2.46, HTML_MESSAGE=0.001,
HTML_MIME_NO_HTML_TAG=0.097, MIME_HTML_ONLY=1.457,
MISSING_HEADERS=1.292, NSL_RCVD_FROM_USER=0.001,
RCVD_IN_BACKSCATTER=1, TO_NO_BRKTS_FROM_MSSP=1.3,
TO_NO_BRKTS_MSFT=0.96, T_REMOTE_IMAGE=0.01, URIBL_BLACK=1.955]
autolearn=spam
Received: from doctor.nl2k.ab.ca ([127.0.0.1])
by localhost (doctor.nl2k.ab.ca [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id HDF1AfNWe1zt for;
Tue, 27 Sep 2011 05:07:45 -0600 (MDT)
Received: from ns.cccp.com.ni (ns.cccp.com.ni [200.9.190.178])
by doctor.nl2k.ab.ca (Postfix) with ESMTP id 903BA12CFA81
for; Tue, 27 Sep 2011 05:07:38 -0600 (MDT)
Received: from User ([93.174.95.21]) by ns.cccp.com.ni with Microsoft SMTPSVC(6.0.3790.4675);
Tue, 27 Sep 2011 04:46:18 -0600
From: "Aeroplan"
Subject: ***SPAM*** Aeroplan Reward - Electronic Ticket Itinerary/Receipt
Date: Tue, 27 Sep 2011 12:47:18 +0200
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID:
X-OriginalArrivalTime: 27 Sep 2011 10:46:19.0359 (UTC) FILETIME=[B0A016F0:01CC7D02]
------------=_4E81AE8A.5CC6A729--
From - Tue Sep 27 05:08:40 2011
X-Account-Key: account2
X-UIDL: b7,"!l(@!!JMn!!%&"#!
X-Mozilla-Status: 0001
X-Mozilla-Status2: 10000000
X-Mozilla-Keys:
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on doctor.nl2k.ab.ca
X-Spam-Level:
X-Spam-Status: No, score=2.0 required=5.0 tests=URIBL_BLACK autolearn=no
version=3.3.2
Received: from localhost by doctor.nl2k.ab.ca
with SpamAssassin (version 3.3.2);
Tue, 27 Sep 2011 05:07:54 -0600
From: "Aeroplan"
Subject: *****SPAM****
Date: Tue, 27 Sep 2011 12:47:18 +0200
Message-Id:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_4E81AE8A.5CC6A729"
X-UIDL: b7,"!l(@!!JMn!!%&"#!
X-Brightmail-Tracker: AAAABBkMsM0ZDLDEGQ1zjhkNhZ4=
X-Brightmail-Tracker: AAAAAA==
This is a multi-part message in MIME format.
------------=_4E81AE8A.5CC6A729
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Spam detection software, running on the system "doctor.nl2k.ab.ca", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.
Content preview: Thanks for the purchase! Your booking is confirmed. Booking
number: K4QCTI Your credit card has been charged for $438.60 (CAD) Please
print the itinerary/receipt for your reference. Sign in to aircanada.com
and print it by clicking the link below https://book.aircanada.com/pl/AConline/en/GetPNRsListServle/
To cancel your booking online, please click the link below: https://book.aircanada.com/pl/AConline/en/CancelBookTripPlanServlet/
On board you will be offered: Beverages; Food; Daily press. Thank you
for choosing Air Canada and we look forward to welcoming you on board. Best
regards, Air Canada [...]
Content analysis details: (7.2 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
1.0 RCVD_IN_BACKSCATTER RBL: Received via a relay in Backscatter.org
[200.9.190.178 listed in ips.backscatterer.org]
2.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
[URIs: keepourpromise.org]
0.0 FORGED_OUTLOOK_TAGS Outlook can't send HTML in this format
4.2 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam. If you wish to view
it, it may be safer to save it to a file and open it with an editor.
------------=_4E81AE8A.5CC6A729
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: attachment
Content-Transfer-Encoding: 8bit
Return-Path:
X-Original-To: aboo@doctor.nl2k.ab.ca
Delivered-To: aboo@doctor.nl2k.ab.ca
Received: from localhost (localhost.nl2k.ab.ca [127.0.0.1])
by doctor.nl2k.ab.ca (Postfix) with ESMTP id D38BE12CFA82
for
X-Virus-Scanned: amavisd-new at doctor.nl2k.ab.ca
X-Spam-Flag: YES
X-Spam-Score: 23.081
X-Spam-Level: **********************
X-Spam-Status: Yes, score=23.081 tagged_above=2 required=6.2
tests=[BAYES_50=0.001, FORGED_MUA_OUTLOOK=3.116,
FORGED_OUTLOOK_HTML=0.001, FORGED_OUTLOOK_TAGS=0.001,
FROM_MISSPACED=3.799, FROM_MISSP_DKIM=0.001, FROM_MISSP_MSFT=1.295,
FROM_MISSP_NO_TO=2.628, FROM_MISSP_URI=0.001, FROM_MISSP_USER=0.871,
FSL_CTYPE_WIN1251=0.001, FSL_UA=0.243, FSL_XM_419=0.59,
HTML_IMAGE_ONLY_12=2.46, HTML_MESSAGE=0.001,
HTML_MIME_NO_HTML_TAG=0.097, MIME_HTML_ONLY=1.457,
MISSING_HEADERS=1.292, NSL_RCVD_FROM_USER=0.001,
RCVD_IN_BACKSCATTER=1, TO_NO_BRKTS_FROM_MSSP=1.3,
TO_NO_BRKTS_MSFT=0.96, T_REMOTE_IMAGE=0.01, URIBL_BLACK=1.955]
autolearn=spam
Received: from doctor.nl2k.ab.ca ([127.0.0.1])
by localhost (doctor.nl2k.ab.ca [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id HDF1AfNWe1zt for
Tue, 27 Sep 2011 05:07:45 -0600 (MDT)
Received: from ns.cccp.com.ni (ns.cccp.com.ni [200.9.190.178])
by doctor.nl2k.ab.ca (Postfix) with ESMTP id 903BA12CFA81
for
Received: from User ([93.174.95.21]) by ns.cccp.com.ni with Microsoft SMTPSVC(6.0.3790.4675);
Tue, 27 Sep 2011 04:46:18 -0600
From: "Aeroplan"
Subject: ***SPAM*** Aeroplan Reward - Electronic Ticket Itinerary/Receipt
Date: Tue, 27 Sep 2011 12:47:18 +0200
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID:
X-OriginalArrivalTime: 27 Sep 2011 10:46:19.0359 (UTC) FILETIME=[B0A016F0:01CC7D02]
Thanks for the purchase!
Your booking is confirmed.
Booking number: K4QCTI
Your credit card has been charged for $438.60 (CAD)
Please print the itinerary/receipt for your reference.
Sign in to aircanada.com and print it by clicking the link below
https://book.aircanada.com/pl/AConline/en/GetPNRsListServle/
To cancel your booking online, please click the link below:
https://book.aircanada.com/pl/AConline/en/CancelBookTripPlanServlet/
On board you will be offered:
Beverages;
Food;
Daily press.
Thank you for choosing Air Canada and we look forward to welcoming you
on board.
Best regards,
Air Canada
------------=_4E81AE8A.5CC6A729--
with ESMTP id p8RJ7gpO023174