Telus Phish
Posted by Dave Yadallee on
From - Wed May 16 11:30:08 2018
X-Account-Key: account2
X-UIDL: 0006629d501fb806
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-path:
Envelope-to: sales@nk.ca
Delivery-date: Wed, 16 May 2018 11:30:09 -0600
Received: from atmail15.worldsoft-mail.net ([217.196.177.215]:33176)
by doctor.nl2k.ab.ca with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
(Exim 4.91 (FreeBSD))
(envelope-from)
id 1fJ0FP-000628-D9
for sales@nk.ca; Wed, 16 May 2018 11:29:58 -0600
Received: from [162.219.30.67] (helo=localhost.localdomain)
by atmail15.worldsoft-mail.net with esmtpa (Exim 4.80.1)
(envelope-from)
id 1fJ0FH-0002fC-7A
for sales@nk.ca; Wed, 16 May 2018 19:29:47 +0200
Date: Wed, 16 May 2018 17:29:44 +0000
To: sales@nk.ca
From: =?UTF-8?B?VEVMVVM=?=
Subject: =?UTF-8?B?WW91ciBtb250aGx5IHBheW1lbnQgIzQ3MDE5Mjk5NSB3YXMgcmVjZW50bHkgcmVmdXNlZA==?=
Message-ID:
X-Priority: 3
X-Mailer: PHPMailer 5.2.6
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: base64
X-Spam_score: 8.2
X-Spam_score_int: 82
X-Spam_bar: ++++++++
X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
@@CONTACT_ADDRESS@@ for details.
Content preview: Dear sales@nk.ca, Your monthly payment was recently declined.
The decline could be due to insufficient funds, card expired, etc. Since
you haven't provided us new billing information yet, we thought we'd remind
you to please provide us with updated billing information to avoid any billing
problems with your account.
Content analysis details: (8.2 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.0 T_SPF_TEMPERROR SPF: test of record failed (temperror)
0.0 T_SPF_HELO_TEMPERROR SPF: test of HELO record failed (temperror)
0.5 L_HELLO_ADDRESS BODY: Greets you by address, not by name
1.2 HTML_OBFUSCATE_10_20 BODY: Message is 10% to 20% HTML obfuscation
0.7 HTML_IMAGE_ONLY_28 BODY: HTML: images with 2400-2800 bytes of words
1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
0.0 HTML_MESSAGE BODY: HTML included in message
0.4 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
[cf: 100]
1.7 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
2.4 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
above 50%
[cf: 100]
0.0 SARE_FROM_SPAM_WORD4 From address suggests this may be spam
0.1 FROM_EXCESS_BASE64 From: base64 encoded unnecessarily
0.0 T_REMOTE_IMAGE Message contains an external image
Subject: {SPAM?} =?UTF-8?B?WW91ciBtb250aGx5IHBheW1lbnQgIzQ3MDE5Mjk5NSB3YXMgcmVjZW50bHkgcmVmdXNlZA==?=
X-Antivirus: AVG (VPS 180515-0, 05/14/2018), Inbound message
X-Antivirus-Status: Clean
PGh0bWw+CiAgICA8aGVhZD4KICAgICAgICA8bWV0YSBuYW1lPSJ2aWV3cG9ydCIgY29udGVudD0i
d2lkdGg9ZGV2aWNlLXdpZHRoLCBpbml0aWFsLXNjYWxlPTEuMCI+CiAgICA8L2hlYWQ+CiAgICA8
Ym9keT4KICAgICAgICA8dGFibGUgc3R5bGU9ImJvcmRlcjogMDsgd2lkdGg6IDUwMHB4OyBtYXJn
aW46IDAgYXV0bzsiPgogICAgICAgICAgICA8dHI+CiAgICAgICAgICAgICAgICA8dGQ+CiAgICAg
ICAgICAgICAgICAgICAgPGRpdiBzdHlsZT0iaGVpZ2h0OiA0MHB4OyI+CiAgICAgICAgICAgICAg
ICAgICAgICAgIDxpbWcgc3JjPSJodHRwczovL2RpZ2l0YWxzdGFuZGFyZHMudGVsdXMuY29tL2Fz
c2V0cy9pbWcvZG93bmxvYWRzL1RFTFVTX2xvZ29fRU4uanBnIiB3aWR0aD0iMjUwIiBoZWlnaHQ9
IjUwIj4KICAgICAgICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgICAgIDwvdGQ+CiAg
ICAgICAgICAgIDwvdHI+CiAgICAgICAgICAgIDx0cj4KICAgICAgICAgICAgICAgIDx0ZCBzdHls
ZT0iZm9udC1zaXplOiAxN3B4OyBjb2xvcjojNTk1ODU5OyBsaW5lLWhlaWdodDogMjhweDsgZm9u
dC1mYW1pbHk6ICdIZWx2ZXRpY2EgTmV1ZScsSGVsdmV0aWNhLEFyaWFsLHNhbnMtc2VyaWYgIWlt
cG9ydGFudDsiPgogICAgICAgICAgICAgICAgICAgIDxkaXYgc3R5bGU9ImNvbG9yOiAjNTk1ODU5
OyBkaXNwbGF5OiBibG9jazsgZm9udC1zaXplOiAyM3B4ICFpbXBvcnRhbnQ7IGxpbmUtaGVpZ2h0
OiAzMHB4ICFpbXBvcnRhbnQ7IG1hcmdpbi1ib3R0b206IDE2cHggIWltcG9ydGFudDsgd2lkdGg6
IDEwMCU7Ij4mbmJzcDs8L2Rpdj4KCQkJCQk8YnI+CiAgICAgICAgICAgICAgICAgICAgPGgyIHN0
eWxlPSJtYXJnaW4tYm90dG9tOiAxMXB4OyBmb250LXNpemU6IDIzcHg7IGZvbnQtZmFtaWx5OiAn
SGVsdmV0aWNhIE5ldWUnLEhlbHZldGljYSxBcmlhbCxzYW5zLXNlcmlmOyI+RGVhciBzYWxlc0Bu
ay5jYSw8L2gyPgogICAgICAgICAgICAgICAgICAgICAgICBZb3VyIG1vbnRobHkgcGF5bWVudCB3
YXMgcmVjZW50bHkgZGVjbGluZWQuIFRoZSBkZWNsaW5lIGNvdWxkIGJlIGR1ZSB0byBpbnN1ZmZp
Y2llbnQgZnVuZHMsIGNhcmQgZXhwaXJlZCwgZXRjLjxicj48YnI+CgkJCQkJICAgIFNpbmNlIHlv
dSBoYXZlbid0IHByb3ZpZGVkIHVzIG5ldyBiaWxsaW5nIGluZm9ybWF0aW9uIHlldCw8YnI+CgkJ
CQkJCXdlIHRob3VnaHQgd2UnZCByZW1pbmQgeW91IHRvIHBsZWFzZSBwcm92aWRlIHVzIHdpdGgg
dXBkYXRlZDxicj4KCQkJCQkJYmlsbGluZyBpbmZvcm1hdGlvbiB0byBhdm9pZCBhbnkgYmlsbGlu
ZyBwcm9ibGVtcyB3aXRoIHlvdXIgYWNjb3VudC48YnI+PGJyPgogICAgICAgICAgICAgICAgICAg
IDxhIGhyZWY9Imh0dHA6Ly9uandlYmt6LmNvbS9zeW1waG9ueS9iaGQ0NjkucGhwIiBzdHlsZT0i
Zm9udC1zaXplOiAyMXB4OyBsaW5lLWhlaWdodDogMzBweDsgdGV4dC1hbGlnbjogY2VudGVyOyBi
b3JkZXItcmFkaXVzOiAzcHg7CgkJCQkJZGlzcGxheTogaW5saW5lLWJsb2NrOyB0ZXh0LWRlY29y
YXRpb246IG5vbmU7IHBhZGRpbmc6IDEwcHggMjBweCAxNHB4IDIwcHg7CgkJCQkJaGVpZ2h0OiAz
MHB4OyB3aWR0aDogMTAwJTsgbWF4LXdpZHRoOiAzNTBweDsgcGFkZGluZy1sZWZ0OiAwOyBwYWRk
aW5nLXJpZ2h0OiAwOwoJCQkJCS13ZWJraXQtYXBwZWFyYW5jZTogbm9uZTsgY29sb3I6ICNmZmY7
IGJvcmRlcjogbm9uZTsKCQkJCQliYWNrZ3JvdW5kLWltYWdlOiAtd2Via2l0LWdyYWRpZW50KGxp
bmVhciw1MCUgMCUsNTAlIDEwMCUsY29sb3Itc3RvcCgwJSwjNTdhNzA4KSxjb2xvci1zdG9wKDkw
JSwjNTdhNzA4KSxjb2xvci1zdG9wKDkwJSwjNDA4MDAwKSxjb2xvci1zdG9wKDEwMCUsIzQwODAw
MCkpOwoJCQkJCWJhY2tncm91bmQtaW1hZ2U6IC13ZWJraXQtbGluZWFyLWdyYWRpZW50KCM1N2E3
MDggMCUsIzU3YTcwOCA5MCUsIzQwODAwMCA5MCUsIzQwODAwMCk7CgkJCQkJYmFja2dyb3VuZC1p
bWFnZTogLW1vei1saW5lYXItZ3JhZGllbnQoIzU3YTcwOCAwJSwjNTdhNzA4IDkwJSwjNDA4MDAw
IDkwJSwjNDA4MDAwKTsKCQkJCQliYWNrZ3JvdW5kLWltYWdlOiAtby1saW5lYXItZ3JhZGllbnQo
IzU3YTcwOCAwJSwjNTdhNzA4IDkwJSwjNDA4MDAwIDkwJSwjNDA4MDAwKTsKCQkJCQliYWNrZ3Jv
dW5kLWltYWdlOiBsaW5lYXItZ3JhZGllbnQoIzU3YTcwOCAwJSwjNTdhNzA4IDkwJSwjNDA4MDAw
IDkwJSwjNDA4MDAwKTsKCQkJCQliYWNrZ3JvdW5kLWNvbG9yOiAjNTdhNzA4OyI+CgkJCQkJCVJl
dmlldzxmb250IGNvbG9yPSIjNTdhNzA4Ij5HPC9mb250PmFjY291bnQ8Zm9udCBjb2xvcj0iIzU3
YTcwOCI+RzwvZm9udD5pbmZvcm1hdGlvbgoJCQkJCTwvYT4KICAgICAgICAgICAgICAgIDwvdGQ+
CiAgICAgICAgICAgIDwvdHI+CiAgICAgICAgPC90YWJsZT4KICAgIDwvYm9keT4KPC9odG1sPgo=
X-Account-Key: account2
X-UIDL: 0006629d501fb806
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-path:
Envelope-to: sales@nk.ca
Delivery-date: Wed, 16 May 2018 11:30:09 -0600
Received: from atmail15.worldsoft-mail.net ([217.196.177.215]:33176)
by doctor.nl2k.ab.ca with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
(Exim 4.91 (FreeBSD))
(envelope-from
id 1fJ0FP-000628-D9
for sales@nk.ca; Wed, 16 May 2018 11:29:58 -0600
Received: from [162.219.30.67] (helo=localhost.localdomain)
by atmail15.worldsoft-mail.net with esmtpa (Exim 4.80.1)
(envelope-from
id 1fJ0FH-0002fC-7A
for sales@nk.ca; Wed, 16 May 2018 19:29:47 +0200
Date: Wed, 16 May 2018 17:29:44 +0000
To: sales@nk.ca
From: =?UTF-8?B?VEVMVVM=?=
Subject: =?UTF-8?B?WW91ciBtb250aGx5IHBheW1lbnQgIzQ3MDE5Mjk5NSB3YXMgcmVjZW50bHkgcmVmdXNlZA==?=
Message-ID:
X-Priority: 3
X-Mailer: PHPMailer 5.2.6
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: base64
X-Spam_score: 8.2
X-Spam_score_int: 82
X-Spam_bar: ++++++++
X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
@@CONTACT_ADDRESS@@ for details.
Content preview: Dear sales@nk.ca, Your monthly payment was recently declined.
The decline could be due to insufficient funds, card expired, etc. Since
you haven't provided us new billing information yet, we thought we'd remind
you to please provide us with updated billing information to avoid any billing
problems with your account.
Content analysis details: (8.2 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.0 T_SPF_TEMPERROR SPF: test of record failed (temperror)
0.0 T_SPF_HELO_TEMPERROR SPF: test of HELO record failed (temperror)
0.5 L_HELLO_ADDRESS BODY: Greets you by address, not by name
1.2 HTML_OBFUSCATE_10_20 BODY: Message is 10% to 20% HTML obfuscation
0.7 HTML_IMAGE_ONLY_28 BODY: HTML: images with 2400-2800 bytes of words
1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
0.0 HTML_MESSAGE BODY: HTML included in message
0.4 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
[cf: 100]
1.7 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
2.4 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
above 50%
[cf: 100]
0.0 SARE_FROM_SPAM_WORD4 From address suggests this may be spam
0.1 FROM_EXCESS_BASE64 From: base64 encoded unnecessarily
0.0 T_REMOTE_IMAGE Message contains an external image
Subject: {SPAM?} =?UTF-8?B?WW91ciBtb250aGx5IHBheW1lbnQgIzQ3MDE5Mjk5NSB3YXMgcmVjZW50bHkgcmVmdXNlZA==?=
X-Antivirus: AVG (VPS 180515-0, 05/14/2018), Inbound message
X-Antivirus-Status: Clean
PGh0bWw+CiAgICA8aGVhZD4KICAgICAgICA8bWV0YSBuYW1lPSJ2aWV3cG9ydCIgY29udGVudD0i
d2lkdGg9ZGV2aWNlLXdpZHRoLCBpbml0aWFsLXNjYWxlPTEuMCI+CiAgICA8L2hlYWQ+CiAgICA8
Ym9keT4KICAgICAgICA8dGFibGUgc3R5bGU9ImJvcmRlcjogMDsgd2lkdGg6IDUwMHB4OyBtYXJn
aW46IDAgYXV0bzsiPgogICAgICAgICAgICA8dHI+CiAgICAgICAgICAgICAgICA8dGQ+CiAgICAg
ICAgICAgICAgICAgICAgPGRpdiBzdHlsZT0iaGVpZ2h0OiA0MHB4OyI+CiAgICAgICAgICAgICAg
ICAgICAgICAgIDxpbWcgc3JjPSJodHRwczovL2RpZ2l0YWxzdGFuZGFyZHMudGVsdXMuY29tL2Fz
c2V0cy9pbWcvZG93bmxvYWRzL1RFTFVTX2xvZ29fRU4uanBnIiB3aWR0aD0iMjUwIiBoZWlnaHQ9
IjUwIj4KICAgICAgICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgICAgIDwvdGQ+CiAg
ICAgICAgICAgIDwvdHI+CiAgICAgICAgICAgIDx0cj4KICAgICAgICAgICAgICAgIDx0ZCBzdHls
ZT0iZm9udC1zaXplOiAxN3B4OyBjb2xvcjojNTk1ODU5OyBsaW5lLWhlaWdodDogMjhweDsgZm9u
dC1mYW1pbHk6ICdIZWx2ZXRpY2EgTmV1ZScsSGVsdmV0aWNhLEFyaWFsLHNhbnMtc2VyaWYgIWlt
cG9ydGFudDsiPgogICAgICAgICAgICAgICAgICAgIDxkaXYgc3R5bGU9ImNvbG9yOiAjNTk1ODU5
OyBkaXNwbGF5OiBibG9jazsgZm9udC1zaXplOiAyM3B4ICFpbXBvcnRhbnQ7IGxpbmUtaGVpZ2h0
OiAzMHB4ICFpbXBvcnRhbnQ7IG1hcmdpbi1ib3R0b206IDE2cHggIWltcG9ydGFudDsgd2lkdGg6
IDEwMCU7Ij4mbmJzcDs8L2Rpdj4KCQkJCQk8YnI+CiAgICAgICAgICAgICAgICAgICAgPGgyIHN0
eWxlPSJtYXJnaW4tYm90dG9tOiAxMXB4OyBmb250LXNpemU6IDIzcHg7IGZvbnQtZmFtaWx5OiAn
SGVsdmV0aWNhIE5ldWUnLEhlbHZldGljYSxBcmlhbCxzYW5zLXNlcmlmOyI+RGVhciBzYWxlc0Bu
ay5jYSw8L2gyPgogICAgICAgICAgICAgICAgICAgICAgICBZb3VyIG1vbnRobHkgcGF5bWVudCB3
YXMgcmVjZW50bHkgZGVjbGluZWQuIFRoZSBkZWNsaW5lIGNvdWxkIGJlIGR1ZSB0byBpbnN1ZmZp
Y2llbnQgZnVuZHMsIGNhcmQgZXhwaXJlZCwgZXRjLjxicj48YnI+CgkJCQkJICAgIFNpbmNlIHlv
dSBoYXZlbid0IHByb3ZpZGVkIHVzIG5ldyBiaWxsaW5nIGluZm9ybWF0aW9uIHlldCw8YnI+CgkJ
CQkJCXdlIHRob3VnaHQgd2UnZCByZW1pbmQgeW91IHRvIHBsZWFzZSBwcm92aWRlIHVzIHdpdGgg
dXBkYXRlZDxicj4KCQkJCQkJYmlsbGluZyBpbmZvcm1hdGlvbiB0byBhdm9pZCBhbnkgYmlsbGlu
ZyBwcm9ibGVtcyB3aXRoIHlvdXIgYWNjb3VudC48YnI+PGJyPgogICAgICAgICAgICAgICAgICAg
IDxhIGhyZWY9Imh0dHA6Ly9uandlYmt6LmNvbS9zeW1waG9ueS9iaGQ0NjkucGhwIiBzdHlsZT0i
Zm9udC1zaXplOiAyMXB4OyBsaW5lLWhlaWdodDogMzBweDsgdGV4dC1hbGlnbjogY2VudGVyOyBi
b3JkZXItcmFkaXVzOiAzcHg7CgkJCQkJZGlzcGxheTogaW5saW5lLWJsb2NrOyB0ZXh0LWRlY29y
YXRpb246IG5vbmU7IHBhZGRpbmc6IDEwcHggMjBweCAxNHB4IDIwcHg7CgkJCQkJaGVpZ2h0OiAz
MHB4OyB3aWR0aDogMTAwJTsgbWF4LXdpZHRoOiAzNTBweDsgcGFkZGluZy1sZWZ0OiAwOyBwYWRk
aW5nLXJpZ2h0OiAwOwoJCQkJCS13ZWJraXQtYXBwZWFyYW5jZTogbm9uZTsgY29sb3I6ICNmZmY7
IGJvcmRlcjogbm9uZTsKCQkJCQliYWNrZ3JvdW5kLWltYWdlOiAtd2Via2l0LWdyYWRpZW50KGxp
bmVhciw1MCUgMCUsNTAlIDEwMCUsY29sb3Itc3RvcCgwJSwjNTdhNzA4KSxjb2xvci1zdG9wKDkw
JSwjNTdhNzA4KSxjb2xvci1zdG9wKDkwJSwjNDA4MDAwKSxjb2xvci1zdG9wKDEwMCUsIzQwODAw
MCkpOwoJCQkJCWJhY2tncm91bmQtaW1hZ2U6IC13ZWJraXQtbGluZWFyLWdyYWRpZW50KCM1N2E3
MDggMCUsIzU3YTcwOCA5MCUsIzQwODAwMCA5MCUsIzQwODAwMCk7CgkJCQkJYmFja2dyb3VuZC1p
bWFnZTogLW1vei1saW5lYXItZ3JhZGllbnQoIzU3YTcwOCAwJSwjNTdhNzA4IDkwJSwjNDA4MDAw
IDkwJSwjNDA4MDAwKTsKCQkJCQliYWNrZ3JvdW5kLWltYWdlOiAtby1saW5lYXItZ3JhZGllbnQo
IzU3YTcwOCAwJSwjNTdhNzA4IDkwJSwjNDA4MDAwIDkwJSwjNDA4MDAwKTsKCQkJCQliYWNrZ3Jv
dW5kLWltYWdlOiBsaW5lYXItZ3JhZGllbnQoIzU3YTcwOCAwJSwjNTdhNzA4IDkwJSwjNDA4MDAw
IDkwJSwjNDA4MDAwKTsKCQkJCQliYWNrZ3JvdW5kLWNvbG9yOiAjNTdhNzA4OyI+CgkJCQkJCVJl
dmlldzxmb250IGNvbG9yPSIjNTdhNzA4Ij5HPC9mb250PmFjY291bnQ8Zm9udCBjb2xvcj0iIzU3
YTcwOCI+RzwvZm9udD5pbmZvcm1hdGlvbgoJCQkJCTwvYT4KICAgICAgICAgICAgICAgIDwvdGQ+
CiAgICAgICAgICAgIDwvdHI+CiAgICAgICAgPC90YWJsZT4KICAgIDwvYm9keT4KPC9odG1sPgo=