More Fake Canada Post Spam from Amazon
Posted by Dave Yadallee on
Return-path:
Envelope-to: dave@doctor.nl2k.ab.ca
Delivery-date: Tue, 26 Apr 2022 07:07:01 -0600
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))
(envelope-from)
id 1njKtG-0003Da-3v
for dave@doctor.nl2k.ab.ca;
Tue, 26 Apr 2022 07:06:02 -0600
Resent-From: The Doctor
Resent-Date: Tue, 26 Apr 2022 07:06:02 -0600
Resent-Message-ID:
Resent-To: Dave Yadallee
Received: from ec2-35-72-201-243.ap-northeast-1.compute.amazonaws.com ([35.72.201.243]:44900 helo=multiweb.sdpi)
by doctor.nl2k.ab.ca with esmtp (Exim 4.95 (FreeBSD))
(envelope-from)
id 1njH8Y-0009Da-LV
for doctor@doctor.nl2k.ab.ca;
Tue, 26 Apr 2022 03:05:40 -0600
Received: by multiweb.sdpi (Postfix, from userid 48)
id D2FA31B6D32B; Tue, 26 Apr 2022 17:56:45 +0900 (JST)
To: doctor@doctor.nl2k.ab.ca
Subject: =?UTF-8?B?VGhhbmtzIGZvciB1c2luZyBESExFeHByZXNz?=
X-PHP-Originating-Script: 48:Mailer8768790324SQDSQDSSQDSSQDSQDDSQDSQDSD.php
From: =?UTF-8?B?REhMRXhwcmVzcyBQb3N0?=
MIME-Version: 1.0;
Content-type: multipart/mixed; boundary="--VAPU3YEumj"
Message-Id: <20220426085645.D2FA31B6D32B@multiweb.sdpi>
Date: Tue, 26 Apr 2022 17:56:45 +0900 (JST)
X-Spam_score: 9.8
X-Spam_score_int: 98
X-Spam_bar: +++++++++
X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
@@CONTACT_ADDRESS@@ for details.
Content preview: Hello, Your package N [54246452-AV] is waiting for delivery.
Please confirm the payment (1,65 CAD) on the link below, the online verification
needs to be done in the next 14 days before it expires.​
Content analysis details: (9.8 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.4 NO_DNS_FOR_FROM DNS: Envelope sender has no MX or A DNS records
1.3 RCVD_IN_VALIDITY_RPBL RBL: Relay in Validity RPBL,
https://senderscore.org/blocklistlookup/
[35.72.201.243 listed in bl.score.senderscore.com]
1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,
https://senderscore.org/blacklistlookup/
0.8 DKIM_ADSP_NXDOMAIN No valid author signature and domain not in
DNS
2.0 PDS_OTHER_BAD_TLD Untrustworthy TLDs
[URI: ceshi.banhui.xyz (xyz)]
0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
mail domains are different
0.0 T_TVD_MIME_NO_HEADERS BODY: No description available.
0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or
identical to background
0.0 HTML_MESSAGE BODY: HTML included in message
0.0 URI_TRY_3LD URI: "Try it" URI, suspicious hostname
-0.0 T_SCC_BODY_TEXT_LINE No description available.
0.4 RDNS_DYNAMIC Delivered to internal network by host with
dynamic-looking rDNS
0.1 FROM_EXCESS_BASE64 From: base64 encoded unnecessarily
3.3 BOGUS_MIME_VERSION Mime version header is bogus
0.0 PDS_RDNS_DYNAMIC_FP RDNS_DYNAMIC with FP steps
0.3 KHOP_HELO_FCRDNS Relay HELO differs from its IP's reverse DNS
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
blocked. See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: banhui.xyz]
Subject: {SPAM?} =?UTF-8?B?VGhhbmtzIGZvciB1c2luZyBESExFeHByZXNz?=
----VAPU3YEumj
Content-type: text/html; charset="utf-8"
Content-Transfer-Encoding: 8bit
----VAPU3YEumj
Envelope-to: dave@doctor.nl2k.ab.ca
Delivery-date: Tue, 26 Apr 2022 07:07:01 -0600
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))
(envelope-from
id 1njKtG-0003Da-3v
for dave@doctor.nl2k.ab.ca;
Tue, 26 Apr 2022 07:06:02 -0600
Resent-From: The Doctor
Resent-Date: Tue, 26 Apr 2022 07:06:02 -0600
Resent-Message-ID:
Resent-To: Dave Yadallee
Received: from ec2-35-72-201-243.ap-northeast-1.compute.amazonaws.com ([35.72.201.243]:44900 helo=multiweb.sdpi)
by doctor.nl2k.ab.ca with esmtp (Exim 4.95 (FreeBSD))
(envelope-from
id 1njH8Y-0009Da-LV
for doctor@doctor.nl2k.ab.ca;
Tue, 26 Apr 2022 03:05:40 -0600
Received: by multiweb.sdpi (Postfix, from userid 48)
id D2FA31B6D32B; Tue, 26 Apr 2022 17:56:45 +0900 (JST)
To: doctor@doctor.nl2k.ab.ca
Subject: =?UTF-8?B?VGhhbmtzIGZvciB1c2luZyBESExFeHByZXNz?=
X-PHP-Originating-Script: 48:Mailer8768790324SQDSQDSSQDSSQDSQDDSQDSQDSD.php
From: =?UTF-8?B?REhMRXhwcmVzcyBQb3N0?=
MIME-Version: 1.0;
Content-type: multipart/mixed; boundary="--VAPU3YEumj"
Message-Id: <20220426085645.D2FA31B6D32B@multiweb.sdpi>
Date: Tue, 26 Apr 2022 17:56:45 +0900 (JST)
X-Spam_score: 9.8
X-Spam_score_int: 98
X-Spam_bar: +++++++++
X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
@@CONTACT_ADDRESS@@ for details.
Content preview: Hello, Your package N [54246452-AV] is waiting for delivery.
Please confirm the payment (1,65 CAD) on the link below, the online verification
needs to be done in the next 14 days before it expires.​
Content analysis details: (9.8 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.4 NO_DNS_FOR_FROM DNS: Envelope sender has no MX or A DNS records
1.3 RCVD_IN_VALIDITY_RPBL RBL: Relay in Validity RPBL,
https://senderscore.org/blocklistlookup/
[35.72.201.243 listed in bl.score.senderscore.com]
1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,
https://senderscore.org/blacklistlookup/
0.8 DKIM_ADSP_NXDOMAIN No valid author signature and domain not in
DNS
2.0 PDS_OTHER_BAD_TLD Untrustworthy TLDs
[URI: ceshi.banhui.xyz (xyz)]
0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
mail domains are different
0.0 T_TVD_MIME_NO_HEADERS BODY: No description available.
0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or
identical to background
0.0 HTML_MESSAGE BODY: HTML included in message
0.0 URI_TRY_3LD URI: "Try it" URI, suspicious hostname
-0.0 T_SCC_BODY_TEXT_LINE No description available.
0.4 RDNS_DYNAMIC Delivered to internal network by host with
dynamic-looking rDNS
0.1 FROM_EXCESS_BASE64 From: base64 encoded unnecessarily
3.3 BOGUS_MIME_VERSION Mime version header is bogus
0.0 PDS_RDNS_DYNAMIC_FP RDNS_DYNAMIC with FP steps
0.3 KHOP_HELO_FCRDNS Relay HELO differs from its IP's reverse DNS
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
blocked. See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: banhui.xyz]
Subject: {SPAM?} =?UTF-8?B?VGhhbmtzIGZvciB1c2luZyBESExFeHByZXNz?=
----VAPU3YEumj
Content-type: text/html; charset="utf-8"
Content-Transfer-Encoding: 8bit
Hello,
Your package N [54246452-AV] is waiting for delivery.
Please confirm the payment
t face="sans-serif, Arial, Verdana, Trebuchet MS" style="box-sizing: border-box; line-height: 1.4em;">(1,65 CAD) on the link below, the online verification needs to be done in the next 14 days before it expires.​
AN SMS VERIFICATION WILL BE REQUESTED. IN ORDER TO ENSURE YOUR IDENTITY.
2022 @ DHL International GmbH. All rights reserved.
----VAPU3YEumj