Cosmetic brushes spam from Google

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Sat, 07 May 2022 06:57:02 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))

(envelope-from )

id 1nnJyk-0001nw-3r

for dave@doctor.nl2k.ab.ca;

Sat, 07 May 2022 06:56:10 -0600

Resent-From: The Doctor

Resent-Date: Sat, 7 May 2022 06:56:10 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from [117.12.16.254] (port=49238 helo=ALT1.ASPMX.L.GOOGLE.COM)

by doctor.nl2k.ab.ca with esmtp (Exim 4.95 (FreeBSD))

(envelope-from )

id 1nnJro-0000ci-Fm

for root@nk.ca;

Sat, 07 May 2022 06:49:10 -0600

Date: Sat, 7 May 2022 20:53:37 +0800 (CST)

From: ym18333786356

Sender: nftnvifxav

To: root

Message-ID: <218711746.19996093.1651928017551@ALT1.ASPMX.L.GOOGLE.COM>

Subject: Re:OEM/ODM professional manufacturer of high-end cosmetic brushes

MIME-Version: 1.0

Content-Type: text/html; charset=UTF-8

Content-Transfer-Encoding: 7bit

X-Spam_score: 7.6

X-Spam_score_int: 76

X-Spam_bar: +++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Dear friends, I have developed several new mouth tubes and

hair styles with different shapes for makeup brush, which should be helpful

to improve your sales.Now the market is depressed, we must reduce the cost.

You [...]



Content analysis details: (7.6 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

0.6 HK_RANDOM_ENVFROM Envelope sender username looks random

0.3 FROM_LOCAL_HEX From: localpart has long hexadecimal sequence

0.0 FROM_LOCAL_DIGITS From: localpart has long digit sequence

0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different

0.9 SPF_FAIL SPF: sender does not match SPF record (fail)

[SPF failed: Please see http://www.openspf.org/Why?s=mfrom;id=nftnvifxav%40eureka.mo.us;ip=117.12.16.254;r=doctor.nl2k.ab.ca]

0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider

[ym18333786356[at]163.com]

0.0 HTML_MESSAGE BODY: HTML included in message

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

-0.0 T_SCC_BODY_TEXT_LINE No description available.

0.6 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag

1.3 RDNS_NONE Delivered to internal network by a host with no rDNS

0.2 FREEMAIL_FORGED_FROMDOMAIN 2nd level domains in From and EnvelopeFrom freemail headers are different

0.6 PDS_HP_HELO_NORDNS High profile HELO with no sender rDNS

0.0 SPOOFED_FREEMAIL_NO_RDNS From SPOOFED_FREEMAIL and no rDNS

1.9 SPOOFED_FREEMAIL No description available.

Subject: {SPAM?} Re:OEM/ODM professional manufacturer of high-end cosmetic brushes





Dear friends,

I have developed several new mouth tubes and hair styles with different shapes for makeup brush, which should be helpful to improve your sales.Now the market is depressed, we must reduce the cost. You can tell me the sample size requirements you care about or want to test and the order quantity of each batch. I will give you a quotation and make samples for free.




Beneficiary spam from Google

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Sat, 07 May 2022 06:52:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))

(envelope-from )

id 1nnJtx-0001Oj-B3

for dave@doctor.nl2k.ab.ca;

Sat, 07 May 2022 06:51:13 -0600

Resent-From: The Doctor

Resent-Date: Sat, 7 May 2022 06:51:13 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from mail-lj1-f195.google.com ([209.85.208.195]:40845)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_128_GCM_SHA256

(Exim 4.95 (FreeBSD))

(envelope-from )

id 1nnEKo-000Jke-OX

for doctor@doctor.nl2k.ab.ca;

Sat, 07 May 2022 00:54:43 -0600

Received: by mail-lj1-f195.google.com with SMTP id l19so11513710ljb.7

for ; Fri, 06 May 2022 23:54:14 -0700 (PDT)

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=gmail.com; s=20210112;

h=mime-version:reply-to:from:date:message-id:subject:to;


X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=1e100.net; s=20210112;

h=x-gm-message-state:mime-version:reply-to:from:date:message-id

:subject:to;


X-Received: by 2002:a2e:7206:0:b0:250:796b:12ed with SMTP id

n6-20020a2e7206000000b00250796b12edmr4250193ljc.499.1651906447991; Fri, 06

May 2022 23:54:07 -0700 (PDT)

MIME-Version: 1.0

Received: by 2002:a05:6504:641:0:0:0:0 with HTTP; Fri, 6 May 2022 23:54:07

-0700 (PDT)

Reply-To: Mrs_Bill.Chantal.Lawrence2022@europemail.com

From: MRS Chantal Lawrence

Date: Sat, 7 May 2022 09:54:07 +0300

Message-ID:

Subject: Dear Beneficiary

To: undisclosed-recipients:;

Content-Type: text/plain; charset="UTF-8"

Bcc: doctor@doctor.nl2k.ab.ca

X-Spam_score: 13.1

X-Spam_score_int: 131

X-Spam_bar: +++++++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Hello Dear You Have Been Compensated With The Sum Of 4.4 Million

Dollars In This United Nation the Payment Will Be Issued Into ATM Visa Card

and Sent To You From The Bank.You Can Send Me Your Whats app,And Your [...]





Content analysis details: (13.1 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

-0.2 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)

[209.85.208.195 listed in wl.mailspike.net]

0.6 HK_RANDOM_ENVFROM Envelope sender username looks random

1.0 HK_RANDOM_FROM From username looks random

-0.0 SPF_PASS SPF: sender matches SPF record

0.2 FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in digit

[mrs_bill.chantal.lawrence2022[at]europemail.com]

0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider

[konbfcx[at]gmail.com]

3.5 DEAR_BENEFICIARY BODY: Dear Beneficiary:

0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid

-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature

-0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain

-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain

-0.0 T_SCC_BODY_TEXT_LINE No description available.

1.5 HK_NAME_FM_MR_MRS No description available.

0.0 LOTS_OF_MONEY Huge... sums of money

1.0 FREEMAIL_REPLYTO Reply-To/From or Reply-To/body contain different freemails

3.5 UNDISC_FREEM Undisclosed recipients + freemail reply-to

0.3 MONEY_FREEMAIL_REPTO Lots of money from someone using free email?

1.9 UNDISC_MONEY Undisclosed recipients + money/fraud signs

Subject: {SPAM?} Dear Beneficiary



Hello Dear



You Have Been Compensated With The Sum Of 4.4 Million Dollars In This

United Nation the Payment Will Be Issued Into ATM Visa Card and Sent

To You

From The Bank.You Can Send Me Your Whats app,And Your Passport.



THANKS



Mrs Bill Chant Lawrence

oil filtration spam

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Fri, 06 May 2022 20:47:01 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))

(envelope-from )

id 1nnAST-0001v2-8q

for dave@doctor.nl2k.ab.ca;

Fri, 06 May 2022 20:46:13 -0600

Resent-From: The Doctor

Resent-Date: Fri, 6 May 2022 20:46:13 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from [123.145.203.112] (port=63521 helo=ALT3.ASPMX.L.GOOGLE.COM)

by doctor.nl2k.ab.ca with esmtp (Exim 4.95 (FreeBSD))

(envelope-from )

id 1nnARF-0001mA-2f

for sales@nk.ca;

Fri, 06 May 2022 20:45:04 -0600

Date: Sat, 7 May 2022 10:44:33 +0800 (CST)

From: lanhuan51018050

Sender: eetvsnmyv

To: sales

Message-ID: <1527568706.508963.1651891473262@ALT3.ASPMX.L.GOOGLE.COM>

Subject: Re: Oil Filtration & Tester Cooperation- FUOOTECH

MIME-Version: 1.0

Content-Type: text/html; charset=UTF-8

Content-Transfer-Encoding: quoted-printable

X-Spam_score: 7.4

X-Spam_score_int: 74

X-Spam_bar: +++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Dear sales, Good day! This is Kevin from FUOOTECH Oil Filtration

Group. We are the leading manufacturer and exporter of oil filtration machine,

oil tester, transformer evacuation system, dry air generator, transformer

test [...]



Content analysis details: (7.4 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL, https://senderscore.org/blacklistlookup/

[123.145.203.112 listed in bl.score.senderscore.com]

1.3 RCVD_IN_VALIDITY_RPBL RBL: Relay in Validity RPBL, https://senderscore.org/blocklistlookup/

0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different

0.9 SPF_FAIL SPF: sender does not match SPF record (fail)

[SPF failed: Please see http://www.openspf.org/Why?s=mfrom;id=eetvsnmyv%40cm-cascais.pt;ip=123.145.203.112;r=doctor.nl2k.ab.ca]

0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider

[lanhuan51018050[at]126.com]

0.0 HTML_MESSAGE BODY: HTML included in message

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

-0.0 T_SCC_BODY_TEXT_LINE No description available.

0.6 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag

1.3 RDNS_NONE Delivered to internal network by a host with no rDNS

0.2 FREEMAIL_FORGED_FROMDOMAIN 2nd level domains in From and EnvelopeFrom freemail headers are different

0.6 PDS_HP_HELO_NORDNS High profile HELO with no sender rDNS

0.0 SPOOFED_FREEMAIL_NO_RDNS From SPOOFED_FREEMAIL and no rDNS

Subject: {SPAM?} Re: Oil Filtration & Tester Cooperation- FUOOTECH



Dear sales,


Good day!

This is Kevin from FUOOTECH Oil Filtration Group. We are the leading manufacturer and exporter of oil filtration machine, oil tester, transformer evacuation system, dry air generator, transformer test machine, electrical testing equipment, etc... with over 18 years.

for any interests or need, welcome to contact us!

Thanks & best regards,

Kevin