Chinese payment spam

Return-path:
Envelope-to: dave@doctor.nl2k.ab.ca
Delivery-date: Mon, 02 May 2022 08:46:03 -0600
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))
    (envelope-from )
    id 1nlXHm-000PUJ-KF
    for dave@doctor.nl2k.ab.ca;
    Mon, 02 May 2022 08:44:26 -0600
Resent-From: The Doctor
Resent-Date: Mon, 2 May 2022 08:44:26 -0600
Resent-Message-ID:
Resent-To: Dave Yadallee
Received: from 211-75-132-13.hinet-ip.hinet.net ([211.75.132.13]:47422 helo=mail.yesee.com.tw)
    by doctor.nl2k.ab.ca with esmtp (Exim 4.95 (FreeBSD))
    (envelope-from )
    id 1nlXGc-000PPY-Hb
    for root@doctor.nl2k.ab.ca;
    Mon, 02 May 2022 08:43:20 -0600
Received: from User (unknown [175.195.28.237])
    by mail.yesee.com.tw (Postfix) with ESMTPA id 95DA020E9AC;
    Mon, 2 May 2022 22:41:46 +0800 (CST)
Reply-To:
From: "NOTIFICATION OF PAYMENT"
Subject: FUND TRANSFER
Date: Mon, 2 May 2022 23:39:52 -1200
MIME-Version: 1.0
Content-Type: text/html;
    charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Spam_score: 21.7
X-Spam_score_int: 217
X-Spam_bar: +++++++++++++++++++++
X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",
    has identified this incoming email as possible spam. The original
    message has been attached to this so you can view it or label
    similar future email. If you have any questions, see
    @@CONTACT_ADDRESS@@ for details.

    Content preview: DEPARTMENT OF THE TREASURY 1500 Pennsylvania Avenue, NW Washington,
    D.C. 20220 Attention: Sir/Madam,

    Content analysis details: (21.7 points, 5.0 required)

    pts  rule name                     description
    ---- ----------------------------- --------------------------------------------------
    0.0  TVD_RCVD_IP                   Message was received from an IP address
    0.0  NSL_RCVD_FROM_USER            Received from User
    0.0  FSL_CTYPE_WIN1251             Content-Type only seen in 419 spam
    1.2  MISSING_HEADERS               Missing To: header
    1.6  SUBJ_ALL_CAPS                 Subject is all capitals
    2.5  DATE_IN_FUTURE_12_24          Date: is 12 to 24 hours after Received: date
    0.9  SPF_FAIL                      SPF: sender does not match SPF record (fail)
         [SPF failed: Please see http://www.openspf.org/Why?s=mfrom;id=info%40un.org;ip=211.75.132.13;r=doctor.nl2k.ab.ca]
    0.0  HTML_MESSAGE                  BODY: HTML included in message
    1.1  MIME_HTML_ONLY                BODY: Message only has text/html MIME parts
    0.0  AXB_XMAILER_MIMEOLE_OL_024C2  Yet another X header trait
    0.4  RDNS_DYNAMIC                  Delivered to internal network by host with dynamic-looking rDNS
    1.0  FROM_MISSP_SPF_FAIL           No description available.
    0.1  MISSING_MID                   Missing Message-Id: header
    0.6  FSL_NEW_HELO_USER             Spam's using Helo and User
    0.0  LOTS_OF_MONEY                 Huge... sums of money
    0.0  FORGED_OUTLOOK_HTML           Outlook can't send HTML message only
    1.9  REPLYTO_WITHOUT_TO_CC         No description available.
    0.0  FROM_MISSP_XPRIO              Misspaced FROM + X-Priority
    0.0  FROM_MISSP_USER               From misspaced, from "User"
    0.0  FROM_MISSP_MSFT               From misspaced + supposed Microsoft tool
    0.6  FORGED_OUTLOOK_TAGS           Outlook can't send HTML in this format
    1.7  FROM_MISSP_DYNIP              From misspaced + dynamic rDNS
    0.0  MONEY_FROM_MISSP              Lots of money and misspaced From
    0.0  FROM_MISSPACED                From: missing whitespace
    0.0  FROM_MISSP_REPLYTO            From misspaced, has Reply-To
    0.7  TO_NO_BRKTS_FROM_MSSP         Multiple formatting errors
    0.0  T_FROM_MISSP_DKIM             From misspaced, DKIM dependable
    0.0  KHOP_HELO_FCRDNS              Relay HELO differs from its IP's reverse DNS
    2.8  FORGED_MUA_OUTLOOK            Forged mail pretending to be from MS Outlook
    0.3  FROM_MISSP_EH_MATCH           From misspaced, matches envelope
    2.5  TO_NO_BRKTS_MSFT              To: misformatted and supposed Microsoft tool
    0.0  T_FILL_THIS_FORM_SHORT        Fill in a short form with personal information
    0.4  FILL_THIS_FORM_FRAUD_PHISH    Answer suspicious question(s)
    0.0  T_FILL_THIS_FORM_FRAUD_PHISH  Answer suspicious question(s)
    1.3  MONEY_FORM_SHORT              Lots of money if you fill out a short form
Subject: {SPAM?} FUND TRANSFER

                              DEPARTMENT OF THE TREASURY

                  1500 Pennsylvania Avenue, NW Washington, D.C. 20220

Attention: Sir/Madam,

This is to inform you that World Bank and International Monetary Fund (IMF) has given us instructions to release your outstanding payment immediately you get back to me with your full details where you want your US20.5M transfer to.

Now Department Of The Treasury Direct-Account Washington DC is ready to release your fund immediately you get back to us with your full information including your bank account details list below:

1) Your full Name:
2) Your Full Address:
3) Phones, Fax and Mobile No:
4) Profession, Age and Marital Status:
5) Copy of any valid form of your Identification:
6) Your bank account details where you want Director of Telex and Wire Department to transfer your approved fund.

Meanwhile all legal documents will be release to you before your fund will be credit into your bank account.

Thanks for your maximum co-operation.

Mr. Richard Douglas
Director of Accountant Department Of The Treasury