Western Union phish from Google Mail Gmail
Posted by Dave Yadallee on
Return-path:
Envelope-to: dave@doctor.nl2k.ab.ca
Delivery-date: Mon, 29 Aug 2022 08:27:02 -0600
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))
    (envelope-from)
    id 1oSeob-000Fx1-9G
    for dave@doctor.nl2k.ab.ca;
    Mon, 29 Aug 2022 07:28:33 -0600
Resent-From: The Doctor
Resent-Date: Mon, 29 Aug 2022 07:28:33 -0600
Resent-Message-ID:
Resent-To: Dave Yadallee
Received: from mail-yw1-f171.google.com ([209.85.128.171]:46809)
    by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_128_GCM_SHA256
    (Exim 4.95 (FreeBSD))
    (envelope-from)
    id 1oSc9k-0001UC-FC
    for root@nk.ca;
    Mon, 29 Aug 2022 04:38:17 -0600
Received: by mail-yw1-f171.google.com with SMTP id 00721157ae682-3413ad0640dso28750487b3.13
    for; Mon, 29 Aug 2022 03:37:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=gmail.com; s=20210112;
    h=content-transfer-encoding:to:subject:message-id:date:from:reply-to
    :mime-version:from:to:cc;
    bh=PEmB3x6VdXcWnJW7B80xYuqe+o1lnmoF5m750WPXd4U=;
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=1e100.net; s=20210112;
    h=content-transfer-encoding:to:subject:message-id:date:from:reply-to
    :mime-version:x-gm-message-state:from:to:cc;
    bh=PEmB3x6VdXcWnJW7B80xYuqe+o1lnmoF5m750WPXd4U=;
X-Gm-Message-State: ACgBeo1vWWbyoR3sjTeItue6qdhagBmVEZWyFZgjSdim8WgK/VuhPajY
    gRrblJSqo1gYgDoQe7hnB3djU6uASJyjHi4nUlg=
X-Google-Smtp-Source: AA6agR7U4DY0i7U3U95CetGH/RXGLyT8COaJfa5ZjPuNQe/tGOTCAw7SfOqzxe7O3dDJlfvLTSpsJJzMy8lVDvxqq44=
X-Received: by 2002:a25:eb0d:0:b0:696:436e:c833 with SMTP id
    d13-20020a25eb0d000000b00696436ec833mr7262617ybs.574.1661769469214; Mon, 29
    Aug 2022 03:37:49 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a05:7010:4848:b0:2ef:b4be:b855 with HTTP; Mon, 29 Aug 2022
    03:37:48 -0700 (PDT)
Reply-To: wesernunion.179@yahoo.com
From: Western Union Money Transfer
Date: Mon, 29 Aug 2022 03:37:48 -0700
Message-ID:
Subject: Available Money To Pick Up
To: undisclosed-recipients:;
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Bcc: root@nk.ca
X-Spam_score: 21.0
X-Spam_score_int: 210
X-Spam_bar: +++++++++++++++++++++
X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
@@CONTACT_ADDRESS@@ for details.
Content preview: Attention E-mail Address Owner: Sequel to the first edition
2022 meeting held yesterday with Federal Bureau of Investigation, The International
Monetary Fund (IMF) is compensating all the scam victims and your email address
was foun [...]
Content analysis details: (21.0 points, 5.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was
                            blocked. See
                            http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                            for more information.
                            [URIs: westernunion.com]
-0.2 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
                            [209.85.128.171 listed in wl.mailspike.net]
 0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail
                            provider
                            [africateam397[at]gmail.com]
 0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends
                            in digit
                            [africateam397[at]gmail.com]
 0.2 FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in
                            digit
                            [wesernunion.179[at]yahoo.com]
-0.0 SPF_PASS               SPF: sender matches SPF record
 1.5 HK_SCAM_N8             BODY: No description available.
 2.5 US_DOLLARS_3           BODY: Mentions millions of $ ($NN,NNN,NNN.NN)
 0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid
 0.0 HK_SCAM                No description available.
 0.0 LOTS_OF_MONEY          Huge... sums of money
-0.0 T_SCC_BODY_TEXT_LINE   No description available.
 1.0 FREEMAIL_REPLYTO       Reply-To/From or Reply-To/body contain
                            different freemails
 3.2 UNDISC_FREEM           Undisclosed recipients + freemail reply-to
 1.7 MONEY_FREEMAIL_REPTO   Lots of money from someone using free
                            email?
 0.0 FILL_THIS_FORM         Fill in a form with personal information
 2.2 FILL_THIS_FORM_LOAN    Answer loan question(s)
 0.0 T_FILL_THIS_FORM_LOAN  Answer loan question(s)
 0.0 MONEY_FORM             Lots of money if you fill out a form
 0.4 FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s)
 0.0 T_FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s)
 2.8 UNDISC_MONEY           Undisclosed recipients + money/fraud signs
 2.3 ADVANCE_FEE_3_NEW_FRM_MNY Advance Fee fraud form and lots of
                            money
 3.1 MONEY_FRAUD_3          Lots of money and several fraud phrases
Subject: {SPAM?} Available Money To Pick Up
Attention E-mail Address Owner:
Sequel to the first edition 2022 meeting held yesterday with Federal
Bureau of Investigation, The International Monetary Fund (IMF) is
compensating all the scam victims and your email address was found in
the scam victims list and selected to be compensated. This Western
Union office has been mandated by the IMF to transfer your
compensation to you via Western Union Money Transfer.
However, we have concluded to effect your payment through Western Union
Money Transfer, $3,500,00. twice per day until your total sum of $3.500,000.00.
is completely transferred to you. We have made your first payment this morning
but you can't pick it because your payment file need to activate and renewed
before you could pick up the payment today and it will cost you $75. only to
activate and renewed your payment file.
THIS IS YOUR FIRST PAYMENT INFORMATION; visit Western Union Website on.
https://www.westernunion.com/global-service/track-transfer
MTCN: 770-413-6000.
SENDERS NAME: PETER MOORE
SENDERS COUNTRY: BENIN REPUBLIC
TEXT QUESTION: IN GOD
TEXT ANS: WE TRUST
AMOUNT: $3,500.00
Note that your payment files will be returned to the IMF within 72 hours if
we did not hear from you, this was the instruction given to us by the IMF.
Send the $75. with this information below.
Receiver Name ==== DANIEL CHRISTIAN
Country ==== Benin Republic
City ==== Cotonou
Test Question ===== When
Answer === Now
Amount ==== $75
SINCERELY,
MR. ROBERT SMITH
Telephone: +229-60333897
Western Union® Money Transfer,
Head Office Benin Republic