Western union phish from Google Mail Gmail

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Mon, 29 Aug 2022 08:27:02 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))

(envelope-from )

id 1oSeob-000Fx1-9G

for dave@doctor.nl2k.ab.ca;

Mon, 29 Aug 2022 07:28:33 -0600

Resent-From: The Doctor

Resent-Date: Mon, 29 Aug 2022 07:28:33 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from mail-yw1-f171.google.com ([209.85.128.171]:46809)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_128_GCM_SHA256

(Exim 4.95 (FreeBSD))

(envelope-from )

id 1oSc9k-0001UC-FC

for root@nk.ca;

Mon, 29 Aug 2022 04:38:17 -0600

Received: by mail-yw1-f171.google.com with SMTP id 00721157ae682-3413ad0640dso28750487b3.13

for ; Mon, 29 Aug 2022 03:37:55 -0700 (PDT)

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=gmail.com; s=20210112;

h=content-transfer-encoding:to:subject:message-id:date:from:reply-to

:mime-version:from:to:cc;

bh=PEmB3x6VdXcWnJW7B80xYuqe+o1lnmoF5m750WPXd4U=;

b=nYj9gBRWPgSOBAvmmyesuBlxqtBPzdEyJu7ZvcnruuLDKzC/csrkIALZe4z5WUO5z6

sr+Ruck9S6trg4HK0LFDm+gU6JHg3Ei9/HVZ/upSDOFCnz/GIZe5MC0vH4RMw3AFDa+A

tIeynFPNF+OenzHFHzKOqwbLIkcvGJZlfss0xkuJuCCzUCA+zEvNy8b7a4I1rq0p9flF

tHUgaRlDiHy82rCM7XIB4T6znRKQco3Jnr6pPk12sNYvuUefNTWJBiybWOe0G9iQ2SYf

U5Feer3SkreBT3zVqtZearaKGSBLCJgrZvpBanKPLXssOY32lFp1F92FGUXufcyHXA0I

dQXA==

X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=1e100.net; s=20210112;

h=content-transfer-encoding:to:subject:message-id:date:from:reply-to

:mime-version:x-gm-message-state:from:to:cc;

bh=PEmB3x6VdXcWnJW7B80xYuqe+o1lnmoF5m750WPXd4U=;

b=7ypbdQ8ggeNqIP1PajWd9XMTRql7Mwx+ECQmGdeXWirt9ARQkR/3XfkCAjpyP/UqS1

+rL84SeYkDMHQKYcrqv/rP2yMbYSSfEGVk3VzbJMNzpglg3QQoLWpa0r+eiMliVaN2vs

bWqB0hZ2xJb1jdHyrqwqUOVrLpjFBqfCGyAKY1TyHwW1jurohdHxKf1UnXIPxhvBt0KC

XNsUwmy0pmSRfsZNPMhb/Yvg+juOm7Vy563jhWOqLJKzr0KIaMRyU2b1ZYgNaD6Ak6gT

KLILtrD5e488k31JMIeYmlG4Jjv0sz1423ulFLsR+d+CXc2HlTYvo7xz4WQ7WCKTLi9v

KpZQ==

X-Gm-Message-State: ACgBeo1vWWbyoR3sjTeItue6qdhagBmVEZWyFZgjSdim8WgK/VuhPajY

gRrblJSqo1gYgDoQe7hnB3djU6uASJyjHi4nUlg=

X-Google-Smtp-Source: AA6agR7U4DY0i7U3U95CetGH/RXGLyT8COaJfa5ZjPuNQe/tGOTCAw7SfOqzxe7O3dDJlfvLTSpsJJzMy8lVDvxqq44=

X-Received: by 2002:a25:eb0d:0:b0:696:436e:c833 with SMTP id

d13-20020a25eb0d000000b00696436ec833mr7262617ybs.574.1661769469214; Mon, 29

Aug 2022 03:37:49 -0700 (PDT)

MIME-Version: 1.0

Received: by 2002:a05:7010:4848:b0:2ef:b4be:b855 with HTTP; Mon, 29 Aug 2022

03:37:48 -0700 (PDT)

Reply-To: wesernunion.179@yahoo.com

From: Western Union Money Transfer

Date: Mon, 29 Aug 2022 03:37:48 -0700

Message-ID:

Subject: Available Money To Pick Up

To: undisclosed-recipients:;

Content-Type: text/plain; charset="UTF-8"

Content-Transfer-Encoding: quoted-printable

Bcc: root@nk.ca

X-Spam_score: 21.0

X-Spam_score_int: 210

X-Spam_bar: +++++++++++++++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Attention E-mail Address Owner: Sequel to the first edition

2022 meeting held yesterday with Federal Bureau of Investigation, The International

Monetary Fund (IMF) is compensating all the scam victims and your email address

was foun [...]



Content analysis details: (21.0 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was

blocked. See

http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block

for more information.

[URIs: westernunion.com]

-0.2 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)

[209.85.128.171 listed in wl.mailspike.net]

0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail

provider

[africateam397[at]gmail.com]

0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends

in digit

[africateam397[at]gmail.com]

0.2 FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in

digit

[wesernunion.179[at]yahoo.com]

-0.0 SPF_PASS SPF: sender matches SPF record

1.5 HK_SCAM_N8 BODY: No description available.

2.5 US_DOLLARS_3 BODY: Mentions millions of $ ($NN,NNN,NNN.NN)

0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid

0.0 HK_SCAM No description available.

0.0 LOTS_OF_MONEY Huge... sums of money

-0.0 T_SCC_BODY_TEXT_LINE No description available.

1.0 FREEMAIL_REPLYTO Reply-To/From or Reply-To/body contain

different freemails

3.2 UNDISC_FREEM Undisclosed recipients + freemail reply-to

1.7 MONEY_FREEMAIL_REPTO Lots of money from someone using free

email?

0.0 FILL_THIS_FORM Fill in a form with personal information

2.2 FILL_THIS_FORM_LOAN Answer loan question(s)

0.0 T_FILL_THIS_FORM_LOAN Answer loan question(s)

0.0 MONEY_FORM Lots of money if you fill out a form

0.4 FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s)

0.0 T_FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s)

2.8 UNDISC_MONEY Undisclosed recipients + money/fraud signs

2.3 ADVANCE_FEE_3_NEW_FRM_MNY Advance Fee fraud form and lots of

money

3.1 MONEY_FRAUD_3 Lots of money and several fraud phrases

Subject: {SPAM?} Available Money To Pick Up



Attention E-mail Address Owner:



Sequel to the first edition 2022 meeting held yesterday with Federal

Bureau of Investigation, The International Monetary Fund (IMF) is

compensating all the scam victims and your email address was found in

the scam victims list and selected to be compensated. This Western

Union office has been mandated by the IMF to transfer your

compensation to you via Western Union Money Transfer.



However, we have concluded to effect your payment through Western Union

Money Transfer, $3,500,00. twice per day until your total sum of $3.500,000=

.00.

is completely transferred to you. We have made your first payment this morn=

ing

but you can't pick it because your payment file need to activate and renewe=

d

before you could pick up the payment today and it will cost you $75. only t=

o

activate and renewed your payment file.



THIS IS YOUR FIRST PAYMENT INFORMATION; visit Western Union Website on.



https://www.westernunion.com/global-service/track-transfer

[https://www.westernunion.com/global-service/track-transfer]



MTCN: 770-413-6000.

SENDERS NAME: PETER MOORE

SENDERS COUNTRY: BENIN REPUBLIC

TEXT QUESTION: IN GOD

TEXT ANS: WE TRUST

AMOUNT: $3,500.00



Note that your payment files will be returned to the IMF within 72 hours if

we did not hear from you, this was the instruction given to us by the IMF.



Send the $75. with this information below.



Receiver Name =3D=3D=3D=3D DANIEL CHRISTIAN

Country =3D=3D=3D=3D Benin Republic

City =3D=3D=3D=3D Cotonou

Test Question =3D=3D=3D=3D=3D When

Answer =3D=3D=3D Now

Amount =3D=3D=3D=3D $75



SINCERELY,

MR. ROBERT SMITH

Telephone: +229-60333897

Western Union=C2=AE Money Transfer,

Head Office Benin Republic