Phish | Entries from Monday, September 19. 2022

NetKnow Corporate Blog

credential phish

credential phish

Archives

Categories

Syndicate This Blog

Blog Administration

Powered by

NetKnow Navigation

Remote RSS/OPML-Blogroll Feed

Error

addthis

Empire Avenue

Error

Error

Error

Syndicate This Blog

Error

Error

Error

Error

Error

Error

Error

Error

Error

Error

Error

Error

Error

Error

Error

Posted by Dave Yadallee on Monday, September 19. 2022

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Mon, 19 Sep 2022 07:12:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))

(envelope-from )

id 1oaGYP-000LQT-UM

for dave@doctor.nl2k.ab.ca;

Mon, 19 Sep 2022 07:11:17 -0600

Resent-From: The Doctor

Resent-Date: Mon, 19 Sep 2022 07:11:17 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from mail0.gobaxte.com ([85.31.46.32]:38516)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384

(Exim 4.95 (FreeBSD))

(envelope-from )

id 1oaFAE-00089D-85

for doctor@nl2k.ab.ca;

Mon, 19 Sep 2022 05:42:18 -0600

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=default; d=gobaxte.com;

h=From:To:Subject:Date:Message-ID:MIME-Version:Content-Type:

Content-Transfer-Encoding; i=contatti@gobaxte.com;

bh=JlGpXpFdiHpnn5klaXE8kPNhkkiEqz34o1yPJ+sjDBs=;

b=GdzAROf6xTKvdLQPld7ImFbbhyFIq1dBmgF7l63HTzcV55rsU7PaetYb6u2FanMAUSw2o2GYckVZ

nO4zBOcPuR1UO8BwHSqQ865/9+LuUhN/z9uMRIZGAX/dfTUjElGBX+2bxTMhhqbJXxQ7mWBVSbp7

oydF4Y0RWsBcNmLi128=

From: Email Serverinfo

To: doctor@nl2k.ab.ca

Subject: doctor@nl2k.ab.ca Urgent: Emails Waiting on Server

Date: 19 Sep 2022 04:26:06 -0700

Message-ID: <20220919042606.E4B3ADF925A0BE49@gobaxte.com>

MIME-Version: 1.0

Content-Type: text/html;

charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

X-Spam_score: 9.5

X-Spam_score_int: 95

X-Spam_bar: +++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.

Content preview: Dear doctor You have some messages waiting on your server.

Please VERIFY YOURSELF doctor@nl2k.ab.ca Use the following account to access

standby messages.

Content analysis details: (9.5 points, 5.0 required)

pts rule name description

---- ---------------------- --------------------------------------------------

1.7 URIBL_BLACK Contains an URL listed in the URIBL blacklist

[URIs: gobaxte.com]

1.5 NIX_SPAM RBL: Listed in NIX_SPAM DNSBL (thanks to heise.de)

[85.31.46.32 listed in ix.dnsbl.manitu.net]

-0.0 SPF_PASS SPF: sender matches SPF record

-0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay

domain

0.0 HTML_MESSAGE BODY: HTML included in message

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

-0.0 T_SCC_BODY_TEXT_LINE No description available.

0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid

2.2 GOOG_STO_EMAIL_PHISH Possible phishing with google hosted

content URI having email address

3.0 GOOG_STO_NOIMG_HTML Apparently using google content hosting to

avoid URIBL

Subject: {SPAM?} doctor@nl2k.ab.ca Urgent: Emails Waiting on Server

Dear doctor

You have some messages waiting on your server.<=

/P>

Please VERIFY YOURSELF doctor@nl2k.ab.ca Use the following accoun=

t to access standby messages.

Activation expires after 12 hours 9/19=

/2022 4:26:06 a.m. and your domain name nl2k.ab.ca will be =

blocked

E>

Registration Team.

arent" border=3D"0">

wbsh.appspot.com/o/BGFtkkuhy.html?alt=3Dmedia&token=3D0de3ab42-1ab5-48f=

f-adc3-a34f435978f8#doctor@nl2k.ab.ca" rel=3Dnoreferrer target=3D_blank>VER=

IFY ACCOUNT HERE

September '22