USPS Phish from 36.92.48.205 PT Telekomunikasi Indonesia

Return-path:
Envelope-to: dave@doctor.nl2k.ab.ca
Delivery-date: Wed, 09 Nov 2022 16:19:00 -0700
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))
    (envelope-from )
    id 1osuKd-000Ej7-9D
    for dave@doctor.nl2k.ab.ca;
    Wed, 09 Nov 2022 16:18:07 -0700
Resent-From: The Doctor
Resent-Date: Wed, 9 Nov 2022 16:18:07 -0700
Resent-Message-ID:
Resent-To: Dave Yadallee
Received: from [36.92.48.205] (port=50244 helo=mail.pntanjung.com)
    by doctor.nl2k.ab.ca with esmtp (Exim 4.95 (FreeBSD))
    (envelope-from )
    id 1osoMz-000OA3-5R
    for root@nk.ca;
    Wed, 09 Nov 2022 09:56:15 -0700
Received: by mail.pntanjung.com (Postfix, from userid 48)
    id 9513438234581; Wed, 9 Nov 2022 23:42:21 +0700 (WIB)
To: root@nk.ca
Subject: Your Package Number LZ213465621CN Is On Hold.
X-PHP-Originating-Script: 48:salam.php
Date: Thu, 10 Nov 2022 00:42:21 +0800
From: "U.S Postal Service."
Message-ID: <5036b7ede5c67d7399f95e09aa5cea43@sipembayar.pntanjung.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="b1_5036b7ede5c67d7399f95e09aa5cea43"
Content-Transfer-Encoding: 8bit
X-Spam_score: 9.0
X-Spam_score_int: 90
X-Spam_bar: +++++++++
X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",
    has identified this incoming email as possible spam. The original
    message has been attached to this so you can view it or label
    similar future email. If you have any questions, see
    @@CONTACT_ADDRESS@@ for details.
    Content preview: Dear Customer, Your package is waiting for delivery. Confirm
    payment of 3.00 USD in the following link, verification must be done online
    in the next 3 days before it expires.Fees to pay : 3.00 USD.Date : 09/11/2022.
    Content analysis details: (9.0 points, 5.0 required)
     pts rule name              description
    ---- ---------------------- --------------------------------------------------
     1.3 RCVD_IN_RP_RNBL        RBL: Relay in RNBL,
                                https://senderscore.org/blacklistlookup/
                                [36.92.48.205 listed in bl.score.senderscore.com]
     1.3 RCVD_IN_VALIDITY_RPBL  RBL: Relay in Validity RPBL,
                                https://senderscore.org/blocklistlookup/
     2.0 PDS_OTHER_BAD_TLD      Untrustworthy TLDs
                                [URI: usd.date (date)]
     0.0 HTML_MESSAGE           BODY: HTML included in message
     0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or
                                identical to background
     0.7 HTML_IMAGE_ONLY_20     BODY: HTML: images with 1600-2000 bytes of
                                words
     1.3 RDNS_NONE              Delivered to internal network by a host with no rDNS
     2.5 NORDNS_LOW_CONTRAST    No rDNS + hidden text
Subject: {SPAM?} Your Package Number LZ213465621CN Is On Hold.



This is a multi-part message in MIME format.

--b1_5036b7ede5c67d7399f95e09aa5cea43
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Dear Customer,

Your package is waiting for delivery. Confirm payment of 3.00 USD in the following link, verification must be done online in the next 3 days before it expires.Fees to pay : 3.00 USD.Date : 09/11/2022.

Send my package

© 2022 Need help ? contact us at service-mail@usps.com

--b1_5036b7ede5c67d7399f95e09aa5cea43
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit

Dear Customer,

Your package is waiting for delivery. Confirm payment of 3.00 USD in the following link, verification must be done online in the next 3 days before it expires.

Fees to pay : 3.00 USD.

Date : 09/11/2022.
Send my package

© 2022 Need help ? contact us at service-mail@usps.com

--b1_5036b7ede5c67d7399f95e09aa5cea43--



webmail phish against nk.ca users

Return-path:
Envelope-to: dave@doctor.nl2k.ab.ca
Delivery-date: Wed, 09 Nov 2022 08:15:00 -0700
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))
    (envelope-from )
    id 1osmms-0008r7-0C
    for dave@doctor.nl2k.ab.ca;
    Wed, 09 Nov 2022 08:14:46 -0700
Resent-From: The Doctor
Resent-Date: Wed, 9 Nov 2022 08:14:45 -0700
Resent-Message-ID:
Resent-To: Dave Yadallee
Received: from mmdqpczb.plusboingo.com ([92.52.217.207]:39602)
    by doctor.nl2k.ab.ca with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    (Exim 4.95 (FreeBSD))
    (envelope-from )
    id 1osgBA-000PTV-Op
    for root@nk.ca;
    Wed, 09 Nov 2022 01:11:29 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dkim; d=plusboingo.com;
    h=From:To:Subject:Date:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding; i=info@plusboingo.com;
    bh=bqiLjJ2t/ynLcqYpsDMUiXIud1c=;


DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=dkim; d=plusboingo.com;


From: nk.ca Administrator
To: root@nk.ca
Subject: We have a new version for your webmail
Date: 09 Nov 2022 00:08:33 -0800
Message-ID: <20221109000833.62B5A70A9EF1C5E9@plusboingo.com>
MIME-Version: 1.0
Content-Type: text/html;
    charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Spam_score: 8.0
X-Spam_score_int: 80
X-Spam_bar: ++++++++
X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",
    has identified this incoming email as possible spam. The original
    message has been attached to this so you can view it or label
    similar future email. If you have any questions, see
    @@CONTACT_ADDRESS@@ for details.
    Content preview: Dear root We have a new version for your webmail. You need
    to validate your account in order to switch to the new version. Incoming
    messages will be placed on hold if your do not validate your webmail immediately.
    Content analysis details: (8.0 points, 5.0 required)
     pts rule name              description
    ---- ---------------------- --------------------------------------------------
     2.7 RCVD_IN_PSBL           RBL: Received via a relay in PSBL
                                [92.52.217.207 listed in psbl.surriel.com]
     1.3 RCVD_IN_RP_RNBL        RBL: Relay in RNBL,
                                https://senderscore.org/blacklistlookup/
                                [92.52.217.207 listed in bl.score.senderscore.com]
     1.3 RCVD_IN_VALIDITY_RPBL  RBL: Relay in Validity RPBL,
                                https://senderscore.org/blocklistlookup/
     1.6 RCVD_IN_BRBL_LASTEXT   RBL: No description available.
                                [92.52.217.207 listed in bb.barracudacentral.org]
    -0.0 T_RP_MATCHES_RCVD      Envelope sender domain matches handover relay
                                domain
    -0.0 SPF_PASS               SPF: sender matches SPF record
     0.0 HTML_MESSAGE           BODY: HTML included in message
     1.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
     0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or
                                identical to background
     0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid
Subject: {SPAM?} We have a new version for your webmail










Dear root

We have a new version for your webmail. You need to validate your account in order to switch to the new version.

Incoming messages will be placed on hold if your do not validate your webmail immediately.

VALIDATE (href="https://f3r0-f-kjw3r-f9nj-hw39rhnf-ndem-fc9wnhr-fefef.obs.ap-southeast-2.myhuaweicloud.com:443/f30r9jgfv-03wnhr-0gfvbw3r0-nvfg-0wreinb-wrefwed.html?AWSAccessKeyId=MQBACYQR6PMPLZ8WJWJH&Expires=1669054564&Signature=WpiCb1OR4flp2QRpHaVU5iZoNFg%3D#root@nk.ca")

NOTE: Admin will always keep you notified on recent webmail update for better optimized usage.

©2022 nk.ca Administrator Service. All Rights Reserved