Crypto phish violating the use of Elon Musk

Return-path:
Envelope-to: dave@doctor.nl2k.ab.ca
Delivery-date: Sun, 02 Apr 2023 15:05:06 -0600
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.96)
    (envelope-from )
    id 1pj4s3-000Eqb-2S
    for dave@doctor.nl2k.ab.ca;
    Sun, 02 Apr 2023 15:04:15 -0600
Resent-From: The Doctor
Resent-Date: Sun, 2 Apr 2023 15:04:15 -0600
Resent-Message-ID:
Resent-To: Dave Yadallee
Received: from relay.itanetbandalarga.com.br ([177.23.140.66]:50434)
    by doctor.nl2k.ab.ca with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    (Exim 4.96)
    (envelope-from )
    id 1pizM9-0000fE-0B
    for root@nk.ca;
    Sun, 02 Apr 2023 09:11:00 -0600
Received: from fixed-189-203-131-169.totalplay.net ([189.203.131.169] helo=[127.0.1.1])
    by relay.itanetbandalarga.com.br with esmtp (Exim 4.94.2)
    (envelope-from )
    id 1piyo8-000TEG-Qp; Sun, 02 Apr 2023 11:35:49 -0300
Content-Type: multipart/alternative; boundary="===============1481302113=="
MIME-Version: 1.0
Subject: Biggest Crypto Giveaway of 100M
To: recipients
From: Elon Musk
Date: Sun, 02 Apr 2023 08:35:45 -0600
X-Mailer: outlook
X-Spam_score: 7.8
X-Spam_score_int: 78
X-Spam_bar: +++++++
X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",
    has identified this incoming email as possible spam. The original
    message has been attached to this so you can view it or label
    similar future email. If you have any questions, see
    @@CONTACT_ADDRESS@@ for details.

    Content preview: SpaceX 2023 - All Rights Reserved Time-limited Offer SpaceX
    2023 - All Rights Reserved

    Content analysis details: (7.8 points, 5.0 required)

     pts rule name              description
    ---- ---------------------- --------------------------------------------------
     0.1 MISSING_MID            Missing Message-Id: header
     1.3 RCVD_IN_RP_RNBL        RBL: Relay in RNBL,
                                https://senderscore.org/blacklistlookup/
                                [177.23.140.66 listed in bl.score.senderscore.com]
     1.3 RCVD_IN_VALIDITY_RPBL  RBL: Relay in Validity RPBL,
                                https://senderscore.org/blocklistlookup/
                                [177.23.140.66 listed in bl.score.senderscore.com]
     1.0 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
     0.0 T_SPF_HELO_TEMPERROR   SPF: test of HELO record failed (temperror)
     0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in
                                digit
                                [giveaway23(at)gmail.com]
     0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail provider
                                [giveaway23(at)gmail.com]
     1.0 FORGED_GMAIL_RCVD      'From' gmail.com does not match 'Received' headers
     1.8 HTML_IMAGE_ONLY_08     BODY: HTML: images with 400-800 bytes of words
     0.0 HTML_MESSAGE           BODY: HTML included in message
     0.8 HTML_IMAGE_RATIO_02    BODY: HTML has a low ratio of text to image area
    -0.2 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
                                [177.23.140.66 listed in wl.mailspike.net]
     0.1 HTML_SHORT_LINK_IMG_1  HTML is very short with a linked image
     0.3 FROM_MISSP_EH_MATCH    From misspaced, matches envelope
     0.0 T_FROM_MISSP_FREEMAIL  From misspaced + freemail provider
     0.0 FROM_MISSP_FREEMAIL    From misspaced + freemail provider
     0.0 SPOOFED_FREEMAIL       No description available.
     0.0 SPOOF_GMAIL_MID        From Gmail but it doesn't seem to be...
Subject: {SPAM?} Biggest Crypto Giveaway of 100M

You will not see this in a MIME-aware mail reader.

--===============1481302113==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Description: Mail message body

SpaceX 2023 - All Rights Reserved

Time-limited Offer

=20

--===============1481302113==
Content-Type: text/html; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Description: Mail message body

=3Dutf-8"/>

th=3D"1545" height=3D"692" style=3D"width: 1545px; height: 692px;" src=3D"h=
ttps://i.imgur.com/Q0BGZbF.jpeg" border=3D"0">

nt-family: Arial;">SpaceX 2023 - All Rights Reserved

font-size: 12.1px;">
Time-limited =
Offer

--===============1481302113==--

Nigerian spam from Outlook

Return-path:
Envelope-to: dave@doctor.nl2k.ab.ca
Delivery-date: Sun, 02 Apr 2023 06:09:06 -0600
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.96)
    (envelope-from )
    id 1piwVp-000Jiy-1s
    for dave@doctor.nl2k.ab.ca;
    Sun, 02 Apr 2023 06:08:45 -0600
Resent-From: The Doctor
Resent-Date: Sun, 2 Apr 2023 06:08:45 -0600
Resent-Message-ID:
Resent-To: Dave Yadallee
Received: from mail-dm6nam10rlhn2171.outbound.protection.outlook.com ([40.95.32.171]:34112 helo=NAM10-DM6-obe.outbound.protection.outlook.com)
    by doctor.nl2k.ab.ca with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    (Exim 4.96)
    (envelope-from )
    id 1piwTJ-000JQv-1C
    for doctor@nl2k.ab.ca;
    Sun, 02 Apr 2023 06:06:13 -0600
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
    b=DC+cxIPqxeMm5mgeQVC+P+8Epw2nfeU4aEzFa+iGE/xnusNlPas+ytBmkVN6SBDqJN7mnNc/6BB6R2uXCqTDEd9Zx1jvEZGSnO9/xWLthB0Lc6G6IikxTF03+whWc/oirc2vwfGduCX1ZCAUithIdyCRYeg1Hk2TfhHTP3auETRLOyLEqaS3YNZ0gE4IejewvdHRVnvcjAYJOI4iTeoTwwC7EKPqo1/UaAML27A43liJd2+MtYiu9jdPcfl2GS1sMFq7OK2Z1i3E16ec71l+kSjz5VAnXO9i+fQEpZHdilIjCMkkOiq7jb+/wC0xGb0RdY2CnpLTE1B5MGWdqZAehA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
    s=arcselector9901;
    h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
    bh=rk+us9hS6fm1KaZ4x55RAlTb9TrtPjphIFlMDQeM8Wg=;
    b=GYto6/5NaHJOzduL5qLP+vZxftxGSs1GJbjMAhW0QxuZHw0DoaNlsTiYU6rPuzkOswf+5W1XNWpfzqd2lhxsr1Byy75wnGoJJXTvfTmV1OiAPkyk3tsKvfdkx6eWgvqpCh/Z60vlfHEJmwUSxs8SiCWk8wFMOjsOyaNiNgedWCRWtiqevlcKEvltv+BjyFztba/qT8ru5zRws0NE1DBp5bEtsnuR6YmQtrHS6B2KYz9V6IL5Uuyp4ss5+VbT6DMgsfvjdqjaFu7oG2eZNxxx5hsrQLXnWFt/Fr03bE2jvsY0NRK2T3p5POPzhYNb9oGrRjbQWa1TZRJvbTnADl65TA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=fail (sender ip is
    8.42.207.81) smtp.rcpttodomain=yourdinlied.com smtp.mailfrom=usa.org;
    dmarc=fail (p=reject sp=reject pct=100) action=oreject header.from=usa.org;
    dkim=none (message not signed); arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wwjwm.onMicrosoft.com;
    s=selector2-wwjwm-onMicrosoft-com;
    h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
    bh=rk+us9hS6fm1KaZ4x55RAlTb9TrtPjphIFlMDQeM8Wg=;
    b=ILinR4ZrgzgpQAX6mKpD6NkHdPiPRsw1luuBOK20U100dZk3xQN23kj+0P1JVHV6vnOoaGPqJgO5VQSJkmT1H4V9AgfCr84/LEVxDMpeDp5VEP3MF7y4TzFCUPmqfGOzE1luSsaF7rTYSfRO7mbg+tb+x+6U/aZf+CCr/iRbmS8=
Received: from BN9PR03CA0601.namprd03.prod.outlook.com (2603:10b6:408:106::6)
    by SA1PR01MB7326.prod.exchangelabs.com (2603:10b6:806:1f5::21) with Microsoft
    SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
    15.20.6277.22; Sun, 2 Apr 2023 12:04:02 +0000
Received: from BN8NAM12FT021.eop-nam12.prod.protection.outlook.com
    (2603:10b6:408:106:cafe::4c) by BN9PR03CA0601.outlook.office365.com
    (2603:10b6:408:106::6) with Microsoft SMTP Server (version=TLS1_2,
    cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6254.22 via Frontend
    Transport; Sun, 2 Apr 2023 12:04:02 +0000
X-MS-Exchange-Authentication-Results: spf=fail (sender IP is 8.42.207.81)
    smtp.mailfrom=usa.org; dkim=none (message not signed)
    header.d=none;dmarc=fail action=oreject header.from=usa.org;
Received-SPF: Fail (protection.outlook.com: domain of usa.org does not
    designate 8.42.207.81 as permitted sender) receiver=protection.outlook.com;
    client-ip=8.42.207.81; helo=mail1.jas.com;
Received: from mail1.jas.com (8.42.207.81) by
    BN8NAM12FT021.mail.protection.outlook.com (10.13.183.135) with Microsoft SMTP
    Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
    15.20.6277.20 via Frontend Transport; Sun, 2 Apr 2023 12:04:02 +0000
Received: from USBCDPSMBX01.jas1.ds.Jas.com (172.29.10.51) by
    USBCDPSMBX01.jas1.ds.Jas.com (172.29.10.51) with Microsoft SMTP Server
    (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
    15.2.1118.26; Sun, 2 Apr 2023 08:03:41 -0400
Received: from User (194.55.224.158) by USBCDPSMBX01.jas1.ds.Jas.com
    (172.29.10.51) with Microsoft SMTP Server id 15.2.1118.26 via Frontend
    Transport; Sun, 2 Apr 2023 08:03:35 -0400
Reply-To:
From: "Mr. Nikhil Rathi"
Subject: Re: United States Dollars US$25,000,000.00
Date: Sun, 2 Apr 2023 05:03:41 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID:
To: Undisclosed recipients:;
X-EOPAttributedMessage: 0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: BN8NAM12FT021:EE_|SA1PR01MB7326:EE_
X-MS-Office365-Filtering-Correlation-Id: a01d7e69-b5a1-4459-2aa3-08db3372594e
X-MS-Exchange-SenderADCheck: 2
X-MS-Exchange-AntiSpam-Relay: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info:
    =?windows-1251?Q?ryKLvKCCUKnZZyzsFLsGRXWJ1dI3o8OhHebjBMoEPrlcU/BHOpkZAyQ4?=
    =?windows-1251?Q?NFdV5FJYltWjuBHI8T1aGF8gWXs0ftcyCXE5ma0elNv11y9Li9vrWZza?=
    =?windows-1251?Q?fIJRch/KIXeamL5huQtx/HrrKQ8F8JRZKxwgAGCroByAYIF1dC51JRmM?=
    =?windows-1251?Q?hbYW+hy7ExDsqJVUo+wTqYz2XHZSUlEEX7UIteEgWnY8zFgicWqKRW9E?=
    =?windows-1251?Q?58A245imCiwlIkQ3R8oBI35OkHYHO64ZIzCwMzpeTw71TKbxSFMx21GI?=
    =?windows-1251?Q?LoBwkh7FsNjebsah4eDLNCuzEgu/ZB5Tu5++mlcZUeju3MYd54IObQmU?=
    =?windows-1251?Q?Lu8Y9+fwPfECVsVaFssbyI0L6TxOOlJESlzU6/BC+3W5pkdpEOuil3dq?=
    =?windows-1251?Q?m01b1P6MQCdayqn/y9fzjVZmSPcEBBrSGwBuzI5dzYfpL1uUNjJNscXe?=
    =?windows-1251?Q?bjoVV7hOv4Kg2jmrfR0rYBEaXEq0d1ABk33yMDaN7MfvBsFEZerkiLXY?=
    =?windows-1251?Q?yatah99HjttxlpBBDmZO4f9ZwKnoNONZJPacXEMUOoB0xExCNyRe5p8h?=
    =?windows-1251?Q?17nNmGRiDCYrkAH+v8LhQrl3v5hfPM4oz5MV8ti7wMTolaWn8Iblr/Hq?=
    =?windows-1251?Q?lJRkEPhsteifRy/otiX6AEu0C1cJz/Qa8hs/19hAOB+Pu19e10GtK3/j?=
    =?windows-1251?Q?Tl5Cfb6T090xOFlgnH0qmCMnMq+X7PCA1LE38lIdvWd4Tlfrg4qAm1ut?=
    =?windows-1251?Q?RMjlRNo8W6yYvPTE7EHwfjVYwEVE2xw5wlsfDmdkRy1l94AZMKel8zmq?=
    =?windows-1251?Q?rJstQmysX0hbfi3BLlkfQHvB2u22FmK8XRIpsKOlplVb80cBUWw4I62f?=
    =?windows-1251?Q?cqKzatQeQbiPLZ+/N4pV3wCpwKJ6CpJWXKEhfNZSJP5Q6ORQznZ7y1g9?=
    =?windows-1251?Q?DciMnZiQdX7BtMt29BH4a1Hf46vJOzNnXo4g8lbZr2pCJ3/dxTQalk+1?=
    =?windows-1251?Q?564X3U715DjWfERkT6NShbTrNu3KCyNV8LIYy2PV9/fAh8j75drpgoR7?=
    =?windows-1251?Q?gilAfHGve9mJzf9W+875V9i3iP07h0xykCM1f6TdGXYGbyaeIzlabirA?=
    =?windows-1251?Q?zswzk3m2E86WoDDEgnY6UVY8oni8ZYeiRLqRn0eCW20C1wfQ85xyQK8A?=
    =?windows-1251?Q?4nNPpp8PYE7DtZEsLLHoaa1LBWDFCTC8?=
X-Forefront-Antispam-Report:
    CIP:8.42.207.81;CTRY:US;LANG:en;SCL:5;SRV:;IPV:NLI;SFV:SPM;H:mail1.jas.com;PTR:InfoDomainNonexistent;CAT:OSPM;SFS:(13230028)(4636009)(346002)(136003)(376002)(39860400002)(396003)(109986019)(451199021)(46966006)(40470700004)(316002)(8676002)(8936002)(41300700001)(2860700004)(2906002)(5660300002)(70586007)(70206006)(498600001)(31686004)(7416002)(7406005)(7366002)(66899021)(6666004)(83380400001)(356005)(81166007)(9686003)(82202003)(26005)(40460700003)(956004)(40480700001)(336012)(47076005)(35950700001)(82740400003)(82310400005)(86362001)(31696002)(2700400008);DIR:OUT;SFP:1023;
X-OriginatorOrg: WWJWM.onmicrosoft.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 02 Apr 2023 12:04:02.0015
    (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: a01d7e69-b5a1-4459-2aa3-08db3372594e
X-MS-Exchange-CrossTenant-Id: fa3414ca-197f-48b7-8ff3-892f8bdd8e93
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=fa3414ca-197f-48b7-8ff3-892f8bdd8e93;Ip=[8.42.207.81];Helo=[mail1.jas.com]
X-MS-Exchange-CrossTenant-AuthSource:
    BN8NAM12FT021.eop-nam12.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA1PR01MB7326
X-Spam_score: 31.2
X-Spam_score_int: 312
X-Spam_bar: +++++++++++++++++++++++++++++++
X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",
    has identified this incoming email as possible spam. The original
    message has been attached to this so you can view it or label
    similar future email. If you have any questions, see
    @@CONTACT_ADDRESS@@ for details.

    Content preview: Financial Conduct Authority (FCA) 12 Endeavour Square London
    E20 1JN Dear Beneficiary, This is from the office of the "Financial Conduct
    Authority" (FCA), a financial regulatory body in the United Kingdom. The
    FCA regulates financial firms providing services to consumers and maintains
    t [...]

    Content analysis details: (31.2 points, 5.0 required)

     pts rule name              description
    ---- ---------------------- --------------------------------------------------
     0.9 SPF_FAIL               SPF: sender does not match SPF record (fail)
                                [SPF failed: Please see http://www.openspf.org/Why?s=mfrom;id=info%40usa.org;ip=40.95.32.171;r=doctor.nl2k.ab.ca]
     3.6 RCVD_IN_SBL_CSS        RBL: Received via a relay in Spamhaus SBL-CSS
                                [194.55.224.158 listed in zen.spamhaus.org]
     2.6 RCVD_IN_SBL            RBL: Received via a relay in Spamhaus SBL
                                [194.55.224.158 listed in zen.spamhaus.org]
    -0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at http://www.dnswl.org/, no
                                trust
                                [40.95.32.171 listed in list.dnswl.org]
     0.0 SPF_HELO_FAIL          SPF: HELO does not match SPF record (fail)
                                [SPF failed: Please see http://www.openspf.org/Why?s=helo;id=NAM10-DM6-obe.outbound.protection.outlook.com;ip=40.95.32.171;r=doctor.nl2k.ab.ca]
     0.0 AXB_X_FF_SEZ_S         Forefront sez this is spam
     0.0 NSL_RCVD_FROM_USER     Received from User
     0.0 FSL_CTYPE_WIN1251      Content-Type only seen in 419 spam
     0.2 FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in digit
                                [nikhil.rathi02266(at)gmail.com]
     2.5 US_DOLLARS_3           BODY: Mentions millions of $ ($NN,NNN,NNN.NN)
     3.5 DEAR_BENEFICIARY       BODY: Dear Beneficiary:
     1.3 PDS_HELO_SPF_FAIL      High profile HELO that fails SPF
     0.0 FAKE_REPLY_C           No description available.
     0.6 FSL_NEW_HELO_USER      Spam's using Helo and User
     0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid
     0.0 LOTS_OF_MONEY          Huge... sums of money
     0.0 T_HK_NAME_MR_MRS       No description available.
     0.0 AXB_XMAILER_MIMEOLE_OL_024C2 Yet another X header trait
     0.0 HK_NAME_MR_MRS         No description available.
     2.5 FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From
     2.0 FILL_THIS_FORM_LONG    Fill in a form with personal information
     0.0 FILL_THIS_FORM         Fill in a form with personal information
     2.8 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
     0.0 MONEY_FREEMAIL_REPTO   Lots of money from someone using free email?
     0.0 T_FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s)
     0.4 FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s)
     0.0 MONEY_FORM             Lots of money if you fill out a form
     3.1 MONEY_FRAUD_3          Lots of money and several fraud phrases
     3.3 UNDISC_MONEY           Undisclosed recipients + money/fraud signs
     1.8 ADVANCE_FEE_4_NEW_FRM_MNY Advance Fee fraud form and lots of money
Subject: {SPAM?} Re: United States Dollars US$25,000,000.00

Financial Conduct Authority (FCA)
12 Endeavour Square
London E20 1JN

Dear Beneficiary,

This is from the office of the "Financial Conduct Authority" (FCA), a financial regulatory body in the United Kingdom. The FCA regulates financial firms providing services to consumers and maintains the integrity of the financial markets in the United Kingdom. Though on the line of our services as the financial regulatory body in the United Kingdom, we discovered some irregularities concerning your fund worth's of Twenty-Five Millions United States Dollars (US$25,000,000.00) which was trying to be siphon and diverted into another Bank Account in Japan by some group of people through the "China Construction Bank (London) Limited".

Therefore, in view of this, we are contacting you to verify the authentication of this transaction being masterminded by some group of people through the "China Construction Bank (London) Limited". We stopped this transaction depending on our final verification from you concerning this matter therefore you are advised to respond and get back to us immediately upon receiving this message.

Finally, note to reconfirm and forward to us the following details/information below, ( nikhil.rathi02266@gmail.com )

Your Full Names:=============
Residential Address:=========
Contact Phone Number:========
Valid ID Card:===============

Your Faithfully,

Mr. Nikhil Rathi
Chief Executive Officer
Financial Conduct Authority (FCA)