McAfee Phish from sendgrid
Posted by Dave Yadallee on
Return-path:
Envelope-to: dave@doctor.nl2k.ab.ca
Delivery-date: Thu, 08 Jun 2023 16:59:04 -0600
Received: from s.wrqvwxzv.outbound-mail.sendgrid.net ([149.72.154.232]:55862)
by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_128_GCM_SHA256
(Exim 4.96 (FreeBSD))
(envelope-from)
id 1q7OZx-0009Ri-38
for dave@doctor.nl2k.ab.ca;
Thu, 08 Jun 2023 16:58:10 -0600
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sendgrid.net;
h=from:subject:content-type:to:cc:cc:content-type:from:subject:to;
s=smtpapi; bh=6NxAN7yw3irSBeaO3AUxCQFMf6i9iJz76KBYA6JUeBg=;
b=BmmmY7mN+wWoLv20ab/paSeXCeVL/ZvMp04Fw5x0WDjgxHj6UCgMuShjd7xwdBxBFhI/
xnhDDBQqjsi44RbgHkYXGYVTX82Cw0NAm6mJQP5whYAjgQsJG8V6EIT6XIjeCUbFjxF+E9
yOHABGoK5F9T/C3j2IW13a2DhNHBED13Y=
Received: by filterdrecv-78999db45c-hdblx with SMTP id filterdrecv-78999db45c-hdblx-1-64825C80-1C
2023-06-08 22:56:00.463920065 +0000 UTC m=+2502973.445229916
Received: from amazon.com (unknown)
by geopod-ismtpd-1 (SG) with ESMTP
id S9dwKmOBRm2HD_RaIbz31g
for;
Thu, 08 Jun 2023 22:56:00.259 +0000 (UTC)
Date: Thu, 08 Jun 2023 22:56:00 +0000 (UTC)
From: AntiVirus_Alert_3488
Subject: "Urgent Alert 1337"
Content-Type: multipart/alternative;
boundary="b1_493f3521f617a60df11e3e28d4b9a36b"
Message-ID:
X-SG-EID:
To: dave@doctor.nl2k.ab.ca, dave@doctor.nl2k.ab.ca
Cc: dave@doctor.nl2k.ab.ca, dave@doctor.nl2k.ab.ca
X-Entity-ID: QrbCk70iNDJx5RyB9vLpRA==
X-Spam_score: 9.8
X-Spam_score_int: 98
X-Spam_bar: +++++++++
X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
@@CONTACT_ADDRESS@@ for details.
Content preview: Tracking number165414491 Your package is waiting for delivery !
Content analysis details: (9.8 points, 5.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.1 URIBL_GREY             Contains an URL listed in the URIBL greylist
                            [URI: sendgrid.net]
-0.0 SPF_PASS               SPF: sender matches SPF record
 3.5 VIRUS_WARNING62        'From' indicates unhelpful 'virus warning' (62)
 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
                            domains are different
-0.0 T_RP_MATCHES_RCVD      Envelope sender domain matches handover relay
                            domain
-0.2 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
                            [149.72.154.232 listed in wl.mailspike.net]
 0.0 NORMAL_HTTP_TO_IP      URI: URI host has a public dotted-decimal IPv4
                            address
 1.6 HTML_IMAGE_ONLY_12     BODY: HTML: images with 800-1200 bytes of words
 1.5 MPART_ALT_DIFF_COUNT   BODY: HTML and text parts are different
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 HTML_EXTRA_CLOSE       BODY: HTML contains far too many close tags
 0.3 HTML_SHORT_LINK_IMG_2  HTML is very short with a linked image
 0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid
 2.0 MIME_HEADER_CTYPE_ONLY 'Content-Type' found without required MIME
                            headers
 0.0 T_REMOTE_IMAGE         Message contains an external image
Subject: {SPAM?} "Urgent Alert 1337"
X-Antivirus: AVG (VPS 230608-8, 6/8/2023), Inbound message
X-Antivirus-Status: Clean
--b1_493f3521f617a60df11e3e28d4b9a36b
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Tracking number165414491
Your package is waiting for delivery !
Hi memka,In order to complete the delivery of your package , please confirm the payment (1.65 CAD). Online confirmation must be made within the next 14 days, before it expires.
Deliver my package
Kind regards,2023 © DHL International GmbH. All rights reserved.
--b1_493f3521f617a60df11e3e28d4b9a36b
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

Your Protection From Viruses Has Ended

.