Phish | Entries from Wednesday, September 27. 2023

BMO phish from Los Angeles

BMO phish from Los Angeles

Posted by Dave Yadallee on Wednesday, September 27. 2023

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Tue, 26 Sep 2023 15:02:02 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.96 (FreeBSD))

(envelope-from )

id 1qlFBJ-0007Qp-1B

for dave@doctor.nl2k.ab.ca;

Tue, 26 Sep 2023 15:01:21 -0600

Resent-From: The Doctor

Resent-Date: Tue, 26 Sep 2023 15:01:21 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from [191.96.106.82] (port=58456)

by doctor.nl2k.ab.ca with esmtp (Exim 4.96 (FreeBSD))

(envelope-from )

id 1qlEpx-000OA0-2E

for doctor@edmontonab.ca;

Tue, 26 Sep 2023 14:39:22 -0600

From: BMO Bank of Montreal

To: doctor@edmontonab.ca

Subject: bmoalert

Date: 26 Sep 2023 16:37:26 -0400

Message-ID: <20230926163726.85366E24E3210E31@edmontonab.ca>

MIME-Version: 1.0

Content-Type: multipart/alternative;

boundary="----=_NextPart_000_0012_2E8862E3.4B8C2C22"

X-Spam_score: 7.3

X-Spam_score_int: 73

X-Spam_bar: +++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.

Content preview: messaged encrypted Due to a recent security check on your

BMO bank Account. We require you to view your confirm by Clicking here Failure

to do this within 48hrs will lead to access suspension sorry for the inconvenience

Content analysis details: (7.3 points, 5.0 required)

pts rule name description

---- ---------------------- --------------------------------------------------

3.6 RCVD_IN_SBL_CSS RBL: Received via a relay in Spamhaus SBL-CSS

[191.96.106.82 listed in zen.spamhaus.org]

0.0 HTML_MESSAGE BODY: HTML included in message

0.7 MPART_ALT_DIFF BODY: HTML and text parts are different

1.8 HTML_IMAGE_ONLY_08 BODY: HTML: images with 400-800 bytes of words

1.3 RDNS_NONE Delivered to internal network by a host with no rDNS

0.0 T_REMOTE_IMAGE Message contains an external image

Subject: {SPAM?} bmoalert

------=_NextPart_000_0012_2E8862E3.4B8C2C22

Content-Type: text/plain;

charset="utf-8"

Content-Transfer-Encoding: quoted-printable

messaged encrypted

------=_NextPart_000_0012_2E8862E3.4B8C2C22

Content-Type: text/html;

charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

=3Diso-8859-1">

O_Logo.svg/220px-BMO_Logo.svg.png">

Due to a recent security check on your BMO bank Account.
We require y=

ou to=20

view your confirm by
=2Ecom/ipfs/QmYxGFxZw2tkYVjARCtjDRwFBR8bEi7LPJW4U9zmGRfhus">Clicking here
a>

Failure to do this within 48hrs will lead to access suspension
so=

rry=20

for the inconvenience

Regards
Have questions? Contact us at 1-877-CALL-BMO.

------=_NextPart_000_0012_2E8862E3.4B8C2C22--

September '23

Posted by Dave Yadallee on Wednesday, September 27. 2023

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Tue, 26 Sep 2023 15:01:04 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.96 (FreeBSD))

(envelope-from )

id 1qlFAv-00071i-27

for dave@doctor.nl2k.ab.ca;

Tue, 26 Sep 2023 15:00:57 -0600

Resent-From: The Doctor

Resent-Date: Tue, 26 Sep 2023 15:00:57 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from [191.96.106.82] (port=57916)

by doctor.nl2k.ab.ca with esmtp (Exim 4.96 (FreeBSD))

(envelope-from )

id 1qlEpx-000O4d-2K

for doctor@doctor.nl2k.ab.ca;

Tue, 26 Sep 2023 14:39:22 -0600

From: BMO Bank of Montreal

To: doctor@doctor.nl2k.ab.ca

Subject: bmoalert

Date: 26 Sep 2023 16:37:14 -0400

Message-ID: <20230926163713.ECD635FC5E7B89D4@doctor.nl2k.ab.ca>

MIME-Version: 1.0

Content-Type: multipart/alternative;

boundary="----=_NextPart_000_0012_66940AC7.90C3861F"

X-Spam_score: 9.3

X-Spam_score_int: 93

X-Spam_bar: +++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.

Content preview: messaged encrypted Due to a recent security check on your

BMO bank Account. We require you to view your confirm by Clicking here Failure

to do this within 48hrs will lead to access suspension sorry for the inconvenience

Content analysis details: (9.3 points, 5.0 required)

pts rule name description

---- ---------------------- --------------------------------------------------

3.6 RCVD_IN_SBL_CSS RBL: Received via a relay in Spamhaus SBL-CSS

[191.96.106.82 listed in zen.spamhaus.org]

0.9 SPF_FAIL SPF: sender does not match SPF record (fail)

[SPF failed: Please see http://www.openspf.org/Why?s=mfrom;id=doctor%40doctor.nl2k.ab.ca;ip=191.96.106.82;r=doctor.nl2k.ab.ca]

0.0 HTML_MESSAGE BODY: HTML included in message

0.7 MPART_ALT_DIFF BODY: HTML and text parts are different

1.8 HTML_IMAGE_ONLY_08 BODY: HTML: images with 400-800 bytes of words

1.3 RDNS_NONE Delivered to internal network by a host with no rDNS

1.0 FROM_MISSP_SPF_FAIL No description available.

0.0 T_REMOTE_IMAGE Message contains an external image

Subject: {SPAM?} bmoalert

------=_NextPart_000_0012_66940AC7.90C3861F

Content-Type: text/plain;

charset="utf-8"

Content-Transfer-Encoding: quoted-printable

messaged encrypted

------=_NextPart_000_0012_66940AC7.90C3861F

Content-Type: text/html;

charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

=3Diso-8859-1">

O_Logo.svg/220px-BMO_Logo.svg.png">

Due to a recent security check on your BMO bank Account.
We require y=

ou to=20

view your confirm by
=2Ecom/ipfs/QmYxGFxZw2tkYVjARCtjDRwFBR8bEi7LPJW4U9zmGRfhus">Clicking here
a>

Failure to do this within 48hrs will lead to access suspension
so=

rry=20

for the inconvenience

Regards
Have questions? Contact us at 1-877-CALL-BMO.

------=_NextPart_000_0012_66940AC7.90C3861F--