Nigerian Phish from Messagelabs
Posted by Dave Yadallee on
Return-path:
Envelope-to: dave@doctor.nl2k.ab.ca
Delivery-date: Mon, 25 Dec 2023 11:35:00 -0700
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.97 (FreeBSD))
(envelope-from)
id 1rHpn0-000000001u4-1Dv1
for dave@doctor.nl2k.ab.ca;
Mon, 25 Dec 2023 11:34:58 -0700
Resent-From: The Doctor
Resent-Date: Mon, 25 Dec 2023 11:34:58 -0700
Resent-Message-ID:
Resent-To: Dave Yadallee
Received: from mail1.bemta34.messagelabs.com ([195.245.231.2]:40506)
by doctor.nl2k.ab.ca with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
(Exim 4.97 (FreeBSD))
(envelope-from)
id 1rHnsy-00000000HGm-2xOx
for doctor@doctor.nl2k.ab.ca;
Mon, 25 Dec 2023 09:33:03 -0700
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrGKsWRWlGSWpSXmKPExsVibNLVrmu3rjP
X-Env-Sender: PM@usa.com
X-Msg-Ref: server-6.tower-565.messagelabs.com!1703521851!87671!11
X-Originating-IP: [51.52.138.135]
X-SYMC-ESS-Client-Auth: outbound-route-from=fail
X-StarScan-Received:
X-StarScan-Version: 9.110.1; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 22291 invoked from network); 25 Dec 2023 16:30:54 -0000
Received: from unknown (HELO Corp-Exch-02.globalcoal.com) (51.52.138.135)
by server-6.tower-565.messagelabs.com with ECDHE-RSA-AES256-SHA384 encrypted SMTP; 25 Dec 2023 16:30:54 -0000
Received: from Colo-Exch-02.globalcoal.com (10.2.1.189) by
Corp-Exch-02.globalcoal.com (10.2.1.185) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id
15.1.2176.14; Mon, 25 Dec 2023 16:28:28 +0000
Received: from [194.33.191.109] (194.33.191.109) by
Colo-Exch-02.globalcoal.com (10.2.1.189) with Microsoft SMTP Server id
15.1.2507.34 via Frontend Transport; Mon, 25 Dec 2023 16:28:27 +0000
Content-Type: text/plain; charset="iso-8859-1"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Description: Mail message body
Subject: COMPLIMENT OF THE SEASON.
To: Recipients
From: Precious Mpho
Date: Mon, 25 Dec 2023 18:28:58 -0800
Reply-To:
Message-ID:
X-Spam_score: 14.0
X-Spam_score_int: 140
X-Spam_bar: ++++++++++++++
X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
@@CONTACT_ADDRESS@@ for details.
Content preview: Hello, Write Mr. Grenville through this email (fredgrenville@aliyun.com)
and ask him for your draft of (3,750.000 USD) It is for your past effort.
I am now out of USA for investment in Iceland
Content analysis details: (14.0 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.6 RCVD_IN_SORBS_WEB RBL: SORBS: sender is an abusable web server
[194.33.191.109 listed in dnsbl.sorbs.net]
2.6 RCVD_IN_SBL RBL: Received via a relay in Spamhaus SBL
[194.33.191.109 listed in zen.spamhaus.org]
3.6 RCVD_IN_SBL_CSS RBL: Received via a relay in Spamhaus SBL-CSS
[194.33.191.109 listed in zen.spamhaus.org]
1.0 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
-0.0 SPF_HELO_PASS SPF: HELO matches SPF record
-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no
trust
[195.245.231.2 listed in list.dnswl.org]
1.6 SUBJ_ALL_CAPS Subject is all capitals
0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
[pm(at)usa.com]
0.0 DATE_IN_FUTURE_06_12 Date: is 6 to 12 hours after Received: date
-0.2 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
[195.245.231.2 listed in wl.mailspike.net]
-0.0 T_SCC_BODY_TEXT_LINE No description available.
0.0 LOTS_OF_MONEY Huge... sums of money
1.4 MONEY_NOHTML Lots of money in plain text
1.0 FREEMAIL_REPLYTO Reply-To/From or Reply-To/body contain different
freemails
1.4 MONEY_FREEMAIL_REPTO Lots of money from someone using free email?
1.0 SPOOFED_FREEM_REPTO_CHN Forged freemail sender with Chinese freemail
reply-to
0.0 SPOOFED_FREEM_REPTO Forged freemail sender with freemail reply-to
Subject: {SPAM?} COMPLIMENT OF THE SEASON.
X-Antivirus: AVG (VPS 231225-6, 12/25/2023), Inbound message
X-Antivirus-Status: Clean
Hello,
Write Mr. Grenville through this email (fredgrenville@aliyun.com) and ask h=
im for your draft of (3,750.000 USD)
It is for your past effort. I am now out of USA for investment in Iceland
Regards,
Mrs. Precious Mph