Amex Fraud Phish
Posted by Dave Yadallee on
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-path:
Envelope-to: dave@doctor.nl2k.ab.ca
Delivery-date: Wed, 27 Nov 2024 16:45:20 -0700
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.98 (FreeBSD))
(envelope-from)
id 1tGRhl-00000000GOe-0FUC
for dave@doctor.nl2k.ab.ca;
Wed, 27 Nov 2024 16:44:21 -0700
Resent-From: The Doctor
Resent-Date: Wed, 27 Nov 2024 16:44:21 -0700
Resent-Message-ID:
Resent-To: Dave Yadallee
Received: from mail.basa.school ([88.198.207.53]:36922 helo=elitzoo)
by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384
(Exim 4.98 (FreeBSD))
(envelope-from)
id 1tGRHU-000000001MF-2AgA
for doctor@nk.ca;
Wed, 27 Nov 2024 16:17:17 -0700
Received: from techno_group_usr by elitzoo with local (Exim 4.96)
(envelope-from)
id 1tGRFd-004bLq-0S
for doctor@nk.ca;
Thu, 28 Nov 2024 01:15:17 +0200
To: doctor@nk.ca
Subject: Action Needed: Verify Your Account to Restore Access
X-PHP-Originating-Script: 1009:ez.php
From: Amex Fraud Detection Team
Reply-To: support@techno-group.com.ua
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Message-Id:
Date: Thu, 28 Nov 2024 01:15:17 +0200
X-Spam_score: 10.9
X-Spam_score_int: 109
X-Spam_bar: ++++++++++
X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
@@CONTACT_ADDRESS@@ for details.
Content preview: Account Security Notification Account Security Alert
Content analysis details: (10.9 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
1.5 RCVD_IN_AHBL RBL: AHBL: sender is listed in dnsbl.ahbl.org
[88.198.207.53 listed in dnsbl.ahbl.org]
[88.198.207.53 listed in dnsbl.ahbl.org]
[88.198.207.53 listed in dnsbl.ahbl.org]
[88.198.207.53 listed in dnsbl.ahbl.org]
0.0 RCVD_IN_AHBL_RTB RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org
[88.198.207.53 listed in dnsbl.ahbl.org]
1.5 RCVD_IN_AHBL_SPAM RBL: AHBL: Spam Source in dnsbl.ahbl.org
[88.198.207.53 listed in dnsbl.ahbl.org]
0.5 RCVD_IN_AHBL_PROXY RBL: AHBL: Open Proxy server in dnsbl.ahbl.org
[88.198.207.53 listed in dnsbl.ahbl.org]
0.5 RCVD_IN_AHBL_SMTP RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org
[88.198.207.53 listed in dnsbl.ahbl.org]
0.0 T_SPF_TEMPERROR SPF: test of record failed (temperror)
0.0 FSL_HELO_NON_FQDN_1 No description available.
1.5 TVD_PH_SEC BODY: Message includes a phrase commonly used in phishing
mails
0.0 HTML_MESSAGE BODY: HTML included in message
1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
1.5 TVD_PH_BODY_ACCOUNTS_PRE The body matches phrases such as "accounts
suspended", "account credited", "account
verification"
0.5 HELO_NO_DOMAIN Relay reports its domain incorrectly
0.4 KHOP_HELO_FCRDNS Relay HELO differs from its IP's reverse DNS
0.9 URI_PHISH Phishing using web form
1.0 ACCT_PHISHING Possible phishing for account information
Subject: {SPAM?} Action Needed: Verify Your Account to Restore Access
Account Security Notification
Account Security Alert
Dear Valued Customer,
We recently detected unusual activity on your account, and as a precautionary measure, we need you to review your account details to ensure your account security.
To resolve this, please:
- Click the button below to access your account.
- Follow the verification steps provided.
Completing these steps will ensure your account remains secure. We sincerely apologize for any inconvenience and thank you for your cooperation.
Thank you for choosing American Express.
Sincerely,
The American Express Team
Review Your Account