legal phish
Posted by Dave Yadallee on
Return-path:
Envelope-to: dave@doctor.nl2k.ab.ca
Delivery-date: Wed, 06 Jul 2022 14:13:00 -0600
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))
(envelope-from)
id 1o9BOA-000LVE-SX
for dave@doctor.nl2k.ab.ca;
Wed, 06 Jul 2022 14:12:46 -0600
Resent-From: The Doctor
Resent-Date: Wed, 6 Jul 2022 14:12:46 -0600
Resent-Message-ID:
Resent-To: Dave Yadallee
Received: from avs4-5.arnes.si ([193.2.0.109]:60153)
by doctor.nl2k.ab.ca with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
(Exim 4.95 (FreeBSD))
(envelope-from)
id 1o99cJ-000Er9-8f
for root@nk.ca;
Wed, 06 Jul 2022 12:19:20 -0600
Received: from outlook.com (unknown [84.38.130.192])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
(Authenticated sender: jkonc@mail.arnes.si)
by avs4.arnes.si (Postfix) with ESMTPSA id 1B97748CB7
for; Wed, 6 Jul 2022 20:18:47 +0200 (CEST)
Reply-To: andicele084@gmail.com
From: Andrew Cele
To: root@nk.ca
Subject: Re: Transfer settlement
Date: 06 Jul 2022 21:18:47 +0300
Message-ID: <20220706211847.D4B00EB3CE10A205@outlook.com>
MIME-Version: 1.0
Content-Type: text/plain;
charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Rspamd-Queue-Id: 1B97748CB7
X-Spamd-Result: default: False [10.90 / 7.50];
FREEMAIL_REPLYTO_NEQ_FROM_DOM(3.00)[];
DCC_REJECT(2.00)[bulk Body=many Fuz1=many Fuz2=many rep=99% ];
RBL_SPAMHAUS_PBL(2.00)[84.38.130.192:from];
INTRODUCTION(2.00)[];
FAKE_REPLY(1.00)[];
RBL_BARRACUDA_LISTED(1.00)[84.38.130.192:from];
MIME_GOOD(-0.10)[text/plain];
ASN(0.00)[asn:52048, ipnet:84.38.130.0/24, country:BZ];
RCVD_COUNT_ZERO(0.00)[0];
FROM_EQ_ENVFROM(0.00)[];
FREEMAIL_ENVFROM(0.00)[outlook.com];
MIME_TRACE(0.00)[0:+];
TO_DN_NONE(0.00)[];
R_RATELIMIT(0.00)[auth_users_cat3_weekdays(RLuuayto54rkagfw69anejqdr3)];
RCPT_COUNT_ONE(0.00)[1];
FROM_HAS_DN(0.00)[];
HAS_REPLYTO(0.00)[andicele084@gmail.com];
MID_RHS_MATCH_FROM(0.00)[];
FREEMAIL_FROM(0.00)[outlook.com];
FREEMAIL_REPLYTO(0.00)[gmail.com];
TO_MATCH_ENVRCPT_ALL(0.00)[];
REPLYTO_DOM_NEQ_FROM_DOM(0.00)[];
ARC_NA(0.00)[]
X-Rspamd-Server: scanner4.arnes.si
X-Spam-Flag: Yes
X-Spam_score: 17.6
X-Spam_score_int: 176
X-Spam_bar: +++++++++++++++++
X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
@@CONTACT_ADDRESS@@ for details.
Content preview: Good day, My name is Andrew Cele. We are unfamiliar with each
other but it takes a day for people to know. I would like to propose a legitimate
business to you and please take this seriously. I am proposing a d [...]
Content analysis details: (17.6 points, 5.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.2 FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in
                            digit
                            [andicele084[at]gmail.com]
 1.0 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
 0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends
                            in digit
                            [andbotha074[at]outlook.com]
 0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail
                            provider
                            [andbotha074[at]outlook.com ]
 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
                            mail domains are different
 2.5 HK_SCAM_N2             BODY: No description available.
 0.2 FREEMAIL_FORGED_FROMDOMAIN 2nd level domains in From and
                            EnvelopeFrom freemail headers are
                            different
 0.0 LOTS_OF_MONEY          Huge... sums of money
 0.7 HK_SCAM                No description available.
-0.0 T_SCC_BODY_TEXT_LINE   No description available.
 0.0 SHARE_50_50            Share the money 50/50
 0.0 T_SHARE_50_50          Share the money 50/50
 1.0 FREEMAIL_REPLYTO       Reply-To/From or Reply-To/body contain
                            different freemails
 2.0 MONEY_FREEMAIL_REPTO   Lots of money from someone using free
                            email?
 0.0 T_MONEY_PERCENT        X% of a lot of money for you
 2.5 SPOOFED_FREEM_REPTO    Forged freemail sender with freemail
                            reply-to
 3.0 FROM_ADDR_WS           Malformed From address
 0.5 MONEY_FRAUD_8          Lots of money and very many fraud phrases
 3.7 ADVANCE_FEE_5_NEW_MONEY Advance Fee fraud and lots of money
Subject: {SPAM?} Re: Transfer settlement

Good day,

My name is Andrew Cele. We are unfamiliar with each other but it=20
takes a day for people to know. I would like to propose a=20
legitimate business to you and please take this seriously. I am=20
proposing a deal that will make us richer and you are very=20
important to this deal as you will find out.

I am a senior accountant with my bank here in South Africa. I=20
have worked with the bank for more than 17 years now and I was=20
the personal accountant to one Engineer, a foreign contractor=20
with Royal Dutch Plc who has an investment account with my bank.

Unfortunately, my client died along with his immediate family in=20
France while on sabbatical in the summer of 2007, may their soul=20
rest in peace. He died without leaving a Will. Several efforts=20
were made to find his extended family through your embassy=20
without success.

I received a notice last week to provide the next of kin or risk=20
the account being transferred to the government (es-cheat) in 21=20
days time. I am contacting you to assist me in repatriating the=20
funds left behind by my late client since you both share the same=20
LAST NAME.

This claim will be executed without breaching any South Africa=20
laws and success is guaranteed if we cooperate on this. The bank=20
will release the account to you because of your last name and my=20
recommendation of you as the next of kin.

I am a very honest person and I cannot lie; I expect the same=20
from you. I will forward my International passport so you know=20
that I am not joking, when I get your response. The amount=20
involved is US$10, 500, 000.00. I propose we share the proceeds=20
50:50, I think this is fair. I will give you all the necessary=20
information about the deal when I get your response.

I anticipate your cooperation. Treat this proposal with utmost=20
confidentiality and urgency for a 100% success.

If you are not interested please delete this mail.

Regards,
Andrew Cele.