Phishing attempt to get Netknow user passwords

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Mon, 12 Sep 2022 12:03:02 -0600

Received: from nowe.biuroszeryfa.pl ([176.112.76.5]:48712)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384

(Exim 4.95 (FreeBSD))

(envelope-from )

id 1oXnl8-00027E-AO

for dave@doctor.nl2k.ab.ca;

Mon, 12 Sep 2022 12:02:19 -0600

Received: from 223.221.90.34.bc.googleusercontent.com ([34.90.221.223] helo=[172.17.0.4])

by nowe.biuroszeryfa.pl with esmtp (Exim 4.94)

(envelope-from )

id 1oXnkg-0006fh-O1

for dave@doctor.nl2k.ab.ca; Mon, 12 Sep 2022 20:01:46 +0200

Content-Type: multipart/related; boundary="===============3851856881196521718=="

MIME-Version: 1.0

From: "12 September, 2022-Exchange-sms-DoctorMKTUlAbEKp"

To: dave@doctor.nl2k.ab.ca

Subject: =?utf-8?q?Your_password_expires_14_September=2C_2022?=

X-Priority: 2

Message-ID:

X-ACL-Warn: Adding Message-ID header because it is missing!

X-Spam_score: 10.3

X-Spam_score_int: 103

X-Spam_bar: ++++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: DoctorWebmail Expires 14 September, 2022 Hi dave@doctor.nl2k.ab.ca,

Your password expires 14 September, 2022, Please follow bellow to update

or chnage your password.



Content analysis details: (10.3 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was

blocked. See

http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block

for more information.

[URIs: agitproject.org]

0.6 HK_RANDOM_ENVFROM Envelope sender username looks random

0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level

mail domains are different

-0.0 SPF_HELO_PASS SPF: HELO matches SPF record

1.0 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)

0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or

identical to background

0.0 HTML_MESSAGE BODY: HTML included in message

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

2.4 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level

above 50%

[cf: 100]

1.7 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)

0.4 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%

[cf: 100]

-0.0 T_SCC_BODY_TEXT_LINE No description available.

1.4 MISSING_DATE Missing Date: header

0.6 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML

tag

0.0 FSL_BULK_SIG Bulk signature with no Unsubscribe

1.0 XPRIO Has X-Priority header

Subject: {SPAM?} =?utf-8?q?Your_password_expires_14_September=2C_2022?=



--===============3851856881196521718==

Content-Type: text/html; charset="utf-8"

MIME-Version: 1.0

Content-Transfer-Encoding: base64



PHRhYmxlIGJvcmRlcj0iMCIgY2VsbHBhZGRpbmc9IjAiIGNlbGxzcGFjaW5nPSIwIiBzdHlsZT0i

d2lkdGg6IDU1MHB4OyBtYXJnaW46IGF1dG87Ij4KCTx0Ym9keT4KCQk8dHI+CgkJCTx0ZD4KCQkJ

PHRhYmxlIGJvcmRlcj0iMCIgY2VsbHBhZGRpbmc9IjAiIGNlbGxzcGFjaW5nPSIwIiBzdHlsZT0i

d2lkdGg6IDEwMCU7Ij4KCQkJCTx0Ym9keT4KCQkJCQk8dHI+CgkJCQkJCTx0ZCBzdHlsZT0iZm9u

dC1zaXplOiA0cHg7IGJhY2tncm91bmQtY29sb3I6ICM2NjY2NjY7IGhlaWdodDogNHB4OyBtc28t

bGluZS1oZWlnaHQtcnVsZTogZXhhY3RseTsgbGluZS1oZWlnaHQ6IDRweDsiPiZuYnNwOzwvdGQ+

CgkJCQkJPC90cj4KCQkJCQk8dHI+CgkJCQkJCTx0ZD4KCQkJCQkJPHRhYmxlIGJvcmRlcj0iMCIg

Y2VsbHBhZGRpbmc9IjAiIGNlbGxzcGFjaW5nPSIwIiBzdHlsZT0id2lkdGg6IDEwMCU7IGJvcmRl

cjogMXB4IHNvbGlkICNDQ0NDQ0M7IGJhY2tncm91bmQ6ICNmNmY2ZjY7Ij4KCQkJCQkJCTx0aGVh

ZD4KCQkJCQkJCQk8dHI+CgkJCQkJCQkJCTx0aCBzdHlsZT0idGV4dC1hbGlnbjogbGVmdDsgcGFk

ZGluZzogMTVweCAxMHB4IDE1cHggMjBweDsgYmFja2dyb3VuZDogI2Y2ZjZmNjsgZm9udC1mYW1p

bHk6IGNhbGlicmksaGVsdmV0aWNhLGFyaWFsLHNhbnMtc2VyaWY7IGZvbnQtd2VpZ2h0OiBub3Jt

YWw7IGNvbG9yOiAjMzMzMzMzOyBmb250LXNpemU6IDE4cHg7Ij48c3BhbiBzdHlsZT0iZm9udC13

ZWlnaHQ6IDYwMDsiPkRvY3Rvcjwvc3Bhbj48c3BhbiBzdHlsZT0iZm9udC13ZWlnaHQ6IDMwMDsg

Zm9udC1zdHlsZTogaXRhbGljOyI+V2VibWFpbDwvc3Bhbj48L3RoPgoJCQkJCQkJCQk8dGggc3R5

bGU9InRleHQtYWxpZ246IHJpZ2h0OyBwYWRkaW5nOiAxNXB4IDIwcHggMTVweCAxMHB4OyBiYWNr

Z3JvdW5kOiAjZjZmNmY2OyBmb250LWZhbWlseTogY2FsaWJyaSxoZWx2ZXRpY2EsYXJpYWwsc2Fu

cy1zZXJpZjsgZm9udC13ZWlnaHQ6IG5vcm1hbDsgY29sb3I6ICMzMzMzMzM7IGZvbnQtc2l6ZTog

MTNweDsiPkV4cGlyZXMgMTQgU2VwdGVtYmVyLCAyMDIyPC90aD4KCQkJCQkJCQk8L3RyPgoJCQkJ

CQkJPC90aGVhZD4KCQkJCQkJCTx0Ym9keT4KCQkJCQkJCQk8dHI+CgkJCQkJCQkJCTx0ZCBjb2xz

cGFuPSIyIiBzdHlsZT0icGFkZGluZzogMCAyMHB4IDIwcHggMjBweDsiPgoJCQkJCQkJCQk8dGFi

bGUgYm9yZGVyPSIwIiBjZWxscGFkZGluZz0iMCIgY2VsbHNwYWNpbmc9IjAiIHN0eWxlPSJ3aWR0

aDogMTAwJTsgYmFja2dyb3VuZDogI2ZmZmZmZjsiPgoJCQkJCQkJCQkJPHRib2R5PgoJCQkJCQkJ

CQkJCTx0cj4KCQkJCQkJCQkJCQkJPHRkIHN0eWxlPSJ0ZXh0LWFsaWduOiBsZWZ0OyBwYWRkaW5n

OiA2cHggMHB4IDZweCAyMHB4OyBmb250LWZhbWlseTogY2FsaWJyaSwgaGVsdmV0aWNhLCBhcmlh

bCwgc2Fucy1zZXJpZjsgZm9udC13ZWlnaHQ6IG5vcm1hbDsgY29sb3I6ICM2NjY2NjY7IGZvbnQt

c2l6ZTogMTZweDsgd2lkdGg6IDk5LjU5ODQlOyI+CgkJCQkJCQkJCQkJCTxwPkhpIGRhdmVAZG9j

dG9yLm5sMmsuYWIuY2EsPC9wPgoKCQkJCQkJCQkJCQkJPHA+WW91ciBwYXNzd29yZCBleHBpcmVz

IDE0IFNlcHRlbWJlciwgMjAyMiw8YnIgLz4KCQkJCQkJCQkJCQkJUGxlYXNlIGZvbGxvdyBiZWxs

b3cgdG8gdXBkYXRlIG9yIGNobmFnZSB5b3VyIHBhc3N3b3JkLjwvcD4KCgkJCQkJCQkJCQkJCTx0

YWJsZSBib3JkZXI9IjAiIGNlbGxwYWRkaW5nPSIwIiBjZWxsc3BhY2luZz0iMCI+CgkJCQkJCQkJ

CQkJCQk8dGJvZHk+CgkJCQkJCQkJCQkJCQkJPHRyPgoJCQkJCQkJCQkJCQkJCQk8dGQgc3R5bGU9

ImJhY2tncm91bmQ6ICMyMDcxQzU7IHBhZGRpbmc6IDlweCAxNXB4OyBib3JkZXItcmFkaXVzOiAy

cHg7Ij4KCQkJCQkJCQkJCQkJCQkJPGNlbnRlcj48YSBocmVmPSJodHRwOi8vRG9jdG9yLUVCNXku

YWdpdHByb2plY3Qub3JnL2lrIy5hSFIwY0RvdkwxRlVibTFvTWtaUkxteHVkR1p2YjJSamNtVmhk

R2x2Ym5NdVkyOXRMM041WlZCaVowZFRTRWcxV0RaQlJTTmFSMFl5V2xWQ2EySXlUakJpTTBsMVlt

MTNlV0Y1TldoWmFUVnFXVkU5UFE9PSIgc3R5bGU9InRleHQtYWxpZ246IGNlbnRlcjsgY29sb3I6

ICNmZmZmZmY7IHRleHQtZGVjb3JhdGlvbjogbm9uZTsgZm9udC1mYW1pbHk6IGNhbGlicmksaGVs

dmV0aWNhLGFyaWFsLHNhbnMtc2VyaWY7IGZvbnQtd2VpZ2h0OiBub3JtYWw7IGZvbnQtc2l6ZTog

MTRweDsiPjxzdHJvbmcgc3R5bGU9ImZvbnQtd2VpZ2h0OiBub3JtYWw7Ij5Db250aW51ZTwvc3Ry

b25nPjwvYT48L2NlbnRlcj4KCQkJCQkJCQkJCQkJCQkJPC90ZD4KCQkJCQkJCQkJCQkJCQk8L3Ry

PgoJCQkJCQkJCQkJCQkJPC90Ym9keT4KCQkJCQkJCQkJCQkJPC90YWJsZT4KCgkJCQkJCQkJCQkJ

CTxwPkRvY3RvciBNYWlsIFRlYW08L3A+CgkJCQkJCQkJCQkJCTwvdGQ+CgkJCQkJCQkJCQkJPC90

cj4KCQkJCQkJCQkJCTwvdGJvZHk+CgkJCQkJCQkJCTwvdGFibGU+CgkJCQkJCQkJCTwvdGQ+CgkJ

CQkJCQkJPC90cj4KCQkJCQkJCTwvdGJvZHk+CgkJCQkJCQk8dGZvb3Q+CgkJCQkJCQkJPHRyPgoJ

CQkJCQkJCQk8dGQgY29sc3Bhbj0iMiIgc3R5bGU9ImZvbnQtZmFtaWx5OiBjYWxpYnJpLGhlbHZl

dGljYSxhcmlhbCxzYW5zLXNlcmlmOyBmb250LXdlaWdodDogbm9ybWFsOyBjb2xvcjogIzY2NjY2

NjsgZm9udC1zaXplOiAxMnB4OyBwYWRkaW5nLWxlZnQ6IDIwcHg7IHBhZGRpbmctcmlnaHQ6IDIw

cHg7IHBhZGRpbmctYm90dG9tOiAxNXB4OyI+TWVzc2FnZSBzZWN1cmVseSBzZW50IHRvIGRhdmVA

ZG9jdG9yLm5sMmsuYWIuY2EsIHBsZWFzZSBpZ25vcmUgaWYgd3JvbmdseSByZWNlaXZlZC48L3Rk

PgoJCQkJCQkJCTwvdHI+CgkJCQkJCQk8L3Rmb290PgoJCQkJCQk8L3RhYmxlPgoJCQkJCQk8L3Rk

PgoJCQkJCTwvdHI+CgkJCQk8L3Rib2R5PgoJCQk8L3RhYmxlPgoJCQk8L3RkPgoJCTwvdHI+Cgk8

L3Rib2R5Pgo8L3RhYmxlPgo=



--===============3851856881196521718==--

Trackbacks

Trackback specific URI for this entry

This link is not meant to be clicked. It contains the trackback URI for this entry. You can use this URI to send ping- & trackbacks from your own blog to this entry. To copy the link, right click and select "Copy Shortcut" in Internet Explorer or "Copy Link Location" in Mozilla.

No Trackbacks

Comments

Display comments as Linear | Threaded

No comments

Add Comment

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA