payment phish
Posted by Dave Yadallee on
Return-path:
Envelope-to: dave@doctor.nl2k.ab.ca
Delivery-date: Fri, 16 Sep 2022 11:35:01 -0600
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))
(envelope-from)
id 1oZFDF-0006cw-RM
for dave@doctor.nl2k.ab.ca;
Fri, 16 Sep 2022 11:33:13 -0600
Resent-From: The Doctor
Resent-Date: Fri, 16 Sep 2022 11:33:13 -0600
Resent-Message-ID:
Resent-To: Dave Yadallee
Received: from smtp108.ord1d.emailsrvr.com ([184.106.54.108]:42473)
by doctor.nl2k.ab.ca with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
(Exim 4.95 (FreeBSD))
(envelope-from)
id 1oZD9E-0005sg-5P
for doctor@nl2k.ab.ca;
Fri, 16 Sep 2022 09:21:00 -0600
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
d=oldtown-guesthouse.com; s=20200515-4eovi7wq; t=1663341631;
bh=NReo46jhu3Fs8SffKblTsF9TZCB1yYx01JxNqL1OyKA=;
h=From:Subject:Date:From;
b=JurG5IFpuss3JCYAskxOzLfIrvi8wMgZSRXwIwRkNBulor2KIBRM4wfnUYfcLNuvW
GfeG/tMkEXMYwhkEu/2n93katuZEQsbRodj5U6820U8Hj7l/nc6XiRTcA1WnxsfAjW
rZz82lhXtnf/uyTv3Nhlu5buKn5G6aZuk3d1KSlE=
X-Auth-ID: relax@oldtown-guesthouse.com
Received: by smtp6.relay.ord1d.emailsrvr.com (Authenticated sender: relax-AT-oldtown-guesthouse.com) with ESMTPA id 1CB90E01BA;
Fri, 16 Sep 2022 11:20:06 -0400 (EDT)
From: "Dira"
Subject: Payment Confirmation
Date: Fri, 16 Sep 2022 15:20:31 -0000
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0041_01C2A9A6.28AEF300"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Classification-ID: 67668e34-8958-419c-83fb-1be73876ae52-1-1
X-Spam_score: 12.9
X-Spam_score_int: 129
X-Spam_bar: ++++++++++++
X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
@@CONTACT_ADDRESS@@ for details.
Content preview: Hello, Please acknowledge upon receipt of my today payment
via (e-transfer) Transaction ID #: RGJORB04DNYUPSH06GS
Content analysis details: (12.9 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
blocked. See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: oldtown-guesthouse.com]
-0.0 SPF_PASS SPF: sender matches SPF record
1.2 MISSING_HEADERS Missing To: header
2.4 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
above 50%
[cf: 100]
1.7 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
0.4 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
[cf: 100]
0.0 FROM_MISSP_XPRIO Misspaced FROM + X-Priority
-0.0 T_SCC_BODY_TEXT_LINE No description available.
0.1 MISSING_MID Missing Message-Id: header
0.0 AXB_XMAILER_MIMEOLE_OL_024C2 Yet another X header trait
0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
0.0 FROM_MISSP_MSFT From misspaced + supposed Microsoft tool
3.5 MALW_ATTACH Attachment filename suspicious, probable malware
exploit
0.7 TO_NO_BRKTS_FROM_MSSP Multiple formatting errors
0.0 FROM_MISSPACED From: missing whitespace
2.8 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
Subject: {SPAM?} Payment Confirmation
This is a multi-part message in MIME format.
------=_NextPart_000_0041_01C2A9A6.28AEF300
Content-Type: text/plain;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
Hello,
Please acknowledge upon receipt of my today
payment via (e-transfer)
Transaction ID #: RGJORB04DNYUPSH06GS
Thanks...
------=_NextPart_000_0041_01C2A9A6.28AEF300
Content-Type: application/x-zip-compressed;
name="RGJORB04DNYUPSH06GS_pdf.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="RGJORB04DNYUPSH06GS_pdf.zip"
UEsDBBQAAAAAAHp3MFXO4DBXaAAAAGgAAAAcAAAAUkdKT1JCMDRETllVUFNI
MDZHU19wZGYuSFRNTDxib2R5IG9ubG9hZD0iamF2YXNjcmlwdDp3aW5kb3cu
bG9jYXRpb24uaHJlZj0naHR0cHM6Ly90cmFjay1kaHNlcnZpY2VzLmNvbS9S
R0pPUkIwNEROWVVQU0gwNkdTLklTTyc7Ij4KUEsBAhQAFAAAAAAAencwVc7g
MFdoAAAAaAAAABwAAAAAAAAAAQAgAAAAAAAAAFJHSk9SQjA0RE5ZVVBTSDA2
R1NfcGRmLkhUTUxQSwUGAAAAAAEAAQBKAAAAogAAAAAA
------=_NextPart_000_0041_01C2A9A6.28AEF300--