Investment spam from Hotmail

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Wed, 02 Nov 2022 07:02:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))

(envelope-from )

id 1oqDKT-000BKE-51

for dave@doctor.nl2k.ab.ca;

Wed, 02 Nov 2022 06:58:49 -0600

Resent-From: The Doctor

Resent-Date: Wed, 2 Nov 2022 06:58:49 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from mail-bn1nam07hn2226.outbound.protection.outlook.com ([52.100.160.226]:20442 helo=NAM02-BN1-obe.outbound.protection.outlook.com)

by doctor.nl2k.ab.ca with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

(Exim 4.95 (FreeBSD))

(envelope-from )

id 1oq6Q5-000G6p-MS

for root@nk.ca;

Tue, 01 Nov 2022 23:36:15 -0600

ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;

b=GN7cnyxIIqr8BF0tmOwpYhYN+7Els7BkWwvp6QxnioiyjyqXO3GT1YT/a9etg+Tc7dscpRWBRkD5lcyoDL1btaid+6fsYfbUK3OvytojZtjVRTiULQGeHlgoQli2X/6rAYOrGTGsSnUaFBtdfpCZ73JiGJSd0b2KWS2gqPHAspRIGC5PvdNTFK8FGBAcKT8E4e/s7m48kxITk0rlKO8rvOuTSe4zwVTo/UC0dwt4eZgtE4EMftdByPkmmrFCE1S7rRbgvMXMC7rRNxf/jGeQfd5Lysfg8SaREu/d9N/EnffiImVhQyY1ojD2xpPjcDl1dJ/QUiiUJwndFBYxfhOk8w==

ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;

s=arcselector9901;

h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;

bh=mSLNISkTH5DIY5J9bcd9rj7xANlj4h/3C9mEl+WXyg4=;

b=RAszIV4PNCPXHQrGm1NI6S1oNsQEWbqmXftk1YswueHWOzlL17Zhc6w0W+Qt+a4qE17zAjsb3u+SIpsnIOhqZF3IHLybBhR7XnbLFQzdE8UD+CNawpL4TU6gPirNg3miU5Yrd8WawTaho6jHv4HVoidEaQ6Zihgys2w7vwFUHSNijb5c79ej8ugEFvMt+MmZ5YuVN7ii73IQhuOHFkVoVY89bFgkueR8fOXYtH9Z6RPH985lKhkxyXLI7kXcx2XCiRgr+blMqtNUMjMsRzIfMQx8GIHXsy44EYiFqpgfzYhlu7/ck/lJtAkz0+Hz17Mnvex4T4oth54D49HW2toa4A==

ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=softfail (sender ip

is 209.184.167.3) smtp.rcpttodomain=hotmail.com smtp.mailfrom=sheldonisd.com;

dmarc=none action=none header.from=sheldonisd.com; dkim=none (message not

signed); arc=none

Received: from DM6PR10CA0032.namprd10.prod.outlook.com (2603:10b6:5:60::45) by

MN0PR15MB5321.namprd15.prod.outlook.com (2603:10b6:208:370::14) with

Microsoft SMTP Server (version=TLS1_2,

cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5769.16; Wed, 2 Nov

2022 05:33:15 +0000

Received: from DM6NAM12FT040.eop-nam12.prod.protection.outlook.com

(2603:10b6:5:60:cafe::6) by DM6PR10CA0032.outlook.office365.com

(2603:10b6:5:60::45) with Microsoft SMTP Server (version=TLS1_2,

cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5791.20 via Frontend

Transport; Wed, 2 Nov 2022 05:33:15 +0000

X-MS-Exchange-Authentication-Results: spf=softfail (sender IP is

209.184.167.3) smtp.mailfrom=sheldonisd.com; dkim=none (message not signed)

header.d=none;dmarc=none action=none header.from=sheldonisd.com;

Received-SPF: SoftFail (protection.outlook.com: domain of transitioning

sheldonisd.com discourages use of 209.184.167.3 as permitted sender)

Received: from mail.sheldonisd.com (209.184.167.3) by

DM6NAM12FT040.mail.protection.outlook.com (10.13.179.73) with Microsoft SMTP

Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id

15.20.5791.17 via Frontend Transport; Wed, 2 Nov 2022 05:33:15 +0000

Received: from MAIL-365.ad.sheldonisd.com (10.1.16.82) by

MAIL-365.ad.sheldonisd.com (10.1.16.82) with Microsoft SMTP Server

(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id

15.1.2106.2; Wed, 2 Nov 2022 00:33:05 -0500

Received: from User (193.47.61.107) by MAIL-365.ad.sheldonisd.com (10.1.16.82)

with Microsoft SMTP Server id 15.1.2106.2 via Frontend Transport; Wed, 2 Nov

2022 00:32:59 -0500

Reply-To:

From: JAMES SEALY

Subject: [EXTERNAL EMAIL - USE CAUTION] Attention Dear,

Date: Tue, 1 Nov 2022 22:33:05 -0700

MIME-Version: 1.0

Content-Type: text/plain; charset="Windows-1251"

Content-Transfer-Encoding: quoted-printable

X-Priority: 3

X-MSMail-Priority: Normal

X-Mailer: Microsoft Outlook Express 6.00.2600.0000

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

Message-ID:

To: Undisclosed recipients:;

X-EOPAttributedMessage: 0

X-MS-PublicTrafficType: Email

X-MS-TrafficTypeDiagnostic: DM6NAM12FT040:EE_|MN0PR15MB5321:EE_

X-MS-Office365-Filtering-Correlation-Id: a8e69124-f138-4af7-2d2b-08dabc93bdc8

X-MS-Exchange-SenderADCheck: 1

X-MS-Exchange-AntiSpam-Relay: 0

X-Microsoft-Antispam: BCL:0;

X-Microsoft-Antispam-Message-Info:


X-Forefront-Antispam-Report:

CIP:209.184.167.3;CTRY:US;LANG:en;SCL:5;SRV:;IPV:NLI;SFV:SPM;H:mail.sheldonisd.com;PTR:mail.sheldonisd.com;CAT:OSPM;SFS:(13230022)(396003)(376002)(346002)(39860400002)(136003)(451199015)(109986013)(36840700001)(40470700004)(82740400003)(41300700001)(36860700001)(40480700001)(31686004)(26005)(32650700002)(70206006)(31696002)(786003)(8676002)(82310400005)(2860700004)(316002)(41320700001)(70586007)(4744005)(83170400001)(2906002)(40460700003)(956004)(7596003)(186003)(7416002)(8936002)(356005)(7636003)(7406005)(83380400001)(336012)(7366002)(42882007)(5660300002)(478600001)(426003)(6666004)(32550700012)(4001630100005);DIR:OUT;SFP:1501;

X-OriginatorOrg: sheldonisd.com

X-MS-Exchange-CrossTenant-OriginalArrivalTime: 02 Nov 2022 05:33:15.5792

(UTC)

X-MS-Exchange-CrossTenant-Network-Message-Id: a8e69124-f138-4af7-2d2b-08dabc93bdc8

X-MS-Exchange-CrossTenant-Id: 3237ab13-a154-4aab-bc15-73e6206d6acc

X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=3237ab13-a154-4aab-bc15-73e6206d6acc;Ip=[209.184.167.3];Helo=[mail.sheldonisd.com]

X-MS-Exchange-CrossTenant-AuthSource:

DM6NAM12FT040.eop-nam12.prod.protection.outlook.com

X-MS-Exchange-CrossTenant-AuthAs: Anonymous

X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem

X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN0PR15MB5321

X-Spam_score: 9.3

X-Spam_score_int: 93

X-Spam_bar: +++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: CAUTION: This email originated from outside of the organization.

DO NOT click links, provide credentials or open attachments unless you validate

the sender and know the content is safe. Attention Dear,



Content analysis details: (9.3 points, 5.0 required)



 pts rule name                      description
---- ------------------------------ --------------------------------------------------
 0.0 FSL_CTYPE_WIN1251              Content-Type only seen in 419 spam
 0.0 NSL_RCVD_FROM_USER             Received from User
 0.0 AXB_X_FF_SEZ_S                 Forefront sez this is spam
-0.0 SPF_PASS                       SPF: sender matches SPF record
 0.2 FREEMAIL_REPLYTO_END_DIGIT     Reply-To freemail username ends in digit
                                    [jamessealy162[at]gmail.com]
 0.0 FREEMAIL_FROM                  Sender email is commonly abused enduser mail provider
                                    [wendyarandas[at]sheldonisdnoc.onmicrosoft.com]
-0.0 SPF_HELO_PASS                  SPF: HELO matches SPF record
 0.0 HEADER_FROM_DIFFERENT_DOMAINS  From and EnvelopeFrom 2nd level mail domains are different
 0.2 FREEMAIL_FORGED_FROMDOMAIN     2nd level domains in From and EnvelopeFrom freemail headers are different
 0.0 AXB_XMAILER_MIMEOLE_OL_024C2   Yet another X header trait
 0.6 FSL_NEW_HELO_USER              Spam's using Helo and User
 0.0 LOTS_OF_MONEY                  Huge... sums of money
 1.5 MONEY_FREEMAIL_REPTO           Lots of money from someone using free email?
 2.8 FORGED_MUA_OUTLOOK             Forged mail pretending to be from MS Outlook
 1.0 XPRIO                          Has X-Priority header
 2.9 UNDISC_MONEY                   Undisclosed recipients + money/fraud signs

Subject: {SPAM?} [EXTERNAL EMAIL - USE CAUTION] Attention Dear,

X-Antivirus: AVG (VPS 221102-0, 11/1/2022), Inbound message

X-Antivirus-Status: Clean



CAUTION: This email originated from outside of the organization. DO NOT cli=

ck links, provide credentials or open attachments unless you validate the s=

ender and know the content is safe.



Attention Dear,



A HIGH LEVEL INVESTMENT OPPORTUNITY IS AVAILABLE NOW. THE INVESTMENT CAPITA=

L IS USD48 MILLION.

REQUIREMENT: CAPABLE AND EXPERIENCED PROFESSIONAL FUND/INVESTMENT MANAGER E=

ITHER CORPORATE BODY OR INDIVIDUAL.



THE INVESTMENT FUND IS DOMICILED IN TURKEY. THE PROCESSING AND TRANSFER WIL=

L TAKE PLACE IN TURKEY AND AS SUCH YOU WILL BE REQUIRED TO COME TO TURKEY.



A ROUND TRIP TICKET WITH FULLY PAID HOTEL ACCOMMODATION FOR 3 NIGHTS IN A H=

OTEL WILL BE ARRANGED FOR YOUR TRIP TO TURKEY.



IF YOU HAVE THE CAPACITY AND WILLINGNESS TO HANDLE THIS PROJECT, KINDLY RES=

POND WITH YOUR DETAILS.



THANKS



BEST REGARDS,



JAMES SEALY

CONSULTANT/BROKER.
