USPS Phish from Italy

Return-path:
Envelope-to: dave@doctor.nl2k.ab.ca
Delivery-date: Thu, 19 Jan 2023 19:59:40 -0700
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.96)
    (envelope-from )
    id 1pIhcv-000EVq-2g
    for dave@doctor.nl2k.ab.ca;
    Thu, 19 Jan 2023 19:59:37 -0700
Resent-From: The Doctor
Resent-Date: Thu, 19 Jan 2023 19:59:37 -0700
Resent-Message-ID:
Resent-To: Dave Yadallee
Received: from mailer.sfera.net ([80.91.49.218]:55385)
    by doctor.nl2k.ab.ca with esmtp (Exim 4.96)
    (envelope-from )
    id 1pIgcu-000C81-05
    for doctor@nk.ca;
    Thu, 19 Jan 2023 18:55:37 -0700
Received: from serverbis.sfera.net (unknown [80.91.49.226])
    by mailer.sfera.net (Postfix) with ESMTP id 393871E86A5
    for ; Fri, 20 Jan 2023 02:53:01 +0100 (CET)
Received: from serverbis.sfera.net (localhost.localdomain [127.0.0.1])
    by serverbis.sfera.net (Postfix) with ESMTP id 2F7818809A
    for ; Fri, 20 Jan 2023 02:53:01 +0100 (CET)
Received: (from apache@localhost)
    by serverbis.sfera.net (8.13.8/8.13.8/Submit) id 30K1r0uI023848;
    Fri, 20 Jan 2023 02:53:00 +0100
Date: Fri, 20 Jan 2023 02:53:00 +0100
Message-Id: <202301200153.30K1r0uI023848@serverbis.sfera.net>
To: doctor@nk.ca
Subject: Pay for your parcel number 92612927005044004682547103 : Important!
From: USPS - Canada
MIME-Version: 1.0
Content-Type: multipart/mixed;boundary=453f48a3c4116f2c1b908168489b1070
X-Spam_score: 7.8
X-Spam_score_int: 78
X-Spam_bar: +++++++
X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",
    has identified this incoming email as possible spam. The original
    message has been attached to this so you can view it or label
    similar future email. If you have any questions, see
    @@CONTACT_ADDRESS@@ for details.

    Content preview: Dear User, Package Tracking Number : 92612927005044004682547103.
    Confirm payment to complete delivery as soon as possible.

    Content analysis details: (7.8 points, 5.0 required)

     pts rule name              description
    ---- ---------------------- --------------------------------------------------
     1.3 RCVD_IN_VALIDITY_RPBL  RBL: Relay in Validity RPBL,
                                https://senderscore.org/blocklistlookup/
                                [80.91.49.218 listed in bl.score.senderscore.com]
     1.3 RCVD_IN_RP_RNBL        RBL: Relay in RNBL,
                                https://senderscore.org/blacklistlookup/
                                [80.91.49.218 listed in bl.score.senderscore.com]
    -0.0 T_RP_MATCHES_RCVD      Envelope sender domain matches handover relay
                                domain
     0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
                                domains are different
    -0.2 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
                                [80.91.49.218 listed in wl.mailspike.net]
     1.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
     0.0 HTML_MESSAGE           BODY: HTML included in message
     0.7 HTML_IMAGE_ONLY_20     BODY: HTML: images with 1600-2000 bytes of words
     0.6 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
     3.0 URI_WP_DIRINDEX        URI for compromised WordPress site, possible malware
     0.0 T_REMOTE_IMAGE         Message contains an external image
Subject: {SPAM?} Pay for your parcel number 92612927005044004682547103 : Important!

--453f48a3c4116f2c1b908168489b1070
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: base64






--453f48a3c4116f2c1b908168489b1070--
