USPS Phish

Return-path:
Envelope-to: dave@doctor.nl2k.ab.ca
Delivery-date: Thu, 06 Apr 2023 05:09:34 -0600
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.96)
    (envelope-from )
    id 1pkNUZ-000DTK-1E
    for dave@doctor.nl2k.ab.ca;
    Thu, 06 Apr 2023 05:09:23 -0600
Resent-From: The Doctor
Resent-Date: Thu, 6 Apr 2023 05:09:23 -0600
Resent-Message-ID:
Resent-To: Dave Yadallee
Received: from mailer.sfera.net ([80.91.49.218]:32841)
    by doctor.nl2k.ab.ca with esmtp (Exim 4.96)
    (envelope-from )
    id 1pkF7u-0009h3-24
    for doctor@nk.ca;
    Wed, 05 Apr 2023 20:13:31 -0600
Received: from serverbis.sfera.net (unknown [80.91.49.226])
    by mailer.sfera.net (Postfix) with ESMTP id 2E9C01E84B5
    for ; Thu, 6 Apr 2023 04:11:32 +0200 (CEST)
Received: from serverbis.sfera.net (localhost.localdomain [127.0.0.1])
    by serverbis.sfera.net (Postfix) with ESMTP id 001F28809B
    for ; Thu, 6 Apr 2023 04:11:24 +0200 (CEST)
Received: (from apache@localhost)
    by serverbis.sfera.net (8.13.8/8.13.8/Submit) id 3362BOUP008383;
    Thu, 6 Apr 2023 04:11:24 +0200
Date: Thu, 6 Apr 2023 04:11:24 +0200
Message-Id: <202304060211.3362BOUP008383@serverbis.sfera.net>
To: doctor@nk.ca
Subject: Pay for your parcel number 92612927005044004682547103 : Important.
From: USPS
MIME-Version: 1.0
Content-Type: multipart/mixed;boundary=449746430cc98550e5eb10e47907c14c
X-Spam_score: 6.8
X-Spam_score_int: 68
X-Spam_bar: ++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",
    has identified this incoming email as possible spam. The original
    message has been attached to this so you can view it or label
    similar future email. If you have any questions, see
    @@CONTACT_ADDRESS@@ for details.

    Content preview: Dear Customer , Parcel tracking number : 92612927005044004682547103.
    We have received your parcel, you need to pay 1.89$ to process your delivery.

    Content analysis details: (6.8 points, 5.0 required)

     pts rule name              description
    ---- ---------------------- --------------------------------------------------
     0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
                                domains are different
    -0.0 T_RP_MATCHES_RCVD      Envelope sender domain matches handover relay
                                domain
    -0.2 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
                                [80.91.49.218 listed in wl.mailspike.net]
     0.0 HTML_MESSAGE           BODY: HTML included in message
     0.7 HTML_IMAGE_ONLY_20     BODY: HTML: images with 1600-2000 bytes of words
     1.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
     0.6 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
     0.0 T_REMOTE_IMAGE         Message contains an external image
     1.7 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
     0.4 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                                [cf: 100]
     2.4 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                                above 50%
                                [cf: 100]
     0.0 FSL_BULK_SIG           Bulk signature with no Unsubscribe
Subject: {SPAM?} Pay for your parcel number 92612927005044004682547103 : Important.



--449746430cc98550e5eb10e47907c14c
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: base64






--449746430cc98550e5eb10e47907c14c--
