Canada Revenue Agency Phish from mailgun.net

Return-path:
Envelope-to: dave@doctor.nl2k.ab.ca
Delivery-date: Sun, 02 Jun 2024 05:32:00 -0600
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.97.1 (FreeBSD))
    (envelope-from )
    id 1sDjRB-0000000059V-0Sgp
    for dave@doctor.nl2k.ab.ca;
    Sun, 02 Jun 2024 05:31:45 -0600
Resent-From: The Doctor
Resent-Date: Sun, 2 Jun 2024 05:31:45 -0600
Resent-Message-ID:
Resent-To: Dave Yadallee
Received: from m228-61.mailgun.net ([159.135.228.61]:27228)
    by doctor.nl2k.ab.ca with utf8esmtps (TLS1.3) tls TLS_AES_128_GCM_SHA256
    (Exim 4.97.1 (FreeBSD))
    (envelope-from )
    id 1sDiZP-00000000O1A-3pdb
    for sales@nk.ca;
    Sun, 02 Jun 2024 04:36:16 -0600
DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed; d=bealshop.shop; q=dns/txt; s=pic; t=1717324439; x=1717331639;
    h=Content-Transfer-Encoding: Content-Type: Subject: Subject: Date: To: To: From: From: Sender: Sender: MIME-Version: Message-Id;
    bh=hYQ1MP4dvNO5/xgfxWChiukAwaO0gmehckZs6XswYjA=;
    b=F9m3Ggh83Fs+2Cgc5ViE8aF8zHSbff77wsMcQgAnUc4YlljXOeMC457uZW9SqWx6Ori2cGmGZnibQGiL21t6X0KU2u0gUSV+PzrHwBbSBCLMD8OXIfcNrx7vK0Gkbt9KuY6JvnxLvQ/uAbE/qvPuZUlKVqbOtyprnZ789XQtjds=
X-Mailgun-Sending-Ip: 159.135.228.61
X-Mailgun-Sid: WyJkNjZmNiIsInNhbGVzQG5rLmNhIiwiODRmYzk0Il0=
Received: from DESKTOP-B0BVUS6 (bras-base-ktnron0923w-grc-14-74-12-34-111.dsl.bell.ca
    [74.12.34.111]) by 465e1be10b75 with SMTP id 665c4a97369065a1296ce92a
    (version=TLS1.3, cipher=TLS_AES_128_GCM_SHA256); Sun, 02 Jun 2024 10:33:59
    GMT
Message-Id: <20240602103359.07fd33be812263b1@bealshop.shop>
MIME-Version: 1.0
Sender: "Canada Revenue Agency"
From: "Canada Revenue Agency"
To: sales@nk.ca
Date: 2 Jun 2024 06:33:58 -0400
Subject: Canada Revenue Agency
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: base64

X-Spam_score: 9.4
X-Spam_score_int: 94
X-Spam_bar: +++++++++
X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",
    has identified this incoming email as possible spam. The original
    message has been attached to this so you can view it or label
    similar future email. If you have any questions, see
    @@CONTACT_ADDRESS@@ for details.

    Content preview: English version ** La version française suit ** The Canada
    Revenue Agency (CRA) sent you new mail online called:

    Content analysis details: (9.4 points, 5.0 required)

     pts rule name              description
    ---- ---------------------- --------------------------------------------------
     1.5 RCVD_IN_AHBL           RBL: AHBL: sender is listed in dnsbl.ahbl.org
                                [159.135.228.61 listed in dnsbl.ahbl.org]
                                [159.135.228.61 listed in dnsbl.ahbl.org]
                                [159.135.228.61 listed in dnsbl.ahbl.org]
                                [159.135.228.61 listed in dnsbl.ahbl.org]
                                [74.12.34.111 listed in dnsbl.ahbl.org]
                                [74.12.34.111 listed in dnsbl.ahbl.org]
                                [74.12.34.111 listed in dnsbl.ahbl.org]
                                [74.12.34.111 listed in dnsbl.ahbl.org]
     0.5 RCVD_IN_AHBL_PROXY     RBL: AHBL: Open Proxy server in dnsbl.ahbl.org
                                [159.135.228.61 listed in dnsbl.ahbl.org]
     1.5 RCVD_IN_AHBL_SPAM      RBL: AHBL: Spam Source in dnsbl.ahbl.org
                                [159.135.228.61 listed in dnsbl.ahbl.org]
     0.5 RCVD_IN_AHBL_SMTP      RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org
                                [159.135.228.61 listed in dnsbl.ahbl.org]
     0.0 RCVD_IN_AHBL_RTB       RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org
                                [159.135.228.61 listed in dnsbl.ahbl.org]
     1.0 RCVD_IN_WSFF           RBL: Received via a relay in will-spam-for-food.eu.org
                                [74.12.34.111 listed in will-spam-for-food.eu.org]
                                [74.12.34.111 listed in will-spam-for-food.eu.org]
                                [74.12.34.111 listed in will-spam-for-food.eu.org]
                                [74.12.34.111 listed in will-spam-for-food.eu.org]
                                [74.12.34.111 listed in will-spam-for-food.eu.org]
                                [74.12.34.111 listed in will-spam-for-food.eu.org]
                                [74.12.34.111 listed in will-spam-for-food.eu.org]
                                [74.12.34.111 listed in will-spam-for-food.eu.org]
                                [159.135.228.61 listed in will-spam-for-food.eu.org]
                                [159.135.228.61 listed in will-spam-for-food.eu.org]
                                [159.135.228.61 listed in will-spam-for-food.eu.org]
                                [159.135.228.61 listed in will-spam-for-food.eu.org]
                                [159.135.228.61 listed in will-spam-for-food.eu.org]
                                [159.135.228.61 listed in will-spam-for-food.eu.org]
                                [159.135.228.61 listed in will-spam-for-food.eu.org]
                                [159.135.228.61 listed in will-spam-for-food.eu.org]
    -0.2 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
                                [159.135.228.61 listed in wl.mailspike.net]
    -0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at http://www.dnswl.org/, no
                                trust
                                [159.135.228.61 listed in list.dnswl.org]
     1.0 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
    -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from
                                envelope-from domain
    -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
     0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
    -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's
                                domain
     0.2 MR_NOT_ATTRIBUTED_IP   Beta rule: an non-attributed IPv4 found in
                                headers
     0.8 MY_DSL                 I could use a BL for this.
     0.0 HTML_MESSAGE           BODY: HTML included in message
     1.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
     0.6 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
     1.0 FROM_FMBLA_NEWDOM14    From domain was registered in last 7-14 days
Subject: {SPAM?} Canada Revenue Agency



