Twitter/X credential phish Part 2
Posted by Dave Yadallee onContent analysis details: (6.6 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
1.5 RCVD_IN_AHBL RBL: AHBL: sender is listed in dnsbl.ahbl.org
[35.89.44.36 listed in dnsbl.ahbl.org]
[35.89.44.36 listed in dnsbl.ahbl.org]
[35.89.44.36 listed in dnsbl.ahbl.org]
[35.89.44.36 listed in dnsbl.ahbl.org]
[108.167.190.86 listed in dnsbl.ahbl.org]
[108.167.190.86 listed in dnsbl.ahbl.org]
[108.167.190.86 listed in dnsbl.ahbl.org]
[108.167.190.86 listed in dnsbl.ahbl.org]
0.5 RCVD_IN_AHBL_PROXY RBL: AHBL: Open Proxy server in dnsbl.ahbl.org
[35.89.44.36 listed in dnsbl.ahbl.org]
1.5 RCVD_IN_AHBL_SPAM RBL: AHBL: Spam Source in dnsbl.ahbl.org
[35.89.44.36 listed in dnsbl.ahbl.org]
0.0 RCVD_IN_AHBL_RTB RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org
[35.89.44.36 listed in dnsbl.ahbl.org]
0.5 RCVD_IN_AHBL_SMTP RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org
[35.89.44.36 listed in dnsbl.ahbl.org]
1.0 RCVD_IN_WSFF RBL: Received via a relay in will-spam-for-food.eu.org
[108.167.190.86 listed in will-spam-for-food.eu.org]
[108.167.190.86 listed in will-spam-for-food.eu.org]
[108.167.190.86 listed in will-spam-for-food.eu.org]
[108.167.190.86 listed in will-spam-for-food.eu.org]
[108.167.190.86 listed in will-spam-for-food.eu.org]
[108.167.190.86 listed in will-spam-for-food.eu.org]
[108.167.190.86 listed in will-spam-for-food.eu.org]
[108.167.190.86 listed in will-spam-for-food.eu.org]
[35.89.44.36 listed in will-spam-for-food.eu.org]
[35.89.44.36 listed in will-spam-for-food.eu.org]
[35.89.44.36 listed in will-spam-for-food.eu.org]
[35.89.44.36 listed in will-spam-for-food.eu.org]
[35.89.44.36 listed in will-spam-for-food.eu.org]
[35.89.44.36 listed in will-spam-for-food.eu.org]
[35.89.44.36 listed in will-spam-for-food.eu.org]
[35.89.44.36 listed in will-spam-for-food.eu.org]
-2.0 RCVD_IN_RP_SAFE RBL: Sender in ReturnPath Safe - Contact
safe-sa@returnpath.net
[Excessive Number of Queries |
-3.0 RCVD_IN_RP_CERTIFIED RBL: Sender in ReturnPath Certified - Contact
cert-sa@returnpath.net
[Excessive Number of Queries |
1.0 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
0.2 MR_NOT_ATTRIBUTED_IP Beta rule: an non-attributed IPv4 found in
headers
0.0 HTML_MESSAGE BODY: HTML included in message
0.0 HTML_FONT_SIZE_HUGE BODY: HTML font size is huge
0.7 HTML_IMAGE_ONLY_28 BODY: HTML: images with 2400-2800 bytes of words
0.0 NO_RDNS2 Sending MTA has no reverse DNS
0.1 FROM_EXCESS_BASE64 From: base64 encoded unnecessarily
0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
0.8 SARE_FROM_SPAM_WORD3 I don't know people named this!
2.5 PHP_SCRIPT Sent by PHP script
0.0 T_REMOTE_IMAGE Message contains an external image
1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,
https://senderscore.org/blacklistlookup/
[35.89.44.36 listed in bl.score.senderscore.com]
Subject: {SPAM?} =?UTF-8?B?cm9vdG5rIFlvdXIgMkZBIHdhcyB0ZW1wb3JhcmlseSBwYXVzZWQg4oCTIHJlLWVuYWJsZSB3aXRoIG9uZSBjbGljaw==?=
------=_NextPart_c350e56a209a09f9e0a41a586fc62855
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X 2FA Manager
Hello rootnk, your two‑factor authentication was paused because of a configuration mismatch. This makes your account less secure.
With X 2FA Manager, you can re‑enable it instantly. Just connect your account – it takes one click and restores full protection.
Re‑enable 2FA
If you did not request this pause, we strongly advise re‑enabling 2FA immediately. No backup codes are required.
Help | Email security tips
X Corp. 1355 Market Street, Suite 900 San Francisco, CA 94103
------=_NextPart_c350e56a209a09f9e0a41a586fc62855
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit
|
------=_NextPart_c350e56a209a09f9e0a41a586fc62855--