Canada Post Phish from Amazon
Posted by Dave Yadallee on
Envelope-to: dave@doctor.nl2k.ab.ca
Delivery-date: Tue, 26 Apr 2022 07:07:01 -0600
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))
(envelope-from
id 1njKtV-0003df-2v
for dave@doctor.nl2k.ab.ca;
Tue, 26 Apr 2022 07:06:17 -0600
Resent-From: The Doctor
Resent-Date: Tue, 26 Apr 2022 07:06:17 -0600
Resent-Message-ID:
Resent-To: Dave Yadallee
Received: from ec2-35-72-201-243.ap-northeast-1.compute.amazonaws.com ([35.72.201.243]:44902 helo=multiweb.sdpi)
by doctor.nl2k.ab.ca with esmtp (Exim 4.95 (FreeBSD))
(envelope-from
id 1njH8W-0009Db-F4
for doctor@nl2k.ab.ca;
Tue, 26 Apr 2022 03:05:45 -0600
Received: by multiweb.sdpi (Postfix, from userid 48)
id 9AC573B5B4E4; Tue, 26 Apr 2022 17:56:45 +0900 (JST)
To: doctor@nl2k.ab.ca
Subject: =?UTF-8?B?VGhhbmtzIGZvciB1c2luZyBESExFeHByZXNz?=
X-PHP-Originating-Script: 48:Mailer8768790324SQDSQDSSQDSSQDSQDDSQDSQDSD.php
From: =?UTF-8?B?REhMRXhwcmVzcyBQb3N0?=
MIME-Version: 1.0;
Content-type: multipart/mixed; boundary="--OBFgEiKLIa"
Message-Id: <20220426085645.9AC573B5B4E4@multiweb.sdpi>
Date: Tue, 26 Apr 2022 17:56:45 +0900 (JST)
X-Spam_score: 7.2
X-Spam_score_int: 72
X-Spam_bar: +++++++
X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
@@CONTACT_ADDRESS@@ for details.
Content preview: Hello, Your package N [54246452-AV] is waiting for delivery.
Please confirm the payment (1,65 CAD) on the link below, the online verification
needs to be done in the next 14 days before it expires.​
Content analysis details: (7.2 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.4 NO_DNS_FOR_FROM DNS: Envelope sender has no MX or A DNS records
0.8 DKIM_ADSP_NXDOMAIN No valid author signature and domain not in
DNS
2.0 PDS_OTHER_BAD_TLD Untrustworthy TLDs
[URI: ceshi.banhui.xyz (xyz)]
0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
mail domains are different
0.0 T_TVD_MIME_NO_HEADERS BODY: No description available.
0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or
identical to background
0.0 HTML_MESSAGE BODY: HTML included in message
0.0 URI_TRY_3LD URI: "Try it" URI, suspicious hostname
-0.0 T_SCC_BODY_TEXT_LINE No description available.
0.4 RDNS_DYNAMIC Delivered to internal network by host with
dynamic-looking rDNS
0.1 FROM_EXCESS_BASE64 From: base64 encoded unnecessarily
3.3 BOGUS_MIME_VERSION Mime version header is bogus
0.0 PDS_RDNS_DYNAMIC_FP RDNS_DYNAMIC with FP steps
0.3 KHOP_HELO_FCRDNS Relay HELO differs from its IP's reverse DNS
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
blocked. See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: banhui.xyz]
Subject: {SPAM?} =?UTF-8?B?VGhhbmtzIGZvciB1c2luZyBESExFeHByZXNz?=
----OBFgEiKLIa
Content-type: text/html; charset="utf-8"
Content-Transfer-Encoding: 8bit
Hello,
Your package N [54246452-AV] is waiting for delivery.
Please confirm the payment (1,65 CAD) on the link below, the online verification needs to be done in the next 14 days before it expires.
AN SMS VERIFICATION WILL BE REQUESTED. IN ORDER TO ENSURE YOUR IDENTITY.
2022 @ DHL International GmbH. All rights reserved.
----OBFgEiKLIa