USPS Phish from Italy
Posted by Dave Yadallee on
Return-path:
Envelope-to: dave@doctor.nl2k.ab.ca
Delivery-date: Thu, 19 Jan 2023 19:59:40 -0700
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.96)
        (envelope-from)
        id 1pIhcv-000EVq-2g
        for dave@doctor.nl2k.ab.ca;
        Thu, 19 Jan 2023 19:59:37 -0700
Resent-From: The Doctor
Resent-Date: Thu, 19 Jan 2023 19:59:37 -0700
Resent-Message-ID:
Resent-To: Dave Yadallee
Received: from mailer.sfera.net ([80.91.49.218]:55385)
        by doctor.nl2k.ab.ca with esmtp (Exim 4.96)
        (envelope-from)
        id 1pIgcu-000C81-05
        for doctor@nk.ca;
        Thu, 19 Jan 2023 18:55:37 -0700
Received: from serverbis.sfera.net (unknown [80.91.49.226])
        by mailer.sfera.net (Postfix) with ESMTP id 393871E86A5
        for; Fri, 20 Jan 2023 02:53:01 +0100 (CET)
Received: from serverbis.sfera.net (localhost.localdomain [127.0.0.1])
        by serverbis.sfera.net (Postfix) with ESMTP id 2F7818809A
        for; Fri, 20 Jan 2023 02:53:01 +0100 (CET)
Received: (from apache@localhost)
        by serverbis.sfera.net (8.13.8/8.13.8/Submit) id 30K1r0uI023848;
        Fri, 20 Jan 2023 02:53:00 +0100
Date: Fri, 20 Jan 2023 02:53:00 +0100
Message-Id: <202301200153.30K1r0uI023848@serverbis.sfera.net>
To: doctor@nk.ca
Subject: Pay for your parcel number 92612927005044004682547103 : Important!
From: USPS - Canada
MIME-Version: 1.0
Content-Type: multipart/mixed;boundary=453f48a3c4116f2c1b908168489b1070
X-Spam_score: 7.8
X-Spam_score_int: 78
X-Spam_bar: +++++++
X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",
        has identified this incoming email as possible spam. The original
        message has been attached to this so you can view it or label
        similar future email. If you have any questions, see
        @@CONTACT_ADDRESS@@ for details.
        Content preview: Dear User, Package Tracking Number : 92612927005044004682547103.
        Confirm payment to complete delivery as soon as possible.
        Content analysis details: (7.8 points, 5.0 required)
         pts rule name              description
        ---- ---------------------- --------------------------------------------------
         1.3 RCVD_IN_VALIDITY_RPBL  RBL: Relay in Validity RPBL,
                                    https://senderscore.org/blocklistlookup/
                                    [80.91.49.218 listed in bl.score.senderscore.com]
         1.3 RCVD_IN_RP_RNBL        RBL: Relay in RNBL,
                                    https://senderscore.org/blacklistlookup/
                                    [80.91.49.218 listed in bl.score.senderscore.com]
        -0.0 T_RP_MATCHES_RCVD      Envelope sender domain matches handover relay
                                    domain
         0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
                                    domains are different
        -0.2 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
                                    [80.91.49.218 listed in wl.mailspike.net]
         1.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
         0.0 HTML_MESSAGE           BODY: HTML included in message
         0.7 HTML_IMAGE_ONLY_20     BODY: HTML: images with 1600-2000 bytes of words
         0.6 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
         3.0 URI_WP_DIRINDEX        URI for compromised WordPress site, possible malware
         0.0 T_REMOTE_IMAGE         Message contains an external image
Subject: {SPAM?} Pay for your parcel number 92612927005044004682547103 : Important!
--453f48a3c4116f2c1b908168489b1070
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: base64

--453f48a3c4116f2c1b908168489b1070--