diff --git a/content/spam/2024-04-29-another-good-fake/index.md b/content/spam/2024-04-29-another-good-fake/index.md new file mode 100644 index 0000000..a7fecb6 --- /dev/null +++ b/content/spam/2024-04-29-another-good-fake/index.md 
@@ -0,0 +1,456 @@ +--- +title: Another good fake +summary: +date: 2024-04-29T21:12:44+0200 +# lastmod: +# categories: +#- spam +# tags: + +# showBreadcrumbs: true +# showDate: false +# showReadingTime: false +# showWordCount: false +# showPagination: false + +# feed_exclude: true +# site_exclude: true + +draft: true + +--- + +This one is another good fake mail that does not look like spam at the +first sight -- but in the end they're all the same mails with faked +recipients/senders/links etc. + +## The mail body + +~~~ + + + Mit Drei immer bestens informiert. + [1][DreiInfoConsumerKletterer] + Lieber Drei Kunde, + + Ich hoffe, es geht Ihnen gut. Ich möchte Sie über ein wichtiges Update + bezüglich Ihrer Telefonnummer informieren. Wir haben kürzlich festgestellt, + dass Ihre Nummer aufgrund einiger Änderungen in unserem System + irrtümlicherweise deaktiviert wurde. + + Um Ihren Telefondienst wiederherzustellen, bitten wir Sie, diese einfachen + Schritte zu befolgen: + + Klicken Sie auf [2]Link. Dies wird Sie zu unserer Plattform weiterleiten, wo + Sie die Reaktivierung Ihrer Telefonnummer bestätigen können. + + + Sobald Sie auf den Link geklickt und die Reaktivierung bestätigt haben, sollte + Ihre Telefonnummer in Kürze wieder betriebsbereit sein. + + + Um Ihr Telefon zu reaktivieren, klicken Sie bitte auf den folgenden Link: + + + + [3]https://www.drei.at/selfcare/Verification.do?optInKey=id8630763 + + + + Wenn Sie zusätzliche Unterstützung benötigen oder Probleme bei der + Reaktivierung Ihrer Nummer haben, zögern Sie nicht. + + + + Wir danken Ihnen für Ihre Mitarbeit und Ihr Verständnis. Wir sind hier, um + Ihnen so schnell wie möglich bei der Wiederherstellung Ihres Telefondienstes zu + helfen. + + Freundliche Grüße + Ihr Drei Service-Team + + [4][footerblue] + [5]Facebook [6]Instagram [7]Twitter [8]Youtube [9]Linkedin [10]Xing + [11][machtseinf] + + Es gelten die AGB von Hutchison Drei Austria GmbH. 
Details auf [12]www.drei.at, + HG Wien, FN 140132b + + [13]Kontakt | [14]Impressum + +References: + +[1] https://www.drei.at/de/index.html +[2] https://wid.chh.mybluehost.me/website_7fb0c4ce/at/1 +[3] https://wid.chh.mybluehost.me/website_7fb0c4ce/at/1 +[4] https://www.drei.at/webmail/de/index?attachment=2&fld=%2fINBOX%2fTrash&id=1&mode=html&task=datatable_imap_mail_download +[5] https://www.facebook.com/dreioesterreich +[6] https://www.instagram.com/dreioesterreich +[7] https://twitter.com/dreioesterreich +[8] https://www.youtube.com/dreioesterreich +[9] https://www.linkedin.com/company/drei-oesterreich +[10] https://www.xing.com/company/dreioesterreich +[11] https://www.drei.at/webmail/de/index?attachment=2&fld=%2fINBOX%2fTrash&id=1&mode=html&task=datatable_imap_mail_download +[12] http://www.drei.at/ +[13] https://www.drei.at/selfcare/contact.do?utm_campaign=kontakt&utm_source=alle&utm_medium=shortlink&utm_content=onsite +[14] https://www.drei.at/de/footernavigation/impressum/ +~~~ + +The list of links on the bottom already gives a clue about the mail. + +## The mail body source (html) + +~~~html {hl_lines="59 78"} + + + + + + + +

 

+ + + + + + + + + + + + + +
+ + + + + + + + +
+ + + + + + + +
+ + + + + + +
+ + + + + + +
+ + + + + + +
+ + + + + + + +
+ + + + + + + +
+ + + + + + + + + + + +
+
+ + + + + + + + + +

Es gelten die AGB von Hutchison Drei Austria GmbH. Details auf www.drei.at, HG Wien, FN 140132b

+ + +
+
+
+ + +~~~ + +## Some mail headers + +~~~plain {hl_lines="18 130"} +Return-Path: <3serviceteam24@drei.at> +Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) + by sloti44n20 (Cyrus 3.11.0-alpha0-386-g4cb8e397f9-fm-20240415.001-g4cb8e397) with LMTPA; + Mon, 29 Apr 2024 05:32:26 -0400 +X-Cyrus-Session-Id: sloti44n20-1714383146-1563527-2-12093189089660363855 +X-Sieve: CMU Sieve 3.0 +X-Spam-known-sender: no ("Email failed DMARC policy for domain") +X-Spam-sender-reputation: 1000 (domain; noauth) +X-Spam-score: 0.0 +X-Spam-hits: BAYES_50 0.8, HTML_IMAGE_RATIO_08 0.001, HTML_MESSAGE 0.001, + ME_NOAUTH 0.01, ME_SC_SENDERREP -100, ME_SENDERREP_ALLOW -4, + SHORTCIRCUIT -0.0001, SPF_FAIL 0.001, SPF_HELO_PASS -0.001, LANGUAGES de, + BAYES_USED user, SA_VERSION 3.4.6 +X-Spam-source: IP='222.227.81.166', Host='mta-sp-e06.jcom.zaq.ne.jp', Country='JP', + FromHeader='at', MailFrom='at' +X-Spam-charsets: plain='utf-8', html='utf-8' +X-Resolved-to: {my-mail-account} +X-Delivered-to: {my-real-mail-address} +X-Mail-from: 3serviceteam24@drei.at +Received: from mx3 ([10.202.2.202]) + by compute1.internal (LMTPProxy); Mon, 29 Apr 2024 05:32:26 -0400 +Received: from mx3.messagingengine.com (localhost [127.0.0.1]) + by mailmx.nyi.internal (Postfix) with ESMTP id 4FE1D19600BA + for <{my-real-mail-address}>; Mon, 29 Apr 2024 05:32:26 -0400 (EDT) +Received: from mailmx.nyi.internal (localhost [127.0.0.1]) + by mx3.messagingengine.com (Authentication Milter) with ESMTP + id 85CCEACF945.3D7B519600AE; + Mon, 29 Apr 2024 05:32:26 -0400 +ARC-Seal: i=1; a=rsa-sha256; cv=none; d=messagingengine.com; s=fm3; t= + 1714383146; b=NPrVm6ZPLeSZvNVXB5VH+DGhxZXOt/uuITUES+D/cHZDn5V4/J + ysZe5nOrK/SzTnf0DQJJyB+KY+6Po0iChnS4lJMVnDlT+Fsj0tHCsTJY267yd1rr + fRpM8GtoztzVR7ncPgOjCcjYZfl07gdK2jzUTr8x4MUonsoQLaauzHyc+wQMQNw2 + LyWftCK4jJhId7sPzjjdro6D5LB0yQSEeFJsr67ziA3YtLvIPr41hW1QsKtDspuw + WJmhcWc+Rqd95admdtIyNFpdQH5M5hX4vph5/kL3/KpMg7atX+CSo55+O2MXufm/ + g929r+iT++JL5653hpEZK+N5c66h4dG3xoiA== 
+ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d= + messagingengine.com; h=message-id:mime-version:from:to:subject + :date:content-type; s=fm3; t=1714383146; bh=ni8L8QRbTLgYTToOyOoV + KdbZKcUhLPS9kMfX3IVjuMg=; b=UEu8RBqgakH+Ht/jHWF4NEMYKXiX+wk02qn0 + xrHfLZhS305RLQCXOZPxc4Y2iUGLRQcaFISGGVopjcxM5vn5Buzi93rdwmOFPcav + gkEJt12U/hQ94wzD+ukuARr5X0QcHY4Jhzecsk1gybMproDFdshRqqA/4HR1d3cv + 9mTJCf/b64y5JJocAMcfBnKc1PO6PLVQ8Gcvz3nJVqKH7n4VEMKIX9vjbgrmo20v + GuKI34vYPiNvjj9Y7VXWfCMHMtDn3UdPv0qLb997sDjQmV331Vzuom6eS9WD/Dcv + xKtAG7dZMO2xndQorcZKzp6e3fZTGVb379cnJHgV1AoNcMljKw== +ARC-Authentication-Results: i=1; mx3.messagingengine.com; + x-csa=none; + x-me-sender=none; + x-ptr=pass smtp.helo=mta-sp-e06.jcom.zaq.ne.jp + policy.ptr=mta-sp-e06.jcom.zaq.ne.jp; + bimi=skipped (DMARC did not pass); + arc=none (no signatures found); + dkim=none (no signatures found); + dmarc=fail policy.published-domain-policy=none + policy.applied-disposition=none policy.evaluated-disposition=none + policy.arc-aware-result=fail + (p=none,d=none,d.eval=none,arc_aware_result=fail) policy.policy-from=p + header.from=drei.at; + iprev=pass smtp.remote-ip=222.227.81.166 (mta-sp-e06.jcom.zaq.ne.jp); + spf=fail smtp.mailfrom=3serviceteam24@drei.at + smtp.helo=mta-sp-e06.jcom.zaq.ne.jp +X-ME-Authentication-Results: mx3.messagingengine.com; + x-aligned-from=pass (Address match); + x-return-mx=pass header.domain=drei.at policy.is_org=yes + (MX Records found: mail.drei.at); + x-return-mx=pass smtp.domain=drei.at policy.is_org=yes + (MX Records found: mail.drei.at); + x-tls=pass smtp.version=TLSv1.3 smtp.cipher=TLS_AES_256_GCM_SHA384 + smtp.bits=256/256; + x-vs=commercial:mce score=17 state=11 +Authentication-Results: mx3.messagingengine.com; + x-csa=none; + x-me-sender=none; + x-ptr=pass smtp.helo=mta-sp-e06.jcom.zaq.ne.jp + policy.ptr=mta-sp-e06.jcom.zaq.ne.jp +Authentication-Results: mx3.messagingengine.com; + bimi=skipped (DMARC did not pass) +Authentication-Results: mx3.messagingengine.com; + 
arc=none (no signatures found) +Authentication-Results: mx3.messagingengine.com; + dkim=none (no signatures found); + dmarc=fail policy.published-domain-policy=none + policy.applied-disposition=none policy.evaluated-disposition=none + policy.arc-aware-result=fail + (p=none,d=none,d.eval=none,arc_aware_result=fail) policy.policy-from=p + header.from=drei.at; + iprev=pass smtp.remote-ip=222.227.81.166 (mta-sp-e06.jcom.zaq.ne.jp); + spf=fail smtp.mailfrom=3serviceteam24@drei.at + smtp.helo=mta-sp-e06.jcom.zaq.ne.jp +X-ME-VSCause: gggruggvucftvghtrhhoucdtuddrgedvledrvdduuddgudehucetufdoteggodetrfdotf + fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdggtfgfnhhsuhgsshgtrhhisggvpdfu + rfetoffkrfgpnffqhgenuceurghilhhouhhtmecufedttdenucdnofetkffnkffpifculd + dujedmnecujfgurhepkfgghffuffgtsegrtdfttfdttdejnecuhfhrohhmpeefufgvrhhv + ihgtvgfvvggrmhcuoeefshgvrhhvihgtvghtvggrmhdvgeesughrvghirdgrtheqnecugg + ftrfgrthhtvghrnhepfedttefffeeugeehvddtgeelheetleeftddtveetfeeulefhjedt + geehudetveetnecuffhomhgrihhnpegurhgvihdrrghtpdhmhigslhhuvghhohhsthdrmh + gvpdhfrggtvggsohhokhdrtghomhdpihhnshhtrghgrhgrmhdrtghomhdpthifihhtthgv + rhdrtghomhdphihouhhtuhgsvgdrtghomhdplhhinhhkvgguihhnrdgtohhmpdigihhngh + drtghomhenucfkphepvddvvddrvddvjedrkedurdduieeinecuvehluhhsthgvrhfuihii + vgeptdenucfrrghrrghmpehinhgvthepvddvvddrvddvjedrkedurdduieeipdhhvghloh + epmhhtrgdqshhpqdgvtdeirdhjtghomhdriigrqhdrnhgvrdhjphdpmhgrihhlfhhrohhm + peeofehsvghrvhhitggvthgvrghmvdegsegurhgvihdrrghtqedpnhgspghrtghpthhtoh + epuddprhgtphhtthhopeeoughomhhinhhitgesthhmshhnrdgrtheq +X-ME-VSScore: 17 +X-ME-VSCategory: commercial:mce +X-ME-CSA: none +X-ME-Received: +Received-SPF: fail + (drei.at: Sender is not authorized by default to use '3serviceteam24@drei.at' in 'mfrom' identity (mechanism '-all' matched)) + receiver=mx3.messagingengine.com; + identity=mailfrom; + envelope-from="3serviceteam24@drei.at"; + helo=mta-sp-e06.jcom.zaq.ne.jp; + client-ip=222.227.81.166 +Received: from mta-sp-e06.jcom.zaq.ne.jp (mta-sp-e06.jcom.zaq.ne.jp 
[222.227.81.166]) + (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) + key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) + (No client certificate requested) + by mx3.messagingengine.com (Postfix) with ESMTPS id 3D7B519600AE + for <{my-real-mail-address}>; Mon, 29 Apr 2024 05:32:24 -0400 (EDT) +Received: from mta-or-e02.jcom.zaq.ne.jp by osmta0018-jc.im.kddi.ne.jp + with ESMTP + id <20240429093221436.SZEY.122160.mta-or-e02.jcom.zaq.ne.jp@mta-sp-e06.jcom.zaq.ne.jp>; + Mon, 29 Apr 2024 18:32:21 +0900 +Received: from [10.0.0.5] by omta0018-jc.im.kddi.ne.jp with SMTP + id <20240429093220189.NMLB.117143.[10.0.0.5]@mta-or-e02.jcom.zaq.ne.jp>; + Mon, 29 Apr 2024 18:32:20 +0900 +Message-Id: <2T3NM7B-CNQT-PAAQ-1X6G-7N1FUVMMY2K@drei.at> +Mime-Version: 1.0 +From: 3ServiceTeam <3serviceteam24@drei.at> +To: Undisclosed-Recipients:; +Subject: RufnummerDeaktivierung. +Date: Mon, 29 Apr 2024 09:32:20 GMT +Content-Type: multipart/alternative; Boundary="--=BOUNDARY_429932_FDVJ_NVIO_WXTI_WHEC" +X-TUID: NXL/rD0xTYmM +Content-Length: 17904 +~~~ + +"Undisclosed-Recipients" is used when the sender does not provide a recipient in +the "To:" field but instead uses the "Bcc:" field. + +The line `X-Delivered-to` shows the real recipient though. + +## Notes + +The email went through some japanese network when it finally hit the mailservers of +my mail provider. + +Always check the destination of links in HTML mails! The link on line 78 for example +looks like (re-formatted): + +~~~html +
+ + + + https://www.drei.at/selfcare/Verification.do?optInKey=id8630763 + + + +
+~~~ + +Also look at the Subject -- it looks a bit disturbing: + +~~~plain +Subject: RufnummerDeaktivierung. +~~~ +
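Review bot: the Notes section stops at the mail having passed through a Japanese network, but the headers included earlier in the same file already explain why it was delivered despite failing authentication, and that is worth a sentence: `Received-SPF: fail` with `(mechanism '-all' matched)` plus `dmarc=fail policy.published-domain-policy=none` mean drei.at's DMARC record asks receivers to take no action, and the `X-Spam-hits` line shows `ME_SC_SENDERREP -100` outweighing `SPF_FAIL 0.001`, which is how the mail ends at `X-Spam-score: 0.0`. The "clue" in the reference list should also be spelled out: the visible link text `https://www.drei.at/selfcare/Verification.do?optInKey=id8630763` resolves to reference [3], `https://wid.chh.mybluehost.me/website_7fb0c4ce/at/1`, the same target as [2], so the displayed URL and the real destination differ. Minor: `summary:` in the front matter is empty while `draft: true` is set, and "japanese" should be capitalised.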