new post (spam)

2023-07-29 18:09:07 +02:00 · 2023-07-29 18:09:07 +02:00 · e78245283c
commit e78245283c
parent 3647c1d4ae
1 changed files with 279 additions and 0 deletions
--- a/content/spam/2023-07-29-regionaldirektion-fuer-zoelle-und-indirekte-steuern/index.md
+++ b/content/spam/2023-07-29-regionaldirektion-fuer-zoelle-und-indirekte-steuern/index.md
@ -0,0 +1,279 @@
+++
+# vim: ft=markdown
+title = 'Regionaldirektion fuer Zölle und indirekte Steuern'
+summary = ''
+date = '2023-07-29T17:01:28+02:00'
+# lastmod = ''
+# categories = [ 'spam' ]
+# tags = []
+
+# showBreadcrumbs = true
+# showDate = false
+# showReadingTime = false
+# showWordCount = false
+# showPagination = false
+
+feed_exclude = true
+#site_exclude = true
+
+++
+
+Okay this is probably one of the “better” mails that I got in my Junk mail folder.
+
+
+## The mail body
+
+```
+Sehr geehrter Kunde,
+
+Ihr Post Ag Paket: Nr. CA001550110AT, versandt am 28.07.2023, wird bearbeitet.
+Damit wir Ihr Paket liefern können, werden dem Importeur die
+Mehrwertsteuerkosten erneut in Rechnung gestellt.
+Nach den geltenden Zollbestimmungen ist jede Einfuhr aus einem Land außerhalb
+der Europäischen Gemeinschaft mit einem Handelswert von mehr als 22 EUR
+unabhängig von der Art der Waren steuerpflichtig *.
+* Artikel 134-I und II-1 ° des CGI: GESETZ Nr. 2012-1510 vom 03. Mai 2017 –
+Art. 68 (V) Die Validierung des Paysafecard-Guthabens für die Zahlung von
+Zollgebühren ist gültig.
+Um die Zustellung Ihres Pakets für Ihre Heimatadresse zu ermöglichen, bitten
+wir Sie, Ihre nicht bezahlten Zollgebühren zu regulieren, indem Sie die
+folgenden Schritte ausführen, um die Zustellung Ihres Pakets abzuschließen:
+
+1. Kaufen Sie einen Paysafecard PIN-Code online (50 EUR)
+2. Senden Sie den PIN-Code (16 Ziffern) an folgende Adresse:
+contact@bpostpay.com
+
+
+
+
+Grüße,
+Zoll Kundendienst
+```
+
+This is by far the best german that I've seen so far in spam mails (although
+it is not perfect).
+
+## The mail body source (html)
+
+```html
+<p><strong>Sehr geehrter Kunde,</strong></p>
+
+<p>Ihr Post Ag Paket: Nr. CA001550110AT, versandt am 28.07.2023, wird bearbeitet. Damit wir Ihr Paket liefern k&ouml;nnen, werden dem Importeur die Mehrwertsteuerkosten erneut in Rechnung gestellt.<br />
+Nach den geltenden Zollbestimmungen ist jede Einfuhr aus einem Land au&szlig;erhalb der Europ&auml;ischen Gemeinschaft mit einem Handelswert von mehr als 22 EUR unabh&auml;ngig von der Art der Waren steuerpflichtig *.<br />
+* Artikel 134-I und II-1 &deg; des CGI: GESETZ Nr. 2012-1510 vom 03. Mai 2017 &ndash; Art. 68 (V) Die Validierung des Paysafecard-Guthabens f&uuml;r die Zahlung von Zollgeb&uuml;hren ist g&uuml;ltig.<br />
+Um die Zustellung Ihres Pakets f&uuml;r Ihre Heimatadresse zu erm&ouml;glichen, bitten wir Sie, Ihre nicht bezahlten Zollgeb&uuml;hren zu regulieren, indem Sie die folgenden Schritte ausf&uuml;hren, um die Zustellung Ihres Pakets abzuschlie&szlig;en:<br />
+&nbsp;<br />
+<a href="https://wkv.com" rel="noreferrer" target="_blank">1. Kaufen Sie einen Paysafecard PIN-Code online (50 EUR)</a><br />
+2. Senden Sie den PIN-Code (16 Ziffern) an folgende Adresse:&nbsp;&nbsp;<a href="mailto:contact@bpostpay.com">contact@bpostpay.com</a></p>
+
+<p>&nbsp;</p>
+
+<p><br />
+Gr&uuml;&szlig;e,<br />
+Zoll Kundendienst</p>
+
+<p>&nbsp;</p>
+```
+
+## The mail source (base64)
+
+Some information has been removed for privacy.
+
+```mail
+Return-Path: <www-data@universal.at>
+Received: from compute6.internal (compute6.nyi.internal [10.202.x.xx])
+	 by sloti44n20 (Cyrus 3.9.0-alpha0-592-ga9d4a09b4b-fm-defalarms-20230725.001-ga9d4a09b) with LMTPA;
+	 Sat, 29 Jul 2023 10:14:11 -0400
+X-Cyrus-Session-Id: sloti44n20-1690640051-1433308-2-7816971425445839177
+X-Sieve: CMU Sieve 3.0
+X-Spam-known-sender: no ("Email failed DMARC policy for domain")
+X-Spam-sender-reputation: 563 (domain; noauth)
+X-Spam-score: 26.0
+X-Spam-hits: BAYES_50 0.8, DCC_CHECK 1.1, DCC_REPUT_99_100 1.4,
+  HEADER_FROM_DIFFERENT_DOMAINS 0.249, HTML_MESSAGE 0.001,
+  HTML_MIME_NO_HTML_TAG 0.377, KHOP_HELO_FCRDNS 0.001, ME_NOAUTH 0.01,
+  ME_QUARANTINE 5, ME_SC_NH -0.001, ME_SENDERREP_NEUTRAL 0.001,
+  ME_VADESPAM_HIGH 3, ME_VADE_X1 0.001, MIME_HTML_ONLY 0.1,
+  RCVD_IN_INVALUEMENT24 2, RCVD_IN_SBL_CSS 3, RCVD_IN_ZEN_LASTEXTERNAL 8,
+  RDNS_DYNAMIC 0.982, SPF_FAIL 0.001, SPF_HELO_FAIL 0.001,
+  T_SCC_BODY_TEXT_LINE -0.01, LANGUAGES de, BAYES_USED user,
+  SA_VERSION 3.4.6
+X-Spam-source: IP='202.151.182.86', Host='ppp-202.151.182.86.revip.proen.co.th',
+  Country='TH', FromHeader='at', MailFrom='at'
+X-Spam-charsets: from='utf-8', subject='utf-8', html='UTF-8'
+X-IgnoreVacation: yes ("Email failed DMARC policy for domain")
+X-Resolved-to: dominic@...
+X-Delivered-to: dominic@...
+X-Mail-from: www-data@universal.at
+Received: from mx5 ([10.202.2.204])
+  by compute6.internal (LMTPProxy); Sat, 29 Jul 2023 10:14:11 -0400
+Received: from mx5.messagingengine.com (localhost [127.0.0.1])
+	by mailmx.nyi.internal (Postfix) with ESMTP id 6F2E727200BB
+	for <dominic@...>; Sat, 29 Jul 2023 10:14:10 -0400 (EDT)
+Received: from mailmx.nyi.internal (localhost [127.0.0.1])
+    by mx5.messagingengine.com (Authentication Milter) with ESMTP
+    id 5CC9613B011.38BA027200B3;
+    Sat, 29 Jul 2023 10:14:10 -0400
+ARC-Seal: i=1; a=rsa-sha256; cv=none; d=messagingengine.com; s=fm3; t=
+    1690640050; b=RB8RZH6MaPuZaUbzTFgaC/5rRbzXOq7TE/Vm82v8OREaZ9vMNn
+    83TLV8ZQPRNVDRYlEyx0o1U7HgFxlHBtjDTdyos8NF3dcaXF2i4sRHV36OmQyrBA
+    pbX2RBVqk16STfLZNDJzJPHUm/kqVa58wu/PiGwOcJDsqqjhMwHrgtaY7xnk6yaY
+    pI8Unbd8IEmWCF1oFkd7/m6bi2gP155WzrQ+ODNb/5Eg7d6aL3YjM5bPgMiKb6Lq
+    3xZkpuZrCwRvz3jfR4+hotROsrBajIaw7gTF8WCWHK2HMqa0OCjHMqmImU09V6rz
+    QBZa6FGnpsUIrn7eZl6SN5HGHTSQOW3Rne2g==
+ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=
+    messagingengine.com; h=date:to:from:subject:message-id
+    :mime-version:content-type:content-transfer-encoding; s=fm3; t=
+    1690640050; bh=w6oJ3S7Y/Us7PijzHL1aoBLxm4XbhO51kHjEeQQTcrY=; b=D
+    BUheUZvKRDgkQ24PtWSGgyiglWyhYTY35uyvqlP19C6QYo4r9qC1wU+IccuDFR1N
+    U0rE2UA4HAmvwxlzl/GQn9hB2hvY+VGSL1Olfi6VhboUITHkbAy6qYYLEvMvzIvR
+    HLrjKBTEWe8y88UFCI0YDXr0iZRURoKwKcPlgOXCAj7cHNZMauHM76i04GlE+Sdf
+    fByK+dkRNrzIR3wCchRc2vQT95QeTL6l1GfxksjEum5s9cnjdvM12Om8HiKe2gV2
+    Ncx+sCNuyLaSl6zg8sjgRkfEheEYj5EeH5F5qrPnYIxVEUo6Lv/ye0LNVAbKMxcl
+    S21gpYpzGzcLyLmWKQJHA==
+ARC-Authentication-Results: i=1; mx5.messagingengine.com;
+    x-csa=none;
+    x-me-sender=none;
+    x-ptr=fail smtp.helo=universal.at
+    policy.ptr=ppp-202.151.182.86.revip.proen.co.th;
+    bimi=skipped (DMARC did not pass);
+    arc=none (no signatures found);
+    dkim=none (no signatures found);
+    dmarc=fail policy.published-domain-policy=reject
+    policy.applied-disposition=quarantine
+    policy.evaluated-disposition=reject
+    policy.override-reason=local_policy policy.arc-aware-result=fail
+    (p=reject,d=quarantine,d.eval=reject,override=local_policy,arc_aware_result=fail)
+    policy.policy-from=p header.from=post.at;
+    iprev=pass smtp.remote-ip=202.151.182.86
+    (ppp-202.151.182.86.revip.proen.co.th);
+    spf=fail smtp.mailfrom=www-data@universal.at smtp.helo=universal.at
+X-Disposition-Quarantine: Quarantined due to DMARC policy
+X-ME-Authentication-Results: mx5.messagingengine.com;
+    x-aligned-from=fail;
+    x-return-mx=pass header.domain=post.at policy.is_org=yes
+      (MX Records found: mxb-00221601.gslb.pphosted.com,mxa-00221601.gslb.pphosted.com);
+    x-return-mx=pass smtp.domain=universal.at policy.is_org=yes
+      (MX Records found: universal-at.mail.protection.outlook.com);
+    x-tls=pass smtp.version=TLSv1.3 smtp.cipher=TLS_AES_256_GCM_SHA384
+      smtp.bits=256/256;
+    x-vs=spam:high score=500 state=1
+Authentication-Results: mx5.messagingengine.com;
+    x-csa=none;
+    x-me-sender=none;
+    x-ptr=fail smtp.helo=universal.at
+      policy.ptr=ppp-202.151.182.86.revip.proen.co.th
+Authentication-Results: mx5.messagingengine.com;
+    bimi=skipped (DMARC did not pass)
+Authentication-Results: mx5.messagingengine.com;
+    arc=none (no signatures found)
+Authentication-Results: mx5.messagingengine.com;
+    dkim=none (no signatures found);
+    dmarc=fail policy.published-domain-policy=reject
+      policy.applied-disposition=quarantine
+      policy.evaluated-disposition=reject
+      policy.override-reason=local_policy policy.arc-aware-result=fail
+      (p=reject,d=quarantine,d.eval=reject,override=local_policy,arc_aware_result=fail)
+      policy.policy-from=p header.from=post.at;
+    iprev=pass smtp.remote-ip=202.151.182.86
+      (ppp-202.151.182.86.revip.proen.co.th);
+    spf=fail smtp.mailfrom=www-data@universal.at smtp.helo=universal.at
+X-ME-VSCause: gggruggvucftvghtrhhoucdtuddrgedviedrieekgdejudcutefuodetggdotefrodftvf
+    curfhrohhfihhlvgemucfhrghsthforghilhdpggftfghnshhusghstghrihgsvgdpuffr
+    tefokffrpgfnqfghnecuuegrihhlohhuthemuceftddtnecuogfhohhrsghiugguvghnff
+    homhgrihhnucdlhedttddmnecujfgurhepfffvhffukffrgggtgfeshhgsjhdttddtjeen
+    ucfhrhhomheprfhoshhtrdgrthcuoehnohhrvghplhihsehpohhsthdrrghtqeenucggtf
+    frrghtthgvrhhnpeehgfelhefgieeiheekkeelvdfgleehieffvdeivdeufeffveehteej
+    udevhfejieenucffohhmrghinhepfihkvhdrtghomhenucfkphepvddtvddrudehuddrud
+    ekvddrkeeinecuufhprghmkfhppedvtddvrdduhedurddukedvrdekieenucfhohhrsghi
+    ugguvghnffhomhgrihhnpeifkhhvrdgtohhmnecuufhprghmufhusghjvggtthepreertf
+    gvghhiohhnrghlughirhgvkhhtihhonhcufhptrhcukgpnlhhlvgcuuhhnugcuihhnughi
+    rhgvkhhtvgcuufhtvghuvghrnhenucfuphgrmhetlhhphhgrufhusghjvggttheprhgvgh
+    hiohhnrghlughirhgvkhhtihhonhhfuhhriiholhhlvghunhguihhnughirhgvkhhtvghs
+    thgvuhgvrhhnnecuufhprghmtehlihgrsheprfhoshhtrdgrthenucfuphgrmhetlhhphh
+    grtehlihgrshepphhoshhtrghtnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghm
+    pehinhgvthepvddtvddrudehuddrudekvddrkeeipdhhvghlohepuhhnihhvvghrshgrlh
+    drrghtpdhmrghilhhfrhhomhepoeiffiifqdgurghtrgesuhhnihhvvghrshgrlhdrrght
+    qe
+X-ME-VSScore: 500
+X-ME-VSCategory: spam:high
+X-ME-CSA: none
+Received-SPF: fail
+    (universal.at: Sender is not authorized by default to use 'www-data@universal.at' in 'mfrom' identity (mechanism '-all' matched))
+    receiver=mx5.messagingengine.com;
+    identity=mailfrom;
+    envelope-from="www-data@universal.at";
+    helo=universal.at;
+    client-ip=202.151.182.86
+Received: from universal.at (ppp-202.151.182.86.revip.proen.co.th [202.151.182.86])
+	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
+	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
+	(No client certificate requested)
+	by mx5.messagingengine.com (Postfix) with ESMTPS id 38BA027200B3
+	for <dominic@...>; Sat, 29 Jul 2023 10:14:09 -0400 (EDT)
+Received: by universal.at (Postfix, from userid 33)
+	id 2537762620; Sat, 29 Jul 2023 11:35:30 +0000 (UTC)
+Date: Sat, 29 Jul 2023 11:35:30 +0000
+To: dominic@...
+From: =?utf-8?Q?Post=2eat?= <noreply@post.at>
+Subject: =?utf-8?Q?=e2=9c=88=ef=b8=8fRegionaldirektion=20f=c3=bcr=20Z=c3=b6lle=20und=20indirekte=20Steuern?=
+Message-ID: <2cf35f10e46774fe43c684a13bae1866@202.151.182.86>
+X-Priority: 3
+MIME-Version: 1.0
+Content-Type: text/html; charset=UTF-8
+Content-Transfer-Encoding: base64
+X-TUID: jE8aYgkCdmDh
+
+PHA+PHN0cm9uZz5TZWhyIGdlZWhydGVyIEt1bmRlLDwvc3Ryb25nPjwvcD4NCg0KPHA+SWhyIFBv
+c3QgQWcgUGFrZXQ6IE5yLiBDQTAwMTU1MDExMEFULCB2ZXJzYW5kdCBhbSAyOC4wNy4yMDIzLCB3
+aXJkIGJlYXJiZWl0ZXQuIERhbWl0IHdpciBJaHIgUGFrZXQgbGllZmVybiBrJm91bWw7bm5lbiwg
+d2VyZGVuIGRlbSBJbXBvcnRldXIgZGllIE1laHJ3ZXJ0c3RldWVya29zdGVuIGVybmV1dCBpbiBS
+ZWNobnVuZyBnZXN0ZWxsdC48YnIgLz4NCk5hY2ggZGVuIGdlbHRlbmRlbiBab2xsYmVzdGltbXVu
+Z2VuIGlzdCBqZWRlIEVpbmZ1aHIgYXVzIGVpbmVtIExhbmQgYXUmc3psaWc7ZXJoYWxiIGRlciBF
+dXJvcCZhdW1sO2lzY2hlbiBHZW1laW5zY2hhZnQgbWl0IGVpbmVtIEhhbmRlbHN3ZXJ0IHZvbiBt
+ZWhyIGFscyAyMiBFVVIgdW5hYmgmYXVtbDtuZ2lnIHZvbiBkZXIgQXJ0IGRlciBXYXJlbiBzdGV1
+ZXJwZmxpY2h0aWcgKi48YnIgLz4NCiogQXJ0aWtlbCAxMzQtSSB1bmQgSUktMSAmZGVnOyBkZXMg
+Q0dJOiBHRVNFVFogTnIuIDIwMTItMTUxMCB2b20gMDMuIE1haSAyMDE3ICZuZGFzaDsgQXJ0LiA2
+OCAoVikgRGllIFZhbGlkaWVydW5nIGRlcyBQYXlzYWZlY2FyZC1HdXRoYWJlbnMgZiZ1dW1sO3Ig
+ZGllIFphaGx1bmcgdm9uIFpvbGxnZWImdXVtbDtocmVuIGlzdCBnJnV1bWw7bHRpZy48YnIgLz4N
+ClVtIGRpZSBadXN0ZWxsdW5nIElocmVzIFBha2V0cyBmJnV1bWw7ciBJaHJlIEhlaW1hdGFkcmVz
+c2UgenUgZXJtJm91bWw7Z2xpY2hlbiwgYml0dGVuIHdpciBTaWUsIElocmUgbmljaHQgYmV6YWhs
+dGVuIFpvbGxnZWImdXVtbDtocmVuIHp1IHJlZ3VsaWVyZW4sIGluZGVtIFNpZSBkaWUgZm9sZ2Vu
+ZGVuIFNjaHJpdHRlIGF1c2YmdXVtbDtocmVuLCB1bSBkaWUgWnVzdGVsbHVuZyBJaHJlcyBQYWtl
+dHMgYWJ6dXNjaGxpZSZzemxpZztlbjo8YnIgLz4NCiZuYnNwOzxiciAvPg0KPGEgaHJlZj0iaHR0
+cHM6Ly93a3YuY29tIiByZWw9Im5vcmVmZXJyZXIiIHRhcmdldD0iX2JsYW5rIj4xLiBLYXVmZW4g
+U2llIGVpbmVuIFBheXNhZmVjYXJkIFBJTi1Db2RlIG9ubGluZSAoNTAgRVVSKTwvYT48YnIgLz4N
+CjIuIFNlbmRlbiBTaWUgZGVuIFBJTi1Db2RlICgxNiBaaWZmZXJuKSBhbiBmb2xnZW5kZSBBZHJl
+c3NlOiZuYnNwOyZuYnNwOzxhIGhyZWY9Im1haWx0bzpjb250YWN0QGJwb3N0cGF5LmNvbSI+Y29u
+dGFjdEBicG9zdHBheS5jb208L2E+PC9wPg0KDQo8cD4mbmJzcDs8L3A+DQoNCjxwPjxiciAvPg0K
+R3ImdXVtbDsmc3psaWc7ZSw8YnIgLz4NClpvbGwgS3VuZGVuZGllbnN0PC9wPg0KDQo8cD4mbmJz
+cDs8L3A+
+```
+
+
+## Why is this email invalid?
+
+As from the headers we can see that this was probably a host called `universal.at`
+that accepted some email from the webserver (probably using mod_php, mod_cgi or
+something like that). That host then sent the email to the MX server of my mail
+provider using _ESMTPS_. Several mechanism failed (DMARC/SPF), the remote ip address
+translated into `ppp-202.151.182.86.revip.proen.co.th`.
+
+Besides all that technical stuff, customs service will never ask for money via
+email. Usually you get a notification in your letter box that tells you where you
+can get your letter/parcel and what you have to pay for customs.
+
+I got already a bunch of parcels from outside Austria and they never billed round
+values like 50€.
+
+If you get mails from users that actually **authenticate** on their SMTP servers,
+you usually read something like **ESMTPA** in one of the first `Received:` headers.
+Where SMTP is the protocol, E tells you the connection was encrypted and A means the
+user has been authenticated. Now you gonna look on which server the authentication
+took place; the first `Received:` header of an email from me typically looks like this:
+
+```
+Received: by mail.messagingengine.com (Postfix) with ESMTPA for <dominic@...>;
+ Sun, 23 Jul 2023 14:14:27 -0400 (EDT)
+```
+