diff --git a/content/spam/2023-07-29-regionaldirektion-fuer-zoelle-und-indirekte-steuern/index.md b/content/spam/2023-07-29-regionaldirektion-fuer-zoelle-und-indirekte-steuern/index.md new file mode 100644 index 0000000..03d7509 --- /dev/null +++ b/content/spam/2023-07-29-regionaldirektion-fuer-zoelle-und-indirekte-steuern/index.md @@ -0,0 +1,279 @@ ++++ +# vim: ft=markdown +title = 'Regionaldirektion fuer Zölle und indirekte Steuern' +summary = '' +date = '2023-07-29T17:01:28+02:00' +# lastmod = '' +# categories = [ 'spam' ] +# tags = [] + +# showBreadcrumbs = true +# showDate = false +# showReadingTime = false +# showWordCount = false +# showPagination = false + +feed_exclude = true +#site_exclude = true + ++++ + +Okay this is probably one of the “better” mails that I got in my Junk mail folder. + + +## The mail body + +``` +Sehr geehrter Kunde, + +Ihr Post Ag Paket: Nr. CA001550110AT, versandt am 28.07.2023, wird bearbeitet. +Damit wir Ihr Paket liefern können, werden dem Importeur die +Mehrwertsteuerkosten erneut in Rechnung gestellt. +Nach den geltenden Zollbestimmungen ist jede Einfuhr aus einem Land außerhalb +der Europäischen Gemeinschaft mit einem Handelswert von mehr als 22 EUR +unabhängig von der Art der Waren steuerpflichtig *. +* Artikel 134-I und II-1 ° des CGI: GESETZ Nr. 2012-1510 vom 03. Mai 2017 – +Art. 68 (V) Die Validierung des Paysafecard-Guthabens für die Zahlung von +Zollgebühren ist gültig. +Um die Zustellung Ihres Pakets für Ihre Heimatadresse zu ermöglichen, bitten +wir Sie, Ihre nicht bezahlten Zollgebühren zu regulieren, indem Sie die +folgenden Schritte ausführen, um die Zustellung Ihres Pakets abzuschließen: + +1. Kaufen Sie einen Paysafecard PIN-Code online (50 EUR) +2. Senden Sie den PIN-Code (16 Ziffern) an folgende Adresse: +contact@bpostpay.com + + + + +Grüße, +Zoll Kundendienst +``` + +This is by far the best german that I've seen so far in spam mails (although +it is not perfect). + +## The mail body source (html) + +```html +

Sehr geehrter Kunde,

+ +

Ihr Post Ag Paket: Nr. CA001550110AT, versandt am 28.07.2023, wird bearbeitet. Damit wir Ihr Paket liefern können, werden dem Importeur die Mehrwertsteuerkosten erneut in Rechnung gestellt.
+Nach den geltenden Zollbestimmungen ist jede Einfuhr aus einem Land außerhalb der Europäischen Gemeinschaft mit einem Handelswert von mehr als 22 EUR unabhängig von der Art der Waren steuerpflichtig *.
+* Artikel 134-I und II-1 ° des CGI: GESETZ Nr. 2012-1510 vom 03. Mai 2017 – Art. 68 (V) Die Validierung des Paysafecard-Guthabens für die Zahlung von Zollgebühren ist gültig.
+Um die Zustellung Ihres Pakets für Ihre Heimatadresse zu ermöglichen, bitten wir Sie, Ihre nicht bezahlten Zollgebühren zu regulieren, indem Sie die folgenden Schritte ausführen, um die Zustellung Ihres Pakets abzuschließen:

+1. Kaufen Sie einen Paysafecard PIN-Code online (50 EUR)
+2. Senden Sie den PIN-Code (16 Ziffern) an folgende Adresse:  contact@bpostpay.com

+ +

 

+ +


+Grüße,
+Zoll Kundendienst

+ +

 

+``` + +## The mail source (base64) + +Some information has been removed for privacy. + +```mail +Return-Path: +Received: from compute6.internal (compute6.nyi.internal [10.202.x.xx]) + by sloti44n20 (Cyrus 3.9.0-alpha0-592-ga9d4a09b4b-fm-defalarms-20230725.001-ga9d4a09b) with LMTPA; + Sat, 29 Jul 2023 10:14:11 -0400 +X-Cyrus-Session-Id: sloti44n20-1690640051-1433308-2-7816971425445839177 +X-Sieve: CMU Sieve 3.0 +X-Spam-known-sender: no ("Email failed DMARC policy for domain") +X-Spam-sender-reputation: 563 (domain; noauth) +X-Spam-score: 26.0 +X-Spam-hits: BAYES_50 0.8, DCC_CHECK 1.1, DCC_REPUT_99_100 1.4, + HEADER_FROM_DIFFERENT_DOMAINS 0.249, HTML_MESSAGE 0.001, + HTML_MIME_NO_HTML_TAG 0.377, KHOP_HELO_FCRDNS 0.001, ME_NOAUTH 0.01, + ME_QUARANTINE 5, ME_SC_NH -0.001, ME_SENDERREP_NEUTRAL 0.001, + ME_VADESPAM_HIGH 3, ME_VADE_X1 0.001, MIME_HTML_ONLY 0.1, + RCVD_IN_INVALUEMENT24 2, RCVD_IN_SBL_CSS 3, RCVD_IN_ZEN_LASTEXTERNAL 8, + RDNS_DYNAMIC 0.982, SPF_FAIL 0.001, SPF_HELO_FAIL 0.001, + T_SCC_BODY_TEXT_LINE -0.01, LANGUAGES de, BAYES_USED user, + SA_VERSION 3.4.6 +X-Spam-source: IP='202.151.182.86', Host='ppp-202.151.182.86.revip.proen.co.th', + Country='TH', FromHeader='at', MailFrom='at' +X-Spam-charsets: from='utf-8', subject='utf-8', html='UTF-8' +X-IgnoreVacation: yes ("Email failed DMARC policy for domain") +X-Resolved-to: dominic@... +X-Delivered-to: dominic@... 
+X-Mail-from: www-data@universal.at +Received: from mx5 ([10.202.2.204]) + by compute6.internal (LMTPProxy); Sat, 29 Jul 2023 10:14:11 -0400 +Received: from mx5.messagingengine.com (localhost [127.0.0.1]) + by mailmx.nyi.internal (Postfix) with ESMTP id 6F2E727200BB + for ; Sat, 29 Jul 2023 10:14:10 -0400 (EDT) +Received: from mailmx.nyi.internal (localhost [127.0.0.1]) + by mx5.messagingengine.com (Authentication Milter) with ESMTP + id 5CC9613B011.38BA027200B3; + Sat, 29 Jul 2023 10:14:10 -0400 +ARC-Seal: i=1; a=rsa-sha256; cv=none; d=messagingengine.com; s=fm3; t= + 1690640050; b=RB8RZH6MaPuZaUbzTFgaC/5rRbzXOq7TE/Vm82v8OREaZ9vMNn + 83TLV8ZQPRNVDRYlEyx0o1U7HgFxlHBtjDTdyos8NF3dcaXF2i4sRHV36OmQyrBA + pbX2RBVqk16STfLZNDJzJPHUm/kqVa58wu/PiGwOcJDsqqjhMwHrgtaY7xnk6yaY + pI8Unbd8IEmWCF1oFkd7/m6bi2gP155WzrQ+ODNb/5Eg7d6aL3YjM5bPgMiKb6Lq + 3xZkpuZrCwRvz3jfR4+hotROsrBajIaw7gTF8WCWHK2HMqa0OCjHMqmImU09V6rz + QBZa6FGnpsUIrn7eZl6SN5HGHTSQOW3Rne2g== +ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d= + messagingengine.com; h=date:to:from:subject:message-id + :mime-version:content-type:content-transfer-encoding; s=fm3; t= + 1690640050; bh=w6oJ3S7Y/Us7PijzHL1aoBLxm4XbhO51kHjEeQQTcrY=; b=D + BUheUZvKRDgkQ24PtWSGgyiglWyhYTY35uyvqlP19C6QYo4r9qC1wU+IccuDFR1N + U0rE2UA4HAmvwxlzl/GQn9hB2hvY+VGSL1Olfi6VhboUITHkbAy6qYYLEvMvzIvR + HLrjKBTEWe8y88UFCI0YDXr0iZRURoKwKcPlgOXCAj7cHNZMauHM76i04GlE+Sdf + fByK+dkRNrzIR3wCchRc2vQT95QeTL6l1GfxksjEum5s9cnjdvM12Om8HiKe2gV2 + Ncx+sCNuyLaSl6zg8sjgRkfEheEYj5EeH5F5qrPnYIxVEUo6Lv/ye0LNVAbKMxcl + S21gpYpzGzcLyLmWKQJHA== +ARC-Authentication-Results: i=1; mx5.messagingengine.com; + x-csa=none; + x-me-sender=none; + x-ptr=fail smtp.helo=universal.at + policy.ptr=ppp-202.151.182.86.revip.proen.co.th; + bimi=skipped (DMARC did not pass); + arc=none (no signatures found); + dkim=none (no signatures found); + dmarc=fail policy.published-domain-policy=reject + policy.applied-disposition=quarantine + policy.evaluated-disposition=reject + 
policy.override-reason=local_policy policy.arc-aware-result=fail + (p=reject,d=quarantine,d.eval=reject,override=local_policy,arc_aware_result=fail) + policy.policy-from=p header.from=post.at; + iprev=pass smtp.remote-ip=202.151.182.86 + (ppp-202.151.182.86.revip.proen.co.th); + spf=fail smtp.mailfrom=www-data@universal.at smtp.helo=universal.at +X-Disposition-Quarantine: Quarantined due to DMARC policy +X-ME-Authentication-Results: mx5.messagingengine.com; + x-aligned-from=fail; + x-return-mx=pass header.domain=post.at policy.is_org=yes + (MX Records found: mxb-00221601.gslb.pphosted.com,mxa-00221601.gslb.pphosted.com); + x-return-mx=pass smtp.domain=universal.at policy.is_org=yes + (MX Records found: universal-at.mail.protection.outlook.com); + x-tls=pass smtp.version=TLSv1.3 smtp.cipher=TLS_AES_256_GCM_SHA384 + smtp.bits=256/256; + x-vs=spam:high score=500 state=1 +Authentication-Results: mx5.messagingengine.com; + x-csa=none; + x-me-sender=none; + x-ptr=fail smtp.helo=universal.at + policy.ptr=ppp-202.151.182.86.revip.proen.co.th +Authentication-Results: mx5.messagingengine.com; + bimi=skipped (DMARC did not pass) +Authentication-Results: mx5.messagingengine.com; + arc=none (no signatures found) +Authentication-Results: mx5.messagingengine.com; + dkim=none (no signatures found); + dmarc=fail policy.published-domain-policy=reject + policy.applied-disposition=quarantine + policy.evaluated-disposition=reject + policy.override-reason=local_policy policy.arc-aware-result=fail + (p=reject,d=quarantine,d.eval=reject,override=local_policy,arc_aware_result=fail) + policy.policy-from=p header.from=post.at; + iprev=pass smtp.remote-ip=202.151.182.86 + (ppp-202.151.182.86.revip.proen.co.th); + spf=fail smtp.mailfrom=www-data@universal.at smtp.helo=universal.at +X-ME-VSCause: gggruggvucftvghtrhhoucdtuddrgedviedrieekgdejudcutefuodetggdotefrodftvf + curfhrohhfihhlvgemucfhrghsthforghilhdpggftfghnshhusghstghrihgsvgdpuffr + 
tefokffrpgfnqfghnecuuegrihhlohhuthemuceftddtnecuogfhohhrsghiugguvghnff + homhgrihhnucdlhedttddmnecujfgurhepfffvhffukffrgggtgfeshhgsjhdttddtjeen + ucfhrhhomheprfhoshhtrdgrthcuoehnohhrvghplhihsehpohhsthdrrghtqeenucggtf + frrghtthgvrhhnpeehgfelhefgieeiheekkeelvdfgleehieffvdeivdeufeffveehteej + udevhfejieenucffohhmrghinhepfihkvhdrtghomhenucfkphepvddtvddrudehuddrud + ekvddrkeeinecuufhprghmkfhppedvtddvrdduhedurddukedvrdekieenucfhohhrsghi + ugguvghnffhomhgrihhnpeifkhhvrdgtohhmnecuufhprghmufhusghjvggtthepreertf + gvghhiohhnrghlughirhgvkhhtihhonhcufhptrhcukgpnlhhlvgcuuhhnugcuihhnughi + rhgvkhhtvgcuufhtvghuvghrnhenucfuphgrmhetlhhphhgrufhusghjvggttheprhgvgh + hiohhnrghlughirhgvkhhtihhonhhfuhhriiholhhlvghunhguihhnughirhgvkhhtvghs + thgvuhgvrhhnnecuufhprghmtehlihgrsheprfhoshhtrdgrthenucfuphgrmhetlhhphh + grtehlihgrshepphhoshhtrghtnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghm + pehinhgvthepvddtvddrudehuddrudekvddrkeeipdhhvghlohepuhhnihhvvghrshgrlh + drrghtpdhmrghilhhfrhhomhepoeiffiifqdgurghtrgesuhhnihhvvghrshgrlhdrrght + qe +X-ME-VSScore: 500 +X-ME-VSCategory: spam:high +X-ME-CSA: none +Received-SPF: fail + (universal.at: Sender is not authorized by default to use 'www-data@universal.at' in 'mfrom' identity (mechanism '-all' matched)) + receiver=mx5.messagingengine.com; + identity=mailfrom; + envelope-from="www-data@universal.at"; + helo=universal.at; + client-ip=202.151.182.86 +Received: from universal.at (ppp-202.151.182.86.revip.proen.co.th [202.151.182.86]) + (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) + key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) + (No client certificate requested) + by mx5.messagingengine.com (Postfix) with ESMTPS id 38BA027200B3 + for ; Sat, 29 Jul 2023 10:14:09 -0400 (EDT) +Received: by universal.at (Postfix, from userid 33) + id 2537762620; Sat, 29 Jul 2023 11:35:30 +0000 (UTC) +Date: Sat, 29 Jul 2023 11:35:30 +0000 +To: dominic@... 
+From: =?utf-8?Q?Post=2eat?= +Subject: =?utf-8?Q?=e2=9c=88=ef=b8=8fRegionaldirektion=20f=c3=bcr=20Z=c3=b6lle=20und=20indirekte=20Steuern?= +Message-ID: <2cf35f10e46774fe43c684a13bae1866@202.151.182.86> +X-Priority: 3 +MIME-Version: 1.0 +Content-Type: text/html; charset=UTF-8 +Content-Transfer-Encoding: base64 +X-TUID: jE8aYgkCdmDh + +PHA+PHN0cm9uZz5TZWhyIGdlZWhydGVyIEt1bmRlLDwvc3Ryb25nPjwvcD4NCg0KPHA+SWhyIFBv +c3QgQWcgUGFrZXQ6IE5yLiBDQTAwMTU1MDExMEFULCB2ZXJzYW5kdCBhbSAyOC4wNy4yMDIzLCB3 +aXJkIGJlYXJiZWl0ZXQuIERhbWl0IHdpciBJaHIgUGFrZXQgbGllZmVybiBrJm91bWw7bm5lbiwg +d2VyZGVuIGRlbSBJbXBvcnRldXIgZGllIE1laHJ3ZXJ0c3RldWVya29zdGVuIGVybmV1dCBpbiBS +ZWNobnVuZyBnZXN0ZWxsdC48YnIgLz4NCk5hY2ggZGVuIGdlbHRlbmRlbiBab2xsYmVzdGltbXVu +Z2VuIGlzdCBqZWRlIEVpbmZ1aHIgYXVzIGVpbmVtIExhbmQgYXUmc3psaWc7ZXJoYWxiIGRlciBF +dXJvcCZhdW1sO2lzY2hlbiBHZW1laW5zY2hhZnQgbWl0IGVpbmVtIEhhbmRlbHN3ZXJ0IHZvbiBt +ZWhyIGFscyAyMiBFVVIgdW5hYmgmYXVtbDtuZ2lnIHZvbiBkZXIgQXJ0IGRlciBXYXJlbiBzdGV1 +ZXJwZmxpY2h0aWcgKi48YnIgLz4NCiogQXJ0aWtlbCAxMzQtSSB1bmQgSUktMSAmZGVnOyBkZXMg +Q0dJOiBHRVNFVFogTnIuIDIwMTItMTUxMCB2b20gMDMuIE1haSAyMDE3ICZuZGFzaDsgQXJ0LiA2 +OCAoVikgRGllIFZhbGlkaWVydW5nIGRlcyBQYXlzYWZlY2FyZC1HdXRoYWJlbnMgZiZ1dW1sO3Ig +ZGllIFphaGx1bmcgdm9uIFpvbGxnZWImdXVtbDtocmVuIGlzdCBnJnV1bWw7bHRpZy48YnIgLz4N +ClVtIGRpZSBadXN0ZWxsdW5nIElocmVzIFBha2V0cyBmJnV1bWw7ciBJaHJlIEhlaW1hdGFkcmVz +c2UgenUgZXJtJm91bWw7Z2xpY2hlbiwgYml0dGVuIHdpciBTaWUsIElocmUgbmljaHQgYmV6YWhs +dGVuIFpvbGxnZWImdXVtbDtocmVuIHp1IHJlZ3VsaWVyZW4sIGluZGVtIFNpZSBkaWUgZm9sZ2Vu +ZGVuIFNjaHJpdHRlIGF1c2YmdXVtbDtocmVuLCB1bSBkaWUgWnVzdGVsbHVuZyBJaHJlcyBQYWtl +dHMgYWJ6dXNjaGxpZSZzemxpZztlbjo8YnIgLz4NCiZuYnNwOzxiciAvPg0KPGEgaHJlZj0iaHR0 +cHM6Ly93a3YuY29tIiByZWw9Im5vcmVmZXJyZXIiIHRhcmdldD0iX2JsYW5rIj4xLiBLYXVmZW4g +U2llIGVpbmVuIFBheXNhZmVjYXJkIFBJTi1Db2RlIG9ubGluZSAoNTAgRVVSKTwvYT48YnIgLz4N +CjIuIFNlbmRlbiBTaWUgZGVuIFBJTi1Db2RlICgxNiBaaWZmZXJuKSBhbiBmb2xnZW5kZSBBZHJl +c3NlOiZuYnNwOyZuYnNwOzxhIGhyZWY9Im1haWx0bzpjb250YWN0QGJwb3N0cGF5LmNvbSI+Y29u 
+dGFjdEBicG9zdHBheS5jb208L2E+PC9wPg0KDQo8cD4mbmJzcDs8L3A+DQoNCjxwPjxiciAvPg0K +R3ImdXVtbDsmc3psaWc7ZSw8YnIgLz4NClpvbGwgS3VuZGVuZGllbnN0PC9wPg0KDQo8cD4mbmJz +cDs8L3A+ +``` + + +## Why is this email invalid? + +As from the headers we can see that this was probably a host called `universal.at` +that accepted some email from the webserver (probably using mod_php, mod_cgi or +something like that). That host then sent the email to the MX server of my mail +provider using _ESMTPS_. Several mechanism failed (DMARC/SPF), the remote ip address +translated into `ppp-202.151.182.86.revip.proen.co.th`. + +Besides all that technical stuff, customs service will never ask for money via +email. Usually you get a notification in your letter box that tells you where you +can get your letter/parcel and what you have to pay for customs. + +I got already a bunch of parcels from outside Austria and they never billed round +values like 50€. + +If you get mails from users that actually **authenticate** on their SMTP servers, +you usually read something like **ESMTPA** in one of the first `Received:` headers. +Where SMTP is the protocol, E tells you the connection was encrypted and A means the +user has been authenticated. Now you gonna look on which server the authentication +took place; the first `Received:` header of an email from me typically looks like this: + +``` +Received: by mail.messagingengine.com (Postfix) with ESMTPA for ; + Sun, 23 Jul 2023 14:14:27 -0400 (EDT) +``` +
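Review bot: The sentence in the "Why is this email invalid?" section, "Where SMTP is the protocol, E tells you the connection was encrypted and A means the user has been authenticated", misreads the `with` keyword of a Postfix `Received:` header: the leading E stands for Extended SMTP (ESMTP), the trailing S marks a TLS-encrypted session and the trailing A marks SMTP AUTH (RFC 3848 registers `ESMTPA`, `ESMTPS` and `ESMTPSA`). The post's own headers show this: the hop `Received: from universal.at (ppp-202.151.182.86.revip.proen.co.th [202.151.182.86]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 ...) ... with ESMTPS` was encrypted but not authenticated, which is exactly what the paragraph wants to contrast with the `with ESMTPA` example. Suggest rewording to "E is for Extended SMTP, S means the session was encrypted with TLS and A means the sender authenticated against the server, so look for ESMTPA or ESMTPSA". Two further points in the same section: "Several mechanism failed (DMARC/SPF)" would be clearer as "Several mechanisms failed" plus the reason visible in the `Authentication-Results` block, namely `header.from=post.at` with `policy.published-domain-policy=reject` while the envelope sender is `www-data@universal.at` (`spf=fail`, `x-aligned-from=fail`), i.e. the From domain and the envelope domain are not aligned; and `policy.override-reason=local_policy` together with `policy.applied-disposition=quarantine` explains why the message ended up in the Junk folder rather than being rejected outright, which is worth a sentence since the post opens with "my Junk mail folder".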