---
title: Regionaldirektion fuer Zölle und indirekte Steuern
summary:
date: 2023-07-29T17:01:28+02:00
# lastmod:
# categories:
#- spam
# tags:
# showBreadcrumbs: true
# showDate: false
# showReadingTime: false
# showWordCount: false
# showPagination: false
#feed_exclude: true
#site_exclude: true
---

Okay, this is probably one of the “better” mails that I got in my Junk mail folder.

## The mail body

```plain
Sehr geehrter Kunde,

Ihr Post Ag Paket: Nr. CA001550110AT, versandt am 28.07.2023, wird bearbeitet. Damit wir Ihr Paket liefern können, werden dem Importeur die Mehrwertsteuerkosten erneut in Rechnung gestellt.
Nach den geltenden Zollbestimmungen ist jede Einfuhr aus einem Land außerhalb der Europäischen Gemeinschaft mit einem Handelswert von mehr als 22 EUR unabhängig von der Art der Waren steuerpflichtig *.
* Artikel 134-I und II-1 ° des CGI: GESETZ Nr. 2012-1510 vom 03. Mai 2017 – Art. 68 (V) Die Validierung des Paysafecard-Guthabens für die Zahlung von Zollgebühren ist gültig.
Um die Zustellung Ihres Pakets für Ihre Heimatadresse zu ermöglichen, bitten wir Sie, Ihre nicht bezahlten Zollgebühren zu regulieren, indem Sie die folgenden Schritte ausführen, um die Zustellung Ihres Pakets abzuschließen:

1. Kaufen Sie einen Paysafecard PIN-Code online (50 EUR)
2. Senden Sie den PIN-Code (16 Ziffern) an folgende Adresse: contact@bpostpay.com

Grüße,
Zoll Kundendienst
```

This is by far the best German that I've seen so far in spam mails (although it is not perfect).

## The mail body source (html)

```html

Sehr geehrter Kunde,

Ihr Post Ag Paket: Nr. CA001550110AT, versandt am 28.07.2023, wird bearbeitet. Damit wir Ihr Paket liefern können, werden dem Importeur die Mehrwertsteuerkosten erneut in Rechnung gestellt.
Nach den geltenden Zollbestimmungen ist jede Einfuhr aus einem Land außerhalb der Europäischen Gemeinschaft mit einem Handelswert von mehr als 22 EUR unabhängig von der Art der Waren steuerpflichtig *.
* Artikel 134-I und II-1 ° des CGI: GESETZ Nr. 2012-1510 vom 03. Mai 2017 – Art. 68 (V) Die Validierung des Paysafecard-Guthabens für die Zahlung von Zollgebühren ist gültig.
Um die Zustellung Ihres Pakets für Ihre Heimatadresse zu ermöglichen, bitten wir Sie, Ihre nicht bezahlten Zollgebühren zu regulieren, indem Sie die folgenden Schritte ausführen, um die Zustellung Ihres Pakets abzuschließen:
 
1. Kaufen Sie einen Paysafecard PIN-Code online (50 EUR)
2. Senden Sie den PIN-Code (16 Ziffern) an folgende Adresse:  contact@bpostpay.com

 


Grüße,
Zoll Kundendienst

 

```

## The mail source (base64)

Some information has been removed for privacy.

```plain
Return-Path:
Received: from compute6.internal (compute6.nyi.internal [10.202.x.xx])
    by sloti44n20 (Cyrus 3.9.0-alpha0-592-ga9d4a09b4b-fm-defalarms-20230725.001-ga9d4a09b) with LMTPA;
    Sat, 29 Jul 2023 10:14:11 -0400
X-Cyrus-Session-Id: sloti44n20-1690640051-1433308-2-7816971425445839177
X-Sieve: CMU Sieve 3.0
X-Spam-known-sender: no ("Email failed DMARC policy for domain")
X-Spam-sender-reputation: 563 (domain; noauth)
X-Spam-score: 26.0
X-Spam-hits: BAYES_50 0.8, DCC_CHECK 1.1, DCC_REPUT_99_100 1.4,
    HEADER_FROM_DIFFERENT_DOMAINS 0.249, HTML_MESSAGE 0.001,
    HTML_MIME_NO_HTML_TAG 0.377, KHOP_HELO_FCRDNS 0.001, ME_NOAUTH 0.01,
    ME_QUARANTINE 5, ME_SC_NH -0.001, ME_SENDERREP_NEUTRAL 0.001,
    ME_VADESPAM_HIGH 3, ME_VADE_X1 0.001, MIME_HTML_ONLY 0.1,
    RCVD_IN_INVALUEMENT24 2, RCVD_IN_SBL_CSS 3, RCVD_IN_ZEN_LASTEXTERNAL 8,
    RDNS_DYNAMIC 0.982, SPF_FAIL 0.001, SPF_HELO_FAIL 0.001,
    T_SCC_BODY_TEXT_LINE -0.01, LANGUAGES de, BAYES_USED user, SA_VERSION 3.4.6
X-Spam-source: IP='202.151.182.86', Host='ppp-202.151.182.86.revip.proen.co.th', Country='TH', FromHeader='at', MailFrom='at'
X-Spam-charsets: from='utf-8', subject='utf-8', html='UTF-8'
X-IgnoreVacation: yes ("Email failed DMARC policy for domain")
X-Resolved-to: dominic@...
X-Delivered-to: dominic@...
X-Mail-from: www-data@universal.at
Received: from mx5 ([10.202.2.204])
    by compute6.internal (LMTPProxy); Sat, 29 Jul 2023 10:14:11 -0400
Received: from mx5.messagingengine.com (localhost [127.0.0.1])
    by mailmx.nyi.internal (Postfix) with ESMTP id 6F2E727200BB
    for ; Sat, 29 Jul 2023 10:14:10 -0400 (EDT)
Received: from mailmx.nyi.internal (localhost [127.0.0.1])
    by mx5.messagingengine.com (Authentication Milter) with ESMTP
    id 5CC9613B011.38BA027200B3;
    Sat, 29 Jul 2023 10:14:10 -0400
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=messagingengine.com; s=fm3; t=
    1690640050; b=RB8RZH6MaPuZaUbzTFgaC/5rRbzXOq7TE/Vm82v8OREaZ9vMNn
    83TLV8ZQPRNVDRYlEyx0o1U7HgFxlHBtjDTdyos8NF3dcaXF2i4sRHV36OmQyrBA
    pbX2RBVqk16STfLZNDJzJPHUm/kqVa58wu/PiGwOcJDsqqjhMwHrgtaY7xnk6yaY
    pI8Unbd8IEmWCF1oFkd7/m6bi2gP155WzrQ+ODNb/5Eg7d6aL3YjM5bPgMiKb6Lq
    3xZkpuZrCwRvz3jfR4+hotROsrBajIaw7gTF8WCWHK2HMqa0OCjHMqmImU09V6rz
    QBZa6FGnpsUIrn7eZl6SN5HGHTSQOW3Rne2g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=
    messagingengine.com; h=date:to:from:subject:message-id
    :mime-version:content-type:content-transfer-encoding; s=fm3; t=
    1690640050; bh=w6oJ3S7Y/Us7PijzHL1aoBLxm4XbhO51kHjEeQQTcrY=; b=D
    BUheUZvKRDgkQ24PtWSGgyiglWyhYTY35uyvqlP19C6QYo4r9qC1wU+IccuDFR1N
    U0rE2UA4HAmvwxlzl/GQn9hB2hvY+VGSL1Olfi6VhboUITHkbAy6qYYLEvMvzIvR
    HLrjKBTEWe8y88UFCI0YDXr0iZRURoKwKcPlgOXCAj7cHNZMauHM76i04GlE+Sdf
    fByK+dkRNrzIR3wCchRc2vQT95QeTL6l1GfxksjEum5s9cnjdvM12Om8HiKe2gV2
    Ncx+sCNuyLaSl6zg8sjgRkfEheEYj5EeH5F5qrPnYIxVEUo6Lv/ye0LNVAbKMxcl
    S21gpYpzGzcLyLmWKQJHA==
ARC-Authentication-Results: i=1; mx5.messagingengine.com;
    x-csa=none;
    x-me-sender=none;
    x-ptr=fail smtp.helo=universal.at policy.ptr=ppp-202.151.182.86.revip.proen.co.th;
    bimi=skipped (DMARC did not pass);
    arc=none (no signatures found);
    dkim=none (no signatures found);
    dmarc=fail policy.published-domain-policy=reject
    policy.applied-disposition=quarantine policy.evaluated-disposition=reject
    policy.override-reason=local_policy policy.arc-aware-result=fail
    (p=reject,d=quarantine,d.eval=reject,override=local_policy,arc_aware_result=fail)
    policy.policy-from=p header.from=post.at;
    iprev=pass smtp.remote-ip=202.151.182.86 (ppp-202.151.182.86.revip.proen.co.th);
    spf=fail smtp.mailfrom=www-data@universal.at smtp.helo=universal.at
X-Disposition-Quarantine: Quarantined due to DMARC policy
X-ME-Authentication-Results: mx5.messagingengine.com;
    x-aligned-from=fail;
    x-return-mx=pass header.domain=post.at policy.is_org=yes
    (MX Records found: mxb-00221601.gslb.pphosted.com,mxa-00221601.gslb.pphosted.com);
    x-return-mx=pass smtp.domain=universal.at policy.is_org=yes
    (MX Records found: universal-at.mail.protection.outlook.com);
    x-tls=pass smtp.version=TLSv1.3 smtp.cipher=TLS_AES_256_GCM_SHA384 smtp.bits=256/256;
    x-vs=spam:high score=500 state=1
Authentication-Results: mx5.messagingengine.com;
    x-csa=none;
    x-me-sender=none;
    x-ptr=fail smtp.helo=universal.at policy.ptr=ppp-202.151.182.86.revip.proen.co.th
Authentication-Results: mx5.messagingengine.com;
    bimi=skipped (DMARC did not pass)
Authentication-Results: mx5.messagingengine.com;
    arc=none (no signatures found)
Authentication-Results: mx5.messagingengine.com;
    dkim=none (no signatures found);
    dmarc=fail policy.published-domain-policy=reject
    policy.applied-disposition=quarantine policy.evaluated-disposition=reject
    policy.override-reason=local_policy policy.arc-aware-result=fail
    (p=reject,d=quarantine,d.eval=reject,override=local_policy,arc_aware_result=fail)
    policy.policy-from=p header.from=post.at;
    iprev=pass smtp.remote-ip=202.151.182.86 (ppp-202.151.182.86.revip.proen.co.th);
    spf=fail smtp.mailfrom=www-data@universal.at smtp.helo=universal.at
X-ME-VSCause: gggruggvucftvghtrhhoucdtuddrgedviedrieekgdejudcutefuodetggdotefrodftvf
    curfhrohhfihhlvgemucfhrghsthforghilhdpggftfghnshhusghstghrihgsvgdpuffr
    tefokffrpgfnqfghnecuuegrihhlohhuthemuceftddtnecuogfhohhrsghiugguvghnff
    homhgrihhnucdlhedttddmnecujfgurhepfffvhffukffrgggtgfeshhgsjhdttddtjeen
    ucfhrhhomheprfhoshhtrdgrthcuoehnohhrvghplhihsehpohhsthdrrghtqeenucggtf
    frrghtthgvrhhnpeehgfelhefgieeiheekkeelvdfgleehieffvdeivdeufeffveehteej
    udevhfejieenucffohhmrghinhepfihkvhdrtghomhenucfkphepvddtvddrudehuddrud
    ekvddrkeeinecuufhprghmkfhppedvtddvrdduhedurddukedvrdekieenucfhohhrsghi
    ugguvghnffhomhgrihhnpeifkhhvrdgtohhmnecuufhprghmufhusghjvggtthepreertf
    gvghhiohhnrghlughirhgvkhhtihhonhcufhptrhcukgpnlhhlvgcuuhhnugcuihhnughi
    rhgvkhhtvgcuufhtvghuvghrnhenucfuphgrmhetlhhphhgrufhusghjvggttheprhgvgh
    hiohhnrghlughirhgvkhhtihhonhhfuhhriiholhhlvghunhguihhnughirhgvkhhtvghs
    thgvuhgvrhhnnecuufhprghmtehlihgrsheprfhoshhtrdgrthenucfuphgrmhetlhhphh
    grtehlihgrshepphhoshhtrghtnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghm
    pehinhgvthepvddtvddrudehuddrudekvddrkeeipdhhvghlohepuhhnihhvvghrshgrlh
    drrghtpdhmrghilhhfrhhomhepoeiffiifqdgurghtrgesuhhnihhvvghrshgrlhdrrght
    qe
X-ME-VSScore: 500
X-ME-VSCategory: spam:high
X-ME-CSA: none
Received-SPF: fail
    (universal.at: Sender is not authorized by default to use 'www-data@universal.at' in 'mfrom' identity (mechanism '-all' matched))
    receiver=mx5.messagingengine.com;
    identity=mailfrom;
    envelope-from="www-data@universal.at";
    helo=universal.at;
    client-ip=202.151.182.86
Received: from universal.at (ppp-202.151.182.86.revip.proen.co.th [202.151.182.86])
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
    key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
    (No client certificate requested)
    by mx5.messagingengine.com (Postfix) with ESMTPS id 38BA027200B3
    for ; Sat, 29 Jul 2023 10:14:09 -0400 (EDT)
Received: by universal.at (Postfix, from userid 33)
    id 2537762620; Sat, 29 Jul 2023 11:35:30 +0000 (UTC)
Date: Sat, 29 Jul 2023 11:35:30 +0000
To: dominic@...
From: =?utf-8?Q?Post=2eat?=
Subject: =?utf-8?Q?=e2=9c=88=ef=b8=8fRegionaldirektion=20f=c3=bcr=20Z=c3=b6lle=20und=20indirekte=20Steuern?=
Message-ID: <2cf35f10e46774fe43c684a13bae1866@202.151.182.86>
X-Priority: 3
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: base64
X-TUID: jE8aYgkCdmDh

PHA+PHN0cm9uZz5TZWhyIGdlZWhydGVyIEt1bmRlLDwvc3Ryb25nPjwvcD4NCg0KPHA+SWhyIFBv
c3QgQWcgUGFrZXQ6IE5yLiBDQTAwMTU1MDExMEFULCB2ZXJzYW5kdCBhbSAyOC4wNy4yMDIzLCB3
aXJkIGJlYXJiZWl0ZXQuIERhbWl0IHdpciBJaHIgUGFrZXQgbGllZmVybiBrJm91bWw7bm5lbiwg
d2VyZGVuIGRlbSBJbXBvcnRldXIgZGllIE1laHJ3ZXJ0c3RldWVya29zdGVuIGVybmV1dCBpbiBS
ZWNobnVuZyBnZXN0ZWxsdC48YnIgLz4NCk5hY2ggZGVuIGdlbHRlbmRlbiBab2xsYmVzdGltbXVu
Z2VuIGlzdCBqZWRlIEVpbmZ1aHIgYXVzIGVpbmVtIExhbmQgYXUmc3psaWc7ZXJoYWxiIGRlciBF
dXJvcCZhdW1sO2lzY2hlbiBHZW1laW5zY2hhZnQgbWl0IGVpbmVtIEhhbmRlbHN3ZXJ0IHZvbiBt
ZWhyIGFscyAyMiBFVVIgdW5hYmgmYXVtbDtuZ2lnIHZvbiBkZXIgQXJ0IGRlciBXYXJlbiBzdGV1
ZXJwZmxpY2h0aWcgKi48YnIgLz4NCiogQXJ0aWtlbCAxMzQtSSB1bmQgSUktMSAmZGVnOyBkZXMg
Q0dJOiBHRVNFVFogTnIuIDIwMTItMTUxMCB2b20gMDMuIE1haSAyMDE3ICZuZGFzaDsgQXJ0LiA2
OCAoVikgRGllIFZhbGlkaWVydW5nIGRlcyBQYXlzYWZlY2FyZC1HdXRoYWJlbnMgZiZ1dW1sO3Ig
ZGllIFphaGx1bmcgdm9uIFpvbGxnZWImdXVtbDtocmVuIGlzdCBnJnV1bWw7bHRpZy48YnIgLz4N
ClVtIGRpZSBadXN0ZWxsdW5nIElocmVzIFBha2V0cyBmJnV1bWw7ciBJaHJlIEhlaW1hdGFkcmVz
c2UgenUgZXJtJm91bWw7Z2xpY2hlbiwgYml0dGVuIHdpciBTaWUsIElocmUgbmljaHQgYmV6YWhs
dGVuIFpvbGxnZWImdXVtbDtocmVuIHp1IHJlZ3VsaWVyZW4sIGluZGVtIFNpZSBkaWUgZm9sZ2Vu
ZGVuIFNjaHJpdHRlIGF1c2YmdXVtbDtocmVuLCB1bSBkaWUgWnVzdGVsbHVuZyBJaHJlcyBQYWtl
dHMgYWJ6dXNjaGxpZSZzemxpZztlbjo8YnIgLz4NCiZuYnNwOzxiciAvPg0KPGEgaHJlZj0iaHR0
cHM6Ly93a3YuY29tIiByZWw9Im5vcmVmZXJyZXIiIHRhcmdldD0iX2JsYW5rIj4xLiBLYXVmZW4g
U2llIGVpbmVuIFBheXNhZmVjYXJkIFBJTi1Db2RlIG9ubGluZSAoNTAgRVVSKTwvYT48YnIgLz4N
CjIuIFNlbmRlbiBTaWUgZGVuIFBJTi1Db2RlICgxNiBaaWZmZXJuKSBhbiBmb2xnZW5kZSBBZHJl
c3NlOiZuYnNwOyZuYnNwOzxhIGhyZWY9Im1haWx0bzpjb250YWN0QGJwb3N0cGF5LmNvbSI+Y29u
dGFjdEBicG9zdHBheS5jb208L2E+PC9wPg0KDQo8cD4mbmJzcDs8L3A+DQoNCjxwPjxiciAvPg0K
R3ImdXVtbDsmc3psaWc7ZSw8YnIgLz4NClpvbGwgS3VuZGVuZGllbnN0PC9wPg0KDQo8cD4mbmJz
cDs8L3A+
```

## Why is this email invalid?

From the headers we can see that this was probably a host called `universal.at` that accepted some email from the web server (probably using mod_php, mod_cgi or something like that). That host then sent the email to the MX server of my mail provider using _ESMTPS_. Several mechanisms failed (DMARC/SPF), and the remote IP address resolved to `ppp-202.151.182.86.revip.proen.co.th`.

Besides all that technical stuff, the customs service will never ask for money via email. Usually you get a notification in your letter box that tells you where you can get your letter/parcel and what you have to pay for customs. I already got a bunch of parcels from outside Austria and they never billed round values like 50€.

If you get mails from users that actually **authenticate** on their SMTP servers, you usually read something like **ESMTPA** in one of the first `Received:` headers. Where SMTP is the protocol, E tells you the connection was encrypted and A means the user has been authenticated. Now look at which server the authentication took place on; the first `Received:` header of an email from me typically looks like this:

```
Received: by mail.messagingengine.com (Postfix) with ESMTPA for ; Sun, 23 Jul 2023 14:14:27 -0400 (EDT)
```
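
The header checks described above, as an added example that is not part of the original post: it reads the `Authentication-Results` and `Received` headers with Python's `email` module and reports SPF/DKIM/DMARC failures, a From/envelope domain mismatch, and a missing authenticated hop. The sample headers are abridged from this mail and the `sender@` local part is an assumption; the protocol keywords follow RFC 3848, where the `A` suffix marks SMTP AUTH and the `S` suffix marks TLS.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, abridged from the headers on this page. The From local
# part ("sender") is an assumption; the page only shows header.from=post.at.
SAMPLE = """\
Authentication-Results: mx5.messagingengine.com;
    dkim=none (no signatures found);
    dmarc=fail policy.published-domain-policy=reject header.from=post.at;
    spf=fail smtp.mailfrom=www-data@universal.at smtp.helo=universal.at
Received: from universal.at (ppp-202.151.182.86.revip.proen.co.th [202.151.182.86])
    by mx5.messagingengine.com (Postfix) with ESMTPS id 38BA027200B3;
    Sat, 29 Jul 2023 10:14:09 -0400 (EDT)
Received: by universal.at (Postfix, from userid 33) id 2537762620;
    Sat, 29 Jul 2023 11:35:30 +0000 (UTC)
From: Post.at <sender@post.at>

body
"""

def auth_results(msg):
    """Map method -> result (spf, dkim, dmarc, ...) over all Authentication-Results headers."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        value = re.sub(r"\([^)]*\)", "", value)      # drop (comments)
        for part in value.split(";")[1:]:            # [0] is the authserv-id
            m = re.match(r"\s*([\w-]+)=(\w+)", part)
            if m:
                results.setdefault(m.group(1).lower(), m.group(2).lower())
    return results

def received_protocols(msg):
    """'with <PROTOCOL>' keyword of each Received header, newest hop first."""
    found = (re.search(r"\bwith\s+([A-Z0-9]+)", v) for v in msg.get_all("Received", []))
    return [m.group(1) if m else None for m in found]

def assess(raw):
    """Return a list of findings; an empty list means none of the checks fired."""
    msg = message_from_string(raw)
    res = auth_results(msg)
    findings = [f"{k}={res.get(k, 'missing')}" for k in ("spf", "dkim", "dmarc") if res.get(k) != "pass"]
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    ar = " ".join(msg.get_all("Authentication-Results", []))
    m = re.search(r"smtp\.mailfrom=(?:[^\s;@]*@)?([^\s;]+)", ar)
    env_dom = m.group(1).lower() if m else ""
    if from_dom != env_dom:  # strict comparison; DMARC relaxed mode compares organizational domains
        findings.append(f"From domain {from_dom} != envelope domain {env_dom}")
    # RFC 3848: ESMTPA = ESMTP with SMTP AUTH, ESMTPSA = SMTP AUTH over TLS.
    if not any(p in ("ESMTPA", "ESMTPSA") for p in received_protocols(msg)):
        findings.append("no authenticated submission hop (ESMTPA/ESMTPSA)")
    return findings
```
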