+++
# vim: ft=markdown
title = 'Regionaldirektion fuer Zölle und indirekte Steuern'
summary = ''
date = '2023-07-29T17:01:28+02:00'
# lastmod = ''
# categories = [ 'spam' ]
# tags = []

# showBreadcrumbs = true
# showDate = false
# showReadingTime = false
# showWordCount = false
# showPagination = false

#feed_exclude = true
#site_exclude = true

+++

Okay, this is probably one of the “better” mails that I got in my Junk mail folder.

## The mail body

```
Sehr geehrter Kunde,

Ihr Post Ag Paket: Nr. CA001550110AT, versandt am 28.07.2023, wird bearbeitet.
Damit wir Ihr Paket liefern können, werden dem Importeur die
Mehrwertsteuerkosten erneut in Rechnung gestellt.
Nach den geltenden Zollbestimmungen ist jede Einfuhr aus einem Land außerhalb
der Europäischen Gemeinschaft mit einem Handelswert von mehr als 22 EUR
unabhängig von der Art der Waren steuerpflichtig *.
* Artikel 134-I und II-1 ° des CGI: GESETZ Nr. 2012-1510 vom 03. Mai 2017 –
Art. 68 (V) Die Validierung des Paysafecard-Guthabens für die Zahlung von
Zollgebühren ist gültig.
Um die Zustellung Ihres Pakets für Ihre Heimatadresse zu ermöglichen, bitten
wir Sie, Ihre nicht bezahlten Zollgebühren zu regulieren, indem Sie die
folgenden Schritte ausführen, um die Zustellung Ihres Pakets abzuschließen:

1. Kaufen Sie einen Paysafecard PIN-Code online (50 EUR)
2. Senden Sie den PIN-Code (16 Ziffern) an folgende Adresse:
contact@bpostpay.com




Grüße,
Zoll Kundendienst
```

This is by far the best German that I've seen so far in spam mails (although
it is not perfect).

## The mail body source (html)

```html
<p><strong>Sehr geehrter Kunde,</strong></p>

<p>Ihr Post Ag Paket: Nr. CA001550110AT, versandt am 28.07.2023, wird bearbeitet. Damit wir Ihr Paket liefern können, werden dem Importeur die Mehrwertsteuerkosten erneut in Rechnung gestellt.<br />
Nach den geltenden Zollbestimmungen ist jede Einfuhr aus einem Land außerhalb der Europäischen Gemeinschaft mit einem Handelswert von mehr als 22 EUR unabhängig von der Art der Waren steuerpflichtig *.<br />
* Artikel 134-I und II-1 ° des CGI: GESETZ Nr. 2012-1510 vom 03. Mai 2017 – Art. 68 (V) Die Validierung des Paysafecard-Guthabens für die Zahlung von Zollgebühren ist gültig.<br />
Um die Zustellung Ihres Pakets für Ihre Heimatadresse zu ermöglichen, bitten wir Sie, Ihre nicht bezahlten Zollgebühren zu regulieren, indem Sie die folgenden Schritte ausführen, um die Zustellung Ihres Pakets abzuschließen:<br />
<br />
<a href="https://wkv.com" rel="noreferrer" target="_blank">1. Kaufen Sie einen Paysafecard PIN-Code online (50 EUR)</a><br />
2. Senden Sie den PIN-Code (16 Ziffern) an folgende Adresse: <a href="mailto:contact@bpostpay.com">contact@bpostpay.com</a></p>

<p> </p>

<p><br />
Grüße,<br />
Zoll Kundendienst</p>

<p> </p>
```

## The mail source (base64)

Some information has been removed for privacy.

```mail
Return-Path: <www-data@universal.at>
Received: from compute6.internal (compute6.nyi.internal [10.202.x.xx])
by sloti44n20 (Cyrus 3.9.0-alpha0-592-ga9d4a09b4b-fm-defalarms-20230725.001-ga9d4a09b) with LMTPA;
Sat, 29 Jul 2023 10:14:11 -0400
X-Cyrus-Session-Id: sloti44n20-1690640051-1433308-2-7816971425445839177
X-Sieve: CMU Sieve 3.0
X-Spam-known-sender: no ("Email failed DMARC policy for domain")
X-Spam-sender-reputation: 563 (domain; noauth)
X-Spam-score: 26.0
X-Spam-hits: BAYES_50 0.8, DCC_CHECK 1.1, DCC_REPUT_99_100 1.4,
HEADER_FROM_DIFFERENT_DOMAINS 0.249, HTML_MESSAGE 0.001,
HTML_MIME_NO_HTML_TAG 0.377, KHOP_HELO_FCRDNS 0.001, ME_NOAUTH 0.01,
ME_QUARANTINE 5, ME_SC_NH -0.001, ME_SENDERREP_NEUTRAL 0.001,
ME_VADESPAM_HIGH 3, ME_VADE_X1 0.001, MIME_HTML_ONLY 0.1,
RCVD_IN_INVALUEMENT24 2, RCVD_IN_SBL_CSS 3, RCVD_IN_ZEN_LASTEXTERNAL 8,
RDNS_DYNAMIC 0.982, SPF_FAIL 0.001, SPF_HELO_FAIL 0.001,
T_SCC_BODY_TEXT_LINE -0.01, LANGUAGES de, BAYES_USED user,
SA_VERSION 3.4.6
X-Spam-source: IP='202.151.182.86', Host='ppp-202.151.182.86.revip.proen.co.th',
Country='TH', FromHeader='at', MailFrom='at'
X-Spam-charsets: from='utf-8', subject='utf-8', html='UTF-8'
X-IgnoreVacation: yes ("Email failed DMARC policy for domain")
X-Resolved-to: dominic@...
X-Delivered-to: dominic@...
X-Mail-from: www-data@universal.at
Received: from mx5 ([10.202.2.204])
by compute6.internal (LMTPProxy); Sat, 29 Jul 2023 10:14:11 -0400
Received: from mx5.messagingengine.com (localhost [127.0.0.1])
by mailmx.nyi.internal (Postfix) with ESMTP id 6F2E727200BB
for <dominic@...>; Sat, 29 Jul 2023 10:14:10 -0400 (EDT)
Received: from mailmx.nyi.internal (localhost [127.0.0.1])
by mx5.messagingengine.com (Authentication Milter) with ESMTP
id 5CC9613B011.38BA027200B3;
Sat, 29 Jul 2023 10:14:10 -0400
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=messagingengine.com; s=fm3; t=
1690640050; b=RB8RZH6MaPuZaUbzTFgaC/5rRbzXOq7TE/Vm82v8OREaZ9vMNn
83TLV8ZQPRNVDRYlEyx0o1U7HgFxlHBtjDTdyos8NF3dcaXF2i4sRHV36OmQyrBA
pbX2RBVqk16STfLZNDJzJPHUm/kqVa58wu/PiGwOcJDsqqjhMwHrgtaY7xnk6yaY
pI8Unbd8IEmWCF1oFkd7/m6bi2gP155WzrQ+ODNb/5Eg7d6aL3YjM5bPgMiKb6Lq
3xZkpuZrCwRvz3jfR4+hotROsrBajIaw7gTF8WCWHK2HMqa0OCjHMqmImU09V6rz
QBZa6FGnpsUIrn7eZl6SN5HGHTSQOW3Rne2g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=
messagingengine.com; h=date:to:from:subject:message-id
:mime-version:content-type:content-transfer-encoding; s=fm3; t=
1690640050; bh=w6oJ3S7Y/Us7PijzHL1aoBLxm4XbhO51kHjEeQQTcrY=; b=D
BUheUZvKRDgkQ24PtWSGgyiglWyhYTY35uyvqlP19C6QYo4r9qC1wU+IccuDFR1N
U0rE2UA4HAmvwxlzl/GQn9hB2hvY+VGSL1Olfi6VhboUITHkbAy6qYYLEvMvzIvR
HLrjKBTEWe8y88UFCI0YDXr0iZRURoKwKcPlgOXCAj7cHNZMauHM76i04GlE+Sdf
fByK+dkRNrzIR3wCchRc2vQT95QeTL6l1GfxksjEum5s9cnjdvM12Om8HiKe2gV2
Ncx+sCNuyLaSl6zg8sjgRkfEheEYj5EeH5F5qrPnYIxVEUo6Lv/ye0LNVAbKMxcl
S21gpYpzGzcLyLmWKQJHA==
ARC-Authentication-Results: i=1; mx5.messagingengine.com;
x-csa=none;
x-me-sender=none;
x-ptr=fail smtp.helo=universal.at
policy.ptr=ppp-202.151.182.86.revip.proen.co.th;
bimi=skipped (DMARC did not pass);
arc=none (no signatures found);
dkim=none (no signatures found);
dmarc=fail policy.published-domain-policy=reject
policy.applied-disposition=quarantine
policy.evaluated-disposition=reject
policy.override-reason=local_policy policy.arc-aware-result=fail
(p=reject,d=quarantine,d.eval=reject,override=local_policy,arc_aware_result=fail)
policy.policy-from=p header.from=post.at;
iprev=pass smtp.remote-ip=202.151.182.86
(ppp-202.151.182.86.revip.proen.co.th);
spf=fail smtp.mailfrom=www-data@universal.at smtp.helo=universal.at
X-Disposition-Quarantine: Quarantined due to DMARC policy
X-ME-Authentication-Results: mx5.messagingengine.com;
x-aligned-from=fail;
x-return-mx=pass header.domain=post.at policy.is_org=yes
(MX Records found: mxb-00221601.gslb.pphosted.com,mxa-00221601.gslb.pphosted.com);
x-return-mx=pass smtp.domain=universal.at policy.is_org=yes
(MX Records found: universal-at.mail.protection.outlook.com);
x-tls=pass smtp.version=TLSv1.3 smtp.cipher=TLS_AES_256_GCM_SHA384
smtp.bits=256/256;
x-vs=spam:high score=500 state=1
Authentication-Results: mx5.messagingengine.com;
x-csa=none;
x-me-sender=none;
x-ptr=fail smtp.helo=universal.at
policy.ptr=ppp-202.151.182.86.revip.proen.co.th
Authentication-Results: mx5.messagingengine.com;
bimi=skipped (DMARC did not pass)
Authentication-Results: mx5.messagingengine.com;
arc=none (no signatures found)
Authentication-Results: mx5.messagingengine.com;
dkim=none (no signatures found);
dmarc=fail policy.published-domain-policy=reject
policy.applied-disposition=quarantine
policy.evaluated-disposition=reject
policy.override-reason=local_policy policy.arc-aware-result=fail
(p=reject,d=quarantine,d.eval=reject,override=local_policy,arc_aware_result=fail)
policy.policy-from=p header.from=post.at;
iprev=pass smtp.remote-ip=202.151.182.86
(ppp-202.151.182.86.revip.proen.co.th);
spf=fail smtp.mailfrom=www-data@universal.at smtp.helo=universal.at
X-ME-VSCause: gggruggvucftvghtrhhoucdtuddrgedviedrieekgdejudcutefuodetggdotefrodftvf
curfhrohhfihhlvgemucfhrghsthforghilhdpggftfghnshhusghstghrihgsvgdpuffr
tefokffrpgfnqfghnecuuegrihhlohhuthemuceftddtnecuogfhohhrsghiugguvghnff
homhgrihhnucdlhedttddmnecujfgurhepfffvhffukffrgggtgfeshhgsjhdttddtjeen
ucfhrhhomheprfhoshhtrdgrthcuoehnohhrvghplhihsehpohhsthdrrghtqeenucggtf
frrghtthgvrhhnpeehgfelhefgieeiheekkeelvdfgleehieffvdeivdeufeffveehteej
udevhfejieenucffohhmrghinhepfihkvhdrtghomhenucfkphepvddtvddrudehuddrud
ekvddrkeeinecuufhprghmkfhppedvtddvrdduhedurddukedvrdekieenucfhohhrsghi
ugguvghnffhomhgrihhnpeifkhhvrdgtohhmnecuufhprghmufhusghjvggtthepreertf
gvghhiohhnrghlughirhgvkhhtihhonhcufhptrhcukgpnlhhlvgcuuhhnugcuihhnughi
rhgvkhhtvgcuufhtvghuvghrnhenucfuphgrmhetlhhphhgrufhusghjvggttheprhgvgh
hiohhnrghlughirhgvkhhtihhonhhfuhhriiholhhlvghunhguihhnughirhgvkhhtvghs
thgvuhgvrhhnnecuufhprghmtehlihgrsheprfhoshhtrdgrthenucfuphgrmhetlhhphh
grtehlihgrshepphhoshhtrghtnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghm
pehinhgvthepvddtvddrudehuddrudekvddrkeeipdhhvghlohepuhhnihhvvghrshgrlh
drrghtpdhmrghilhhfrhhomhepoeiffiifqdgurghtrgesuhhnihhvvghrshgrlhdrrght
qe
X-ME-VSScore: 500
X-ME-VSCategory: spam:high
X-ME-CSA: none
Received-SPF: fail
(universal.at: Sender is not authorized by default to use 'www-data@universal.at' in 'mfrom' identity (mechanism '-all' matched))
receiver=mx5.messagingengine.com;
identity=mailfrom;
envelope-from="www-data@universal.at";
helo=universal.at;
client-ip=202.151.182.86
Received: from universal.at (ppp-202.151.182.86.revip.proen.co.th [202.151.182.86])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
(No client certificate requested)
by mx5.messagingengine.com (Postfix) with ESMTPS id 38BA027200B3
for <dominic@...>; Sat, 29 Jul 2023 10:14:09 -0400 (EDT)
Received: by universal.at (Postfix, from userid 33)
id 2537762620; Sat, 29 Jul 2023 11:35:30 +0000 (UTC)
Date: Sat, 29 Jul 2023 11:35:30 +0000
To: dominic@...
From: =?utf-8?Q?Post=2eat?= <noreply@post.at>
Subject: =?utf-8?Q?=e2=9c=88=ef=b8=8fRegionaldirektion=20f=c3=bcr=20Z=c3=b6lle=20und=20indirekte=20Steuern?=
Message-ID: <2cf35f10e46774fe43c684a13bae1866@202.151.182.86>
X-Priority: 3
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: base64
X-TUID: jE8aYgkCdmDh

PHA+PHN0cm9uZz5TZWhyIGdlZWhydGVyIEt1bmRlLDwvc3Ryb25nPjwvcD4NCg0KPHA+SWhyIFBv
c3QgQWcgUGFrZXQ6IE5yLiBDQTAwMTU1MDExMEFULCB2ZXJzYW5kdCBhbSAyOC4wNy4yMDIzLCB3
aXJkIGJlYXJiZWl0ZXQuIERhbWl0IHdpciBJaHIgUGFrZXQgbGllZmVybiBrJm91bWw7bm5lbiwg
d2VyZGVuIGRlbSBJbXBvcnRldXIgZGllIE1laHJ3ZXJ0c3RldWVya29zdGVuIGVybmV1dCBpbiBS
ZWNobnVuZyBnZXN0ZWxsdC48YnIgLz4NCk5hY2ggZGVuIGdlbHRlbmRlbiBab2xsYmVzdGltbXVu
Z2VuIGlzdCBqZWRlIEVpbmZ1aHIgYXVzIGVpbmVtIExhbmQgYXUmc3psaWc7ZXJoYWxiIGRlciBF
dXJvcCZhdW1sO2lzY2hlbiBHZW1laW5zY2hhZnQgbWl0IGVpbmVtIEhhbmRlbHN3ZXJ0IHZvbiBt
ZWhyIGFscyAyMiBFVVIgdW5hYmgmYXVtbDtuZ2lnIHZvbiBkZXIgQXJ0IGRlciBXYXJlbiBzdGV1
ZXJwZmxpY2h0aWcgKi48YnIgLz4NCiogQXJ0aWtlbCAxMzQtSSB1bmQgSUktMSAmZGVnOyBkZXMg
Q0dJOiBHRVNFVFogTnIuIDIwMTItMTUxMCB2b20gMDMuIE1haSAyMDE3ICZuZGFzaDsgQXJ0LiA2
OCAoVikgRGllIFZhbGlkaWVydW5nIGRlcyBQYXlzYWZlY2FyZC1HdXRoYWJlbnMgZiZ1dW1sO3Ig
ZGllIFphaGx1bmcgdm9uIFpvbGxnZWImdXVtbDtocmVuIGlzdCBnJnV1bWw7bHRpZy48YnIgLz4N
ClVtIGRpZSBadXN0ZWxsdW5nIElocmVzIFBha2V0cyBmJnV1bWw7ciBJaHJlIEhlaW1hdGFkcmVz
c2UgenUgZXJtJm91bWw7Z2xpY2hlbiwgYml0dGVuIHdpciBTaWUsIElocmUgbmljaHQgYmV6YWhs
dGVuIFpvbGxnZWImdXVtbDtocmVuIHp1IHJlZ3VsaWVyZW4sIGluZGVtIFNpZSBkaWUgZm9sZ2Vu
ZGVuIFNjaHJpdHRlIGF1c2YmdXVtbDtocmVuLCB1bSBkaWUgWnVzdGVsbHVuZyBJaHJlcyBQYWtl
dHMgYWJ6dXNjaGxpZSZzemxpZztlbjo8YnIgLz4NCiZuYnNwOzxiciAvPg0KPGEgaHJlZj0iaHR0
cHM6Ly93a3YuY29tIiByZWw9Im5vcmVmZXJyZXIiIHRhcmdldD0iX2JsYW5rIj4xLiBLYXVmZW4g
U2llIGVpbmVuIFBheXNhZmVjYXJkIFBJTi1Db2RlIG9ubGluZSAoNTAgRVVSKTwvYT48YnIgLz4N
CjIuIFNlbmRlbiBTaWUgZGVuIFBJTi1Db2RlICgxNiBaaWZmZXJuKSBhbiBmb2xnZW5kZSBBZHJl
c3NlOiZuYnNwOyZuYnNwOzxhIGhyZWY9Im1haWx0bzpjb250YWN0QGJwb3N0cGF5LmNvbSI+Y29u
dGFjdEBicG9zdHBheS5jb208L2E+PC9wPg0KDQo8cD4mbmJzcDs8L3A+DQoNCjxwPjxiciAvPg0K
R3ImdXVtbDsmc3psaWc7ZSw8YnIgLz4NClpvbGwgS3VuZGVuZGllbnN0PC9wPg0KDQo8cD4mbmJz
cDs8L3A+
```

## Why is this email invalid?

From the headers we can see that this was probably a host called `universal.at`
that accepted the email from the web server (probably using mod_php, mod_cgi or
something like that); the `Return-Path` of `www-data@universal.at` and the
`from userid 33` in the bottom `Received:` header point that way. That host then
sent the email to the MX server of my mail provider using _ESMTPS_. Several
mechanisms failed (DMARC/SPF), and the remote IP address resolved to
`ppp-202.151.182.86.revip.proen.co.th`.

Besides all that technical stuff, the customs service will never ask for money via
email. Usually you get a notification in your letter box that tells you where you
can get your letter/parcel and what you have to pay for customs.

I have already received a bunch of parcels from outside Austria, and they never billed round
values like 50€.

If you get mails from users that actually **authenticate** on their SMTP servers,
you usually read something like **ESMTPA** in one of the first `Received:` headers,
where SMTP is the protocol, E tells you the connection was encrypted and A means the
user has been authenticated. Next, look at which server the authentication
took place on; the first `Received:` header of an email from me typically looks like this:

```
Received: by mail.messagingengine.com (Postfix) with ESMTPA for <dominic@...>;
Sun, 23 Jul 2023 14:14:27 -0400 (EDT)
```
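
The header checks described in this section, as an added example that is not part of the original post: a small Python triage that reads the `Authentication-Results` verdicts, compares the `From` domain with the envelope sender, and looks for an authenticated (`ESMTPA`/`ESMTPSA`) hop in the `Received:` chain. `SAMPLE` is a constructed, shortened copy of the headers above with a placeholder recipient; `triage` and `domain_of` are names chosen for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: shortened copy of the headers shown on this page,
# with the recipient replaced by a placeholder address.
SAMPLE = """\
Return-Path: <www-data@universal.at>
Authentication-Results: mx5.messagingengine.com;
    dkim=none (no signatures found);
    dmarc=fail policy.published-domain-policy=reject header.from=post.at;
    spf=fail smtp.mailfrom=www-data@universal.at smtp.helo=universal.at
Received: from universal.at (ppp-202.151.182.86.revip.proen.co.th [202.151.182.86])
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
    by mx5.messagingengine.com (Postfix) with ESMTPS id 38BA027200B3
    for <user@example.org>; Sat, 29 Jul 2023 10:14:09 -0400 (EDT)
Received: by universal.at (Postfix, from userid 33)
    id 2537762620; Sat, 29 Jul 2023 11:35:30 +0000 (UTC)
From: =?utf-8?Q?Post=2eat?= <noreply@post.at>
"""

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header value."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw):
    """Summarise the sender-authentication evidence in a raw message."""
    msg = message_from_string(raw)
    checks = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value):
            checks.setdefault(method, result)  # keep the topmost verdict
    # Transfer protocol after "with" per Received header, newest hop first;
    # the pattern skips the "with cipher" inside the TLS comment.
    protocols = [m.group(1) for h in msg.get_all("Received", [])
                 if (m := re.search(r"\bwith\s+((?:E?SMTP|LMTP)[A-Z]*)\b", h))]
    from_dom, env_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    findings = [f"{name} result is {res}"
                for name, res in sorted(checks.items()) if res != "pass"]
    if from_dom != env_dom:
        findings.append(f"From domain {from_dom} != envelope domain {env_dom}")
    # A keyword ending in A (ESMTPA, ESMTPSA) marks an authenticated hop.
    if not any(p.startswith("ESMTP") and p.endswith("A") for p in protocols):
        findings.append("no Received hop reports SMTP authentication")
    return {"checks": checks, "protocols": protocols, "findings": findings}

if __name__ == "__main__":
    for line in triage(SAMPLE)["findings"]:
        print("-", line)
```

Only the `Received:` and `Authentication-Results` headers written by your own provider can be trusted; everything further down the chain is supplied by the sender.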