SPAM from nogueramonique.now147.site: mailamomo@gmail.com

In passing

Email source:

Return-Path: <bounces+15758027-5951-farias=cyber-neurones.org@em1869.nogueramonique.now147.site>
...
Received: from chfztvsd.outbound-mail.sendgrid.net (chfztvsd.outbound-mail.sendgrid.net [192.254.120.109])
...
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nogueramonique.now147.site;
...
Date: Thu, 06 Aug 2020 09:52:42 +0000 (UTC)
From: Noguera Monique <noguera-monique@nogueramonique.now147.site>
Mime-Version: 1.0
Message-ID: <qfAv4sHmQ1OvQLHZ-4ZRSQ@ismtpd0092p1mdw1.sendgrid.net>
Subject: Latest News from Noguera Monique
Reply-To: mailamomo@gmail.com
...

Phishing: impot.gouv.fr refund

I received a phishing email impersonating the tax office:

Return-Path: <info@forasmile.org>
Delivered-To: ....
Received: (qmail 96024 invoked by uid 65534); 18 Apr 2020 12:33:28 -0000
Received: from unknown (HELO mxin7.phpnet.org) (10.52.1.13)
  by mails18.phpnet.org with SMTP; 18 Apr 2020 12:33:28 -0000
Received: by mxin7.phpnet.org (Postfix, from userid 1001)
	id 494C6w44Hvz2xGc; Sat, 18 Apr 2020 14:33:28 +0200 (CEST)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on spamd14.phpnet.org
X-Spam-Level: ***
X-Spam-Status: No, score=3.8 required=5.0 tests=BAYES_50,FROM_EXCESS_BASE64,
	HTML_MESSAGE,INVALID_DATE,MISSING_MIMEOLE,SPF_HELO_NONE,SPF_NONE,
	T_KAM_HTML_FONT_INVALID,URIBL_BLOCKED autolearn=no autolearn_force=no
	version=3.4.2
Received: from cus09-08.cs.nexin.it (cus09-08.cs.nexin.it [194.113.88.208])
	by mxin7.phpnet.org (Postfix) with ESMTPS id 494C6t6w55z2xFw
	for ....; Sat, 18 Apr 2020 14:33:26 +0200 (CEST)
Received: by cus09-08.cs.nexin.it (Postfix, from userid 5078)
	id A55D63C0D7; Sat, 18 Apr 2020 14:32:07 +0200 (CEST)
To: ....
Subject: =?UTF-8?B?W1Byw6lhdmlzXSAtIFJlbWJvdXJzZW1lbnQgTjAwNzg4Nzk1IDA0LzE4LzIwMjAgMDI6MzI6MDcgcG0u?=
X-PHP-Originating-Script: 5078:newsletter.php
Date: Sat, 18 Apr 2020 14:32:07 +0200
From: =?UTF-8?B?SW1wb3RzLmdvdXYuZnI=?= <info@forasmile.org>
Message-ID: <163e1bfa4bc5a6ef187307d3062ba8@www.forasmile.org>
X-Mailer: X-mailer: nlserver, Build 6.1.0.8192
List-Unsubscribe: <mailto:unsubscribe@www.forasmile.org?subject=/wf/unsubscribe*q*upn=ICUNALTOHVYZDRSEWKXPMBQJGF-27OJSNCA0BZPXGIE15LFHYDT34MQRU89V6WKDHCsvjNSlJrp3AVB7OqoFQf0E1YbhaxTtd2Xicn8GK94emyUgZIkMWuwPLRz65-3D>
X-MSMail-Priority: High
Importance: High
Organization: www.forasmile.org
X-mailer: nlserver, Build 6.1.0.8192
Date: 18/04/2020 02:32:07
X-AntiAbuse: This is a solicited email for - www.forasmile.org mailing list.
X-AntiAbuse: Servername - www.forasmile.org
X-OriginalArrivalTime: 16 Nov 2019 13:39:39.0481 (UTC) FILETIME=[7BF24490:01D0E3F2]
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="b1_21e63db75a4b0eae8ad576d4a763d98a"

This is a multi-part message in MIME format.

The message reads:

Tax notification – Refund

After the latest annual calculations for your fiscal year of activity, we have determined that

you are eligible to receive a tax refund of 169,73€

The domain names:

  • cus09-08.cs.nexin.it (Italy)
  • forasmile.org (at register.it: Italy)
  • URL of the fake site: remboursement.impots.fr.zunket.com (at whoisguard.com: Panama)

SPAM from server59.powerteam.com: DIRECTION GENERALE DES IMPOTS: new refunds available

A spam from server59.powerteam.com; note that SPF passes … thanks powerteam.com (it links to https://usersidlimited.com/remboursement/ : DO NOT CLICK THE LINK):

Return-Path: <service@userchecksecurity.com>
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on spamd14.phpnet.org
X-Spam-Level: 
X-Spam-Status: No, score=0.9 required=5.0 tests=BAYES_00,
	HEADER_FROM_DIFFERENT_DOMAINS,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,
	NORDNS_LOW_CONTRAST,SPF_HELO_NONE,SPF_SOFTFAIL,T_KAM_HTML_FONT_INVALID,
	URIBL_BLOCKED,URI_TRUNCATED autolearn=no autolearn_force=no
	version=3.4.2
Received: from server59.powerteam.com (unknown [185.67.1.85])
...
Authentication-Results: server59.powerteam.com;
	spf=pass (sender IP is 93.115.96.181) smtp.mailfrom=service@userchecksecurity.com smtp.helo=[93.115.96.181]
Received-SPF: pass (server59.powerteam.com: connection is authenticated)
...
Subject: Nouveaux remboursement disponibles
Message-ID: <cbd03706a3c4724ea0337688b69973d1@93.115.96.181>
Date: Mon, 16 Dec 2019 00:10:13 +0100
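
The anomalies visible in the three header dumps above can be checked mechanically: the Gmail Reply-To, the base64-encoded "Impots.gouv.fr" display name, and the spf=pass stamped by server59.powerteam.com rather than by the receiving server (whose SpamAssassin recorded SPF_SOFTFAIL). This is an added example, not code from the original post; `triage`, the finding names and the choice of mxin7.phpnet.org as the trusted authserv-id are assumptions.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

TRUSTED_AUTHSERV = {"mxin7.phpnet.org"}  # assumption: the recipient's own border MTA

def _aligned(a, b):
    """Relaxed match: equal, or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def triage(raw_headers):
    """Return the sorted findings for one header block."""
    msg, out = message_from_string(raw_headers), set()
    name, addr = parseaddr(msg.get("From", ""))
    name = str(make_header(decode_header(name)))  # undo RFC 2047 encoding
    frm = addr.rpartition("@")[2].lower()
    if frm:
        # A display name that looks like a domain other than the sender's.
        for shown in re.findall(r"[\w-]+(?:\.[\w-]+)+", name.lower()):
            if not _aligned(shown, frm):
                out.add("display-name-domain")
        # Replies or bounces routed to a domain unrelated to the From domain.
        for hdr, tag in (("Reply-To", "reply-to-mismatch"), ("Return-Path", "return-path-mismatch")):
            other = parseaddr(msg.get(hdr, ""))[1].rpartition("@")[2].lower()
            if other and not _aligned(other, frm):
                out.add(tag)
    # Authentication-Results written by someone else's server is only a claim.
    for value in msg.get_all("Authentication-Results", []):
        if value.split(";")[0].strip().lower() not in TRUSTED_AUTHSERV:
            out.add("foreign-authentication-results")
    return sorted(out)

# Header lines copied from the three messages above (only the fields used).
SENDGRID = """Return-Path: <bounces+15758027-5951-farias=cyber-neurones.org@em1869.nogueramonique.now147.site>
From: Noguera Monique <noguera-monique@nogueramonique.now147.site>
Reply-To: mailamomo@gmail.com
"""
TAX = """Return-Path: <info@forasmile.org>
From: =?UTF-8?B?SW1wb3RzLmdvdXYuZnI=?= <info@forasmile.org>
"""
POWERTEAM = """Return-Path: <service@userchecksecurity.com>
Authentication-Results: server59.powerteam.com;
\tspf=pass (sender IP is 93.115.96.181) smtp.mailfrom=service@userchecksecurity.com smtp.helo=[93.115.96.181]
"""

if __name__ == "__main__":
    for raw in (SENDGRID, TAX, POWERTEAM):
        print(triage(raw))
```

The third message's From header is elided on the page, so only its Authentication-Results line is evaluated.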

Whois:

  • powerteam.com:
Registrant Contact Information:
Name Domain Administrator
Organization SPX FLOW, Inc.
Address 13320 Ballantyne Corporate Place
City Charlotte
State / Province NC
Postal Code 28277
Country US
Phone +1.7047524626
Email
  • usersidlimited.com
    • OVH: Thanks …. it's nice when things stay French … How sad.

The message is rather well done …. we're making progress:

Yet another ransom demand: 15MNVJ1eQvoY2osLxqZDEszckA73V7KPa1

Looking at the email in detail:

Return-Path: <alex@email.no>
..
Received: from epost.no (unknown [188.166.48.88])
...
X-Sender: <alex@email.no>
...
Message-ID: <70.2569.7562.DA93A@email.no>
...
X-Complaints-To: <abuse@mail.email.no>
...
List-Subscribe: <https://email.no/lists/?p=subscribe>
...
Date: Thu, 13 Jun 2019 17:34:47 +0200
...
X-CSA-Complaints: whitelistcomplaints@email.no
...
X-Sender-Info: <alex@email.no>
...
Abuse-Reports-To: abuse@email.no
...

The message: