by ourston » Wed May 26, 2021 1:39 pm
I received an email from an entity that is trying to spoof a message from Netflix. Has a file attachment that I suspect is malware enabled. I am not sure if others on Sonic are being targeted, so I am posting the header here.
X-Account-Key: account1
X-UIDL: 1622001470.21805_0.a.local-delivery,S=21188
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path: <admin@gregormail.net>
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on e.spam.sonic.net
X-Spam-Level: ***
X-Spam-Status: No, score=3.2 required=4.0 tests=DCC_CHECK,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,
HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,SNF4SA,SPF_HELO_NONE,
TVD_FW_GRAPHIC_NAME_MID,URIBL_DBL_ABUSE_REDIR shortcircuit=no
autolearn=disabled version=3.4.6
X-Spam-SNF-Result: 0 (Standard White Rules)
X-Spam-MessageSniffer-Scan-Result:
X-Spam-MessageSniffer-Rules:
0-0-0-21780-c
X-Spam-GBUdb-Analysis: 0, 157.131.224.145, Ugly c=1 p=-0.785401 Source Normal
Received: from b.mx.sonic.net (a.spam-proxy.sonic.net [157.131.224.145])
by a.local-delivery (8.14.7/8.14.7) with ESMTP id 14Q3vn6D021803
(version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT)
for <o*****n@lds.sonic.net>; Tue, 25 May 2021 20:57:49 -0700
Received: from mail.gregormail.net (mail.gregormail.net [185.164.7.194])
by b.mx.sonic.net (8.14.7/8.14.7) with ESMTP id 14Q3vkVL239946
(version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT)
for <o*****n@sonic.net>; Tue, 25 May 2021 20:57:48 -0700
Received: from mail.gregormail.net (mail.gregormail.net [127.0.0.1])
by mail.gregormail.net (Postfix) with ESMTP id 4FqcZz6NJzz74Fg
for <o*****n@sonic.net>; Wed, 26 May 2021 05:56:59 +0200 (CEST)
Authentication-Results: mail.gregormail.net (amavisd-new);
dkim=pass (2048-bit key) reason="pass (just generated, assumed good)"
header.d=gregormail.net
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gregormail.net;
h=content-type:mime-version:message-id:date:subject:to:from; s=
dkim; t=1622001419; x=1624593420; bh=ylI660GT+R3mui7Hg4C8KZO506K
rprYb7C9QEZysS3A=; b=Epq0j+FxVT/gHYyGcUjbQN6MCDQ0lA0A54cOIMwWfiV
JNLdSzBiqs8XD7yeGXfiGC+ywuQmsybVgC1WVf5CUCn8mVMuqT8o6FjlVxADnlIw
baxAs9Cl3xNQLDfgM6wcnbnH6ILUFCtHlmsvspGwXvBQj71nWqLDrz0n8jMfleNj
vrXj2PI9kWWfIq05bCwpzvBLHaBK0X8di/a7GzIl41z9JjvQDDltWN4tS6zTT083
RJPWok3Y3qTiAtoeETivW0B3U49nu2S6Wem5yJIexE4tN2cKmjQOQcqkwb4MxTOR
2akVr+bzZBHPzVZBf1l16MCLbKIz7is822jbv3kXDmw==
X-Virus-Scanned: Debian amavisd-new at localhost.localdomain
Received: from mail.gregormail.net ([127.0.0.1])
by mail.gregormail.net (mail.gregormail.net [127.0.0.1]) (amavisd-new, port 10026)
with ESMTP id 4U0l9asUAl_B for <o*****n@sonic.net>;
Wed, 26 May 2021 05:56:59 +0200 (CEST)
Received: from mail.gregormail.net (ec2-54-191-50-88.us-west-2.compute.amazonaws.com [54.191.50.88])
by mail.gregormail.net (Postfix) with ESMTPSA id 4FqcYk5mC7z75vW
for <o*****n@sonic.net>; Wed, 26 May 2021 05:55:54 +0200 (CEST)
From: NeIflix <admin@gregormail.net>
To: o*****n@sonic.net
Subject: We are unable to renew your membership
Date: 26 May 2021 03:55:57 +0000
Message-ID: <20210526034727.2E35657ED00D3FC8@gregormail.net>
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="----=_NextPart_000_0012_308CEC60.1C206A6E"
X-Orthrus: tar=0 grey=no co=AT os=Linux/3.11 and newer/12 spf=permerror dkim=pass
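As an added triage example (not code from the original post), the script below reads the header above the way a defender would: it walks the Received chain back to the first hop (the EC2 host that submitted the message to gregormail.net), and it flags the "NeIflix" display name as a one-character lookalike of a brand that does not match the sending domain, the DKIM d= domain, or the SPF result. The header excerpt is constructed from the lines posted above with the recipient and several headers trimmed; the brand list and the reading of X-Orthrus as the receiving ISP's own verdict header are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed excerpt of the header posted above (scanner headers, the middle relay,
# the "for" clauses and the DKIM b= blob trimmed); a full raw header parses the same way.
RAW_HEADER = """\
Received: from b.mx.sonic.net (a.spam-proxy.sonic.net [157.131.224.145])
  by a.local-delivery (8.14.7/8.14.7) with ESMTP id 14Q3vn6D021803
Received: from mail.gregormail.net (ec2-54-191-50-88.us-west-2.compute.amazonaws.com [54.191.50.88])
  by mail.gregormail.net (Postfix) with ESMTPSA id 4FqcYk5mC7z75vW
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gregormail.net; s=dkim;
From: NeIflix <admin@gregormail.net>
X-Orthrus: tar=0 grey=no co=AT os=Linux/3.11 and newer/12 spf=permerror dkim=pass
"""
# Sendmail/Postfix clause: from <HELO name> (<reverse DNS> [<IP>]) by <receiving host>
HOP_RE = re.compile(r"from\s+(\S+)\s+\(([^\s\[\]]+)?\s*\[([0-9a-fA-F.:]+)\]\)\s+by\s+(\S+)")

def received_hops(raw_header):
    """Relay chain oldest-first as (HELO name, reverse DNS, IP, receiving host)."""
    values = message_from_string(raw_header).get_all("Received", [])
    hops = [tuple(g or "" for g in m.groups())  # unfold continuation lines first
            for v in values if (m := HOP_RE.search(" ".join(v.split())))]
    return hops[::-1]  # each MTA prepends its header, so the last one is the first hop

def edit_distance(a, b):
    """Levenshtein distance; a single edit turns 'netflix' into 'neiflix'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def spoof_indicators(raw_header, brands=("netflix",)):
    msg, findings = message_from_string(raw_header), []
    display, addr = parseaddr(msg["From"])
    domain = addr.rpartition("@")[2].lower()
    for brand in brands:
        if edit_distance(display.lower().replace(" ", ""), brand) <= 1 and brand not in domain:
            findings.append(f"display name {display!r} imitates {brand} but the address is @{domain}")
    tags = dict(re.findall(r"(\w+)=([^;\s]+)", msg.get("DKIM-Signature", "")))
    if tags.get("d") and not any(b in tags["d"] for b in brands):
        findings.append(f"DKIM pass only vouches for {tags['d']}, not for the brand shown")
    if "spf=permerror" in msg.get("X-Orthrus", ""):  # assumed to be the receiving ISP's verdict
        findings.append("SPF permerror: the sender domain publishes no usable SPF record")
    hops = received_hops(raw_header)
    if hops and hops[0][1] != hops[0][0]:
        findings.append(f"first hop HELO {hops[0][0]} but reverse DNS {hops[0][1]} ({hops[0][2]})")
    return findings
```

Run `spoof_indicators(RAW_HEADER)` on the excerpt and all four indicators fire; the same checks on a genuine sender whose From domain, DKIM d= and display name agree return nothing.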