Hello All!

An amateur operating from Austria/Belgium in cahoots with Italy:

Looks genuine enough: https://photos.kolico.ca/tmp/dhl-3.jpg

BUT..

Return-Path: <[email protected]>
Delivered-To: [email protected]
Envelope-to: [email protected]
Delivery-date: Wed, 03 Mar 2021 23:02:31 -0500
X-EN-OrigIP: 213.33.87.16
Received: from [192.168.43.137] (19-176-62-37.mobileinternet.proximus.be [37.62.176.19])
From: [email protected]
To: "books" <[email protected]>
Subject: DHL EXPRESS : Your Package is waiting for delivery
X-Mailer: Microsoft Office Outlook 12.0

This is a multi-part message in MIME format.

------=_NextPart_000_0001_37E711D9.D58E9144
Content-Type: text/plain;
charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Dear Client,Your Package is waiting for delivery. Please
confirm the payment (4,99 $) on the link below, the online
verification needs to be done in the next 2 days before it expires

Click here. Thank you for your trust,
DHL EXPRESS

------=_NextPart_000_0001_37E711D9.D58E9144

The "Click here" boils down to:

"h##p://gadfi.andrewbasso.it/fadujk"

Any dibs that this guy's name is Andre Basso?

This is almost enough to make me want to switch entirely to pure
TEXT email.
--
../|ug

--- OpenXP 5.0.49
* Origin: (1:396/45.29)

Hi August,

On 2021-03-03 23:41:00, you wrote to All:

An amateur operating from Austria/Belgium in cahoots with Italy:

Looks genuine enough: https://photos.kolico.ca/tmp/dhl-3.jpg

BUT..

Return-Path: <[email protected]>
Delivered-To: [email protected]
Envelope-to: [email protected]
Delivery-date: Wed, 03 Mar 2021 23:02:31 -0500
X-EN-OrigIP: 213.33.87.16
Received: from [192.168.43.137] (19-176-62-37.mobileinternet.proximus.be [37.62.176.19])
From: [email protected]
To: "books" <[email protected]>
Subject: DHL EXPRESS : Your Package is waiting for delivery
X-Mailer: Microsoft Office Outlook 12.0

This is a multi-part message in MIME format.

------=_NextPart_000_0001_37E711D9.D58E9144
Content-Type: text/plain;
charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Dear Client,Your Package is waiting for delivery. Please
confirm the payment (4,99 $) on the link below, the online
verification needs to be done in the next 2 days before it expires

Click here. Thank you for your trust,
DHL EXPRESS

------=_NextPart_000_0001_37E711D9.D58E9144

The "Click here" boils down to:

"h##p://gadfi.andrewbasso.it/fadujk"

Any dibs that this guy's name is Andre Basso?

This is almost enough to make me want to switch entirely to pure
TEXT email.

Why do you spend time on these obvious scams? I don't even see most of them, because my spam filter takes care of them. The few ones that get through I just delete... ;)

Bye, Wilfred.

--- FMail-lnx64 2.1.0.18-B20170815
* Origin: FMail development HQ (2:280/464)

Hello Wilfred!

** On Thursday 04.03.21 - 10:41, you wrote:

The "Click here" boils down to:

"h##p://gadfi.andrewbasso.it/fadujk"

Why do you spend time on these obvious scams? I don't even
see most of them, because my spam filter takes care of
them. The few ones that get through I just delete... ;)

Why? Partly because they don't look entirely obvious. I don't
use any special spam filters except for what Outlook (desktop)
might deem suspicious. Gmail seems to do things pretty well
autonomously (I've seen repeated spam/scam there) And my ISP's
web interface using Roundcube has filters that I built to ignore
certain annoying and obvious ones like the .buzz TLD.

The domain/link above looks entirely benign, although it was
hidden with the "graphic" button that the html message produced.

And.. I find it rather interesting how persistent some scammers
are with old techniques.

One of the emails that utilized a header field to trigger the
potential launch of a script - really pissed me off.

Perhaps the best strategy would be not to share and disclose
"discoveries" like these in general, anywhere. That way, the
perpetrator wouldn't understand why their cleverly designed
"DHL" emails for example are never taken as bait.

Maybe I am preaching to the choir about these things in this
echo of followers - albiet the choir is small. :/
--
../|ug

--- OpenXP 5.0.49
* Origin: (2:221/1.58)

Hi August,

On 2021-03-04 07:58:00, you wrote to me:

Why do you spend time on these obvious scams? I don't even
see most of them, because my spam filter takes care of
them. The few ones that get through I just delete... ;)

Why? Partly because they don't look entirely obvious. I don't
use any special spam filters except for what Outlook (desktop)
might deem suspicious. Gmail seems to do things pretty well
autonomously (I've seen repeated spam/scam there) And my ISP's
web interface using Roundcube has filters that I built to ignore
certain annoying and obvious ones like the .buzz TLD.

My ISP has their own spamfilter, which is managed by fulltime professionals. And I also use gmail, which probably has even more professionals dealing with this. As an amateur you can't do better, so I trust them.

The domain/link above looks entirely benign, although it was
hidden with the "graphic" button that the html message produced.

And.. I find it rather interesting how persistent some scammers
are with old techniques.

They don't care, as long as they get a couple of responses to the millions of messages the send out (at very little cost), it's worth there while...

One of the emails that utilized a header field to trigger the
potential launch of a script - really pissed me off.

Perhaps the best strategy would be not to share and disclose
"discoveries" like these in general, anywhere. That way, the
perpetrator wouldn't understand why their cleverly designed
"DHL" emails for example are never taken as bait.

See above. And let the professionals deal with it.


Bye, Wilfred.

--- FMail-lnx64 2.1.0.18-B20170815
* Origin: FMail development HQ (2:280/464)

August Abolins said to All <-

Hello All!

An amateur operating from Austria/Belgium in cahoots with Italy:

Click here. Thank you for your trust,
DHL EXPRESS

------=_NextPart_000_0001_37E711D9.D58E9144

The "Click here" boils down to:

"h##p://gadfi.andrewbasso.it/fadujk"

Any dibs that this guy's name is Andre Basso?

My rule is if I get emails from a company I don't deal with and nobody I know has supposedly sent me something I ignore it, so far not once, has a package been returned to some on. However, clicking links like those could confirm to a possible spammer that yours is an active email. Which means more lovely spam. :(



... Not now ... I have to go mow the laundry.
___ MultiMail/Linux v0.49

--- Mystic BBS/QWK v1.12 A46 2020/08/26 (Windows/32)
* Origin: Communication Connection 1:120/457 (1:120/457)

Hello Mark Seifert!

** On Thursday 04.03.21 - 19:59, you wrote to me:

The "Click here" boils down to:

"h##p://gadfi.andrewbasso.it/fadujk"

My rule is if I get emails from a company I don't deal with
and nobody I know has supposedly sent me something I ignore
it, ...

Yes. Excellent. But the problem was that the link above was
obscured by the email program. Thankfully, by just hovering
over any links, I can see the bogus redirects.

But I don't think those links are revealed in webmail
interfaces. And webmail use is probably becoming more and more
prominent.

..However, clicking links like those could confirm to a
possible spammer that yours is an active email. Which
means more lovely spam. :(

Correct. In cases like that it is best to do what I've heard
some folks say: shoot, shovel, and shut up.

--
../|ug

--- OpenXP 5.0.49
* Origin: (2:221/1.58)

Re: Austria/Belgium in cahoots with Italy
By: August Abolins to Mark Seifert on Thu Mar 04 2021 21:17:00

But I don't think those links are revealed in webmail
interfaces. And webmail use is probably becoming more and more
prominent.

IMPO, that's a poorly written webmail interface...


)\/(ark
--- SBBSecho 3.11-Linux
* Origin: SouthEast Star Mail HUB - SESTAR (1:3634/12)