• Austria/Belgium in cahoots with Italy

    From August Abolins@1:396/45.29 to All on Wed Mar 3 23:41:00 2021
    Hello All!

    An amateur operating from Austria/Belgium in cahoots with Italy:

    Looks genuine enough: https://photos.kolico.ca/tmp/dhl-3.jpg

    BUT..

    Return-Path: <akalo@dictavoice.at>
    Delivered-To: august@ashlies.ca
    Envelope-to: books@ashlies.ca
    Delivery-date: Wed, 03 Mar 2021 23:02:31 -0500
    X-EN-OrigIP: 213.33.87.16
    Received: from [192.168.43.137] (19-176-62-37.mobileinternet.proximus.be [37.62.176.19])
    From: noreply@dhlverification.com
    To: "books" <books@ashlies.ca>
    Subject: DHL EXPRESS : Your Package is waiting for delivery
    X-Mailer: Microsoft Office Outlook 12.0

    This is a multi-part message in MIME format.

    ------=_NextPart_000_0001_37E711D9.D58E9144
    Content-Type: text/plain;
    charset="utf-8"
    Content-Transfer-Encoding: quoted-printable

    Dear Client,Your Package is waiting for delivery. Please
    confirm the payment (4,99 $) on the link below, the online
    verification needs to be done in the next 2 days before it expires

    Click here. Thank you for your trust,
    DHL EXPRESS

    ------=_NextPart_000_0001_37E711D9.D58E9144

    The "Click here" boils down to:

    "h##p://gadfi.andrewbasso.it/fadujk"

    Any dibs that this guy's name is Andre Basso?

    This is almost enough to make me want to switch entirely to pure
    TEXT email.
    --
    ../|ug

    --- OpenXP 5.0.49
    * Origin: (1:396/45.29)
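The mismatches visible in the headers quoted in the post above can be checked mechanically. This is an added example, not part of the original post; the `brand_domains` parameter (here `dhl.com`) and the two-label `org_domain` shortcut are assumptions of the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers copied from the post above (Delivery-date omitted; it is not used).
RAW = """\
Return-Path: <akalo@dictavoice.at>
Delivered-To: august@ashlies.ca
Envelope-to: books@ashlies.ca
X-EN-OrigIP: 213.33.87.16
Received: from [192.168.43.137] (19-176-62-37.mobileinternet.proximus.be [37.62.176.19])
From: noreply@dhlverification.com
To: "books" <books@ashlies.ca>
Subject: DHL EXPRESS : Your Package is waiting for delivery
X-Mailer: Microsoft Office Outlook 12.0

"""

def addr_domain(value):
    """Domain part of the address in a header value, lower-cased ('' if none)."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def org_domain(host):
    """Last two labels only: a simplification, no public-suffix list is used."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def header_findings(raw, brand_domains=("dhl.com",)):
    """Return a list of (check, detail) tuples for sender-identity mismatches.

    brand_domains is an assumption supplied by the analyst: the domains the
    claimed sender is expected to mail from.
    """
    msg = message_from_string(raw)
    from_dom = org_domain(addr_domain(msg["From"]))
    bounce_dom = org_domain(addr_domain(msg["Return-Path"]))
    findings = []
    if from_dom != bounce_dom:
        findings.append(("from-vs-return-path", f"{from_dom} vs {bounce_dom}"))
    if from_dom not in brand_domains:
        findings.append(("from-not-brand", from_dom))
    # Reverse-DNS name and IP the receiving server recorded for the client.
    m = re.search(r"\(([A-Za-z0-9.-]+) \[([0-9.]+)\]\)", msg["Received"] or "")
    if m and org_domain(m.group(1)) not in (from_dom, bounce_dom):
        findings.append(("relay-unrelated", f"{m.group(1)} [{m.group(2)}]"))
    return findings

if __name__ == "__main__":
    for check, detail in header_findings(RAW):
        print(f"{check}: {detail}")
```

A From/Return-Path mismatch also occurs in legitimate bulk mail sent through a mailing service, so each finding is a signal to weigh together with the others, not a verdict on its own.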
  • From Wilfred van Velzen@2:280/464 to August Abolins on Thu Mar 4 10:41:30 2021
    Hi August,

    On 2021-03-03 23:41:00, you wrote to All:

    An amateur operating from Austria/Belgium in cahoots with Italy:

    Looks genuine enough: https://photos.kolico.ca/tmp/dhl-3.jpg

    BUT..

    Return-Path: <akalo@dictavoice.at>
    Delivered-To: august@ashlies.ca
    Envelope-to: books@ashlies.ca
    Delivery-date: Wed, 03 Mar 2021 23:02:31 -0500
    X-EN-OrigIP: 213.33.87.16
    Received: from [192.168.43.137] (19-176-62-37.mobileinternet.proximus.be [37.62.176.19])
    From: noreply@dhlverification.com
    To: "books" <books@ashlies.ca>
    Subject: DHL EXPRESS : Your Package is waiting for delivery
    X-Mailer: Microsoft Office Outlook 12.0

    This is a multi-part message in MIME format.

    ------=_NextPart_000_0001_37E711D9.D58E9144
    Content-Type: text/plain;
    charset="utf-8"
    Content-Transfer-Encoding: quoted-printable

    Dear Client,Your Package is waiting for delivery. Please
    confirm the payment (4,99 $) on the link below, the online
    verification needs to be done in the next 2 days before it expires

    Click here. Thank you for your trust,
    DHL EXPRESS

    ------=_NextPart_000_0001_37E711D9.D58E9144

    The "Click here" boils down to:

    "h##p://gadfi.andrewbasso.it/fadujk"

    Any dibs that this guy's name is Andre Basso?

    This is almost enough to make me want to switch entirely to pure
    TEXT email.

    Why do you spend time on these obvious scams? I don't even see most of them, because my spam filter takes care of them. The few ones that get through I just delete... ;)

    Bye, Wilfred.

    --- FMail-lnx64 2.1.0.18-B20170815
    * Origin: FMail development HQ (2:280/464)
  • From August Abolins@2:221/1.58 to Wilfred van Velzen on Thu Mar 4 07:58:00 2021
    Hello Wilfred!

    ** On Thursday 04.03.21 - 10:41, you wrote:

    The "Click here" boils down to:

    "h##p://gadfi.andrewbasso.it/fadujk"

    Why do you spend time on these obvious scams? I don't even
    see most of them, because my spam filter takes care of
    them. The few ones that get through I just delete... ;)

    Why? Partly because they don't look entirely obvious. I don't
    use any special spam filters except for what Outlook (desktop)
    might deem suspicious. Gmail seems to do things pretty well
    autonomously (I've seen repeated spam/scam there). And my ISP's
    web interface using Roundcube has filters that I built to ignore
    certain annoying and obvious ones like the .buzz TLD.

    The domain/link above looks entirely benign, although it was
    hidden with the "graphic" button that the html message produced.

    And.. I find it rather interesting how persistent some scammers
    are with old techniques.

    One of the emails that utilized a header field to trigger the
    potential launch of a script - really pissed me off.

    Perhaps the best strategy would be not to share and disclose
    "discoveries" like these in general, anywhere. That way, the
    perpetrator wouldn't understand why their cleverly designed
    "DHL" emails for example are never taken as bait.

    Maybe I am preaching to the choir about these things in this
    echo of followers - albeit the choir is small. :/
    --
    ../|ug

    --- OpenXP 5.0.49
    * Origin: (2:221/1.58)
  • From Wilfred van Velzen@2:280/464 to August Abolins on Thu Mar 4 14:47:08 2021
    Hi August,

    On 2021-03-04 07:58:00, you wrote to me:

    Why do you spend time on these obvious scams? I don't even
    see most of them, because my spam filter takes care of
    them. The few ones that get through I just delete... ;)

    Why? Partly because they don't look entirely obvious. I don't
    use any special spam filters except for what Outlook (desktop)
    might deem suspicious. Gmail seems to do things pretty well
    autonomously (I've seen repeated spam/scam there). And my ISP's
    web interface using Roundcube has filters that I built to ignore
    certain annoying and obvious ones like the .buzz TLD.

    My ISP has their own spamfilter, which is managed by fulltime professionals. And I also use gmail, which probably has even more professionals dealing with this. As an amateur you can't do better, so I trust them.

    The domain/link above looks entirely benign, although it was
    hidden with the "graphic" button that the html message produced.

    And.. I find it rather interesting how persistent some scammers
    are with old techniques.

    They don't care, as long as they get a couple of responses to the millions of messages they send out (at very little cost), it's worth their while...

    One of the emails that utilized a header field to trigger the
    potential launch of a script - really pissed me off.

    Perhaps the best strategy would be not to share and disclose
    "discoveries" like these in general, anywhere. That way, the
    perpetrator wouldn't understand why their cleverly designed
    "DHL" emails for example are never taken as bait.

    See above. And let the professionals deal with it.


    Bye, Wilfred.

    --- FMail-lnx64 2.1.0.18-B20170815
    * Origin: FMail development HQ (2:280/464)
  • From Mark Seifert@1:120/457 to August Abolins on Thu Mar 4 19:59:48 2021
    August Abolins said to All <-

    Hello All!

    An amateur operating from Austria/Belgium in cahoots with Italy:

    Click here. Thank you for your trust,
    DHL EXPRESS

    ------=_NextPart_000_0001_37E711D9.D58E9144

    The "Click here" boils down to:

    "h##p://gadfi.andrewbasso.it/fadujk"

    Any dibs that this guy's name is Andre Basso?

    My rule is: if I get emails from a company I don't deal with and nobody I know has supposedly sent me something, I ignore it. So far, not once has a package been returned to someone. However, clicking links like those could confirm to a possible spammer that yours is an active email. Which means more lovely spam. :(



    ... Not now ... I have to go mow the laundry.
    ___ MultiMail/Linux v0.49

    --- Mystic BBS/QWK v1.12 A46 2020/08/26 (Windows/32)
    * Origin: Communication Connection 1:120/457 (1:120/457)
  • From August Abolins@2:221/1.58 to Mark Seifert on Thu Mar 4 21:17:00 2021
    Hello Mark Seifert!

    ** On Thursday 04.03.21 - 19:59, you wrote to me:

    The "Click here" boils down to:

    "h##p://gadfi.andrewbasso.it/fadujk"

    My rule is if I get emails from a company I don't deal with
    and nobody I know has supposedly sent me something I ignore
    it, ...

    Yes. Excellent. But the problem was that the link above was
    obscured by the email program. Thankfully, by just hovering
    over any links, I can see the bogus redirects.

    But I don't think those links are revealed in webmail
    interfaces. And webmail use is probably becoming more and more
    prominent.

    ..However, clicking links like those could confirm to a
    possible spammer that yours is an active email. Which
    means more lovely spam. :(

    Correct. In cases like that it is best to do what I've heard
    some folks say: shoot, shovel, and shut up.

    --
    ../|ug

    --- OpenXP 5.0.49
    * Origin: (2:221/1.58)
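What hovering over a link reveals, as discussed in the post above, can also be produced by a mail client or filter when it renders an HTML part: list every anchor with its real target and flag the ones whose visible text hides or contradicts it. This is an added example, not part of the original thread; the HTML sample is constructed and its link host is a placeholder, not the one quoted in the thread.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML part: an image button, a misleading text link, an honest link.
SAMPLE_HTML = """<p>Dear Client, Your Package is waiting for delivery.</p>
<a href="http://redirect.example.net/x"><img src="cid:button" alt="Click here"></a>
<p>Track at <a href="http://redirect.example.net/t">www.dhl.com/track</a></p>
<p><a href="https://www.dhl.com/help">www.dhl.com/help</a></p>"""

class LinkCollector(HTMLParser):
    """Collect (visible_text, href) for every <a>; an image's alt counts as text."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and self._href is not None:
            self._text.append(a.get("alt") or "")
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None

HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)")

def audit_links(html):
    """Return (text, href, verdict) per link: 'hidden', 'mismatch' or 'ok'."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    out = []
    for text, href in parser.links:
        target = (urlsplit(href).hostname or "").lower()
        m = HOST_IN_TEXT.search(text.lower())
        if m is None:
            verdict = "hidden"      # text such as "Click here" names no host
        elif m.group(1) != target:
            verdict = "mismatch"    # text names one host, href goes to another
        else:
            verdict = "ok"
        out.append((text, href, verdict))
    return out
```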
  • From mark lewis@1:3634/12 to August Abolins on Fri Mar 5 06:49:20 2021
    Re: Austria/Belgium in cahoots with Italy
    By: August Abolins to Mark Seifert on Thu Mar 04 2021 21:17:00


    But I don't think those links are revealed in webmail
    interfaces. And webmail use is probably becoming more and more
    prominent.

    IMPO, that's a poorly written webmail interface...


    )\/(ark
    --- SBBSecho 3.11-Linux
    * Origin: SouthEast Star Mail HUB - SESTAR (1:3634/12)