[nmglug] Spam question additional

sam s at mnoble.net
Thu Jun 2 11:26:01 PDT 2022


On June 2, 2022 12:03:11 PM MDT, Brian O'Keefe <okeefe at cybermesa.com> wrote:
>Hi All,
>
>I checked the message source on one of the spam emails and got this which seems more than suspicious. Maybe I need to change my security preferences.
>
>From - Thu Jun  2 11:12:43 2022
>X-Account-Key: account4
>X-UIDL: UID365990-1240367566
>X-Mozilla-Status: 0001
>X-Mozilla-Status2: 00000000
>X-Mozilla-Keys:
>Return-Path: <MAILER-DAEMON>
>Delivered-To: okeefe at cybermesa.com
>Received: from pmg-001.cybermesa.com (smtp-in.cybermesa.com [65.19.2.51])
>	by smtp-in-006.cybermesa.com (Postfix) with ESMTPS id 5BEF9C0E9E
>	for <okeefe at cybermesa.com>; Thu,  2 Jun 2022 05:47:28 -0600 (MDT)
>Received: from pmg-001.cybermesa.com (localhost.localdomain [127.0.0.1])
>	by pmg-001.cybermesa.com (Proxmox) with ESMTP id 4D17C52008A
>	for <okeefe at cybermesa.com>; Thu,  2 Jun 2022 05:47:28 -0600 (MDT)
>Received: from pilottoviaggi.com (unknown [89.32.41.152])
>	by pmg-001.cybermesa.com (Proxmox) with ESMTP id 90263520089
>	for <okeefe at cybermesa.com>; Thu,  2 Jun 2022 05:47:27 -0600 (MDT)
>Received: from 10.197.36.138
> by atlas108.aol.mail.bf1.yahoo.com with HTTPS; Fri, 13 May 2026 09:57:26 +0000
>X-Originating-Ip: [209.85.221.42]
>Received-SPF: pass (domain of gmail.com designates 209.85.221.42 as permitted sender)
>Authentication-Results: atlas108.aol.mail.bf1.yahoo.com;
> dkim=pass header.i=@gmail.com header.s=20210112;
> spf=pass smtp.mailfrom=gmail.com;
> dmarc=pass(p=NONE,sp=QUARANTINE) header.from=gmail.com;
>X-Apparently-To: okeefe at cybermesa.com; Fri, 13 May 2026 09:57:26 +0000
>Received: from 209.85.221.42 (EHLO mail-wr1-f42.google.com)
> by 10.197.36.138 with SMTPs
> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256);
> Fri, 13 May 2026 09:57:26 +0000
>Received: by mail-wr1-f42.google.com with SMTP id t6so10727479wra.4
>        for <okeefe at cybermesa.com>; Fri, 13 May 2026 02:57:26 -0700 (PDT)
>DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
>        d=gmail.com; s=20210112;
>        h=mime-version:references:in-reply-to:from:date:message-id:subject:to;
>        bh=hWVfw9TTlJCN5Vxd8HOhY22WAdU7pcrs5h4JmLPPJcI=;
>        b=Mwd4WhChvWEtyiIgFgcTSxs5upIyDgRU5DsjKdgw8ruYhjzVxRz4nbsPAzeVP3DWqx
>         lsVdcU4N5tvUFFohmu4GYo0n+cfJKzpjZzxJkT5LY0I906llAHt774eZUbWmUkW8F0bI
>         eEAWoWu6hVV0/DB58+Rha++mTxCX5IW9+FYwIsDzec5FbGf/tqqaw1NX3fhwXNEx8qV/
>         Iv/UAv/6wzguzMV5Y57QIN4IQXQBLP1Nm2r5b5Lnk+3LRGVXCgXlksj8BwtmS4R8I3Tg
>         hEsPF92/pjUYmtYKXHSk/U7mkQP+3Ppnq/LeBsipA/a7lRp8ayh5WiLlXeK7feND2Xx1
>         ox0A==
>X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
>        d=1e100.net; s=20210112;
>        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
>         :message-id:subject:to;
>        bh=hWVfw9TTlJCN5Vxd8HOhY22WAdU7pcrs5h4JmLPPJcI=;
>        b=5NSXhLAD3jSuFVmFR87A3M++7CHwWBbI5Z1QPj4SCN5bo7m/yb+eleOh2t11N77lIp
>         eaAjyP41jBTEtlBgOARjgkg7QJpLp9p0O7O7n7aCxiaWTj/+p+KFelHdLpSAIW3tYpkn
>         AglZ5M8odAgqcPsZjlixcGXgduLn6qoyOivKIjHnP2MkV/tswyqrLZUap5ayAcdfnPv3
>         cFnjjHRXk6y83WsaIv+yyW5QLhpMbPKd8xh2gRCZ5LyKEJgtJrp83Lb7JNcBHZvR3xnr
>         G/XeesIrCVRr/j5jkBzhNnKSN7OH7losq5FXCPzgpu7E35qQfLTo7SM/B8KGIHwUd8cn
>         c+tA==
>X-Gm-Message-State: AOAM5310qk11pGFZpfmhIBQRE3Qp2WX4jhVibyYuQaIDtNDHUlZsxJEy
>	sBF9171zO6V+lxDPcMo0bcp2/bMV/CVQbilNp3HTRWRTo9fs7A==
>X-Google-Smtp-Source: ABdhPJxualjsu85sMjeLXylxQd+iNskvFVaFCKlo50ZVw096E94ptHc7uRGcDe598UgMLxrBSi80mG+VRI8qQPk9yjc=
>X-Received: by 2002:adf:dcc9:0:b0:20c:f517:c130 with SMTP id
> x9-20020adfdcc9000000b0020cf517c130mr193277wrm.677.1652435846164; Fri, 13 May
> 2026 02:57:26 -0700 (PDT)
>MIME-Version: 1.0
>References: <2073398516.2890515.1652435792098.ref at mail.yahoo.com>
> <2073398516.2890515.1652435792098 at mail.yahoo.com>  <DB9P193MB1580510D8F402F5E5082C037CDCA9 at DB9P193MB1580.EURP193.PROD.OUTLOOK.COM>
>From: "T-Mobile" <okeefe at cybermesa.com>
>Date: Fri, 13 May 2026 02:57:15 -0700
>Message-ID: <CAPrzedXupjsoVYoe8CYpNKMhBS_GxeJMoRV_xUWXcQSdLm2HmA at mail.gmail.com>
>Subject: thank you for completing our survey, you can receive your reward
>To: okeefe <okeefe at cybermesa.com>
>Content-Type: text/html;
>X-SPAM-LEVEL: Spam detection results:  20
>	DKIM_INVALID              0.1 DKIM or DK signature exists, but is not valid
>	DKIM_SIGNED               0.1 Message has a DKIM or DK signature, not necessarily valid
>	HTML_FONT_SIZE_LARGE    0.001 HTML font size is large
>	HTML_IMAGE_RATIO_02     0.001 HTML has a low ratio of text to image area
>	HTML_MESSAGE            0.001 HTML included in message
>	HTML_MIME_NO_HTML_TAG   0.635 HTML-only message, but there is no HTML tag
>	KAM_DMARC_NONE           0.25 DKIM has Failed or SPF has failed on the message and the domain has no DMARC policy
>	KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
>	KAM_SHORT               0.001 Use of a URL Shortener for very short URL
>	KAM_STORAGE_GOOGLE       2.25 Google Storage API being abused by spammers
>	MIME_HTML_ONLY              1 Message only has text/html MIME parts
>	PDM_URI_GOOGLEAPIS          3 Rule to look for spammy Google API usage
>	RCVD_IN_BL_SPAMCOP_NET  1.246 Received via a relay in bl.spamcop.net
>	RCVD_IN_HOSTKARMA_BL      1.5 Sender listed in HOSTKARMA-BLACK
>	RCVD_IN_MSPIKE_H2      -0.001 Average reputation (+2)
>	RCVD_IN_PBL             3.558 Received via a relay in Spamhaus PBL
>	RCVD_IN_SBL_CSS         3.558 Received via a relay in Spamhaus SBL-CSS
>	RDNS_NONE               1.274 Delivered to internal network by a host with no rDNS
>	SPF_HELO_PASS          -0.001 SPF: HELO matches SPF record
>	T_SCC_BODY_TEXT_LINE    -0.01 -
>	URIBL_ABUSE_SURBL       1.948 Contains an URL listed in the ABUSE SURBL blocklist [iili.io]
>	URIBL_BLOCKED           0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked.  See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [iili.io,storage.googleapis.com]
>
><p align="center"><br>
></p>
><p align="center"><a moz-do-not-send="true"
>href="https://storage.googleapis.com/92052e935fcd9d8cebcd08c576d53d/b9cf10b58f90d4c019eedb9f4bf83d#cl/38389_md/8/50267/5704/1551/951155"><font
>      color="#ff0000"><u><font size="6" face="Times New Roman"><font
>            color="#ff0080"><b>**</b></font></font></u></font><font
>      color="#ff0000"><u><font size="6" face="Times New Roman"><font
>            color="#ff0080"><b>Congratulations! **</b></font><br>
>        </font></u></font></a></p>
><p align="center"><a moz-do-not-send="true"
>href="https://storage.googleapis.com/92052e935fcd9d8cebcd08c576d53d/b9cf10b58f90d4c019eedb9f4bf83d#cl/38389_md/8/50267/5704/1551/951155"><font
>      color="#ff0000"><u><font size="6" face="Times New Roman"><font
>            color="#8000ff">*</font></font></u></font><font
>      color="#ff0000"><u><font size="6" face="Times New Roman"><font
>            color="#8000ff"> okeefe *</font></font></u></font></a></p>
><p align="center"><a moz-do-not-send="true"
>href="https://storage.googleapis.com/92052e935fcd9d8cebcd08c576d53d/b9cf10b58f90d4c019eedb9f4bf83d#cl/38389_md/8/50267/5704/1551/951155"><font
>      color="#ff0000"><u><font size="6" face="Times New Roman"><a><font
>              size="4" color="#008040">✓ Successfully redeemed coupon
>              code SECRETSHOP2022</font></a></font></u></font></a><br>
></p>
><div align="center"><a
>href="https://storage.googleapis.com/92052e935fcd9d8cebcd08c576d53d/b9cf10b58f90d4c019eedb9f4bf83d#cl/38389_md/8/50267/5704/1551/951155"><img
>      moz-do-not-send="true" src="https://iili.io/Wkht9a.png"  alt=""
>      width="895" height="410" border="0"></a></div>
><p align="center"><span style="color: rgb(0, 0, 0); font-family:
>    "Times New Roman"; font-size: medium; font-style: normal;
>    font-variant-ligatures: normal; font-variant-caps: normal;
>    font-weight: 400; letter-spacing: normal; orphans: 2; text-align:
>    center; text-indent: 0px; text-transform: none; white-space: normal;
>    widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px;
>    text-decoration-thickness: initial; text-decoration-style: initial;
>    text-decoration-color: initial; display: inline !important; float:
>    none;">If you no longer wish to receive these emails, you may
>    unsubscribe by </span><a
>href="https://storage.googleapis.com/92052e935fcd9d8cebcd08c576d53d/b9cf10b58f90d4c019eedb9f4bf83d#un/38389_md/8/50267/5704/1551/951155"
>    style="font-family: "Times New Roman"; font-size: medium;
>    font-style: normal; font-variant-ligatures: normal;
>    font-variant-caps: normal; font-weight: 400; letter-spacing: normal;
>    orphans: 2; text-align: center; text-indent: 0px; text-transform:
>    none; white-space: normal; widows: 2; word-spacing: 0px;
>    -webkit-text-stroke-width: 0px;" moz-do-not-send="true">clicking
>    here</a></p>
><p align="center"><span style="color: rgb(136, 136, 136); font-family:
>    verdana; font-size: 11px; font-style: normal;
>    font-variant-ligatures: normal; font-variant-caps: normal;
>    font-weight: 400; letter-spacing: normal; orphans: 2; text-align:
>    center; text-indent: 0px; text-transform: none; white-space: normal;
>    widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px;
>    text-decoration-thickness: initial; text-decoration-style: initial;
>    text-decoration-color: initial; display: inline !important; float:
>    none;">click<span> </span></span><a
>href="https://storage.googleapis.com/92052e935fcd9d8cebcd08c576d53d/b9cf10b58f90d4c019eedb9f4bf83d#oop/38389_md/8/50267/5704/1551/951155"
>    style="font-family: verdana; font-size: 11px; font-style: normal;
>    font-variant-ligatures: normal; font-variant-caps: normal;
>    font-weight: 400; letter-spacing: normal; orphans: 2; text-align:
>    center; text-indent: 0px; text-transform: none; white-space: normal;
>    widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px;"
>    moz-do-not-send="true">here</a><span style="color: rgb(136, 136,
>    136); font-family: verdana; font-size: 11px; font-style: normal;
>    font-variant-ligatures: normal; font-variant-caps: normal;
>    font-weight: 400; letter-spacing: normal; orphans: 2; text-align:
>    center; text-indent: 0px; text-transform: none; white-space: normal;
>    widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px;
>    text-decoration-thickness: initial; text-decoration-style: initial;
>    text-decoration-color: initial; display: inline !important; float:
>    none;"><span> </span>to remove yourself from our emails list</span></p>
>
>-- 
Looks like cybermesa's running SpamAssassin for you, so the messages are coming in already scored. You should be able to filter message delivery based on that score (20 in the example header) using any of the tutorials I found web searching 'x-spam-level thunderbird'.
E.g.: https://support.tigertech.net/thunderbird-assassin
-- 
Sent from my $DEVICE with $SOFTWARE. Please excuse my brevity.
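
Added example, not part of the original post: a Python sketch that reads the X-SPAM-LEVEL header in the format quoted above, extracts the total and the per-rule scores, and applies a delivery decision. The sample message is constructed and abridged from the quoted headers; the 5.0 threshold and the handling of duplicate score headers are assumptions.

```python
import re
from email import message_from_string
from email.policy import compat32

# Constructed sample: a few headers abridged from the quoted message.
SAMPLE = (
    'From: "T-Mobile" <user@example.net>\n'
    "Content-Type: text/html;\n"
    "X-SPAM-LEVEL: Spam detection results:  20\n"
    "\tDKIM_INVALID              0.1 DKIM or DK signature exists, but is not valid\n"
    "\tKAM_STORAGE_GOOGLE       2.25 Google Storage API being abused by spammers\n"
    "\tMIME_HTML_ONLY              1 Message only has text/html MIME parts\n"
    "\tRCVD_IN_MSPIKE_H2      -0.001 Average reputation (+2)\n"
    "\tRCVD_IN_PBL             3.558 Received via a relay in Spamhaus PBL\n"
    "\n"
    "<p>body</p>\n"
)

NUM = r"-?\d+(?:\.\d+)?"
TOTAL_RE = re.compile(r"Spam detection results:\s*(" + NUM + r")")
# Rule lines are folded continuation lines: whitespace, RULE_NAME, score, text.
RULE_RE = re.compile(r"^[ \t]+([A-Z][A-Z0-9_]*)[ \t]+(" + NUM + r")[ \t]", re.M)


def parse_spam_level(raw):
    """Return (total, {rule: score}, header_count) for a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=compat32)  # compat32 keeps the folding
    values = msg.get_all("X-SPAM-LEVEL", [])
    if not values:
        return None, {}, 0
    m = TOTAL_RE.search(values[0])
    total = float(m.group(1)) if m else None
    rules = {n: float(s) for n, s in RULE_RE.findall(values[0])}
    return total, rules, len(values)


def top_rules(rules, n=3):
    """Rules that contributed most to the score, highest first."""
    return sorted(rules.items(), key=lambda kv: kv[1], reverse=True)[:n]


def should_junk(raw, threshold=5.0):
    """threshold=5.0 is an assumed cut-off, not a value from the post."""
    total, _, count = parse_spam_level(raw)
    if count > 1:  # assumption: more than one score header is treated as suspect
        return True
    return total is not None and total >= threshold
```

The score is only as trustworthy as the hop that stamped it, so a filter like this belongs on mail that arrived through your own provider's gateway.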