Phishing with a threatening message
#11
Here's another one:

Received: from 127.0.0.1
by atlas-production.v2-mail-prod1-gq1.omega.yahoo.com pod-id atlas--production-gq1-6bbcff96b9-tgpgf.gq1.yahoo.com with HTTP; Wed, 30 Nov 2022 12:44:32 +0000
Return-Path: <[email protected]>
X-Originating-Ip: [209.85.216.45]
Received-SPF: pass (domain of parisnanterre.fr designates 209.85.216.45 as permitted sender)
Authentication-Results: atlas-production.v2-mail-prod1-gq1.omega.yahoo.com;
dkim=pass [email protected] header.s=google;
spf=pass smtp.mailfrom=parisnanterre.fr;
dmarc=pass(p=QUARANTINE) header.from=parisnanterre.fr;
X-Apparently-To: [email protected]; Wed, 30 Nov 2022 12:44:32 +0000
Received: from 209.85.216.45 (EHLO mail-pj1-f45.google.com)
by 10.214.167.142 with SMTPs
(version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256);
Wed, 30 Nov 2022 12:44:32 +0000
Received: by mail-pj1-f45.google.com with SMTP id k5so15577226pjo.5
        for <[email protected]>; Wed, 30 Nov 2022 04:44:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=parisnanterre.fr; s=google;
        h=to:subject:message-id:date:from:reply-to:mime-version:from:to:cc
        :subject:date:message-id:reply-to;
        bh=g+qHjqt2xYqUzZOvesBBHhYGnRJw1I+erQ+rnIBE7iI=;
        b=P0VmAsZEFXqUlyrGnD6U6wKNdqmKSqyUXN4KWL65hWxHHRNwW8I+wS15G3aRIrPxyt
        xWQI5dGRFsnonmZZDARkmTWL2N+PrqY3b/68U72bmMGgX9/mROpBpE+6W/HQWKhwSGgQ
        xJ+dPA+/gRDeIleltOGhgA6MCA1v5CvXf5MoU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=to:subject:message-id:date:from:reply-to:mime-version
        :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=g+qHjqt2xYqUzZOvesBBHhYGnRJw1I+erQ+rnIBE7iI=;
        b=YHBd1kfmvVzHYE94N0rdYbWUrQNcT5TX8OT5n77TDhNN1ZmfJPVxfJTAkJPepmKi4/
        Na4VKqMaBS0c3BQN5A0X4ttJxk7DbaexsP5+nWUaDvw7BEaj0nXoZD4oFSzdh8g1P6pZ
        4BI6szfECd3XqXdaIe8QGjPnDybiQgloKqJVxITJLw3pRwLQaRHrXkslCjxC/1vWnDU7
        pawQbYVWVwGNYQ2R1u0C2zQcj+WlKRpF9kZov5wFM+ib3uGhB+QqbwJhUOGZ9KSTTfUF
        l2WjfKGl1QUeCAemRvZ7u7QTsBtwqlRw386vB03T3MgMos8CLe50xGENOAd2TmdcmmwO
        O2uw==
X-Gm-Message-State: ANoB5pkmU5G8PSes6fRGcqH35LUROv6m9L/vgyGrJMYZh5Mr6MWrwlHn
zC4uu6GvCAJEPAQe5CdJPUtuiyBoRhvXwQkn34jo8A==
X-Google-Smtp-Source: AA0mqf5SvL9kVswwsCXimYiJWJlEHuJuXNTpiP4yvedfbM1xcbrm6ghzAt0X3R0LFBEn31AqjgG1Co/0+AfyHpEM2mo=
X-Received: by 2002:a17:903:1341:b0:189:9a36:accf with SMTP id
jl1-20020a170903134100b001899a36accfmr8921167plb.19.1669812272070; Wed, 30
Nov 2022 04:44:32 -0800 (PST)
MIME-Version: 1.0
Reply-To: [email protected]
From: =?UTF-8?B?0JTQuNGA0LXQutGC0L7RgCDQv9C+0LvQuNGG0LjRmNC1?= <[email protected]>
Date: Wed, 30 Nov 2022 12:44:18 +0000
Message-ID: <CALmHAJzeDM_O7xHbyVPLEJx=NXM8kkA9zVe=A22vdfz2H7dOdA@mail.gmail.com>
Subject: =?UTF-8?B?4puU0JTQntCh0JjQiNCVINCdwrAgMTA3LdCm0KHQoQ==?=
To: undisclosed-recipients:;
Content-Type: multipart/mixed; boundary="00000000000051d22f05eeaf77c7"
Bcc: [email protected]
Content-Length: 925128

--00000000000051d22f05eeaf77c7
Content-Type: multipart/alternative; boundary="00000000000051d22c05eeaf77c5"

--00000000000051d22c05eeaf77c5
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: base64


Attached Files
.txt   phishing_sa_zastrasujucom_porukom_005.txt (Size: 920.83 KB / Downloads: 105)
“If you think you are too small to make a difference, try sleeping with a mosquito.” - Dalai Lama XIV
#12
Yes, it looks to me like parisnanterre.fr uses Google's service, but also like they have their own SMTP servers that the mails are sent from. I see it's some French university, though the website doesn't resolve for me. Shodan shows some interesting information; maybe they got broken into because of some of those things, i.e. that's how they got into the network.

https://www.shodan.io/search?query=parisnanterre.fr

As Ivan mentioned earlier, [email protected] is mentioned in other sources too, which link it to child pornography and similar scams. Here's also a link with similar PDF content but in French, which was reported before it reached us if I haven't got the timeline wrong, which then tells me it wasn't a targeted attack but is being sent to everyone at random, Google Translate text and that's it.

https://www.signal-arnaques.com/scam/view/449104

What confuses me a bit is that it shows the sending IP as gmail, yet the MX resolves to 193.50.151.164, at least for me. Or I missed something and mixed a few things up. But it doesn't look like a spoof, rather like it was actually sent from the university's server. Interesting in any case. Thanks for the headers.
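An added example, not from either post: a small Python triage routine for the kind of headers quoted in #11, which pulls out the SPF/DKIM/DMARC verdicts and the Google relay that #12 discusses, and decodes the RFC 2047 encoded From and Subject. The header excerpt is constructed from the quoted headers; the redacted mailbox local parts and the Reply-To address are placeholders.

```python
import email
import email.policy
import re

# Constructed excerpt of the headers quoted in post #11. The redacted
# local parts and the Reply-To address are placeholders, not page values.
RAW_HEADERS = """\
Received-SPF: pass (domain of parisnanterre.fr designates 209.85.216.45 as permitted sender)
Authentication-Results: atlas-production.v2-mail-prod1-gq1.omega.yahoo.com;
 dkim=pass header.i=@parisnanterre.fr header.s=google;
 spf=pass smtp.mailfrom=parisnanterre.fr;
 dmarc=pass(p=QUARANTINE) header.from=parisnanterre.fr;
Received: from 209.85.216.45 (EHLO mail-pj1-f45.google.com)
 by 10.214.167.142 with SMTPs; Wed, 30 Nov 2022 12:44:32 +0000
Reply-To: replyto@example.net
From: =?UTF-8?B?0JTQuNGA0LXQutGC0L7RgCDQv9C+0LvQuNGG0LjRmNC1?= <sender@parisnanterre.fr>
Subject: =?UTF-8?B?4puU0JTQntCh0JjQiNCVINCdwrAgMTA3LdCm0KHQoQ==?=
To: undisclosed-recipients:;

"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
RELAY_RE = re.compile(r"from\s+(\S+)\s+\(EHLO\s+([^)]+)\)")


def triage(raw):
    """Pull out what an analyst checks first on an authenticated-but-
    suspicious message: auth verdicts, last relay, decoded sender/subject."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    # All three verdicts passing only shows the mail left through the
    # domain's permitted relay (Google here); it says nothing about
    # whether the account behind it is being used legitimately.
    auth = dict(AUTH_RE.findall(msg["Authentication-Results"]))
    relay = RELAY_RE.search(msg["Received"])
    # The default policy decodes the RFC 2047 encoded words for us.
    sender = msg["From"].addresses[0]
    reply_to = msg["Reply-To"].addresses[0]
    return {
        "auth": auth,
        "all_pass": bool(auth) and all(v == "pass" for v in auth.values()),
        "relay_ip": relay.group(1) if relay else None,
        "relay_ehlo": relay.group(2) if relay else None,
        "display_name": sender.display_name.strip(),  # Cyrillic "Director of police"
        "from_domain": sender.domain,
        "subject": str(msg["Subject"]).strip(),  # Cyrillic "FILE No. 107-CSS"
        # Replies routed to a domain other than From's is a classic lure sign.
        "reply_to_mismatch": reply_to.domain.lower() != sender.domain.lower(),
    }
```

Calling `triage(RAW_HEADERS)` returns all three verdicts as pass, the relay as mail-pj1-f45.google.com, and the decoded Serbian display name and subject that make up the police pretext.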