This one is also new
·1506 words·8 mins
Table of Contents
Hi there, some time went by and another good spam mail reached me today.
Although I’m currently short on time I could not wait to look deeper into this kind of email.
The mail body #
in text/plain
--=_010556a0ce8435b6915c010a97c53f6e
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII;
format=flowed
[1]
This is an automated email. Please do not reply
Your guide to trading basics--concepts, markets, and pitfalls to avoid.
A new webinar episode goes live tomorrow! Watch Ross place real trades
on live charts as he applies proven strategies, explains his decisions,
and answers your questions.
We'll cover:
* How a professional trader executes trades under live conditions
* Real-time market analysis and trade setups
* Live insights from experts
Webinar Details
Topic: Live Trading Session 2.0
Speaker: Ross Maxwell, Global Strategy Operations Lead, VT Markets
Date: 22 Sept 2025
Time: 10AM UK (BST)
About the Speaker:
Ross Maxwell brings over 20 years of experience in key financial hubs in
London and Hong Kong.
Register Now [2]
[3]
[4]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
[10]
Risk Warning: CFD trading carries heightened risks due to leverage and
may not be suitable for all investors. Fully comprehend the associated
risks [11] before committing to trade. The Company disclaims any
liability for loss or damage arising from transactions involving CFDs.
VT Markets is a brand name of regulated companies authorised and
registered in various jurisdictions. For details, visit our official
website [4].
This email is not intended for distribution or use in any country or
jurisdiction where it would contravene local law or regulation.
Click here to unsubscribe [12]. Copyright 2025 VT Markets.
Links:
------
[1]
https://s3.amazonaws.com/coursera-assessments/assessments/1753567124646/1db6843d-52b2-4583-8d2c-baa77c402dd2/api.html?url=aHR0cHM6Ly9zZWN1cmVjbHVzdGVyLnNicy9mYXN0bWFpbC8=
[2]
https://emails.vtmarkets.com/MTc4LUhPTS05MzUAAAGdCg6DlqKbki_9Z5rjxnM5uQCn-siDebfikdy5ySno-d2IfXkE0C8ATbwcqH_X9egpalbVpfg=
[3]
https://emails.vtmarkets.com/MTc4LUhPTS05MzUAAAGdCg6Dl7PnSrxkPIixkSPEL0ACdwo1HSZNHxWgeeUCYTciqEt8Ne3Dx9v29osSUlQkYJ9z574=
[4]
https://emails.vtmarkets.com/MTc4LUhPTS05MzUAAAGdCg6Dl4jBa4YW8GzRavmTW2lexY5cCv081PW0DQ2XHPxP8C0IFrOWQBqFD86kvORADsdEo0A=
[5]
https://emails.vtmarkets.com/MTc4LUhPTS05MzUAAAGdCg6Dl3U-Ce6apVI_cZlRyhzerk9ouF6_WhlYaDn9tpbJ5zLx5w--T5fZjyYGKBxaC6XtQhQ=
[6]
https://emails.vtmarkets.com/MTc4LUhPTS05MzUAAAGdCg6Dl-c7acIUCHWIZOIFNE2BRe-gu6sZRAo10Un8Lzj08jCbO0BatZIkYHF64vdK3Y3zpws=
[7]
https://emails.vtmarkets.com/MTc4LUhPTS05MzUAAAGdCg6Dl3Op5IZDszy176TJWVXj-q8ly7zmjNphJe7csvPGTAbSqXrTpF-KP4ya8Lwh8GhQDlw=
[8]
https://emails.vtmarkets.com/MTc4LUhPTS05MzUAAAGdCg6DlxNOP3oBL9cX5VpK1N_OsHg2d6Y_GsQW_MPdVgkti-sUHScvyvMNZ-bafPF-P04rzOo=
[9]
https://emails.vtmarkets.com/MTc4LUhPTS05MzUAAAGdCg6Dl9ofdvt9iq77Jdb49PpY14r4vRSJrRVnM1CT4EWKFa6cOg8FYPR-l9r-8LMPUErWmto=
[10]
https://emails.vtmarkets.com/MTc4LUhPTS05MzUAAAGdCg6DlmMbV07qidJTNdO2YlpOiqi4X2lh2NjDoPfvhjlTNLfGHL7cqd9gcFj0vnDfldR3Frs=
[11]
https://emails.vtmarkets.com/MTc4LUhPTS05MzUAAAGdCg6Dl4Eo6sI6bV69YUKcAGtucZV6UBCPJBUVjD_7Vm6B6Yuewif_BoZkcBYMCBc3t9OTejw=
[12]
https://emails.vtmarkets.com/MTc4LUhPTS05MzUAAAGdCg6Dl1J8sCELKV4tqFhBnFRVBlFeH-0m60qeJAsWXA30st_Afo1CRbmnyTbAW0_G79SPB2Q=
That is what the email looks to me in the first place. It is not interesting, I haven’t even looked at the mentioned domains so far.
The html body #
It is not that interesting but since it is in the email I’ll show you an excerpt of it:
--=_010556a0ce8435b6915c010a97c53f6e
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset=UTF-8
<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; charset=
=3DUTF-8" /></head><body style=3D'font-size: 10pt; font-family: Verdana,Gen=
eva,sans-serif'>
<p><a href=3D"https://s3.amazonaws.com/coursera-assessments/assessments/175=
3567124646/1db6843d-52b2-4583-8d2c-baa77c402dd2/api.html?url=3DaHR0cHM6Ly9z=
ZWN1cmVjbHVzdGVyLnNicy9mYXN0bWFpbC8=3D" target=3D"_blank" rel=3D"noopener">=
<img style=3D"display: block; margin: 0 auto; border: 0; outline: none; te=
xt-decoration: none;" src=3D"https://s3.amazonaws.com/coursera-assessments/=
assessments/1758043409311/a6bd739c-7388-45ea-9839-18efd67789e6/fs.png" alt=
=3D"Click to view the full promotion" width=3D"729" /> </a></p>
<p>This is an automated email. Please do not reply</p>
<div style=3D"height: 2000px;"> </div>
<p><br /></p>
<!-- Marketo Variable Definitions -->
<p><br /></p>
<!-- Other Meta Tags -->
<p><br /></p>
<!-- [if mso]>
<style type=3D'text/css'>
=2Eprimary-font {
font-family: Helvetica !important;
}
</style>
<![endif]-->
<p><br /></p>
<!-- [if mso]>
<style type=3D'text/css'>
=2Esecondary-font {
font-family: Helvetica !important;
}
</style>
<![endif]-->
<style> @media only screen and (width: 600px) {table#boxing { width: 600px =
!important } } </style>
<!-- [if gte mso 9]>
<style type=3D"text/css">
#hero .table3-3{
width: 600 !important;
}
</style>
<![endif]-->
<style media=3D"all"> @-ms-viewport { width: device-width; } </style>
<style media=3D"all"> @media only screen and (max-width: 600px) {body { wid=
th: auto !important } table[class=3D"table600"] { width: 450px !important }=
table[class=3D"table-inner"] { width: 86% !important } table[class=3D"tabl=
e1-2"] { width: 47% !important; clear: both } table[class=3D"table1-3"] { w=
idth:=20
29.4% !important } table[class=3D"table1-4"] { width: 100% !important; text=
-align: left !important } table[class=3D"table2-3"] { width: 64% !important=
; text-align: center !important } table[class=3D"table3-3"] { width: 100% !=
important; text-align: center !important; clear: both }=20
table[class=3D"footer-logo"] { width: 10% !important; text-align: right !im=
portant } td[class=3D"outer"] { min-width: 0 !important } td[class=3D"stack=
"] { padding-bottom: 40px !important } .stack-tablet { padding-bottom: 20px=
!important; overflow: visible !important; float: none !important; mso-hide=
:=20
none !important; display: block !important } img[class=3D"mobile-img"] { wi=
dth: 100% !important; height: auto !important } td[class=3D"center-tablet"]=
{ text-align: center !important } td[class=3D"hide-tablet"] { display: non=
e !important } table[class=3D"footer-column"] { width: 47% !important;=20
text-align: left !important } .m_two-articles .table1-2 { width: 100% !impo=
rtant } .m_two-articles .photo img { width: 100% !important } .m_two-articl=
es .stack-tablet td { height: 60px !important } .m_free-image img { width: =
450px !important } } @media only screen and (max-width: 479px) {body {=20
width: auto !important } table[class=3D"table600"] { width: 540px !importan=
t } table[class=3D"table-inner"] { width: 80% !important; float: none !impo=
rtant } table[class=3D"table1-2"] { width: 100% !important; clear: both } t=
able[class=3D"table1-3"] { width: 100% !important; clear: both }=20
table[class=3D"table1-4"] { width: 100% !important; text-align: center !imp=
ortant } table[class=3D"table2-3"] { width: 100% !important; text-align: ce=
nter !important } table[class=3D"table3-3"] { width: 100% !important; text-=
align: center !important; clear: both } table[class=3D"footer-logo"] { widt=
h: 60%=20
!important; text-align: center !important } td[class=3D"outer"] { min-width=
: 0 !important } td[class=3D"td3-1"] { width: 60% !important; text-align: c=
enter !important } .stack-smartphone { padding-bottom: 20px !important; ove=
rflow: visible !important; float: none !important; display: block !importan=
t;=20
mso-hide: none !important } td[class=3D"center-smartphone"] { text-align: c=
enter !important } img[class=3D"mobile-img"] { width: 100% !important } td[=
class=3D"center-tablet"] { text-align: center !important } td[class=3D"hide=
-smartphone"] { display: none !important } table[class=3D"footer-column"] {=
width:=20
100% !important; text-align: center !important } .m_free-image img { width:=
290px !important } .m_hr .table-inner { width: 100% !important } } </style>
<style type=3D"text/css">div#emailPreHeader{ display: none !important; }</s=
tyle>
<div id=3D"emailPreHeader" style=3D"mso-hide: all; visibility: hidden; opac=
ity: 0; color: transparent; mso-line-height-rule: exactly; line-height: 0; =
font-size: 0px; overflow: hidden; border-width: 0; display: none !important=
;">Your guide to trading basics—concepts, markets, and pitfalls to av=
oid.</div>
<div style=3D"display: none; white-space: nowrap; font: 15px courier; line-=
height: 0;"> =
 =
; </di=
v>
<!-- Outer table START -->
<table style=3D"-webkit-text-size-adjust: 100%; -ms-text-size-adjust: 100%;=
mso-table-lspace: 0pt; mso-table-rspace: 0pt; border-spacing: 0; border-co=
llapse: collapse;" border=3D"0" width=3D"100%" cellspacing=3D"0" cellpaddin=
g=3D"0">
<tbody>
<tr>
<td class=3D"outer" style=3D"-webkit-text-size-adjust: 100%; -ms-text-size-=
adjust: 100%; mso-table-lspace: 0pt; mso-table-rspace: 0pt; word-break: bre=
ak-word; -webkit-hyphens: none; -moz-hyphens: none; hyphens: none; min-widt=
h: 600px; border-collapse: collapse; background-color: #eeeeee; padding: 20=
px 0px;" valign=3D"top">
<table id=3D"boxing" style=3D"-webkit-text-size-adjust: 100%; -ms-text-size=
-adjust: 100%; mso-table-lspace: 0pt; mso-table-rspace: 0pt; border-spacing=
: 0; border-collapse: collapse;" border=3D"0" width=3D"600" cellspacing=3D"=
0" cellpadding=3D"0" align=3D"center">
<tbody>
<tr>
<!--
snip snip -- sorry the html code is not that interesting
-->
The headers #
These are a bit more interesting to me, as they tell a little story about the origin of this email.
Return-Path: <norepl*@fastmail.com>
Received: from phl-compute-05.internal (phl-compute-05.internal [10.202.2.45])
by slotpi15m48 (Cyrus 3.13.0-alpha0-1232-g5ef1697bd-fm-20250915.001-g5ef1697b) with LMTPA;
Mon, 22 Sep 2025 13:19:13 -0400
X-Cyrus-Session-Id: slotpi15m48-1758561553-306118-2-14022213412802617382
X-Sieve: CMU Sieve 3.0
X-Spam-known-sender: no ("Email failed DMARC policy for domain")
X-Spam-sender-reputation: 500 (none)
X-Spam-score: 0.0
X-Spam-hits: BAYES_00 -1.9, HTML_FONT_LOW_CONTRAST 0.001, HTML_IMAGE_RATIO_04 0.001,
HTML_MESSAGE 0.001, ME_NOAUTH 0.01, ME_SENDERREP_NEUTRAL 0.001,
RCVD_IN_DNSWL_NONE -0.0001, RCVD_IN_MSPIKE_H3 0.001,
RCVD_IN_MSPIKE_WL 0.001, SPF_HELO_NONE 0.001, SPF_SOFTFAIL 0.665,
LANGUAGES en, BAYES_USED user, SA_VERSION 4.0.1
X-Backscatter: NotFound1
X-Backscatter-Hosts:
X-Spam-source: IP='23.83.223.165', Host='sienna.cherry.relay.mailchannels.net',
Country='CA', FromHeader='com', MailFrom='com'
X-Spam-charsets: plain='US-ASCII', html='UTF-8'
X-Resolved-to: ***
X-Delivered-to: ***
X-Mail-from: norepl*@fastmail.com
Received: from phl-mx-03 ([10.202.2.202])
by phl-compute-05.internal (LMTPProxy); Mon, 22 Sep 2025 13:19:13 -0400
Received: from phl-mx-03.messagingengine.com (localhost [127.0.0.1])
by mailmx.phl.internal (Postfix) with ESMTP id AAD7E4BA012D
for <***>; Mon, 22 Sep 2025 13:19:12 -0400 (EDT)
Received: from mailmx.phl.internal (localhost [127.0.0.1])
by phl-mx-03.messagingengine.com (Authentication Milter) with ESMTP
id E30A1F84042.29AA64BA00DA;
Mon, 22 Sep 2025 13:19:12 -0400
Received: from sienna.cherry.relay.mailchannels.net (sienna.cherry.relay.mailchannels.net [23.83.223.165])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
(No client certificate requested)
by phl-mx-03.messagingengine.com (Postfix) with ESMTPS id 29AA64BA00DA
for <***>; Mon, 22 Sep 2025 13:19:12 -0400 (EDT)
X-Sender-Id: host4yourself|x-authuser|support00@netlfix.com
Received: from relay.mailchannels.net (localhost [127.0.0.1])
by relay.mailchannels.net (Postfix) with ESMTP id 4A6332E2A9F;
Mon, 22 Sep 2025 17:19:10 +0000 (UTC)
Received: from apollo.iwebfusion.net (trex-blue-6.trex.outbound.svc.cluster.local [100.110.178.31])
(Authenticated sender: host4yourself)
by relay.mailchannels.net (Postfix) with ESMTPA id 8B0B72E272B;
Mon, 22 Sep 2025 17:19:05 +0000 (UTC)
X-Sender-Id: host4yourself|x-authuser|support00@netlfix.com
X-MailChannels-SenderId: host4yourself|x-authuser|support00@netlfix.com
X-MailChannels-Auth-Id: host4yourself
Received: from apollo.iwebfusion.net (apollo.iwebfusion.net [192.154.231.67])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384)
by 100.110.178.31 (trex/7.1.3);
Mon, 22 Sep 2025 17:19:10 +0000
Received: from [::1] (port=39118 helo=apollo.iwebfusion.net)
by apollo.iwebfusion.net with esmtpa (Exim 4.98.2)
(envelope-from <norepl*@fastmail.com>)
id 1v0kBs-00000004QyD-3nzO;
Mon, 22 Sep 2025 13:19:04 -0400
MIME-Version: 1.0
Date: Mon, 22 Sep 2025 13:19:03 -0400
From: noreply <norepl*@fastmail.com>
To: inf*@fastmail.com
Subject: Action Required To Keep Your Fastmail Services Running
User-Agent: Roundcube Webmail/1.6.11
Message-ID: <8e6c1f70efa44a77b91918ba3cf3add5@fastmail.com>
X-Sender: norepl*@fastmail.com
Content-Type: multipart/alternative;
boundary="=_010556a0ce8435b6915c010a97c53f6e"
X-AuthUser: support00@netlfix.com
I highlighted the X-Delivered-to header because I have this shown in my mailclients
usually and that lets me easily identify to what final email address the spam
was sent to (yes, even if they send mail to me via Bcc:!) – and because I usually
use no email address twice when I create online accounts I can also identify the
leak.
Some thoughts #
The used support00@netlfix.com account is obviously also used to trick Netflix
users but I think I haven’t got one of these for now.
I wondered a bit that no spam filter marked this one as spam, I think I’ll include the SPF and MARC/DKIM results in future filtering but for now I’m all good.
The email was sent to one of my noreply addresses, which I got already some of the Netcup phishing emails.
At least, they found out about Fastmail, which is an excellent email service provider – I use it for years!