This is the 2nd of these ransom spams I've received where the body of the message is a .jpg. Below is the body and also a link to the headers and body
https://photos.app.goo.gl/DGcjySsnEHL3uKBa7
https://pastebin.com/xNRZ5UeC

The SA Markup is:

Content analysis details:   (12.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at https://www.dnswl.org/, no
                            trust
                            [54.240.8.24 listed in list.dnswl.org]
 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.5590]
 3.3 KB_FORGED_MOZ4         Mozilla 4 uses X-Mailer
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
                            domains are different
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.7 HTML_IMAGE_ONLY_08     BODY: HTML: images with 400-800 bytes of words
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                            valid
-0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
 2.2 DCC_CHECK              listed in DCC
                            ( http://rhyolite.com/anti-spam/dcc/)
 0.1 DKIM_INVALID           DKIM or DK signature exists, but is not valid
 0.8 KAM_INFOUSMEBIZ        Prevalent use of .info|.us|.me|.me.uk|.biz domains
                            in spam/malware
 2.3 FORGED_MUA_MOZILLA     Forged mail pretending to be from Mozilla
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

DCC Results are localhost 104; Body=1 Fuz1=1 Fuz2=many
DCC Brand is x.dcc-servers
PYZOR Results are Reported 0 times.

I don't know if a rule exists for something like this or not.

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
20:04:36 up 9 days, 12:23, 1 user, load average: 1.15, 1.15, 1.12
Description: Ubuntu 18.04.2 LTS, kernel 4.15.0-50-generic