Grok: Facebook Meta Business Phishing Attempts

Facebook Meta Business Phishing Attempts in Grok

These queries to Gemini, ChatGPT and Grok were made as a result of continued emails we had been receiving at CharlesWorks from Meta Business. They indicated someone was attempting admin access to manage a Facebook account that perhaps we managed. I suspected they were Facebook Meta Business phishing attempt messages, although I was not entirely sure. The AI systems all verified my suspicions.

Included with this prompt was a 15k text file containing the text from the email in question as well as its header information from my Outlook web mail. While my raw file was accepted in ChatGPT and Gemini, I had to change the file’s encoding for Grok to accept it. I originally received an error when trying to upload the text file:
{"code":12,"message":"Unsupported text encoding [WKE=file:type-not-supported]","details":[]}

Here is my Grok raw conversation. The ChatGPT conversation and Gemini conversation were in my previous two posts.

I keep getting these emails indicating they are from Facebook and from what I gather, they are indications that someone is attempting to manage a Facebook page we are an admin on. I have marked them as phishing attempts. Is that what they are?

Yes, these are phishing/scam attempts, even though the emails themselves are technically sent by Meta’s real systems.

What’s happening:

Scammers create a fake Business Manager account (often with a deceptive name like “Meta Platforms” or something that sounds official) and send partner requests to your Facebook Page or ad account through Meta’s own platform. Meta then automatically generates and sends a legitimate notification email from no*****@***************ok.com.

This is why:
– The email passes SPF/DKIM/DMARC checks.
– The headers look authentic (as seen in your file).
– It includes real Meta branding and warnings about fraud.

The goal is to trick you into going to Business Suite and approving the partner request. If you do, the scammers gain access to your Page, ad accounts, pixels, etc., which they can then hijack, run unauthorized ads, steal money, or lock you out.

Specifics from your email:

– The “This request is from: Meta Platforms” part is the scammers abusing the system (they name their fake business something official-sounding).
– The m.me/111998437174036 link is suspicious (it’s just a generic Messenger link with no useful public info).
– The email includes the standard “Protect yourself from fraud” text — which is Meta’s own disclaimer, ironically being used against you.

What you should do:

1. Never approve unknown partner requests. Ignore or reject them in Business Suite.
2. Do not click any links in these emails. Instead, log in directly to [business.facebook.com](https://business.facebook.com) or the Meta Business Suite app (type the URL yourself).
3. Review your current partners and remove any you don’t recognize.
4. Check who has admin access to your Pages and ad accounts.
5. Enable extra security like two-factor authentication and login alerts.

You’re right to treat them as suspicious and mark them as phishing — that’s the correct instinct. Unfortunately, this is a widespread campaign right now, and Meta’s system makes it very convincing because the emails are genuine notifications about real (but malicious) requests.

If you go into Business Suite and see pending requests from unknown businesses, deny them immediately. Stay safe!

ChatGPT: Facebook Meta Business Phishing Attempts

Facebook Meta Business Phishing Attempts in ChatGPT

This query to both Gemini and ChatGPT was made as a result of continued emails we received at CharlesWorks indicating they were from Meta Business. They said someone was attempting admin access approval to purportedly manage a Facebook account that perhaps we managed. I suspected they were Facebook Meta Business phishing attempt messages, although I was not entirely sure. The AI systems both verified my suspicions.

Here is my ChatGPT raw conversation. The Gemini conversation was in the previous post.

I keep getting these emails indicating they are from Facebook and from what I gather, they are indications that someone is attempting to manage a Facebook page we are an admin on. I have marked them as phishing attempts. Is that what they are?

Yes — I would treat these as hostile/phishing attempts, even though this particular email appears to have been sent through Facebook/Meta’s real mail system.

That sounds contradictory, but here’s the key point: the email authentication looks legitimate, but the request itself is suspicious.

The headers show:

spf=pass
dkim=pass
dmarc=pass
smtp.mailfrom=business.facebook.com
From: "Facebook" <no*****@***************ok.com>

So this does not look like an ordinary spoofed email. It appears to have genuinely come from Meta/Facebook’s system. The uploaded email also says it was sent to su*****@**********ks.com and describes a Business Manager partner request.

However, the suspicious part is the requester and wording:

“This request is from: Meta Platforms, please see the support link above for more details.”

That is odd. A normal partner request should usually come from a real agency, client, marketing company, or known business — not vaguely from “Meta Platforms.” Also, the message includes m.me/111998437174036, which is a Messenger link, and the email itself warns that “Other links is not part of or affiliated with Meta.”

This matches a newer scam pattern where attackers abuse the real Meta Business Manager partner request system. In those cases, the notification can pass SPF, DKIM, and DMARC because Meta really sent the notification, but the attacker created the underlying business request to trick you into clicking or granting access. Security writeups in 2026 describe this exact tactic: real-looking Meta Business Manager partner request emails generated through legitimate Meta workflows, sometimes with phishing links or malicious business names embedded in the request. (Prophet Security)

So your instinct was right. 👍

Do not approve it. Do not click the email links. Instead, go directly in your browser to:

https://business.facebook.com/

Then check:

Business Settings → Requests → Received

If you see this request there and you do not recognize the business, decline it. If there is a report option, report it there as well.

My practical recommendation:

  1. Keep marking them as phishing/junk.
  2. Do not click “View request” from the email.
  3. Log into Meta Business Suite directly at https://business.facebook.com/.
  4. Decline any unknown partner requests.
  5. Review current Page/business admins and partners.
  6. Make sure every CharlesWorks Facebook admin has two-factor authentication enabled.

Bottom line: the email may be technically authentic, but the access request is almost certainly unwanted and potentially dangerous. It is the Facebook version of somebody rattling the doorknob while wearing a fake badge.

Gemini: Facebook Meta Business Phishing Attempts

Facebook Meta Business Phishing Attempts in Gemini

These queries to Gemini and ChatGPT were made as a result of continued emails we had been receiving at CharlesWorks from Meta Business. They indicated someone was attempting admin access to manage a Facebook account that perhaps we managed. I suspected they were Facebook Meta Business phishing attempt messages, although I was not entirely sure. The AI systems verified my suspicions.

Included with this prompt was a 15k text file containing the text from the email in question as well as its header information from my Outlook web mail. Here is my Gemini raw conversation. My ChatGPT conversation on this topic follows in the next post and my Grok conversation follows in the one after that.

I keep getting these emails indicating they are from Facebook and from what I gather, they are indications that someone is attempting to manage a Facebook page we are an admin on. I have marked them as phishing attempts. Is that what they are?

Interestingly, the email headers reveal that this specific message is actually technically legitimate, but the intent behind it is highly malicious.

You are completely right to treat this as a phishing and scam attempt. Here is the breakdown of what is happening.

The Technical Reality: It’s a “Legitimate” Notification

The email headers show that this message genuinely originated from Meta’s servers:

  • Sender Verification: The Authentication-Results show that SPF, DKIM, and DMARC all passed perfectly for the domain business.facebook.com.

  • Sender IP: The sending IP (66.220.144.149) belongs directly to Facebook.

This means a scammer did not spoof the email itself. Instead, they are exploiting Meta’s actual Business Manager system to send you a real notification for a fraudulent request.

The Scam: Rogue Partner Requests

Scammers routinely set up fake Meta Business accounts, naming them things like “Meta Platforms,” “Meta Security,” or “Community Support.”

They then flood random Business Manager IDs with “Partner Requests.” Because they are using the official platform, Meta automatically triggers a real notification email to you.

What Happens If You Approve It?

If you click through and accept the partnership request in your Meta Business Suite, you will manually grant the scammers admin-level access to your business assets. This allows them to:

  • Hijack your Facebook Pages.

  • Lock you out of your own accounts.

  • Run fraudulent advertisements using your attached credit lines or payment methods.

Why the Email Looks Weird

Take a look at the text inside the email body:

Your Business Is Approved for Partnership m.me/111998437174036 Other links is not part of or affiliated with Meta.

The text containing the random Messenger link (m.me/...) was typed into a customizable field by the scammer when they submitted the partner request. They are trying to trick you into clicking that chat link to pull you into a secondary phishing conversation.

What You Should Do

You handled this perfectly by marking it as phishing. To protect your business assets going forward:

  • Do Not Click Links: Avoid clicking any links inside these emails or the m.me chat links.

  • Check Meta Business Suite Directly: If you ever want to verify a request, open a browser window, log in as root/admin directly at business.facebook.com, and check your requests notifications dashboard there.

  • Reject and Report: If you see the request sitting in your actual Meta Business Suite, reject it immediately and report the requesting business entity to Meta.
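The three answers above (Grok, ChatGPT and Gemini) all turn on one distinction: SPF/DKIM/DMARC establish who sent the notification, not whether the partner request inside it is trustworthy. The following is an added example, not code from this blog or from any of the AI transcripts, that keeps those two checks separate when triaging such a notification. The sample message, its addresses, the sender IP and the m.me number are constructed placeholders, not values from the real email; the impersonation names are the ones the transcripts report.

```python
"""Triage a Meta Business Manager partner-request notification: first, did Meta
really send it; second, is the request inside it something to trust.  Sample
message below is constructed (placeholder addresses, IP and m.me number)."""
import re
from email import message_from_string
from email.message import Message

# Business names the transcripts report scammers using for throw-away Business
# Manager accounts.  Extend from your own ticket history; matching is exact and
# case-insensitive on purpose, to keep false positives low.
IMPERSONATION_NAMES = {"meta platforms", "meta security", "community support"}

AUTH_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|softfail|none|neutral|temperror|permerror)\b", re.I)

# Constructed sample modelled on the notification discussed above.
SAMPLE_PARTNER_REQUEST = """\
Authentication-Results: spf=pass (sender IP is 203.0.113.10)
 smtp.mailfrom=business.facebook.com; dkim=pass (signature was verified)
 header.d=facebook.com;dmarc=pass action=none header.from=business.facebook.com
From: "Facebook" <noreply@business.facebook.com>
To: support@example-ks.com
Subject: Your Business Is Approved for Partnership
Content-Type: text/plain; charset=utf-8

Your Business Is Approved for Partnership m.me/000000000000000
Other links is not part of or affiliated with Meta.
This request is from: Meta Platforms, please see the support link above for more details.
"""

def parse_auth_results(msg: Message) -> dict:
    """First verdict seen for each of spf, dkim and dmarc across all
    Authentication-Results headers (the receiving MTA's own header comes first)."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(header):
            results.setdefault(mech.lower(), verdict.lower())
    return results

def sender_domain(msg: Message) -> str:
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""

def body_text(msg: Message) -> str:
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join(p.get_payload(decode=True).decode(errors="replace") for p in parts)

def triage(raw: str) -> dict:
    msg = message_from_string(raw)
    auth = parse_auth_results(msg)
    body = body_text(msg)

    # Layer 1: did Meta really send this?  Requires a DMARC pass *and* a Meta From
    # domain; a DMARC pass for some other domain proves nothing about Meta.
    authenticated = auth.get("dmarc") == "pass" and sender_domain(msg).endswith("facebook.com")

    # Layer 2: is the request itself trustworthy?  The requester name and the free
    # text are typed by whoever created the Business Manager account, so both are
    # attacker-controlled even in a genuine notification.
    m = re.search(r"This request is from:\s*([^,\n]+)", body)
    requester = m.group(1).strip() if m else ""
    indicators = []
    if requester.lower() in IMPERSONATION_NAMES:
        indicators.append("requester name impersonates Meta")
    if re.search(r"\bm\.me/\d+", body):
        indicators.append("Messenger m.me link in requester-controlled text")

    if not authenticated:
        verdict = "sender not authenticated, treat as spoofed"
    elif indicators:
        verdict = "genuine notification, rogue partner request"
    else:
        verdict = "authenticated notification, no impersonation indicators"
    return {"auth": auth, "authenticated": authenticated, "requester": requester,
            "indicators": indicators, "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE_PARTNER_REQUEST))
```

Either verdict other than the last one means the same action the three answers give: do not follow the email's link, and review the request (and the partner and admin lists) from a browser session you opened yourself.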

Chasing the Japanese Keyword Hack using Gemini

This is an example of how cleaning a site can be accomplished using artificial intelligence. Following is the prompt I used with Gemini (not showing the actual domain name of the site) after I used the Sucuri site to determine the site contained malware:

One of the sites on my server started using a lot of bandwidth and upon checking with Sucuri it shows as being infected by malware:
https://sitecheck.sucuri.net/results/domain.com

The malware it appears to be infected with is described here:
https://labs.sucuri.net/signatures/sitecheck/spam-seo/?japanese.2

The customer said she hired someone to boost her SEO and keywords and drive more traffic to her site and all but after working with him a while she couldn’t understand his English so she stopped working with him.

The site is not listed anywhere (like Google or in Firefox) as infected or dangerous.

Can you give me a plan in the form of a descriptive article to clean her WordPress site in Virtualmin on Debian 12 of this?

The raw output (with the exception of the actual domain name) follows.

Gemini Raw Output

It sounds like your client’s site has fallen victim to a Japanese Keyword Hack. This is a common and aggressive SEO spam attack where thousands of pages of auto-generated Japanese text (often promoting counterfeit goods or gambling) are injected into the site. Because these pages are designed to be seen by search engine bots rather than human users (cloaking), they often go unnoticed until bandwidth spikes or search rankings plummet.

Since the site is hosted on Virtualmin (Debian 12), you have full root access, which makes the cleanup much more effective than on shared hosting.

Here is a comprehensive plan to sanitize the WordPress installation and harden the server.


Cleaning the Japanese SEO Spam Malware: A Step-by-Step Guide

1. Pre-Cleanup Preparation

Before touching the code, ensure you have a “safety net.”

  • Full Backup: Use Virtualmin’s backup feature to create a snapshot of the virtual server (Files + Database).

  • Go Offline: Install a “Maintenance Mode” plugin or use an .htaccess rule to redirect traffic. This prevents the malware from potentially executing further scripts while you work.

2. Identify the Entry Point

The “SEO specialist” the client hired likely had admin credentials or FTP access.

  • Check Users: In the WordPress Dashboard, look for unrecognized Administrator accounts.

  • Virtualmin Logs: Check the access logs at /var/log/virtualmin/domain.com_access_log. Look for suspicious POST requests to unknown .php files or unusual activity from foreign IP addresses around the time the “specialist” was active.

3. Core WordPress Reinstallation

Malware often modifies core WordPress files. The cleanest way to fix this is to replace them entirely.

  1. Connect via SSH or use the Virtualmin File Manager.

  2. Delete the wp-admin and wp-includes directories.

  3. Delete all .php files in the root directory (except wp-config.php).

  4. Download a fresh copy of WordPress from WordPress.org and upload the new wp-admin, wp-includes, and root .php files.

4. Sanitizing the wp-content Folder

This is where the malware usually hides.

  • Plugins: Delete the entire /wp-content/plugins/ directory and reinstall them from the WordPress repository. Do not “update” them; delete and replace.

  • Themes: If using a stock theme, delete and reinstall. If it’s a custom theme, manually inspect the functions.php and header/footer files for base64 encoded strings or eval() functions.

  • Uploads: Check /wp-content/uploads/. There should be no .php files here. Use the terminal to find them:

    Bash

    find /home/linuxusername/public_html/wp-content/uploads -name "*.php"
    

    If any appear, delete them immediately.

5. Cleaning the .htaccess and index.php

Japanese SEO spam heavily relies on the .htaccess file to rewrite URLs for the fake pages.

  • Open your .htaccess file. If you see complex rules redirecting to strange files, delete them. Revert to the standard WordPress .htaccess.

  • Check the root index.php. It should only contain the standard WordPress bootstrap code.

6. Database Sanitization

The “Japanese keywords” are often stored in the wp_posts table or injected into the wp_options table.

  • Log into phpMyAdmin or use the Virtualmin database tool.

  • Search the wp_posts table for Japanese characters or titles related to the spam keywords.

  • Check the wp_options table for siteurl or home changes.

7. Virtualmin/Debian Level Hardening

Since you are on Debian 12, take advantage of system-level security:

  • Update System: Ensure Debian is patched: apt update && apt upgrade.

  • Change All Credentials: Change the Virtualmin user password, the MySQL database password (update wp-config.php accordingly), and all WordPress admin passwords.

  • Permissions: Ensure files are owned by the Virtualmin user and permissions are set correctly (644 for files, 755 for directories).

    Bash

    chown -R linuxusername:linuxusername /home/linuxusername/public_html
    

8. Handling Search Engine Results

Even after the site is clean, Google may still have thousands of Japanese pages indexed.

  1. Google Search Console: Register the site immediately.

  2. Sitemap: Generate a new, clean XML sitemap and submit it.

  3. Removals Tool: Use the “Removals” tool in Search Console to temporarily hide the spam URLs.

  4. 404 Errors: The spam URLs will now lead to 404 pages. This is good. Eventually, Google will see the pages are gone and drop them from the index.

9. Ongoing Protection

  • Install a Security Plugin: Wordfence or Sucuri’s plugin can provide a firewall and scheduled scanning.

  • Disable File Editing: Add define( 'DISALLOW_FILE_EDIT', true ); to your wp-config.php to prevent even admins from editing code through the dashboard.

  • Fail2Ban: Ensure Fail2Ban is active in Virtualmin to block brute-force attempts on SSH and WordPress logins.

Summary: You are essentially performing a “surgical replacement.” By replacing the core, plugins, and themes while auditing the uploads and .htaccess, you remove the malware’s ability to run. The rest is simply convincing Google that the “new” site is the legitimate one.
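Steps 4, 5 and 7 above each tell you to look for something by hand: PHP under wp-content/uploads, encoded or eval() code in theme files, odd rewrite rules in .htaccess, and wrong file modes. The following is an added example, not part of Gemini's output or of any WordPress or Virtualmin tooling, that performs those checks as one read-only scan so the findings can be recorded before anything is deleted. It assumes only the standard WordPress layout; demo() builds a constructed sample tree in a temporary directory so the scan can be exercised without touching a real site.

```python
"""Read-only scan for the Japanese SEO spam artifacts listed in the cleanup plan.
Assumes the standard WordPress layout under the given root.  demo() scans a
constructed fixture; pass a real document root as argv[1] to scan a site."""
import json
import os
import re
import stat
import sys
import tempfile
from pathlib import Path

OBFUSCATION_RE = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(")
# The stock WordPress .htaccess only ever rewrites to "-" (no-op) or /index.php.
STANDARD_TARGETS = {"-", "/index.php"}

def php_in_uploads(root: Path) -> list:
    """Uploads should hold media only; any .php here is a dropped loader or shell."""
    uploads = root / "wp-content" / "uploads"
    if not uploads.is_dir():
        return []
    return sorted(str(p.relative_to(root)) for p in uploads.rglob("*.php") if p.is_file())

def obfuscated_code(root: Path) -> list:
    """Theme and plugin files that call the usual obfuscation primitives."""
    hits = []
    for sub in ("themes", "plugins"):
        base = root / "wp-content" / sub
        if not base.is_dir():
            continue
        for p in base.rglob("*.php"):
            if p.is_file() and OBFUSCATION_RE.search(p.read_text(errors="replace")):
                hits.append(str(p.relative_to(root)))
    return sorted(hits)

def suspicious_rewrites(root: Path) -> list:
    """RewriteRule lines with a non-standard target, plus RewriteCond lines keyed on
    the crawler User-Agent (how spam pages are shown to bots but not to visitors)."""
    htaccess = root / ".htaccess"
    if not htaccess.is_file():
        return []
    flagged = []
    for line in htaccess.read_text(errors="replace").splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].lower() == "rewriterule" and parts[2] not in STANDARD_TARGETS:
            flagged.append(line.strip())
        elif parts and parts[0].lower() == "rewritecond" and "HTTP_USER_AGENT" in line.upper():
            flagged.append(line.strip())
    return flagged

def wrong_permissions(root: Path) -> list:
    """Files not 0644 or directories not 0755 (ownership is chown's job, not checked)."""
    bad = []
    for p in root.rglob("*"):
        if p.is_symlink():
            continue
        mode = stat.S_IMODE(p.lstat().st_mode)
        want = 0o755 if p.is_dir() else 0o644
        if mode != want:
            bad.append(f"{p.relative_to(root)} {oct(mode)}")
    return sorted(bad)

def scan(root) -> dict:
    root = Path(root)
    return {"php_in_uploads": php_in_uploads(root),
            "obfuscated_code": obfuscated_code(root),
            "suspicious_rewrites": suspicious_rewrites(root),
            "wrong_permissions": wrong_permissions(root)}

def build_sample_site(root: Path) -> None:
    """Constructed fixture: a minimal infected-looking tree with one finding per check."""
    files = {
        "wp-content/uploads/2025/01/image.php": "<?php echo 1;\n",
        "wp-content/uploads/2025/01/photo.jpg": "not really a jpeg\n",
        "wp-content/themes/custom/functions.php": '<?php eval(base64_decode("aGk="));\n',
        "wp-content/themes/custom/header.php": "<?php wp_head();\n",
        ".htaccess": ("RewriteEngine On\n"
                      "RewriteRule ^index\\.php$ - [L]\n"
                      "RewriteCond %{HTTP_USER_AGENT} googlebot [NC]\n"
                      "RewriteRule ^(.*)\\.html$ /wp-content/uploads/.cache/$1.php [L]\n"
                      "RewriteCond %{REQUEST_FILENAME} !-f\n"
                      "RewriteRule . /index.php [L]\n"),
    }
    (root / "wp-content" / "plugins").mkdir(parents=True)
    for rel, text in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    for p in root.rglob("*"):            # normalise modes, then break one file on purpose
        os.chmod(p, 0o755 if p.is_dir() else 0o644)
    os.chmod(root / "wp-content/uploads/2025/01/photo.jpg", 0o666)

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(Path(tmp))
        return scan(tmp)

if __name__ == "__main__":
    print(json.dumps(scan(sys.argv[1]) if len(sys.argv) > 1 else demo(), indent=2))
```

Run it as the Virtualmin user against /home/linuxusername/public_html and keep the JSON with the backup from step 1; a second run after the core, plugin and theme replacement should come back with every list empty.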

Gemini – Check Notification/Bounce Email for Phishing

In an article on the Artificial Intelligence blog, the author shares a personal experience with a clever phishing email disguised as a mail delivery delay notice. The fraudulent email, which included a suspicious attachment, claimed a message from the author’s alias, we******@**********ks.com, was stuck in a Czech mail queue. The author, suspicious of the message, analyzed the email headers and provided the information to an AI for a more detailed analysis. The AI’s response confirmed the email was backscatter spam, not a legitimate bounce, and was likely a lure for malware. Both the author and the AI advised deleting the message and never opening the attachment.

I received what I believed was a cleverly designed phishing attempt in my inbox.

My thought was to examine it to determine a little more detail about it and see what AI thought of it. The “----------” characters are something I tend to use as delineators when inserting these long streams of data as part of my prompt. My experience with all of the AI systems I use has been that they are understood as delineation strings.

I discovered that email addresses were automatically wiped from the material as displayed in this site by a great anti-spam plugin called CleanTalk. I highly recommend CleanTalk and it can be checked out here using our affiliate link. This helps support us as well.

This was my output after feeding all the info I had to Gemini.

My Prompt

I have gotten this message in my inbox. I am leery of it because it has an attachment. Here is the text of the message:

----------
Delivery delayed:Portal document ready statement available

Mail Delivery System<Ma***********@*****et.cz>
zo*******@***oo.com
This message was created automatically by mail delivery software.
A message that you sent has not yet been delivered to one or more of its
recipients after more than 48 hours on the queue on smtp.starnet.cz.
The message identifier is:     1usP7V-00EFty-2r
The subject of the message is: Portal document ready statement available
The date of the message is:    Sat, 30 Aug 2025 19:12:06 +0200
The address to which the message has not yet been delivered is:
zo*******@***oo.com
host mta6.am0.yahoodns.net [98.136.96.91]
Delay reason: SMTP error from remote mail server after pipelined MAIL FROM:<we******@**********ks.com> SIZE=5077:
421 4.7.0 [TSS04] Messages from 92.62.225.36 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes
SMTP Error Codes
SMTP Error Codes
postmaster.yahooinc.com
No action is required on your part. Delivery attempts will continue for
some time, and this warning may be repeated at intervals if the message
remains undelivered. Eventually the mail delivery software will give up,
and when that happens, the message will be returned to you.
----------

And here is the “View Message Details” from my Outlook webmail, I notice that someplace it seems to indicate it was received from we******@**********ks.com which I believe is not really possible since we******@**********ks.com is an alias to our su*****@**********ks.com email address:

----------
Message Details
Received: from SJ5PPF92ECB6678.namprd11.prod.outlook.com
(2603:10b6:a0f:fc02::846) by PH8PR11MB6803.namprd11.prod.outlook.com with
HTTPS; Mon, 1 Sep 2025 19:11:46 +0000
Received: from MN2PR15CA0041.namprd15.prod.outlook.com (2603:10b6:208:237::10)
by SJ5PPF92ECB6678.namprd11.prod.outlook.com (2603:10b6:a0f:fc02::846) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9073.25; Mon, 1 Sep
2025 19:11:44 +0000
Received: from BN3PEPF0000B070.namprd21.prod.outlook.com
(2603:10b6:208:237:cafe::c5) by MN2PR15CA0041.outlook.office365.com
(2603:10b6:208:237::10) with Microsoft SMTP Server (version=TLS1_3,
cipher=TLS_AES_256_GCM_SHA384) id 15.20.9073.27 via Frontend Transport; Mon,
1 Sep 2025 19:11:44 +0000
Authentication-Results: spf=none (sender IP is 92.62.225.36)
smtp.helo=smtp.starnet.cz; dkim=none (message not signed)
header.d=none;dmarc=fail action=none header.from=starnet.cz;compauth=pass
reason=105
Received-SPF: None (protection.outlook.com: smtp.starnet.cz does not designate
permitted sender hosts)
Received: from smtp.starnet.cz (92.62.225.36) by
BN3PEPF0000B070.mail.protection.outlook.com (10.167.243.75) with Microsoft
SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.9115.0
via Frontend Transport; Mon, 1 Sep 2025 19:11:43 +0000
Received: from Debian-exim by smtp.starnet.cz with local (Exim 4.96)
id 1ut9wD-005kL4-08
for we******@**********ks.com;
Mon, 01 Sep 2025 21:11:33 +0200
Auto-Submitted: auto-replied
From: Mail Delivery System <Ma***********@*****et.cz>
To: we******@**********ks.com
References: <68**********************************@***co.net>
Content-Type: multipart/report; report-type=delivery-status; boundary=1756753893-eximdsn-642087814
MIME-Version: 1.0
Subject: Warning: message 1usP7V-00EFty-2r delayed 48 hours
Message-Id: <E1***************@**********et.cz>
Date: Mon, 01 Sep 2025 21:11:33 +0200
Return-Path: <>
X-MS-Exchange-Organization-ExpirationStartTime: 01 Sep 2025 19:11:43.7145
(UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id:
e54132a9-871b-4e6e-8961-08dde98b6398
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 87733afe-0d9d-4701-bcd1-865bd5674a0b:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic:
BN3PEPF0000B070:EE_|SJ5PPF92ECB6678:EE_|PH8PR11MB6803:EE_
X-MS-Exchange-Organization-AuthSource:
BN3PEPF0000B070.namprd21.prod.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Office365-Filtering-Correlation-Id: e54132a9-871b-4e6e-8961-08dde98b6398
X-MS-Exchange-Organization-SCL: 1
X-Microsoft-Antispam:
BCL:0;ARA:13230040|1930700014|12012899012|4013099003|4053099003;
X-Forefront-Antispam-Report:
CIP:92.62.225.36;CTRY:CZ;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:smtp.starnet.cz;PTR:smtp.starnet.cz;CAT:NONE;SFS:(13230040)(1930700014)(12012899012)(4013099003)(4053099003);DIR:INB;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 01 Sep 2025 19:11:43.4764
(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: e54132a9-871b-4e6e-8961-08dde98b6398
X-MS-Exchange-CrossTenant-Id: 87733afe-0d9d-4701-bcd1-865bd5674a0b
X-MS-Exchange-CrossTenant-AuthSource:
BN3PEPF0000B070.namprd21.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SJ5PPF92ECB6678
X-MS-Exchange-Transport-EndToEndLatency: 00:00:02.7834666
X-MS-Exchange-Processed-By-BccFoldering: 15.20.9052.000
X-Microsoft-Antispam-Mailbox-Delivery:
ucf:0;jmr:0;auth:0;dest:I;ENG:(910005)(944506478)(944626604)(4710137)(4713098)(4999163)(920097)(930097)(140003);
X-Microsoft-Antispam-Message-Info:
=?us-ascii?Q?5OVkyT0/RNWSaYutxJj077THwB9/PdRBuOcypuY4fdwzhHTozjfQsr21QcQe?=
=?us-ascii?Q?NlkVZwdxRcwD1qP0Cj/LeQciqNNJg0lbR1sV7ZBL/+hbiJydtx6tb7UP4HB4?=
=?us-ascii?Q?vSopbVg/FAl3IcJNTyrT7w4+nDXRr2JrSf5a5zQfIxcuBGLkTkVd+Be/t6x/?=
=?us-ascii?Q?BmAzftsRcoYhZTaS3zJP7FvLEP39lahyS74sRNEJdUA9XXRJ7OFA3W+9D4xB?=
=?us-ascii?Q?SNBfJ62DkBWkHJhU8cbCiXwG2kAQ851fIRm149UL+MMCyKNTx2IfSuiuPCIE?=
=?us-ascii?Q?8qKQ30lLORUEF6L762+5GncbnOWlY+pQB4umU6UVz0doun01sgNmJP7557rz?=
=?us-ascii?Q?Cc3nJbQLVFXR6QoHEAlwF8OLIB25x2MMCx1izo/uMfQtatHQysWnCrHUIROP?=
=?us-ascii?Q?Plk3eMOUGo79Q8xffqXNwC1bJyxoSXGYEutfYgohJ1eNcl3kbB7TaDQ0GgFL?=
=?us-ascii?Q?yrLREXENlpXKZ8ZrliD/5duDJuU2nkgxkry4f9icgwG/3oWTzfK+IIyGwPYu?=
=?us-ascii?Q?6HJyZu0T8Q5C+odyVNcnAw2b92FEMQZgDcIL786i4Trc5EpDUXdE40fuoJjr?=
=?us-ascii?Q?WAMg6ZAIXCE6TIyRJ2NcY/YIrE7WN3NgKgIbjYsDRYxjHaTPyyPYZltgWCIL?=
=?us-ascii?Q?Tvk/7Ci8O2vzPv1gnblZwAujV8tjGKtELysMLpQwfpD5Yf0vXi3hmsAWFSJd?=
=?us-ascii?Q?Qm++Vm1ziaH4pshpmDh+OqFPwE84vQslZDL45IudrIDSx+ZghKOdgtUUWPVQ?=
=?us-ascii?Q?cBHE2ymfPjToTG9n8bxksikVQi17JzMchnOb2iPivFeCEg5jwe3K6SOP6rM3?=
=?us-ascii?Q?ZTbrP/2Q2CPNA0TCxOGpn82N68BnXOzrIXIxjX2w9P0LGELPfzB9fiwmBFvP?=
=?us-ascii?Q?D8Y8I/fufUftBp2T/vPlU/Rpt8CyGWZXVv46lyr6AQjCJsrhTMEfVALhENFp?=
=?us-ascii?Q?/cnRi/5y2QQ5zcUH+vpl+j2LgKy0scYUdunfLt2lMgtcm9VCBs3aD7Q+fs7R?=
=?us-ascii?Q?STDliRDKLIFRbc/w4UWr0R5k2YtYoCiPfGb9dLPT4rW6b+q+mBjyBdH6ZcNm?=
=?us-ascii?Q?M5mI7k/OeyESkiU7EqcqlNVUp5WXtKwYC4XFBMPpa/G/vw0g3Lf5s4Dh2x1h?=
=?us-ascii?Q?pbJSnlU47l5JfYaUVOFtd2dtIb/P/MxAadCdjK4+VNeb+GE24nPQOodYuKq7?=
=?us-ascii?Q?b7aQj4QiI5GHLZtigvUBPjaVLihk9DgzWgtDU0uD0sPPcUeYS0lqpNn/pXO3?=
=?us-ascii?Q?uoVfZZEW+WbUkX4p6Hbc2DOdNhf7JolbHhutiV/af6HG1JP6XyRpPql9ktqY?=
=?us-ascii?Q?UjPctaNohn6SnD/eTOMc5h940DpnSxmK8Sit6zzjkskO5Oh2loHXzLZx9K6h?=
=?us-ascii?Q?3Z7ALPCOmJYZ5/8HTfffnmpTmJqtA4b59A7wzB1ioi5eyzGz8XWUpDTUG9I7?=
=?us-ascii?Q?o7FXtzDdnizQM3Gp89GOYKqwL5YjUM2SGAWWAD6fEUYc1m76yNNWW208cPiU?=
=?us-ascii?Q?HqT7SYDu4UHplLHTdM+hogeWNzkzlPWcbescWpfa7mI2F1SA1B3+lTwmqFr8?=
=?us-ascii?Q?h0jrZ7+2LlOIrY73TcJLlx3KgpYx6aHVZN1vw2x1sYnVU62Zs9mCE+evJuBp?=
=?us-ascii?Q?ycrgY//qeKOctC4R6uBsDjKiLQhKnGtvw0+3+IHqt1X2i9BnWv/aNl86oJoE?=
=?us-ascii?Q?w5SEqnkMAXwQUcEnghREl9BbldfT2Wwy2G9wUlOm9MBVpmr1viO99rfSZnTk?=
=?us-ascii?Q?yaft+ZphGO7Ic6DRgRudljAnEIJ0z5+3cs4nn8zfYh/FKCOIkFFaVDG2e6xg?=
=?us-ascii?Q?livk6Ljgh0MlfcOLHID6g+whbvaukhKyFnYBdxB83kRjXIdGFfXmd9/zM9LC?=
=?us-ascii?Q?vCVxAJW2xzC64Hs2uZn+axHU21jD8XWeEt2PhD0io1RoUWmU3RtT4POX7NoX?=
=?us-ascii?Q?ONSD83WNfBTEfjDgSvhlAc75Stcu13bvB5y2v5ykPPvusjr6Nk87pUYB+IGL?=
=?us-ascii?Q?As7XH/WcIK7f88X6KWbjKbdTRuTgoBKMpGmTqRdC9JAAVJe1Ryn8r0uDzGCb?=
=?us-ascii?Q?bv0UMzmC?=
----------

Gemini’s Response

That email is phishing, and you should delete it immediately. The attachment is very likely malicious. Although the email seems like a legitimate “mail delivery system” message, several red flags in the headers you provided confirm it is a forgery.


Why the Email is a Phishing Scam

The email is a scam designed to deceive you into opening a malicious attachment. Here’s a breakdown of the clues:

  • Forged Sender and Recipient: The email is a forged bounce message. A bounce message is an automated notification from a mail server when it cannot deliver an email. The sender, Ma***********@*****et.cz, is a real type of automated sender, but it’s being spoofed. The message claims to be a delivery failure for an email you sent to zo*******@***oo.com, but you likely never sent an email to that address. Attackers often use real, known email formats to trick recipients.
  • Mismatched Information: Your email address, we******@**********ks.com, is in the “To” field of the email, but the body of the message says the failed delivery was to zo*******@***oo.com. A legitimate bounce message would show the delivery failure for the email address you originally tried to send to, not a random, unrelated one.
  • Suspicious Sender Domain: The email originates from smtp.starnet.cz, which is a legitimate Czech internet service provider. However, the message claims it’s a delivery failure for an email supposedly sent from we******@**********ks.com. It’s highly unlikely that your company’s email server would use a third-party server in a different country to send mail. This is a common tactic to hide the true origin.
  • The “websites@” Email Alias: As you suspected, the websites@ email address is a local alias for support@. A genuine email would be addressed to your actual mailbox, not just the alias, unless the original sender was explicitly addressing the alias. The spoofer likely found your address on the web and guessed at the alias.
  • Inconsistent Return Path: The Return-Path header is <>. A genuine mail delivery system email would have the same return path as the sender, which is Ma***********@*****et.cz. An empty return path is a common sign of a forged message.

The Danger of the Attachment

This type of phishing attack is a classic delivery method for malware. The goal is to make you believe there’s a problem with a document you supposedly sent. To “fix” the issue or view the “statement,” you’d be prompted to open the attached file. That file will almost certainly contain a virus, a trojan, or some other type of malicious software. It could be a ransomware executable that locks your files, a keylogger to steal your passwords, or a botnet client to turn your computer into a spam zombie.

What to Do Now

  1. Do not open the attachment under any circumstances.
  2. Delete the email immediately from your inbox and your deleted items folder.
  3. Do not reply to the email. Replying confirms your address is active.
  4. If your organization has an IT department, you should forward the email to them so they can be aware of the scam and potentially block the sender. You can also report it to your email provider.
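The question the author put to Gemini, whether a delivery notice for a message we never sent can be genuine, can be answered by the receiving side mechanically. The following is an added example, not from this blog post or from Gemini's answer, that classifies a purported bounce as a real delivery-status notification for our own mail or as backscatter from a forged message. Everything in it is constructed: the Message-ID and relay sets stand in for a lookup against the site's own outbound mail log (for Exim, the mainlog), and the sample DSN uses placeholder hosts, addresses and identifiers rather than the values in the email above. One caveat the code makes explicit: an empty Return-Path and a multipart/report body are what a real bounce looks like too, so they are recorded but not counted against the message.

```python
"""Classify a purported bounce: a genuine DSN for mail we sent, or backscatter from
a message forged in our name.  Constructed data throughout (placeholder hosts,
addresses and identifiers; the sets below stand in for an outbound-log lookup)."""
import re
from email import message_from_string

OUR_SENT_MESSAGE_IDS = {"<20250830191206.1a2b@example-ks.com>"}   # what our MTA accepted
OUR_OUTBOUND_HOSTS = {"mail.example-ks.com"}                      # relays our mail transits

# Parts a real DSN carries (RFC 3464): the notice, the status block, the returned original.
DSN_PART_TYPES = {"text/plain", "message/delivery-status",
                  "message/rfc822", "text/rfc822-headers"}

# Constructed sample modelled on the delay notice quoted above.
SAMPLE_BOUNCE = """\
Authentication-Results: spf=none (sender IP is 198.51.100.7)
 smtp.helo=smtp.relay.example; dkim=none (message not signed)
 header.d=none;dmarc=fail action=none header.from=relay.example
Auto-Submitted: auto-replied
From: Mail Delivery System <Mailer-Daemon@relay.example>
To: websites@example-ks.com
References: <0123456789abcdef@unrelated.example>
Content-Type: multipart/report; report-type=delivery-status; boundary="dsn-b"
MIME-Version: 1.0
Subject: Warning: message 1aaaaa-000000-aa delayed 48 hours
Return-Path: <>

--dsn-b
Content-Type: text/plain

This message was created automatically by mail delivery software.
A message that you sent has not yet been delivered to one or more of its
recipients after more than 48 hours on the queue on smtp.relay.example.

--dsn-b
Content-Type: application/octet-stream; name="statement.zip"
Content-Disposition: attachment; filename="statement.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
--dsn-b--
"""

def classify_bounce(raw: str) -> dict:
    """Return the signals found and a verdict for a purported delivery notification."""
    msg = message_from_string(raw)
    reasons = []

    # A null reverse path and multipart/report are what a genuine DSN looks like too,
    # so they are recorded but never counted as red flags on their own.
    looks_like_dsn = (msg.get("Return-Path", "").strip() == "<>"
                      and msg.get_content_type() == "multipart/report")

    # 1. Which message does it claim to bounce?  A real bounce points at mail we sent.
    refs = set(re.findall(r"<[^>]+>", msg.get("References", "")))
    if not refs & OUR_SENT_MESSAGE_IDS:
        reasons.append("referenced Message-ID was never accepted by our MTA")

    # 2. Where was the "original" queued?  Our mail never sits on a stranger's queue.
    text = "\n".join(p.get_payload(decode=True).decode(errors="replace")
                     for p in msg.walk() if p.get_content_type() == "text/plain")
    m = re.search(r"on the queue on ([\w.-]+)", text)
    if m and m.group(1).rstrip(".") not in OUR_OUTBOUND_HOSTS:
        reasons.append(f"original queued on {m.group(1).rstrip('.')}, not one of our relays")

    # 3. Did the notifier's own domain authenticate?  Weak alone, cumulative with the rest.
    if re.search(r"\bdmarc=fail\b", msg.get("Authentication-Results", "")):
        reasons.append("notifier domain fails DMARC")

    # 4. A genuine DSN returns the original message, not an unrelated file.
    for part in msg.walk():
        if not part.is_multipart() and part.get_content_type() not in DSN_PART_TYPES:
            reasons.append(f"unexpected attachment: {part.get_filename() or part.get_content_type()}")

    verdict = "backscatter / forged bounce" if len(reasons) >= 2 else "plausible bounce of our own mail"
    return {"looks_like_dsn": looks_like_dsn, "reasons": reasons, "verdict": verdict}

if __name__ == "__main__":
    print(classify_bounce(SAMPLE_BOUNCE))
```

The check that does the real work is the first one: if the referenced message never left your own mail server, nothing the notice says about it matters, and the attachment is the payload rather than the returned original.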

ChatGPT5 – Check Notification/Bounce Email for Phishing

I spotted a clever phishing attempt that looked like a mail-delivery delay notice. It claimed a message from our alias, we******@**********ks.com, was stuck in a Czech mail queue. But the headers failed SPF, DKIM, and DMARC checks. That means the email didn’t come from our systems—it was likely forged. Plus, real bounce messages usually include the undelivered email in plain text—not a suspicious attachment from a weird server. Bottom line: it’s backscatter spam, not a legitimate bounce. Don’t open the attachment. Just delete it and stay cautious.

I received what I believed was a cleverly designed phishing attempt in my inbox.

My thought was to examine it to determine a little more detail about it and see what AI thought of it. The “----------” characters are something I tend to use as delineators when inserting these long streams of data as part of my prompt. My experience with all of the AI systems I use has been that they are understood as delineation strings.

I discovered that email addresses were automatically wiped from the material as displayed in this site by a great anti-spam plugin called CleanTalk. I highly recommend CleanTalk and it can be checked out here using our affiliate link. This helps support us as well.

This was my output after feeding all the info I had to ChatGPT5.


My Lengthy Prompt Containing Data to Examine the Email

I have gotten this message in my inbox. I am leery of it because it has an attachment. Here is the text of the message:

----------

Delivery delayed:Portal document ready statement available

Mail Delivery System<Ma***********@*****et.cz>
zo*******@***oo.com
This message was created automatically by mail delivery software.
A message that you sent has not yet been delivered to one or more of its
recipients after more than 48 hours on the queue on smtp.starnet.cz.

The message identifier is:     1usP7V-00EFty-2r
The subject of the message is: Portal document ready statement available
The date of the message is:    Sat, 30 Aug 2025 19:12:06 +0200

The address to which the message has not yet been delivered is:

zo*******@***oo.com
host mta6.am0.yahoodns.net [98.136.96.91]
Delay reason: SMTP error from remote mail server after pipelined MAIL FROM:<we******@**********ks.com> SIZE=5077:
421 4.7.0 [TSS04] Messages from 92.62.225.36 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes
SMTP Error Codes
SMTP Error Codes
postmaster.yahooinc.com

No action is required on your part. Delivery attempts will continue for
some time, and this warning may be repeated at intervals if the message
remains undelivered. Eventually the mail delivery software will give up,
and when that happens, the message will be returned to you.

----------

And here is the “View Message Details” from my Outlook webmail. I notice that someplace it seems to indicate it was received from we******@**********ks.com, which I believe is not really possible since we******@**********ks.com is an alias to our su*****@**********ks.com email address:

----------

Message Details
Received: from SJ5PPF92ECB6678.namprd11.prod.outlook.com
(2603:10b6:a0f:fc02::846) by PH8PR11MB6803.namprd11.prod.outlook.com with
HTTPS; Mon, 1 Sep 2025 19:11:46 +0000
Received: from MN2PR15CA0041.namprd15.prod.outlook.com (2603:10b6:208:237::10)
by SJ5PPF92ECB6678.namprd11.prod.outlook.com (2603:10b6:a0f:fc02::846) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9073.25; Mon, 1 Sep
2025 19:11:44 +0000
Received: from BN3PEPF0000B070.namprd21.prod.outlook.com
(2603:10b6:208:237:cafe::c5) by MN2PR15CA0041.outlook.office365.com
(2603:10b6:208:237::10) with Microsoft SMTP Server (version=TLS1_3,
cipher=TLS_AES_256_GCM_SHA384) id 15.20.9073.27 via Frontend Transport; Mon,
1 Sep 2025 19:11:44 +0000
Authentication-Results: spf=none (sender IP is 92.62.225.36)
smtp.helo=smtp.starnet.cz; dkim=none (message not signed)
header.d=none;dmarc=fail action=none header.from=starnet.cz;compauth=pass
reason=105
Received-SPF: None (protection.outlook.com: smtp.starnet.cz does not designate
permitted sender hosts)
Received: from smtp.starnet.cz (92.62.225.36) by
BN3PEPF0000B070.mail.protection.outlook.com (10.167.243.75) with Microsoft
SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.9115.0
via Frontend Transport; Mon, 1 Sep 2025 19:11:43 +0000
Received: from Debian-exim by smtp.starnet.cz with local (Exim 4.96)
id 1ut9wD-005kL4-08
for we******@**********ks.com;
Mon, 01 Sep 2025 21:11:33 +0200
Auto-Submitted: auto-replied
From: Mail Delivery System <Ma***********@*****et.cz>
To: we******@**********ks.com
References: <68**********************************@***co.net>
Content-Type: multipart/report; report-type=delivery-status; boundary=1756753893-eximdsn-642087814
MIME-Version: 1.0
Subject: Warning: message 1usP7V-00EFty-2r delayed 48 hours
Message-Id: <E1***************@**********et.cz>
Date: Mon, 01 Sep 2025 21:11:33 +0200
Return-Path: <>
X-MS-Exchange-Organization-ExpirationStartTime: 01 Sep 2025 19:11:43.7145
(UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id:
e54132a9-871b-4e6e-8961-08dde98b6398
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 87733afe-0d9d-4701-bcd1-865bd5674a0b:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic:
BN3PEPF0000B070:EE_|SJ5PPF92ECB6678:EE_|PH8PR11MB6803:EE_
X-MS-Exchange-Organization-AuthSource:
BN3PEPF0000B070.namprd21.prod.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Office365-Filtering-Correlation-Id: e54132a9-871b-4e6e-8961-08dde98b6398
X-MS-Exchange-Organization-SCL: 1
X-Microsoft-Antispam:
BCL:0;ARA:13230040|1930700014|12012899012|4013099003|4053099003;
X-Forefront-Antispam-Report:
CIP:92.62.225.36;CTRY:CZ;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:smtp.starnet.cz;PTR:smtp.starnet.cz;CAT:NONE;SFS:(13230040)(1930700014)(12012899012)(4013099003)(4053099003);DIR:INB;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 01 Sep 2025 19:11:43.4764
(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: e54132a9-871b-4e6e-8961-08dde98b6398
X-MS-Exchange-CrossTenant-Id: 87733afe-0d9d-4701-bcd1-865bd5674a0b
X-MS-Exchange-CrossTenant-AuthSource:
BN3PEPF0000B070.namprd21.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SJ5PPF92ECB6678
X-MS-Exchange-Transport-EndToEndLatency: 00:00:02.7834666
X-MS-Exchange-Processed-By-BccFoldering: 15.20.9052.000
X-Microsoft-Antispam-Mailbox-Delivery:
ucf:0;jmr:0;auth:0;dest:I;ENG:(910005)(944506478)(944626604)(4710137)(4713098)(4999163)(920097)(930097)(140003);
X-Microsoft-Antispam-Message-Info:
=?us-ascii?Q?5OVkyT0/RNWSaYutxJj077THwB9/PdRBuOcypuY4fdwzhHTozjfQsr21QcQe?=
=?us-ascii?Q?NlkVZwdxRcwD1qP0Cj/LeQciqNNJg0lbR1sV7ZBL/+hbiJydtx6tb7UP4HB4?=
=?us-ascii?Q?vSopbVg/FAl3IcJNTyrT7w4+nDXRr2JrSf5a5zQfIxcuBGLkTkVd+Be/t6x/?=
=?us-ascii?Q?BmAzftsRcoYhZTaS3zJP7FvLEP39lahyS74sRNEJdUA9XXRJ7OFA3W+9D4xB?=
=?us-ascii?Q?SNBfJ62DkBWkHJhU8cbCiXwG2kAQ851fIRm149UL+MMCyKNTx2IfSuiuPCIE?=
=?us-ascii?Q?8qKQ30lLORUEF6L762+5GncbnOWlY+pQB4umU6UVz0doun01sgNmJP7557rz?=
=?us-ascii?Q?Cc3nJbQLVFXR6QoHEAlwF8OLIB25x2MMCx1izo/uMfQtatHQysWnCrHUIROP?=
=?us-ascii?Q?Plk3eMOUGo79Q8xffqXNwC1bJyxoSXGYEutfYgohJ1eNcl3kbB7TaDQ0GgFL?=
=?us-ascii?Q?yrLREXENlpXKZ8ZrliD/5duDJuU2nkgxkry4f9icgwG/3oWTzfK+IIyGwPYu?=
=?us-ascii?Q?6HJyZu0T8Q5C+odyVNcnAw2b92FEMQZgDcIL786i4Trc5EpDUXdE40fuoJjr?=
=?us-ascii?Q?WAMg6ZAIXCE6TIyRJ2NcY/YIrE7WN3NgKgIbjYsDRYxjHaTPyyPYZltgWCIL?=
=?us-ascii?Q?Tvk/7Ci8O2vzPv1gnblZwAujV8tjGKtELysMLpQwfpD5Yf0vXi3hmsAWFSJd?=
=?us-ascii?Q?Qm++Vm1ziaH4pshpmDh+OqFPwE84vQslZDL45IudrIDSx+ZghKOdgtUUWPVQ?=
=?us-ascii?Q?cBHE2ymfPjToTG9n8bxksikVQi17JzMchnOb2iPivFeCEg5jwe3K6SOP6rM3?=
=?us-ascii?Q?ZTbrP/2Q2CPNA0TCxOGpn82N68BnXOzrIXIxjX2w9P0LGELPfzB9fiwmBFvP?=
=?us-ascii?Q?D8Y8I/fufUftBp2T/vPlU/Rpt8CyGWZXVv46lyr6AQjCJsrhTMEfVALhENFp?=
=?us-ascii?Q?/cnRi/5y2QQ5zcUH+vpl+j2LgKy0scYUdunfLt2lMgtcm9VCBs3aD7Q+fs7R?=
=?us-ascii?Q?STDliRDKLIFRbc/w4UWr0R5k2YtYoCiPfGb9dLPT4rW6b+q+mBjyBdH6ZcNm?=
=?us-ascii?Q?M5mI7k/OeyESkiU7EqcqlNVUp5WXtKwYC4XFBMPpa/G/vw0g3Lf5s4Dh2x1h?=
=?us-ascii?Q?pbJSnlU47l5JfYaUVOFtd2dtIb/P/MxAadCdjK4+VNeb+GE24nPQOodYuKq7?=
=?us-ascii?Q?b7aQj4QiI5GHLZtigvUBPjaVLihk9DgzWgtDU0uD0sPPcUeYS0lqpNn/pXO3?=
=?us-ascii?Q?uoVfZZEW+WbUkX4p6Hbc2DOdNhf7JolbHhutiV/af6HG1JP6XyRpPql9ktqY?=
=?us-ascii?Q?UjPctaNohn6SnD/eTOMc5h940DpnSxmK8Sit6zzjkskO5Oh2loHXzLZx9K6h?=
=?us-ascii?Q?3Z7ALPCOmJYZ5/8HTfffnmpTmJqtA4b59A7wzB1ioi5eyzGz8XWUpDTUG9I7?=
=?us-ascii?Q?o7FXtzDdnizQM3Gp89GOYKqwL5YjUM2SGAWWAD6fEUYc1m76yNNWW208cPiU?=
=?us-ascii?Q?HqT7SYDu4UHplLHTdM+hogeWNzkzlPWcbescWpfa7mI2F1SA1B3+lTwmqFr8?=
=?us-ascii?Q?h0jrZ7+2LlOIrY73TcJLlx3KgpYx6aHVZN1vw2x1sYnVU62Zs9mCE+evJuBp?=
=?us-ascii?Q?ycrgY//qeKOctC4R6uBsDjKiLQhKnGtvw0+3+IHqt1X2i9BnWv/aNl86oJoE?=
=?us-ascii?Q?w5SEqnkMAXwQUcEnghREl9BbldfT2Wwy2G9wUlOm9MBVpmr1viO99rfSZnTk?=
=?us-ascii?Q?yaft+ZphGO7Ic6DRgRudljAnEIJ0z5+3cs4nn8zfYh/FKCOIkFFaVDG2e6xg?=
=?us-ascii?Q?livk6Ljgh0MlfcOLHID6g+whbvaukhKyFnYBdxB83kRjXIdGFfXmd9/zM9LC?=
=?us-ascii?Q?vCVxAJW2xzC64Hs2uZn+axHU21jD8XWeEt2PhD0io1RoUWmU3RtT4POX7NoX?=
=?us-ascii?Q?ONSD83WNfBTEfjDgSvhlAc75Stcu13bvB5y2v5ykPPvusjr6Nk87pUYB+IGL?=
=?us-ascii?Q?As7XH/WcIK7f88X6KWbjKbdTRuTgoBKMpGmTqRdC9JAAVJe1Ryn8r0uDzGCb?=
=?us-ascii?Q?bv0UMzmC?=

----------

ChatGPT5’s Response

Charles, you’re right to be suspicious of this one. Let me break down what’s going on:


Why this message looks suspicious

  1. It claims to be a bounce/delay notice (“Delivery delayed…”) but:
    • It references we******@**********ks.com as the sender, even though you said that’s only an alias to support@. Bounce messages should go to the true return-path, not a made-up alias.
    • The headers show it was generated at smtp.starnet.cz (a Czech mail host you don’t use), not at any CharlesWorks system.
    • The “From” address is Ma***********@*****et.cz, but the bounce references your domain—classic sign of backscatter spam or spoofing.
  2. SPF, DKIM, DMARC failures
    • Authentication results show spf=none, dkim=none, dmarc=fail. That means the message did not pass the checks expected for a real bounce from your systems.
  3. Attachment present
    • A genuine bounce or delay notice usually has the undelivered email inline as plain text, sometimes with a small attachment containing delivery-status info. But because this came from an unrelated server in another country, the attachment is likely malicious (a lure to get you to open malware).

What probably happened

  • Spammers forged your address (we******@**********ks.com) as the envelope sender on junk mail sent to zo*******@***oo.com.
  • Yahoo deferred it (the 421 error you see).
  • The spammer’s sending server (starnet.cz) generated a “delay” notice back to the forged sender—you.
  • So this “bounce” is not really about mail you sent, but collateral noise from someone abusing your domain.

What you should do

  • Do not open the attachment. Treat it as malicious. Delete the whole message.
  • No action needed to “fix” delivery—since you didn’t send this, there’s nothing to re-deliver.
  • Best practices for protection:
    • Keep your SPF, DKIM, and DMARC records in place and correct (with DMARC set at least to p=quarantine when you’re comfortable).
    • Monitor your mail logs on your real servers if you want reassurance that no real messages are stuck.
    • Be aware that “backscatter” like this is unfortunately common when spammers forge your domain.

👉 Bottom line: This was not a legitimate bounce of your own mail. It’s a spoof/backscatter with a dangerous attachment. Safest move is just delete it.

Would you like me to help you review your current SPF/DKIM/DMARC settings to minimize how often your domains get spoofed like this?
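The reasoning in the response above, turned into a header check you can run locally against a suspicious bounce. This is an added example, not code from the original post or from ChatGPT; it uses only the Python standard library. `SAMPLE_HEADERS` and `SAMPLE_BODY` are a trimmed, constructed copy of the Outlook “Message Details” and notice text quoted in the post, with the masked addresses replaced by `example.com`/`example.cz` placeholders, and `OUR_RELAYS` is a hypothetical set (`mail.example.com`, `203.0.113.10`) standing in for the relays your mail really passes through.

```python
"""Triage a "delivery delayed" notice to tell backscatter from a real bounce.

Added example, not code from the original post or from ChatGPT. Standard library
only. SAMPLE_HEADERS / SAMPLE_BODY are a trimmed, constructed copy of what the
post quotes from Outlook, with masked addresses replaced by placeholders."""
import re
from email import policy
from email.parser import HeaderParser

# Constructed sample, folded like a real header block so the parser unfolds it.
SAMPLE_HEADERS = """\
Authentication-Results: spf=none (sender IP is 92.62.225.36)
 smtp.helo=smtp.starnet.cz; dkim=none (message not signed)
 header.d=none;dmarc=fail action=none header.from=starnet.cz;compauth=pass
 reason=105
Received: from Debian-exim by smtp.starnet.cz with local (Exim 4.96)
 id 1ut9wD-005kL4-08
 for webmaster@example.com;
 Mon, 01 Sep 2025 21:11:33 +0200
Auto-Submitted: auto-replied
From: Mail Delivery System <Mailer-Daemon@example.cz>
To: webmaster@example.com
Content-Type: multipart/report; report-type=delivery-status; boundary=1756753893-eximdsn-642087814
Subject: Warning: message 1usP7V-00EFty-2r delayed 48 hours
Return-Path: <>
"""

# Constructed sample of the notice text (the human-readable part of the DSN).
SAMPLE_BODY = """\
A message that you sent has not yet been delivered to one or more of its
recipients after more than 48 hours on the queue on smtp.starnet.cz.
Delay reason: SMTP error from remote mail server after pipelined MAIL FROM:<webmaster@example.com> SIZE=5077:
421 4.7.0 [TSS04] Messages from 92.62.225.36 temporarily deferred due to unexpected volume or user complaints
"""

# Hypothetical: the hosts/IPs our outbound mail actually passes through.
OUR_RELAYS = {"mail.example.com", "203.0.113.10"}
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

def parse_auth_results(msg):
    """Method -> result from Authentication-Results, e.g. {'spf': 'none', 'dmarc': 'fail'}."""
    raw = str(msg.get("Authentication-Results", ""))
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc|compauth)=([a-z]+)", raw, re.I)}

def connecting_ip(msg):
    """IP that handed the notice to our edge, from 'sender IP is x.x.x.x'."""
    m = re.search(r"sender IP is (" + IPV4 + ")", str(msg.get("Authentication-Results", "")))
    return m.group(1) if m else None

def dsn_generator(msg):
    """Host that created the notice: the 'by' host of the earliest Received header."""
    received = msg.get_all("Received") or []
    m = re.search(r"\bby\s+([\w.-]+)", str(received[-1])) if received else None
    return m.group(1).lower() if m else None

def deferred_ip(body_text):
    """IP the remote side deferred, from a Yahoo-style 421 'Messages from x.x.x.x'."""
    m = re.search(r"Messages from (" + IPV4 + r") temporarily deferred", body_text)
    return m.group(1) if m else None

def is_dsn(msg):
    """True when the message is shaped like a delivery status notification."""
    null_return_path = str(msg.get("Return-Path", "")).strip() == "<>"
    auto = str(msg.get("Auto-Submitted", "")).lower().startswith("auto-")
    report = (msg.get_content_type() == "multipart/report"
              and msg.get_param("report-type", header="Content-Type") == "delivery-status")
    return null_return_path or auto or report

def triage(raw_headers, body_text, our_relays=OUR_RELAYS):
    """Classify a queue-delay notice. A host can only hold our message in its
    queue if we relayed through it, so a delay warning generated by a host
    outside our_relays means our address was forged as the envelope sender."""
    msg = HeaderParser(policy=policy.default).parsestr(raw_headers)
    result = {"auth": parse_auth_results(msg), "reasons": []}
    if not is_dsn(msg):
        result["verdict"] = "not-a-dsn"
        return result
    gen, ip, deferred = dsn_generator(msg), connecting_ip(msg), deferred_ip(body_text)
    result.update(generator=gen, sender_ip=ip)
    if gen not in our_relays and ip not in our_relays:
        result["reasons"].append(f"notice generated by {gen} ({ip}), not a relay we send through")
    if deferred is not None and deferred == ip:
        result["reasons"].append(f"the IP the remote side deferred ({ip}) is the one that sent us this notice")
    if result["auth"].get("dmarc") == "fail":
        result["reasons"].append("DMARC failed for the notice's own From domain")
    if result["auth"].get("dkim", "none") == "none":
        result["reasons"].append("notice is unsigned (dkim=none)")
    result["verdict"] = "backscatter" if gen not in our_relays else "plausible-bounce"
    return result

if __name__ == "__main__":
    report = triage(SAMPLE_HEADERS, SAMPLE_BODY)
    print(report["verdict"], *("\n - " + r for r in report["reasons"]))
```

The decisive test is the one in `triage`: a queue-delay warning says the message is sitting in the generating host’s queue, which is only possible if your mail was handed to that host, so a warning from `smtp.starnet.cz` about mail “you” sent is backscatter unless that host is one of your relays. The `dmarc=fail`/`dkim=none` results are supporting evidence only; they describe the notice’s own From domain (`starnet.cz`), not yours. A final rejection bounce from the destination provider is a different case: there the generating host is legitimately not your relay, and the right check is whether the Message-ID the bounce quotes appears in your own outbound logs.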