One of my users got mail that really looks like a phish. They are
unaware of having an adobe account. It is DKIM signed, but looks a bit
spammy in terms of the content (low-quality HTML markup, missing
text/plain content).
Is anyone else seeing this?
Opinions on if it's real, if adobe is compromised, or ?
Return-Path: <camp@mail.adobe.com>
X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-14) on mail.example.com
X-Spam-Level:
X-Spam-Status: No, score=-7.3 required=1.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,HTML_IMAGE_RATIO_08,
HTML_MESSAGE,MAILING_LIST_MULTI,RCVD_IN_HOSTKARMA_W,
RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_SAFE,SPF_HELO_NONE,
SPF_PASS,TXREP shortcircuit=no autolearn=disabled version=4.0.0
X-Original-To: user@example.com
Delivered-To: user@mail.example.com
Received: from r42.mail.adobe.com (r42.mail.adobe.com [192.243.226.42])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mail.example.com (Postfix) with ESMTPS id E7096410756
for <user@example.com>; Wed, 22 Feb 2023 11:05:08 -0500 (EST)
Authentication-Results: mail.example.com;
dkim=pass (1024-bit key) header.d=mail.adobe.com header.i=@mail.adobe.com header.b=EtgaivIv
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.adobe.com;
s=neolane; t=1677081908;
bh=IfJX78+kf+++BGIgmI6NTSU3ZUI1dzDwNJ5pRlW6Y+w=;
h=From:Subject:Date:To:MIME-Version:Message-ID:List-Unsubscribe:
Content-Type;
b=EtgaivIvUiNOiiVI5kpGQONOWfcAOQvbfpJrGiR0xQQvORkDfj5uVp6LH3JftKL1+
E/DIsY896w9NajMG7AOHNBrDnN6+BpBx+J0OOWy62EcdYBntSnDiifQmat0CH0p7Xg
Ozw4G3a2zZc/nJ+QRBK75/Zgg2Nyg9rF+y23gufI=
X-MSFBL: XsGvftOJ+4LnDyzV1Q3igtbyPwQxb/rf8JNpMfEpA0E=|eyJyIjoibWV0QGxleG9
ydC5jb20iLCJnIjoibWlkLnJlYWN0aXZhdGlvbl8xZDBlNjMxMS02Zjk4LTRjNWI
tOGIwZS04ZGY4MGQ1Yjc3MzkiLCJiIjoiYXdzX2Fkb2JlaW50X3Byb2Q2X21pZC5
yZWFjdGl2YXRpb25fbW9tZW50dW0xOV9tdGEwMDJfMTkyLjI0My4yMjYuNDIiLCJ
yY3B0X21ldGEiOnsgImluIjogImFkb2JlaW5fbWlkX3Byb2Q2IiwgInIiOiAibWV
0QGxleG9ydC5jb20iLCAibSI6ICItMTcyMjM2MjU0IiwgImQiOiAiNjI5NTEzOTM
iLCAiaSI6ICIiIH19
Received: from [10.139.37.161] ([10.139.37.161:12939] helo=r42.mail.adobe.com)
by momentum19.or1.cpt.adobe.net (envelope-from <camp@mail.adobe.com>)
(ecelerity 4.2.38.62370 r(:)) with ESMTP
id 97/FA-14171-43D36F36; Wed, 22 Feb 2023 08:05:08 -0800
From: "Adobe" <mail@mail.adobe.com>
Subject: =?utf-8?B?SW1wb3J0YW50IGluZm9ybWF0aW9uIGFib3V0IHlvdXIgQWRvYg==?=
=?utf-8?B?ZSBhY2NvdW50?=
Date: Wed, 22 Feb 2023 08:05:07 -0800
To: <user@example.com>
Reply-To: "Adobe" <mail@mail.adobe.com>
MIME-Version: 1.0
X-mailer: nlserver, Build 6.7.0
Message-ID: <NM6C822A64203C08FE1adobein_mid_prod6@mail.adobe.com>
List-Unsubscribe: List-Unsubscribe: <mailto: camp@mail.adobe.com?subject=unsubscribe%3CNM6C822A64203C08FE1adobein_mid_prod6@mail.adobe.com%3E>
X-CSA-Complaints: whitelist-complaints@eco.de
List-Id: <-1193003540.neolane.client.com>
Precedence: bulk
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Content-Type: multipart/alternative;
charset="windows-1252";
boundary="----=_NextPart_166_5CA8CB4B.5CA8CB4B"
[SNIP]
Dear Adobe customer,<br/><br/>
We've noticed you have not logged in to your Adobe account in more =
than a year. In keeping with our policies, we are contacting you to let you=
know your Adobe ID will expire 90 days from now. If you take no action wit=
hin the next 90 days, your <a href=3D"https://t-info.mail.adobe.com/r/=3Fid=
=[RANDOM_BASE64_SUFF]" target=3D"_blank" style=3D"color:#505050; text-dec=
oration:underline;">Adobe ID</a> will no longer be valid, you will no longe=
r have access to content you may have stored on our servers and this accoun=
t will be closed.<br/><br/>
Your Adobe ID is: <strong style=3D"word-break:break-all;"><USER@E=
XAMPLE.COM></strong>
<br/><br/>
If you would like to maintain your Adobe ID listed above, you can l=
og in now to keep it active.<strong></strong></strong>
unaware of having an adobe account. It is DKIM signed, but looks a bit
spammy in terms of the content (low-quality HTML markup, missing
text/plain content).
Is anyone else seeing this?
Opinions on if it's real, if adobe is compromised, or ?
Return-Path: <camp@mail.adobe.com>
X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-14) on mail.example.com
X-Spam-Level:
X-Spam-Status: No, score=-7.3 required=1.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,HTML_IMAGE_RATIO_08,
HTML_MESSAGE,MAILING_LIST_MULTI,RCVD_IN_HOSTKARMA_W,
RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_SAFE,SPF_HELO_NONE,
SPF_PASS,TXREP shortcircuit=no autolearn=disabled version=4.0.0
X-Original-To: user@example.com
Delivered-To: user@mail.example.com
Received: from r42.mail.adobe.com (r42.mail.adobe.com [192.243.226.42])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mail.example.com (Postfix) with ESMTPS id E7096410756
for <user@example.com>; Wed, 22 Feb 2023 11:05:08 -0500 (EST)
Authentication-Results: mail.example.com;
dkim=pass (1024-bit key) header.d=mail.adobe.com header.i=@mail.adobe.com header.b=EtgaivIv
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.adobe.com;
s=neolane; t=1677081908;
bh=IfJX78+kf+++BGIgmI6NTSU3ZUI1dzDwNJ5pRlW6Y+w=;
h=From:Subject:Date:To:MIME-Version:Message-ID:List-Unsubscribe:
Content-Type;
b=EtgaivIvUiNOiiVI5kpGQONOWfcAOQvbfpJrGiR0xQQvORkDfj5uVp6LH3JftKL1+
E/DIsY896w9NajMG7AOHNBrDnN6+BpBx+J0OOWy62EcdYBntSnDiifQmat0CH0p7Xg
Ozw4G3a2zZc/nJ+QRBK75/Zgg2Nyg9rF+y23gufI=
X-MSFBL: XsGvftOJ+4LnDyzV1Q3igtbyPwQxb/rf8JNpMfEpA0E=|eyJyIjoibWV0QGxleG9
ydC5jb20iLCJnIjoibWlkLnJlYWN0aXZhdGlvbl8xZDBlNjMxMS02Zjk4LTRjNWI
tOGIwZS04ZGY4MGQ1Yjc3MzkiLCJiIjoiYXdzX2Fkb2JlaW50X3Byb2Q2X21pZC5
yZWFjdGl2YXRpb25fbW9tZW50dW0xOV9tdGEwMDJfMTkyLjI0My4yMjYuNDIiLCJ
yY3B0X21ldGEiOnsgImluIjogImFkb2JlaW5fbWlkX3Byb2Q2IiwgInIiOiAibWV
0QGxleG9ydC5jb20iLCAibSI6ICItMTcyMjM2MjU0IiwgImQiOiAiNjI5NTEzOTM
iLCAiaSI6ICIiIH19
Received: from [10.139.37.161] ([10.139.37.161:12939] helo=r42.mail.adobe.com)
by momentum19.or1.cpt.adobe.net (envelope-from <camp@mail.adobe.com>)
(ecelerity 4.2.38.62370 r(:)) with ESMTP
id 97/FA-14171-43D36F36; Wed, 22 Feb 2023 08:05:08 -0800
From: "Adobe" <mail@mail.adobe.com>
Subject: =?utf-8?B?SW1wb3J0YW50IGluZm9ybWF0aW9uIGFib3V0IHlvdXIgQWRvYg==?=
=?utf-8?B?ZSBhY2NvdW50?=
Date: Wed, 22 Feb 2023 08:05:07 -0800
To: <user@example.com>
Reply-To: "Adobe" <mail@mail.adobe.com>
MIME-Version: 1.0
X-mailer: nlserver, Build 6.7.0
Message-ID: <NM6C822A64203C08FE1adobein_mid_prod6@mail.adobe.com>
List-Unsubscribe: List-Unsubscribe: <mailto: camp@mail.adobe.com?subject=unsubscribe%3CNM6C822A64203C08FE1adobein_mid_prod6@mail.adobe.com%3E>
X-CSA-Complaints: whitelist-complaints@eco.de
List-Id: <-1193003540.neolane.client.com>
Precedence: bulk
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Content-Type: multipart/alternative;
charset="windows-1252";
boundary="----=_NextPart_166_5CA8CB4B.5CA8CB4B"
[SNIP]
Dear Adobe customer,<br/><br/>
We've noticed you have not logged in to your Adobe account in more =
than a year. In keeping with our policies, we are contacting you to let you=
know your Adobe ID will expire 90 days from now. If you take no action wit=
hin the next 90 days, your <a href=3D"https://t-info.mail.adobe.com/r/=3Fid=
=[RANDOM_BASE64_SUFF]" target=3D"_blank" style=3D"color:#505050; text-dec=
oration:underline;">Adobe ID</a> will no longer be valid, you will no longe=
r have access to content you may have stored on our servers and this accoun=
t will be closed.<br/><br/>
Your Adobe ID is: <strong style=3D"word-break:break-all;"><USER@E=
XAMPLE.COM></strong>
<br/><br/>
If you would like to maintain your Adobe ID listed above, you can l=
og in now to keep it active.<strong></strong></strong>