Subj : Re: .pls?
To   : All
From : August Abolins
Date : Tue Mar 02 2021 09:53 am

 > A new one. I've never seen a .PLS used as bait.

 > https://photos.kolico.ca/tmp/dhl.jpg
 > https://photos.kolico.ca/tmp/dhl-1.jpg


Another interesting thing about that one. Although the .pls file registers as
59B in the mail header, the actual file is 0B.

Looking at the raw message:

X-EN-OrigIP: 192.163.245.86
Received: from crystalnet by host.anmoul.net.in with local (Exim 4.93)
	(envelope-from <crystalnet@host.anmoul.net.in>)
	id 1lH1yz-00038T-AP
	for books@ashlies.ca; Tue, 02 Mar 2021 10:10:25 +0000
To: books@ashlies.ca
Subject: =?UTF-8?B?UmVtaW5kZXIsIERITCBpbmZvcm1zIHlvdSB0aGF0IHlvdXIgc2hpcG1lbnQg
TsKwIDk0MzAyNDU5Njg1IGlzIHN0aWxsIHBlbmRpbmcgIQ==?=
X-PHP-Script: crystal.net.in/mat/metoo.php for 20.52.179.36
                                 ^^^^^^^^^

From: =?UTF-8?B?REhMIEVYUFJFU1M=?= <no-reply@certideal.com>
Message-Id: <E1lH1yz-00038T-AP@host.anmoul.net.in>

Looks like this is sneaky attempt to launch a remote .php file.

I also did not realize that the header contents could be obfuscated with UTF-8
prefixes:

Subject: =?UTF-8?B?UmVtaW5kZXIsIERITCBpbmZ...

Buggers.
--- SBBSecho 3.13-Linux
 * Origin: The Rusty MailBox - Penticton, BC Canada (1:153/757.2)

.