Confirmed scam — delete it
Our AI analyst read the message body and judged it likely to be phishing.
MalwareTips analyst · message material
credential_theftThis email uses a fake fax delivery notification to trick you into opening a potentially malicious attachment.
- The sender domain is listed on the URIBL DNSBL, indicating it is associated with known spam or malicious activity.
- The email contains a suspicious URL that uses an '@' symbol trick to potentially mask the true destination of the link.
- The message uses a generic 'Dear Customer' greeting rather than addressing the recipient by name.
- The SPF record for the sender domain resulted in a soft-fail, suggesting the email may not have originated from an authorized server.
- The visual layout contains broken image placeholders and an external sender warning, which are common traits of automated phishing templates.
Do not open any attachments or click any links within this email. Delete the message immediately and do not call the phone numbers provided.
Every scoring adjustment, in dominance order. Shows exactly how we got from 100 to the final trust number.
Why this verdict
100 → 2The scorer starts every address at 100 trust and applies each signal below in turn. Negative deltas are penalties (red), positive deltas are bonuses (emerald). Final clamped trust: 2.
- AI analyst flagged 92% phishing likelihood (credential_theft).ai_phishing_detected-46
- Screenshot OCR + visual pass flagged 85/100 phishing risk: The email uses a common fax delivery lure with broken image assets and a generic 'Dear Customer' greeting. The presence of a PDF attachment combined with an external sender warning suggests a high risk of malware delivery via the attachment.screenshot_phishing_visual-26
- Listed on 1 DNSBL: URIBL.dnsbl_listed-15
- AI analyst flagged 85% spam likelihood.ai_spam_detected-13
- Domain publishes strong authentication policy: DMARC p=none · SPF soft-fail.auth_dns_published+5
Display name, domain reputation, and authentication checks for the From address.
Display-name impersonation
NO BRAND CLAIMThe display name doesn't resemble any of the top phished brands we track — this isn't a brand-impersonation attempt.
Brand-lookalike radar
okNo typosquat or homoglyph match against the top 50 phished brands.
Domain age
timeoutRDAP check did not run.
Signals extracted from the message body, embedded URLs, and uploaded screenshot.
Phishing-pattern signals
1 signalRule-based pattern matches we ran across the message body and OCR text BEFORE the AI analyst. Each is a hint, not a verdict.
- Uses a generic, impersonal greetinglow“l-Free Fax Number 8882801168 Dear Customer, From: 980 224-6995 Pages: 1”
Links extracted from this email
1 shownEach link was scored against a host-level suspicion heuristic. Click Scan link to run our full URL scanner on the destination — it'll show our verdict alongside Google Safe Browsing, VirusTotal, URLhaus, and the others.
- deluxeforbusiness.comLink uses plain HTTP, not HTTPSURL uses a user-info `@` trick that hides the real destinationSuspicion30
Screenshot vision analysis
VISUAL · 85/100The email uses a common fax delivery lure with broken image assets and a generic 'Dear Customer' greeting. The presence of a PDF attachment combined with an external sender warning suggests a high risk of malware delivery via the attachment.
- Broken image placeholders
- Generic greeting
- External sender warning banner
- Unexpected PDF attachment
- Fax delivery lure
- http://support@deluxeforbusiness.com
MX records, deliverability probe, provider classification, and DNS blocklists.
Deliverability
ok- RFC 5322 syntax valid
- 3 MX records publishedmx1c40.carrierzone.commx2c40.carrierzone.commx3c40.carrierzone.com
- SMTP probe · unknown — SMTP probe disabled (set SMTP_PROBE_ENABLED=true to enable)
Provider classification
okNot on our disposable-provider list and not a recognised consumer freemail (Gmail / Outlook / Yahoo etc.) — likely a custom domain.
DNS blocklists
okListed by 1 of 3 blocklists:
Breach history for this address and the structural identity of the sending domain.
Breach exposure (HIBP)
okHIBP_API_KEY not configured