You wonder why so many people fall for the fake delivery notifications pretending to come from postal, delivery and parcel companies.
This genuine delivery notification I received this morning explains why! Just look at the glaring errors that encourage phishing and malware spreading:
- The From: header states Yodel but the email is from hdnl.co.uk (hdnl.co.uk is a genuine Yodel domain that redirects to yodel.co.uk). Why not use yodel.co.uk to send the emails?
- No HTTPS on tracking links. A company the size of Yodel (or any other parcel delivery company) should be using HTTPS by default.
- Incorrect SPF (that is an unforgivable error from a company the size of Yodel). See the SPF report http://mxtoolbox.com/SuperTool.aspx?action=spf%3ahdnl.co.uk&run=toolpage which shows that the only allowed sending IPs or domains are outlook.com. They appear to have changed and are sending from 18.104.22.168 esmtp2.svc.netdespatch.com GB AS15395 Rackspace Ltd. There is also no DKIM authentication.

After a bit more digging, it appears that Yodel (as well as many other courier / delivery companies) allows retailers to use a 3rd party system http://www.netdespatch.com/services that sends emails directly but pretends to send from the courier company. This sort of behaviour is why so many phishing or malware attacks work.
You are so used to delivery notifications not passing email authentication that you just ignore that part and think “Oh well! I am expecting a parcel, let's see what excuse they give for the delay today”
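The SPF mismatch described above can be reproduced offline. This is an added example, not part of the original post: the TXT records are constructed stand-ins for DNS (the live records are assumptions here), `check_spf` and `FIXED` are hypothetical names, and only the `ip4`, `ip6`, `include` and `all` mechanisms are evaluated.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups (assumed, not the live records).
DNS_TXT = {
    "hdnl.co.uk": "v=spf1 include:outlook.com -all",   # only outlook.com is authorised
    "outlook.com": "v=spf1 ip4:192.0.2.0/24 -all",     # documentation range as a placeholder
}
# Hypothetical corrected record that also authorises the third-party sender's IP.
FIXED = dict(DNS_TXT, **{"hdnl.co.uk": "v=spf1 include:outlook.com ip4:18.104.22.168 -all"})

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, txt=DNS_TXT, depth=0):
    """Evaluate a subset of SPF (RFC 7208) for sender_ip against domain's record."""
    record = txt.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:  # RFC 7208 caps the number of DNS-querying mechanisms
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "include":
            inner = check_spf(arg, sender_ip, txt, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"  # include matches only on an inner pass
        else:
            continue  # a, mx, exists, redirect= etc. are outside this sketch
        if matched:
            return RESULTS[qualifier]
    return "neutral"


if __name__ == "__main__":
    # Sending IP taken from the post; it is not covered by the published record.
    print("published record:", check_spf("hdnl.co.uk", "18.104.22.168"))
    print("corrected record:", check_spf("hdnl.co.uk", "18.104.22.168", FIXED))
```

A receiving server that enforces the first result would reject or junk the genuine notification, which is the habit of ignoring authentication failures that the post describes.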
Original email looks like
Server report looks like