Von den Betreffs her Bitcoin-Spam, von der Gestaltung her passt es aber nicht ins übliche Schema

1. Spam
„lNVESTlEREN SlE JETZT, BEV0R ES ZU SPAT lST“

header:
01: Received: from full.pressat.co.uk (ec2-34-237-41-251.compute-1.amazonaws.com
02: [34.237.41.251])
03: by fra1frontrelay01.vodafonemail.de (8.15.2/8.15.2/Debian-10) with ESMTP ID: [ID filtered]
04: for <poor [at] spamvictim.tld>; Fri, 12 Feb 2021 xx:xx:xx +0100
IP 34.237.41.251 = Amazon

In Ansicht „ReinerText“
0dkpyz zndb8r g56z60 tsorr8 ltdrvu ctfi9z 61objl 24pbyt 1cqtjn apjrba r5lv76
zfdz4z hexp9x 4qft34 kgfpj0 w83roh i35w62 c2y3lu 3feofo qfmodj psj4t3 6l9zgj
rxqcvb t4t72l nocu5u qh8rgm f3pnf7 qc5to2 1yktqv yjne2z gxogpx x1470e 2nwcfb
kmqjsn 38nkit jvvkcp v34h5l x49efx e74e5a o7j16l nlrajj d907h8 mi3bsp hzosgp
l0ovnt twjyj8 xnuom6 tgbwz1 xioh64 q0yn5p rj102f 4vdqnu 7qbtg5 kue3cf 3bi2f5
ucfvsc 9mvo6i zt9mvi hgnhcv dqe7zw aters8 pp881d dd3qgr 4cnqi5 a2umil exmr87
...
...

Meine E-Mail-Adresse
whois:http://t158.adsage.com/trc/track/x.gif?acc=schnapp

Fri, 12 Feb 2021 13:16:46 +0000 Meine E-Mail-Adresse
Die letzte Zeile steht nicht weniger als 71 Mal da.


2. Spam, mit interessantem Header
„~ 'So verdreifachen Sie Ihre Bitcoin-Investition' ~“

header:
01: Delivered-To: [color=red]meine aidi bei Vodafone[/color]
02: ...
03: ...
04: Received: from webwerks.com (ec2-34-202-108-247.compute-1.amazonaws.com
05: [34.202.108.247])
06: by fra1frontrelay11.vodafonemail.de (8.15.2/8.15.2/Debian-10) with ESMTP ID: [ID filtered]
07: [color=red]Meine E-Mail-Adresse[/color]; Wed, 17 Feb 2021 xx:xx:xx +0100
08: Authentication-Results: fra1frontrelay11.vodafonemail.de; dmarc=fail (p=none dis=none)
09: header.from=nebenan.de
10: Authentication-Results: fra1frontrelay11.vodafonemail.de;
11: dkim=fail reason="unknown key version" (0-bit key; unprotected) header.d=nebenan.de
12: header.i=no-reply [at] nebenan.de header.b="CbeOAIts";
13: dkim=fail reason="signature verification failed" (2048-bit key; unprotected)
14: header.d=nebenan.de header.i=@nebenan.de header.b="UbC6bvpP";
15: dkim-atps=neutral
16: DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=smtp; d=nebenan.de;
17: h=Date:From:To:Message-ID:Subject:Mime-Version:Content-Type:Content-Transfer-Encoding;
18: i=no-reply [at] nebenan.de;
19: ...
20: ...
21: Delivered-To: [color=red]Vodafone-aidi von jemand anderem[/color]
22: Received: from imap-director-5.dovecot.xion.oxcs.net ([10.10.5.5])
23: by imap-backend-26.dovecot.xion.oxcs.net with LMTP
24: ID: [ID filtered]
25: (envelope-from <no-reply [at] nebenan.de>)
26: [color=red]Vodafone-aidi von jemand anderem[/color]; Sun, 14 Feb 2021
27: xx:xx:xx +0000
28: Received: from mx020l.vodafonemail.xion.oxcs.net ([10.10.2.20])
29: by imap-director-5.dovecot.xion.oxcs.net with LMTP ID: [ID filtered]
30: ; Sun, 14 Feb 2021 xx:xx:xx +0000
31: Received: from vsmx001.vodafonemail.xion.oxcs.net (mta-5.mta.xion.oxcs.net
32: [10.10.2.5])
33: (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
34: (No client certificate requested)
35: by mx020l.vodafonemail.xion.oxcs.net (Postfix) with ESMTPS ID: [ID filtered]
36: [color=red]fremde E-Mail-Adresse[/color]; Sun, 14 Feb 2021 xx:xx:xx +0000
37: (UTC)
38: Received: from fra1frontrelay14.vodafonemail.de (unknown [2.207.150.239])
39: (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
40: (No client certificate requested)
41: by vsmx001.vodafonemail.xion.oxcs.net (Postfix) with ESMTPS ID: [ID filtered]
42: [color=red]fremde E-Mail-Adresse[/color]; Sun, 14 Feb 2021 xx:xx:xx +0000
43: (UTC)
44: Received: from smtp170-20.mail.nebenan.de (smtp170-20.mail.nebenan.de
45: [188.40.170.20])
46: by fra1frontrelay14.vodafonemail.de (8.15.2/8.15.2/Debian-10) with ESMTPS ID: [ID filtered]
47: (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT)
48: [color=red]fremde E-Mail-Adresse[/color]; Sun, 14 Feb 2021 xx:xx:xx +0100
49: Authentication-Results: fra1frontrelay14.vodafonemail.de; dmarc=pass (p=none dis=none)
50: header.from=nebenan.de
51: Authentication-Results: fra1frontrelay14.vodafonemail.de;
52: dkim=pass (2048-bit key; unprotected) header.d=nebenan.de header.i=@nebenan.de
53: header.b="UbC6bvpP";
54: dkim-atps=neutral
55: Received: from nebenan-job-10-3-129-128.localdomain (inbound.mail.nebenan.de
56: [188.40.170.1])
57: by smtp170-20.mail.nebenan.de (Postfix) with ESMTP ID: [ID filtered]
58: [color=red]fremde E-Mail-Adresse[/color]; Sun, 14 Feb 2021 xx:xx:xx +0000
59: (UTC)
60: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nebenan.de; s=250920;
61: t=1613311347; bh=BjIkD80MDNZw5OIM/0tN+FvpKNZAMp7wVO3nuF22Ttg=;
62: h=Date:From:To:Subject:From;
63: b=UbC6bvpPkbHR0phnWiTrhTf+Whvze51TBGbEIh9DbqTTm6BaWOJVqC7HigA8fMS5o
64: GgVDJheA6KMur3ZOO5mErSmJhqI00YNkMiOdDRR2tpERaT/HyiH6OuG3+Ka0Z4QfWJ
65: zNBl53ebufAQDmMXwNatGMO2v3BVs4AJuskx0ks1+P59oPtC6W/RejaSH5HAmavpS1
66: Mx2K/3euztnNO5PmOKaqYUPnIUzmyDjgA1YMiefrUXS/SWaFcMBXuT5VKJb1btolwQ
67: zjgcYnWJYX3YKetURsHwbnB2+6HRz+yiOWSPfq9z9vQicgEdkLn+emrn3/0pnUsU21
68: XEv3+5tN/tIbA==
69: Received: from nebenan.de (localhost [127.0.0.1])
70: by nebenan-job-10-3-129-128.localdomain (Postfix) with ESMTP ID: [ID filtered]
71: [color=red]fremde E-Mail-Adresse[/color]; Sun, 14 Feb 2021 xx:xx:xx +0100
72: (CET)
73: Date: Sun, 14 Feb 2021 xx:xx:xx +0100
74: From: "2DF.DE" <no-reply [at] nebenan.de>
75: To: [color=red]fremde E-Mail-Adresse[/color]
(aidi = ID, wenn ich ID schreibe wird mein Text aber automatisch geändert; leider schaffe ich es auch nicht, im Header rot zu färben)

IP 34.202.108.247 = Amazon
IP 188.40.170.1 und 188.40.170.20 = Schwarzhut Hetzner

Vom Header her sieht das erst mal so aus, als ob der zweite Spam am 14.2.21 erst an wen anderes geschickt worden wäre und von dort am 17.2.21 an mich weitergeleitet worden wäre, freiwillig oder unfreiwillig.

Der Inhalt des Spams spricht aber dagegen:

In „Reiner Text“ gibt es gar nichts.
In vereinfachtem HTML
d0gkmd5jv wr5fde88k jei6ef01b 1fa4sjshr osg9ehj43 18x40knp0 y0oepnsuo c80weoevs 8z85goecu 2aoiqn5vq r8pswpld0 acl33saur 42vuzx6c7 1rxp8hyt4 4kvurbvrq 8rub80m2g xv8ubrpyy elmas9ony 7dk8oc47z 5txrz9tiz sygrr6dly 54pfryxhd 8hr005bqw v6yuui30x yoz4baohm b8dcy7x7a fi0no8ucq tew4p6zkl wkjyf44gw ld8vb5wl6 kor4dsurq yaveziia1 3n0e4zf73 upwvdvifi fut5l7gws 869lg0x0x
...
...

Meine E-Mail-Adresse *)

Wed, 17 Feb 2021 11:51:07 +0000 Meine E-Mail-Adresse
Die letzte Zeile steht 31 Mal da.

*) hier verbirgt sich der Link whois:http://0120731761.com/blog/?wptouch_switch=mobile&redirect=//schnapp

Was hat die Spammerbande da gedreht?
Oder sollte das System von Vodafone undicht sein?