password phish

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Fri, 06 May 2022 16:10:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))

(envelope-from )

id 1nn68H-0006Re-Ff

for dave@doctor.nl2k.ab.ca;

Fri, 06 May 2022 16:09:05 -0600

Resent-From: The Doctor

Resent-Date: Fri, 6 May 2022 16:09:05 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from marula.iwayafrica.co.zw ([41.190.32.8]:52008 helo=smtp11.utande.co.zw)

by doctor.nl2k.ab.ca with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

(Exim 4.95 (FreeBSD))

(envelope-from )

id 1nn3xA-000Lsm-OL

for root@nl2k.ab.ca;

Fri, 06 May 2022 13:49:33 -0600

Received: from [196.44.176.151] (port=39354 helo=pop3.utande.co.zw)

by smtp11.utande.co.zw with esmtp (Exim 4.94)

(envelope-from )

id 1nn3wo-0001Uk-2N

for root@nl2k.ab.ca; Fri, 06 May 2022 21:49:06 +0200

Received: from [192.168.1.101] (unknown [85.237.194.26])

by pop3.utande.co.zw (Postfix) with ESMTPSA id 082222005A5039

for ; Fri, 6 May 2022 21:49:03 +0200 (CAT)

Content-Type: multipart/alternative; boundary="===============0977781784=="

MIME-Version: 1.0

Subject: Account Deactivation Request for root@nl2k.ab.ca

To: root@nl2k.ab.ca

From: "ITHELP DESK"

Date: Fri, 06 May 2022 12:48:58 -0700

Message-Id: ac449dabff3c898a2a93ba86b377fe48@smtp11.utande.co.zw

X-Spam_score: 8.1

X-Spam_score_int: 81

X-Spam_bar: ++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Dear root@nl2k.ab.ca , Series of account deactivation requests

have been made from your Email Address root@nl2k.ab.ca . If you did not make

this request, stop the process by clicking Stop Deactivation and follow the

instruc [...]



Content analysis details: (8.1 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.0 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)

0.0 HTML_MESSAGE BODY: HTML included in message

2.4 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level

above 50%

[cf: 100]

1.7 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)

0.4 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%

[cf: 100]

-0.0 T_SCC_BODY_TEXT_LINE No description available.

1.5 FSL_BULK_SIG Bulk signature with no Unsubscribe

1.2 INVALID_MSGID Message-Id is not valid, according to RFC 2822

0.0 KHOP_HELO_FCRDNS Relay HELO differs from its IP's reverse DNS

0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was

blocked. See

http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block

for more information.

[URIs: 360autodisplayusa.com, cranstonfamilyclinic.com]

Subject: {SPAM?} Account Deactivation Request for root@nl2k.ab.ca



You will not see this in a MIME-aware mail reader.

--===============0977781784==

Content-Type: text/plain; charset="utf-8"

MIME-Version: 1.0

Content-Transfer-Encoding: quoted-printable

Content-Description: Mail message body



Dear root@nl2k.ab.ca ,



Series of account deactivation requests have been made from your Email Addr=

ess root@nl2k.ab.ca . If you did not make this request, stop the process b=

y clicking Stop Deactivation and follow the instruction.



You have 12 Hours after Notification or your account will be closed. =



Note:Move the email to your Inbox to stop the deactivation



=A9 Support Team- Support Team.



--===============0977781784==

Content-Type: text/html; charset="utf-8"

MIME-Version: 1.0

Content-Transfer-Encoding: quoted-printable

Content-Description: Mail message body




=3Dutf-8"/>
)">Dear 
 
30)">root@nl2k.ab.ca
  
R: rgb(32,31,30)">,


COLOR: rgb(32,31,30)">

R: rgb(32,31,30)">Ser=

ies of account deactivation requests have been made from your Email Address=

  root@nl2k.ab.ca . If you did not make this request, stop the process=

by clicking 

x; BORDER-RIGHT-WIDTH: 0px; VERTICAL-ALIGN: baseline; BORDER-BOTTOM-WIDTH: =

0px; COLOR: rgb(17,85,204); PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-=

LEFT: 0px; MARGIN: 0px; PADDING-RIGHT: 0px; BORDER-TOP-WIDTH: 0px; font-var=

iant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inhe=

rit" href=3D"https://cranstonfamilyclinic.com/zimbra/webner/" rel=3D"noopen=

er noreferrer" target=3D_blank data-saferedirecturl=3D"https://www.google.c=

om/url?q=3Dhttps://www.360autodisplayusa.com/SDCFVSD/97884/38840/&sourc=

e=3Dgmail&ust=3D1651946190854000&usg=3DAOvVaw34_KBx6BqJneO9I9txdpVD=

">Stop Deactivation

"> and follow the instruction.


ONT-SIZE: 15px; COLOR: rgb(32,31,30)">

SIZE: 15px; COLOR: rgb(32,31,30)">
b(32,31,30)">You have 12 Hours after Notification or your account will be c=

losed. 



0px; VERTICAL-ALIGN: baseline; BORDER-BOTTOM-WIDTH: 0px; COLOR: rgb(32,31,3=

0); PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px; =

PADDING-RIGHT: 0px; BORDER-TOP-WIDTH: 0px; font-variant-numeric: inherit; f=

ont-variant-east-asian: inherit; font-stretch: inherit">

rue>



0px; VERTICAL-ALIGN: baseline; BORDER-BOTTOM-WIDTH: 0px; COLOR: rgb(32,31,3=

0); PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px; =

PADDING-RIGHT: 0px; BORDER-TOP-WIDTH: 0px; font-variant-numeric: inherit; f=

ont-variant-east-asian: inherit; font-stretch: inherit">Note:Move the email=

to your Inbox to stop the deactivation


en=3Dtrue>=C2=A9 Support Team- Support Team.

ONT-FAMILY: Arial, Helvetica, sans-serif; WHITE-SPACE: normal; WORD-SPACING=

: 0px; TEXT-TRANSFORM: none; FONT-WEIGHT: 400; COLOR: rgb(32,31,30); FONT-S=

TYLE: normal; ORPHANS: 2; WIDOWS: 2; LETTER-SPACING: normal; BACKGROUND-COL=

OR: rgb(255,255,255); TEXT-INDENT: 0px; font-variant-ligatures: normal; fon=

t-variant-caps: normal; -webkit-text-stroke-width: 0px; text-decoration-thi=

ckness: initial; text-decoration-style: initial; text-decoration-color: ini=

tial">


--===============0977781784==--

Sexual Blackmail phishing scam

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Fri, 06 May 2022 16:01:01 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))

(envelope-from )

id 1nn5zk-0005mu-0b

for dave@doctor.nl2k.ab.ca;

Fri, 06 May 2022 16:00:16 -0600

Resent-From: The Doctor

Resent-Date: Fri, 6 May 2022 16:00:15 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from r186-55-16-17.dialup.adsl.anteldata.net.uy ([186.55.16.17]:14617)

by doctor.nl2k.ab.ca with esmtp (Exim 4.95 (FreeBSD))

(envelope-from )

id 1nn0St-0003OF-FG

for root@nk.ca;

Fri, 06 May 2022 10:06:05 -0600

Message-ID: <002301d86149$0269536f$47a7d4ad@uaegrxss>

From:

To:

Subject: You have an outstanding payment. Debt settlement required.

Date: 6 May 2022 08:44:40 -0400

MIME-Version: 1.0

Content-Type: text/plain;

charset="windows-1250"

Content-Transfer-Encoding: 8bit

X-Priority: 3

X-MSMail-Priority: Normal

X-Mailer: Microsoft Outlook Express 6.00.2600.0000

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

X-Spam_score: 14.5

X-Spam_score_int: 145

X-Spam_bar: ++++++++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Hello! Unfortunately, I have some unpleasant news for you.

Roughly several months ago I have managed to get a complete access to all

devices that you use to browse internet. Afterwards, I have proceeded with

[...]



Content analysis details: (14.5 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

0.2 CK_HELO_GENERIC Relay used name indicative of a Dynamic Pool or

Generic rPTR

1.6 RCVD_IN_BRBL_LASTEXT RBL: No description available.

[186.55.16.17 listed in bb.barracudacentral.org]

1.1 DATE_IN_PAST_03_06 Date: is 3 to 6 hours before Received: date

-0.0 T_SCC_BODY_TEXT_LINE No description available.

0.0 AXB_XMAILER_MIMEOLE_OL_024C2 Yet another X header trait

0.4 RDNS_DYNAMIC Delivered to internal network by host with

dynamic-looking rDNS

0.5 PDS_BTC_ID FP reduced Bitcoin ID

3.2 HELO_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP

addr 1)

2.5 HELO_DYNAMIC_HCC Relay HELO'd using suspicious hostname (HCC)

0.0 BITCOIN_XPRIO Bitcoin + priority

0.2 HDR_ORDER_FTSDMCXX_DIRECT Header order similar to spam

(FTSDMCXX/boundary variant) + direct-to-MX

0.0 PDS_BTC_MSGID Bitcoin ID with T_MSGID_NOFQDN2

1.7 MIMEOLE_DIRECT_TO_MX MIMEOLE + direct-to-MX

3.1 DOS_OE_TO_MX Delivered direct to MX with OE headers

Subject: {SPAM?} You have an outstanding payment. Debt settlement required.



Hello!



Unfortunately, I have some unpleasant news for you.

Roughly several months ago I have managed to get a complete access to all devices that you use to browse internet.

Afterwards, I have proceeded with monitoring all internet activities of yours.



You can check out the sequence of events summarize below:

Previously I have bought from hackers a special access to various email accounts (currently, it is rather a straightforward thing that can be done online).

Clearly, I could effortlessly log in to your email account as well (root@nk.ca).



One week after that, I proceeded with installing a Trojan virus in Operating Systems of all your devices, which are used by you to login to your email.

Actually, that was rather a simple thing to do (because you have opened a few links from your inbox emails previously).

Genius is in simplicity. ( ~_^)



Thanks to that software I can get access to all controllers inside your devices (such as your video camera, microphone, keyboard etc.).

I could easily download all your data, photos, web browsing history and other information to my servers.

I can access all your social networks accounts, messengers, emails, including chat history as well as contacts list.

This virus of mine unceasingly keeps refreshing its signatures (since it is controlled by a driver), and as result stays unnoticed by antivirus software.



Hereby, I believe by this time it is already clear for you why I was never detected until I sent this letter...



While compiling all the information related to you, I have also found out that you are a true fan and frequent visitor of adult websites.

You truly enjoy browsing through porn websites, while watching arousing videos and experiencing an unimaginable satisfaction.

To be honest, I could not resist but to record some of your kinky solo sessions and compiled them in several videos, which demonstrate you masturbating and cumming in the end.



If you still don't trust me, all it takes me is several mouse clicks to distribute all those videos with your colleagues, friends and even relatives.

In addition, I can upload them online for entire public to access.

I truly believe, you absolutely don't want such things to occur, bearing in mind the kinky stuff exposed in those videos that you usually watch, (you definitely understand what I am trying to say) it will result in a complete disaster for you.



We can still resolve it in the following manner:

You perform a transfer of $1590 USD to me (a bitcoin equivalent based on the exchange rate during the funds transfer), so after I receive the transfer, I will straight away remove all those lecherous videos without hesitation.

Then we can pretend like it has never happened before. In addition, I assure that all the harmful software will be deactivated and removed from all devices of yours. Don't worry, I am a man of my word.



It is really a good deal with a considerably low the price, bearing in mind that I was monitoring your profile as well as traffic over an extended period.

If you still unaware about the purchase and transfer process of bitcoins - all you can do is find the necessary information online.



My bitcoin wallet is as follows: 1MW4maqRuqi62YiRNMaBiHT65WJJMEAvQw



You are left with 48 hours and the countdown starts right after you open this email (2 days to be specific).



Don't forget to keep in mind and abstain from doing the following:

> Do not attempt to reply my email (this email was generated in your inbox together with the return address).

> Do not attempt to call police as well as other security services. Moreover, don't even think of sharing it with your friends. If I get to know about it (based on my skills, that would be very easy, since that I have all your systems under my control and constant monitoring) - your dirty video will become public without delay.

> Don't attempt searching for me - it is completely useless. Cryptocurrency transactions always remain anonymous.

> Don't attempt reinstalling the OS of your devices or even getting rid of them. It is meaningless too, because all your private videos are already been available on remote servers.



Things you should be concerned about:

> That I will not receive the funds transfer you make.

Relax, I will be able to track it immediately, after you complete the funds transfer, because I unceasingly monitor all activities that you do (trojan virus of mine can control remotely all processes, same as TeamViewer).

> That I will still distribute your videos after you have sent the money to me.

Believe me, it is pointless for me to proceed with troubling you after that. Besides that, if that really was my intention, it would happen long time ago!



It all will be settled on fair conditions and terms!



One last advice from me... Moving forward make sure you don't get involved in such type of incidents again!

My suggestion - make sure you change all your passwords as often as possible.



Canada post phish from Russia

Return-path: <>

Envelope-to: dave@nk.ca

Delivery-date: Thu, 05 May 2022 05:04:00 -0600

Received: from [109.237.96.57] (port=60331 helo=businessbuy.ru)

by doctor.nl2k.ab.ca with esmtp (Exim 4.95 (FreeBSD))

id 1nmZG6-0001po-7L

for dave@nk.ca;

Thu, 05 May 2022 05:03:03 -0600

MIME-Version: 1.0

Message-Id:

From:Canada Post

Subject:Distribution On hold,Open immediately!!

Reply-To: reply_to@businessbuy.ru

To: dave@nk.ca

Content-Transfer-Encoding: 7bit

Content-Type: text/html; charset=UTF-8

Date: Thu, 05 May 2022 13:00:21 +0200

X-Spam_score: 18.3

X-Spam_score_int: 183

X-Spam_bar: ++++++++++++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Delivery failed. Your delivery has been redirected. The shipment

371-34632900 from a webshop has been detained, due to missing information.





Content analysis details: (18.3 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in

bl.spamcop.net

[Blocked - see ]

2.7 RCVD_IN_PSBL RBL: Received via a relay in PSBL

[109.237.96.57 listed in psbl.surriel.com]

0.5 FROM_LOCAL_NOVOWEL From: localpart has series of non-vowel

letters

2.2 FROM_WSP_TRAIL Trailing whitespace before '>' in From header

field

1.0 HK_RANDOM_FROM From username looks random

-0.2 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)

[109.237.96.57 listed in wl.mailspike.net]

-0.0 SPF_HELO_PASS SPF: HELO matches SPF record

0.0 HTML_MESSAGE BODY: HTML included in message

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

2.4 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level

above 50%

[cf: 100]

1.7 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)

0.4 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%

[cf: 100]

-0.0 T_SCC_BODY_TEXT_LINE No description available.

1.5 FSL_BULK_SIG Bulk signature with no Unsubscribe

1.3 RDNS_NONE Delivered to internal network by a host with no rDNS

2.0 HDRS_MISSP Misspaced headers

0.4 FROM_ADDR_WS Malformed From address

Subject: {SPAM?} Distribution On hold,Open immediately!!