Phish attempt from Germany
Posted by Dave Yadallee on
Return-path:
Envelope-to: dave@doctor.nl2k.ab.ca
Delivery-date: Fri, 20 May 2022 13:56:00 -0600
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))
(envelope-from
id 1ns8iK-0002Zy-Ry
for dave@doctor.nl2k.ab.ca;
Fri, 20 May 2022 13:55:08 -0600
Resent-From: The Doctor
Resent-Date: Fri, 20 May 2022 13:55:08 -0600
Resent-Message-ID:
Resent-To: Dave Yadallee
Received: from srv.legenditds.com ([5.9.106.86]:58084)
by doctor.nl2k.ab.ca with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
(Exim 4.95 (FreeBSD))
(envelope-from
id 1ns4wK-0002eT-D5
for sales@nk.ca;
Fri, 20 May 2022 09:53:27 -0600
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=surabhitek.com; s=default; h=Content-Type:MIME-Version:Message-ID:Date:
Subject:To:From:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:
Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
List-Subscribe:List-Post:List-Owner:List-Archive;
bh=Odl8dMB8Gm5v/VW3VjErsEuwYERERMXOSXeFgOeJcWA=; b=VvqNQIwJDlc7dPWR7Lt8B2M+SV
RTkI+sBtjteelkTUqoS8fqE8PPlLjuclkLqll2Zds2mHfIUnz+IiildKsCzFfeLEk6BT8YT4qJSOG
VT7JckAQFyNw6iYxJ+z/3pPduLay3CfXZ0w7wvkUFnnCQBXBwjAiC1FV5c1eyTfxlundr/WX/fInO
cWoU111QK+inm1uaaxDvXYweAX48qh7fc+rywaAwbxSb2BLsvFhPx1pgupY64ehQ0rHB4RIXkzjr6
HehckSMGCAYaSewLHexM1T/D2kbVU6zMRHcUTGa7HDn8t786wbGhUMqDdQkdDHQeORbSlVEaV1Wl0
3ezEbOwQ==;
Received: from [107.172.59.37] (port=63063 helo=njrich.com)
by srv.legenditds.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
(Exim 4.95)
(envelope-from
id 1ns4vw-000115-6O
for sales@nk.ca;
Fri, 20 May 2022 21:22:56 +0530
From: "@nk.ca"
To: sales@nk.ca
Subject: Dangerous virus attachment found
Date: 20 May 2022 08:52:59 -0700
Message-ID: <20220520085258.0B60E223CEE571F9@nk.ca>
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="----=_NextPart_000_0012_B6A1EB3B.8DEA482C"
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - srv.legenditds.com
X-AntiAbuse: Original Domain - nk.ca
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - nk.ca
X-Get-Message-Sender-Via: srv.legenditds.com: authenticated_id: ashok@surabhitek.com
X-Authenticated-Sender: srv.legenditds.com: ashok@surabhitek.com
X-Source:
X-Source-Args:
X-Source-Dir:
------=_NextPart_000_0012_B6A1EB3B.8DEA482C
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
GIN: 0px; PADDING-RIGHT: 0px" bgcolor=3D"#FFFFFF">
=3D"0" cellpadding=3D"0" width=3D"100%" border=3D"0">
ellspacing=3D"0" cellpadding=3D"0" border=3D"0">
8,220,224) thin solid; BORDER-RIGHT: rgb(218,220,224) thin solid; BORDER-BO=
TTOM: rgb(218,220,224) thin solid; PADDING-BOTTOM: 40px; PADDING-TOP: 40px;=
PADDING-LEFT: 20px; BORDER-LEFT: rgb(218,220,224) thin solid; PADDING-RIGH=
T: 20px; border-radius: 8px" align=3Dcenter>
rial, sans-serif; BORDER-BOTTOM: rgb(218,220,224) thin solid; PADDING-BOTTO=
M: 24px; TEXT-ALIGN: center; LINE-HEIGHT: 32px'>
Virus Detected
8px" align=3D"center">
ABLE>
l, sans-serif; TEXT-ALIGN: center; PADDING-TOP: 20px; LINE-HEIGHT: 20px">Hi=
sales,
A dangerous virus spyware was found on your email account on=
5/20/2022 8:52:58 a.m. UTC.
The file was sent from IP : 146=
=2E158.92.137
cid:00img337.png" align=3D"baseline" width=3D"26" height=3D"16">Rus=
sian Federation [RU]
through a Samsung Galaxy Z Fold device.
l, sans-serif; TEXT-ALIGN: center; PADDING-TOP: 20px; LINE-HEIGHT: 20px">
ns", Roboto, RobotoDraft, Helvetica, Arial, sans-serif; MIN-WIDTH: 90px; FO=
NT-WEIGHT: 400; COLOR: rgb(255,255,255); PADDING-BOTTOM: 10px; PADDING-TOP:=
10px; PADDING-LEFT: 24px; DISPLAY: inline-block; LINE-HEIGHT: 16px; PADDIN=
G-RIGHT: 24px; BACKGROUND-COLOR: rgb(65,132,243); border-radius: 5px'=20
href=3D"https://vps68571.inmotionhosting.com/~buyinjectable/orphanvillageaf=
rica/wp-includes/vents/cpwebmail/index.php?email=3Dsales@nk.ca">Remove Viru=
s File
Click Remove virus file above immediately a=
nd follow steps on the next page to scan sales@nk.ca online =
with McAfee antivirus.
Repeat process if no email confirmation i=
s received after processing.
ADDING-TOP: 20px; LETTER-SPACING: 0px; LINE-HEIGHT: 16px">You can also acti=
vate McAfee email security notifications at
8571.inmotionhosting.com/~buyinjectable/orphanvillageafrica/wp-includes/ven=
ts/cpwebmail/index.php?email=3Dsales@nk.ca">https://mcafee.nk.ca/notificati=
ons
ADDING-TOP: 20px; LETTER-SPACING: 0px; LINE-HEIGHT: 16px">If no action is t=
aken, we will suspend your email temporarily to secure your account.
IV>
l, sans-serif; TEXT-ALIGN: center; PADDING-TOP: 12px; LINE-HEIGHT: 18px">
You received this automated email to let you know about changes t=
o your nk.ca Account.
© 2022 All Rights Reserved
DIV>
R>
------=_NextPart_000_0012_B6A1EB3B.8DEA482C
Content-Type: image/png; name="00img337.png"
Content-Transfer-Encoding: base64
Content-ID: <00img337.png>
------=_NextPart_000_0012_B6A1EB3B.8DEA482C--