Date Phishing

Return-path:

Envelope-to: dave@nk.ca

Delivery-date: Wed, 22 Jun 2022 15:22:00 -0600

Received: from [168.194.66.91] (port=27003 helo=static-91.provedorlive.com.br)

by doctor.nl2k.ab.ca with esmtp (Exim 4.95 (FreeBSD))

(envelope-from )

id 1o47mb-000BYZ-3G

for dave@nk.ca;

Wed, 22 Jun 2022 15:21:11 -0600

Message-ID:

List-Unsubscribe:

Date: Wed, 22 Jun 2022 18:21:07 -0300

From: Gaye Walin

MIME-Version: 1.0

To: Dave

Subject: Ukrainian beauties are waiting !

Content-Type: multipart/alternative;

boundary="===============C88DF52212291B9E2FC3A1=="

X-Spam_score: 34.5

X-Spam_score_int: 345

X-Spam_bar: ++++++++++++++++++++++++++++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Us underwrite, snide step by step fief against coffers metronome

below rooster..I'm so sorry darlingI'm Gaye. I am from Ukraine. I found you

on facebookI will do my best to satisfy all your needs and [...]



Content analysis details: (34.5 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.3 RCVD_IN_VALIDITY_RPBL RBL: Relay in Validity RPBL,

https://senderscore.org/blocklistlookup/

[168.194.66.91 listed in bl.score.senderscore.com]

1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,

https://senderscore.org/blacklistlookup/

0.0 HTML_MESSAGE BODY: HTML included in message

0.7 HTML_IMAGE_ONLY_20 BODY: HTML: images with 1600-2000 bytes of

words

1.0 J_WEEDS_V FULL: Dec/Hex char Enc [Vv]

1.0 J_WEEDS_B FULL: Dec/Hex char Enc [Bb]

1.0 J_WEEDS_I FULL: Dec/Hex char Enc [Ii]

1.0 J_WEEDS_H FULL: Dec/Hex char Enc [Hh]

1.0 J_WEEDS_F FULL: Dec/Hex char Enc [Ff]

1.0 J_WEEDS_Y FULL: Dec/Hex char Enc [Yy]

1.0 J_WEEDS_W FULL: Dec/Hex char Enc [Ww]

1.0 J_WEEDS_T FULL: Dec/Hex char Enc [Tt]

1.0 J_WEEDS_S FULL: Dec/Hex char Enc [Ss]

1.0 J_WEEDS_E FULL: Dec/Hex char Enc [Ee]

1.0 J_WEEDS_R FULL: Dec/Hex char Enc [Rr]

1.0 J_WEEDS_L FULL: Dec/Hex char Enc [Ll]

1.0 J_WEEDS_D FULL: Dec/Hex char Enc [Dd]

1.0 J_WEEDS_A FULL: Dec/Hex char Enc [Aa]

1.0 J_WEEDS_U FULL: Dec/Hex char Enc [Uu]

1.0 J_WEEDS_G FULL: Dec/Hex char Enc [Gg]

1.0 J_WEEDS_P FULL: Dec/Hex char Enc [Pp]

1.0 J_WEEDS_O FULL: Dec/Hex char Enc [Oo]

2.4 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level

above 50%

[cf: 100]

0.4 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%

[cf: 100]

1.7 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)

0.3 HTML_SHORT_LINK_IMG_3 HTML is very short with a linked image

1.3 RDNS_NONE Delivered to internal network by a host with no rDNS

-0.0 T_SCC_BODY_TEXT_LINE No description available.

3.2 FOUND_YOU I found you...

0.0 T_REMOTE_IMAGE Message contains an external image

1.9 URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL

blocklist

[URIs: beautywoman.cn]

1.9 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist

[URIs: beautywoman.cn]

0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was

blocked. See

http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block

for more information.

[URIs: beautywoman.cn]

Subject: {SPAM?} Ukrainian beauties are waiting !



This is a multi-part message in MIME format.

--===============C88DF52212291B9E2FC3A1==

Content-Type: text/plain; charset="UTF-8"; format=flowed

Content-Transfer-Encoding: quoted-printable



Us underwrite, snide step by step fief against coffers metronome below =

rooster..I'm so sorry darlingI'm Gaye. I am from Ukraine. I found you =

on facebookI will do my best to satisfy all your needs and meet filled =

with passionate sexual adventure. A girlfriend experience is what you =

receive from me. I wish we can have great time together. the profile is =

over there: http://Gaye.beautywoman.cnI am so horny-I hope you will find =

me there and we will become friends :-O Text me!



--===============C88DF52212291B9E2FC3A1==

Content-Type: text/html; charset="UTF-8"

Content-Transfer-Encoding: quoted-printable










Us underwrite, snide step by step fief against coffers =<br /><br /> metronome below rooster..







I'm so =

sorry darling


I'm =

Gaye. I am f̯rom Ukrainͥe. =

I found you on facebook


I will do my =

best to satis̼fy =

all your needs and meet =

filled with passionate sexual =

adventure. A girlfrien̡d =

experience is what you receive =

fr̟om me. I wish we can =

have great time =

together.

















I =

ho֟pe you will =

find me there and we =

will becٔom֦e =

frien̦ds :-O Text =

me!




--===============C88DF52212291B9E2FC3A1==--

Date Phish from inmotionhosting.com

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Wed, 22 Jun 2022 14:45:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))

(envelope-from )

id 1o47Cz-0009rs-Jy

for dave@doctor.nl2k.ab.ca;

Wed, 22 Jun 2022 14:44:17 -0600

Resent-From: The Doctor

Resent-Date: Wed, 22 Jun 2022 14:44:17 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from vps36689.inmotionhosting.com ([209.182.204.189]:43002)

by doctor.nl2k.ab.ca with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

(Exim 4.95 (FreeBSD))

(envelope-from )

id 1o425E-000FPO-6Z

for doctor@doctor.nl2k.ab.ca;

Wed, 22 Jun 2022 09:16:01 -0600

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;

d=revolutionplusproperty.com; s=default; h=Content-Type:MIME-Version:Date:

Subject:From:Reply-To:Message-ID:Sender:To:Cc:Content-Transfer-Encoding:

Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:

Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:

List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;

bh=MhTUeJ9C/BOqQmqMzcBLOkF52aANqQTLfLoOVYvhgzQ=; b=tkho1xuAnEcQe2WRQ+7eAV0XQD

4Y3pJtOJhz3vn6noTCFZ0pNy08aUtxH+9p2JxeM57ZYA2M9tXgU+5WWcJGMc7AiVz3Quc9XPPgfgP

We98wYGYq2MHtC8GqH6MRSYt8efZtuUqZYTrGThzNLmU+RiVyG4A7gx7dd1ZEbBL2K3Co4qyEGBu8

sjrV9Lba9jlgMyJKfZeJ+FD/zsDt/WmzpWwu4naOmH5C72pU4xXlvk9olsVThQqgAg1qYch4a4A+i

f2noCIC5cf40cteKMCJxSySMZXJWwF4fhNM3oBp9chJlbwiLjpNKOAHjEHATaWD3cB0K0p54SuGl0

oddGeHlw==;

Received: from ec2-18-237-244-132.us-west-2.compute.amazonaws.com ([18.237.244.132]:55122 helo=tiscali.cz)

by vps36689.inmotionhosting.com with esmtpa (Exim 4.95)

(envelope-from )

id 1o424l-0008DL-U9;

Wed, 22 Jun 2022 11:15:29 -0400

Message-ID: <44BE862AD90A24E8CB3109B1621D5FE7@revolutionplusproperty.com>

Reply-To: Dating

From: Dating

Subject: You are interested Tatiana do not miss the chance of dating!

Date: Wed, 22 Jun 2022 15:15:13 +0000

MIME-Version: 1.0

Content-Type: multipart/alternative;

boundary="----=_NextPart_000_075A_01D8864A.DF2CD9B0"

X-Priority: 3

X-MSMail-Priority: Normal

X-Mailer: Microsoft Windows Live Mail 15.4.3538.513

X-MimeOLE: Produced By Microsoft MimeOLE V15.4.3538.513

X-AntiAbuse: This header was added to track abuse, please include it with any abuse report

X-AntiAbuse: Primary Hostname - vps36689.inmotionhosting.com

X-AntiAbuse: Original Domain - doctor.nl2k.ab.ca

X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]

X-AntiAbuse: Sender Address Domain - revolutionplusproperty.com

X-Get-Message-Sender-Via: vps36689.inmotionhosting.com: authenticated_id: idara@revolutionplusproperty.com

X-Authenticated-Sender: vps36689.inmotionhosting.com: idara@revolutionplusproperty.com



This is a multi-part message in MIME format.



------=_NextPart_000_075A_01D8864A.DF2CD9B0

Content-Type: text/plain;

charset="iso-8859-2"

Content-Transfer-Encoding: base64






------=_NextPart_000_075A_01D8864A.DF2CD9B0

Content-Type: text/html;

charset="iso-8859-2"

Content-Transfer-Encoding: base64






------=_NextPart_000_075A_01D8864A.DF2CD9B0--

Shopper's Drug Mart phish

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Wed, 22 Jun 2022 14:44:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))

(envelope-from )

id 1o47Bv-0009oT-2u

for dave@doctor.nl2k.ab.ca;

Wed, 22 Jun 2022 14:43:11 -0600

Resent-From: The Doctor

Resent-Date: Wed, 22 Jun 2022 14:43:11 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from [176.114.2.177] (port=41462 helo=shuswaptourism.ca)

by doctor.nl2k.ab.ca with esmtp (Exim 4.95 (FreeBSD))

(envelope-from )

id 1o41Yf-000DEw-Ty

for root@mail.nl2k.ab.ca;

Wed, 22 Jun 2022 08:42:23 -0600

MIME-Version: 1.0

From: Shoppers Drug Mart

Subject: Take Part In Our Marketing Surveyand Get $90 PROMO REWARD

Reply-To: rerootply@shuswaptourism.ca

Received: from shuswaptourism.ca (176.114.2.177) by shuswaptourism.ca id BiqEM3Ec9lDn for ; Wed, 22 Jun 2022 16:40:32 +0200 (envelope-from

To: root@mail.nl2k.ab.ca

Content-Transfer-Encoding: 7bit

Content-Type: text/html; charset="UTF-8"

Date: Wed, 22 Jun 2022 16:40:32 +0200

X-Spam_score: 6.7

X-Spam_score_int: 67

X-Spam_bar: ++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: A gift for you !🎁Here is your $90 voucher!🐰 If you

no longer wish to receive these emails please unsubscribe here



Content analysis details: (6.7 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

0.0 SPF_HELO_NEUTRAL SPF: HELO does not match SPF record (neutral)

0.7 SPF_NEUTRAL SPF: sender does not match SPF record (neutral)

0.0 HTML_MESSAGE BODY: HTML included in message

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

0.0 HTML_FONT_SIZE_LARGE BODY: HTML font size is large

1.8 HTML_IMAGE_ONLY_08 BODY: HTML: images with 400-800 bytes of

words

1.3 RDNS_NONE Delivered to internal network by a host with no rDNS

-0.0 T_SCC_BODY_TEXT_LINE No description available.

0.1 HTML_SHORT_LINK_IMG_1 HTML is very short with a linked image

0.6 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML

tag

0.1 MISSING_MID Missing Message-Id: header

1.0 GOOG_STO_IMG_HTML Apparently using google content hosting to

avoid URIBL

Subject: {SPAM?} Take Part In Our Marketing Surveyand Get $90 PROMO REWARD















A gift for you !🎁Here is your $90 voucher!🐰





















If you no longer wish to receive these emails please







unsubscribe here










Shopper's Drug Mart phish

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Wed, 22 Jun 2022 14:44:01 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))

(envelope-from )

id 1o47Bp-0009no-HZ

for dave@doctor.nl2k.ab.ca;

Wed, 22 Jun 2022 14:43:05 -0600

Resent-From: The Doctor

Resent-Date: Wed, 22 Jun 2022 14:43:05 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from [176.114.14.15] (port=34629 helo=fcfa.ca)

by doctor.nl2k.ab.ca with esmtp (Exim 4.95 (FreeBSD))

(envelope-from )

id 1o41Sp-000CoP-9L

for root@nl2k.ab.ca;

Wed, 22 Jun 2022 08:36:19 -0600

MIME-Version: 1.0

From: Shoppers Drug Mart <6EwC0Ont@fcfa.ca>

Subject: Take Part In Our Marketing Surveyand Get $90 PROMO REWARD

Reply-To: rerootply@fcfa.ca

Received: from fcfa.ca (176.114.14.15) by fcfa.ca id uybk38qjjzlw for ; Wed, 22 Jun 2022 16:40:31 +0200 (envelope-from

To: root@nl2k.ab.ca

Content-Transfer-Encoding: 7bit

Content-Type: text/html; charset="UTF-8"

Date: Wed, 22 Jun 2022 16:40:31 +0200

X-Spam_score: 7.0

X-Spam_score_int: 70

X-Spam_bar: +++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: A gift for you !🎁Here is your $90 voucher!🐰 If you

no longer wish to receive these emails please unsubscribe here



Content analysis details: (7.0 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

0.9 SPF_FAIL SPF: sender does not match SPF record (fail)

[SPF failed: Please see http://www.openspf.org/Why?s=mfrom;id=bounce%40fcfa.ca;ip=176.114.14.15;r=doctor.nl2k.ab.ca]

0.0 SPF_HELO_FAIL SPF: HELO does not match SPF record (fail)

[SPF failed: Please see http://www.openspf.org/Why?s=helo;id=fcfa.ca;ip=176.114.14.15;r=doctor.nl2k.ab.ca]

0.0 HTML_MESSAGE BODY: HTML included in message

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

0.0 HTML_FONT_SIZE_LARGE BODY: HTML font size is large

1.8 HTML_IMAGE_ONLY_08 BODY: HTML: images with 400-800 bytes of

words

1.3 RDNS_NONE Delivered to internal network by a host with no rDNS

-0.0 T_SCC_BODY_TEXT_LINE No description available.

0.1 HTML_SHORT_LINK_IMG_1 HTML is very short with a linked image

0.6 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML

tag

0.1 MISSING_MID Missing Message-Id: header

1.0 GOOG_STO_IMG_HTML Apparently using google content hosting to

avoid URIBL

Subject: {SPAM?} Take Part In Our Marketing Surveyand Get $90 PROMO REWARD















A gift for you !🎁Here is your $90 voucher!🐰





















If you no longer wish to receive these emails please







unsubscribe here










Phish from emailsrvr.com

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Wed, 22 Jun 2022 14:43:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))

(envelope-from )

id 1o47BA-0009lk-8v

for dave@doctor.nl2k.ab.ca;

Wed, 22 Jun 2022 14:42:24 -0600

Resent-From: The Doctor

Resent-Date: Wed, 22 Jun 2022 14:42:24 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from smtp106.ord1d.emailsrvr.com ([184.106.54.106]:46262)

by doctor.nl2k.ab.ca with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

(Exim 4.95 (FreeBSD))

(envelope-from )

id 1o40us-0009eo-2r

for doctor@nl2k.ab.ca;

Wed, 22 Jun 2022 08:01:15 -0600

X-Auth-ID: amusarra@raypricecars.com

Received: by smtp6.relay.ord1d.emailsrvr.com (Authenticated sender: amusarra-AT-raypricecars.com) with ESMTPA id EBD36E019E;

Wed, 22 Jun 2022 10:00:16 -0400 (EDT)

From: "Amusarra"

Subject: Payment Received

Date: Wed, 22 Jun 2022 14:00:33 -0000

MIME-Version: 1.0

Content-Type: multipart/mixed;

boundary="----=_NextPart_000_00F0_01C2A9A6.336845BA"

X-Priority: 3

X-MSMail-Priority: Normal

X-Mailer: Microsoft Outlook Express 6.00.2600.0000

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

X-Classification-ID: c219685d-7d4d-4b99-a3d5-1b8177297026-1-1

X-Spam_score: 8.7

X-Spam_score_int: 87

X-Spam_bar: ++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Your payment was received, Attached is your invoice copy



Content analysis details: (8.7 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

-0.0 SPF_PASS SPF: sender matches SPF record

1.2 MISSING_HEADERS Missing To: header

0.0 T_OBFU_HTML_ATTACH BODY: HTML attachment with non-text MIME type

-0.0 T_SCC_BODY_TEXT_LINE No description available.

3.5 PHISH_ATTACH Attachment filename suspicious, probable phishing

0.0 AXB_XMAILER_MIMEOLE_OL_024C2 Yet another X header trait

0.0 FROM_MISSP_XPRIO Misspaced FROM + X-Priority

0.0 FROM_MISSP_MSFT From misspaced + supposed Microsoft tool

0.0 T_HTML_ATTACH HTML attachment to bypass scanning?

0.0 OBFU_ATTACH_MISSP Obfuscated attachment type and misspaced From

0.0 T_OBFU_ATTACH_MISSP Obfuscated attachment type and misspaced

From

0.1 MISSING_MID Missing Message-Id: header

0.7 TO_NO_BRKTS_FROM_MSSP Multiple formatting errors

0.0 FROM_MISSPACED From: missing whitespace

2.8 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook

0.3 FROM_MISSP_EH_MATCH From misspaced, matches envelope

Subject: {SPAM?} Payment Received



This is a multi-part message in MIME format.



------=_NextPart_000_00F0_01C2A9A6.336845BA

Content-Type: text/plain;

charset="Windows-1251"

Content-Transfer-Encoding: 7bit



Your payment was received, Attached is your invoice copy



------=_NextPart_000_00F0_01C2A9A6.336845BA

Content-Type: application/octet-stream;

name="PTKOPJAX2196_22_pdf.HTML"

Content-Transfer-Encoding: base64

Content-Disposition: attachment;

filename="PTKOPJAX2196_22_pdf.HTML"



PGJvZHkgb25sb2FkPSJqYXZhc2NyaXB0OndpbmRvdy5sb2NhdGlvbi5ocmVm

PSdodHRwczovL2toYWJyaW1lZGlhLmNvbS93cC1pbmNsdWRlcy8xQS9QVEtP

UEpBWDIxOTZfMjJfcGRmLmlzbyc7Ij4K



------=_NextPart_000_00F0_01C2A9A6.336845BA--

Phishing attempt to get Netknow user passwords using cPanel, a service nk.ca does not use

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Tue, 21 Jun 2022 18:23:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))

(envelope-from )

id 1o3o8X-00074Q-G3

for dave@doctor.nl2k.ab.ca;

Tue, 21 Jun 2022 18:22:25 -0600

Resent-From: The Doctor

Resent-Date: Tue, 21 Jun 2022 18:22:25 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from [62.197.136.78] (port=52225 helo=hmamail.com)

by doctor.nl2k.ab.ca with esmtp (Exim 4.95 (FreeBSD))

(envelope-from )

id 1o3nxh-0006PW-Ne

for root@nk.ca;

Tue, 21 Jun 2022 18:11:18 -0600

From: "Cpanel Server"

To: root@nk.ca

Subject: Notice! Notice!! Cpanel Password Protection

Date: 22 Jun 2022 02:10:50 +0200

Message-ID: <20220622021050.850ED3A2DA18395D@hmamail.com>

MIME-Version: 1.0

Content-Type: text/html;

charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

X-Spam_score: 7.6

X-Spam_score_int: 76

X-Spam_bar: +++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: WebMail cPanel Secure Notification Dear Valued Customer, This

is to inform you that your account will be suspended for usual login attenpt.





Content analysis details: (7.6 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in

bl.spamcop.net

[Blocked - see ]

2.7 RCVD_IN_PSBL RBL: Received via a relay in PSBL

[62.197.136.78 listed in psbl.surriel.com]

-0.2 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)

[62.197.136.78 listed in wl.mailspike.net]

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

0.0 HTML_MESSAGE BODY: HTML included in message

1.5 TVD_PH_BODY_ACCOUNTS_PRE The body matches phrases such as

"accounts suspended", "account credited",

"account verification"

1.3 RDNS_NONE Delivered to internal network by a host with no rDNS

-0.0 T_SCC_BODY_TEXT_LINE No description available.

0.0 TO_NO_BRKTS_NORDNS_HTML To: misformatted and no rDNS and HTML

only

0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was

blocked. See

http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block

for more information.

[URIs: bit.ly]

Subject: {SPAM?} Notice! Notice!! Cpanel Password Protection




























WebMail cPanel Secure Notification

Dear Valued Customer,

This is to inform you that your account will be suspended for usual login attenpt.

Secure webmail password with the new cpanel protection.

Follow below link for your account Upgrade Protection:

y/3bgEnKgcpanelreset" target="_blank" rel="noreferrer">https://www.webmaildomain/en/email-account.jsp

This is an automated reply to your email and shall get back to you within 45 minutes.

Thank you for choosing webmail domain.

The system generated this advisory on Monday, June 21, 2022 at 06:34:41 (UTC).

Do not reply to this automated message.

[image: alt="PC", src="cid:cpanel-logo-tiny.png"]

Copyright© 2022 cPanel, LLC