Wells Fargo UN Phish

Return-path:
Envelope-to: dave@doctor.nl2k.ab.ca
Delivery-date: Fri, 22 Jul 2022 08:14:00 -0600
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))
    (envelope-from )
    id 1oEtPB-000Pq1-Sy
    for dave@doctor.nl2k.ab.ca;
    Fri, 22 Jul 2022 08:13:25 -0600
Resent-From: The Doctor
Resent-Date: Fri, 22 Jul 2022 08:13:25 -0600
Resent-Message-ID:
Resent-To: Dave Yadallee
Received: from mail-oi1-f194.google.com ([209.85.167.194]:33521)
    by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_128_GCM_SHA256
    (Exim 4.95 (FreeBSD))
    (envelope-from )
    id 1oEpLW-000KrW-BB
    for root@doctor.nl2k.ab.ca;
    Fri, 22 Jul 2022 03:53:27 -0600
Received: by mail-oi1-f194.google.com with SMTP id s188so5125205oie.0
    for ; Fri, 22 Jul 2022 02:53:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=gmail.com; s=20210112;
    h=mime-version:reply-to:from:date:message-id:subject:to
    :content-transfer-encoding;
    bh=Lievo06A9L+P0KlnGB9eb2eUU/0FWAP3zf3ejZPmgDM=;
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=1e100.net; s=20210112;
    h=x-gm-message-state:mime-version:reply-to:from:date:message-id
    :subject:to:content-transfer-encoding;
    bh=Lievo06A9L+P0KlnGB9eb2eUU/0FWAP3zf3ejZPmgDM=;
X-Gm-Message-State: AJIora+b1/eQnvQ3z7/1aZ5nojiy1dl/27IBL3Rr0Ga0JzjpHIQ1GoLO
    u/3oOeGMsgmRBmgAO02C7K6rNsSlZCr1IPxgIow=
X-Google-Smtp-Source: AGRyM1uxd+TK2PxOgiI12M4FGCXQoExssPE/kv/lsBhan/5VOkG1W7JJt9lj/OGfEyoez8CcwJWDrd+U/J+Dde7nc5M=
X-Received: by 2002:aca:eb45:0:b0:33a:6c4a:3224 with SMTP id
    j66-20020acaeb45000000b0033a6c4a3224mr6737273oih.272.1658483575042; Fri, 22
    Jul 2022 02:52:55 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a05:6358:9103:b0:af:d05f:987e with HTTP; Fri, 22 Jul 2022
    02:52:54 -0700 (PDT)
Reply-To: fargobank@yahoo.com
From: Wells Fargo Bank
Date: Fri, 22 Jul 2022 02:52:54 -0700
Message-ID:
Subject: Wells Fargo Notify You
To: undisclosed-recipients:;
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Bcc: root@doctor.nl2k.ab.ca
X-Spam_score: 24.4
X-Spam_score_int: 244
X-Spam_bar: ++++++++++++++++++++++++
X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",
 has identified this incoming email as possible spam. The original
 message has been attached to this so you can view it or label
 similar future email. If you have any questions, see
 @@CONTACT_ADDRESS@@ for details.

 Content preview: Congratulations!! Your payment has been approved and endorsed
 by the United Nation Organization authorities, Your details information has
 been confirmed with the instruction and approvals given from International
 Monetary Fund and Federal Bureau Investigation (FBI, Washington DC, USA regards
 the deposited of [...]

 Content analysis details: (24.4 points, 5.0 required)

  pts rule name              description
 ---- ---------------------- --------------------------------------------------
 -0.2 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
                             [209.85.167.194 listed in wl.mailspike.net]
 -0.0 SPF_PASS               SPF: sender matches SPF record
  0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends
                             in digit
                             [unionw366[at]gmail.com]
  0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail
                             provider
                             [unionw366[at]gmail.com]
  1.1 HK_SCAM_N3             BODY: No description available.
  2.0 TVD_PH_REC             BODY: Message includes a phrase commonly used in
                             phishing mails
  2.5 US_DOLLARS_3           BODY: Mentions millions of $ ($NN,NNN,NNN.NN)
  1.5 TVD_PH_BODY_ACCOUNTS_PRE The body matches phrases such as
                             "accounts suspended", "account credited",
                             "account verification"
  2.0 HK_SCAM                No description available.
  2.9 YOU_INHERIT            Discussing your inheritance
  0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid
  0.0 LOTS_OF_MONEY          Huge... sums of money
  1.0 FREEMAIL_REPLYTO       Reply-To/From or Reply-To/body contain
                             different freemails
  3.1 UNDISC_FREEM           Undisclosed recipients + freemail reply-to
  2.0 MONEY_FREEMAIL_REPTO   Lots of money from someone using free
                             email?
  0.0 T_FILL_THIS_FORM_SHORT Fill in a short form with personal
                             information
  1.3 MONEY_FORM_SHORT       Lots of money if you fill out a short form
  1.8 ADVANCE_FEE_4_NEW_MONEY Advance Fee fraud and lots of money
  3.0 UNDISC_MONEY           Undisclosed recipients + money/fraud signs
Subject: {SPAM?} Wells Fargo Notify You

Congratulations!!

Your payment has been approved and endorsed by the United Nation
Organization authorities,

Your details information has been confirmed with the instruction and
approvals given from International Monetary Fund and Federal Bureau
Investigation (FBI, Washington DC, USA regards the deposited of fund
from IMF, sum US$10,700,000.00. as full payment of your inheritance
fund.

Due to the incessant scam activities going around the globe, Federal
Bureau Investigation (FBI) and Homeland Security Director, MG Timothy
J. Weinberg, Adjutant General and Director State Military Department
,Washington Military Dept., Bldg 1 Camp Murray, WA 98430-5000 has
instructed our Financial Institution to use high Performance in
Banking System set up Barclay=E2=80=99s Personal On-line Banking Account.

The sum of US$10,700,000.00 was was deposited in our bank and we have
been instructed to pay your directly via personal on-line bank

The Management has resolved to open Personal On-line Banking Account
for you with our bank and then give you the on-line access which will
enable you to check and make electronics wire transfer out to any part
of the world of your choice.

We are going to have this account open on your name as soon as you
reply to this important e-mail and give you your new open account
information=E2=80=99s for your record.

Once we show you prove of fund by giving you the new Personal On-line
Account and your real account balance of US$10,700,000.00 which is
your Part payment of the full amount credited to you

We are only given you the benefit of doubt by agreeing in showing you
that we are capable of opening the new account on your behalf and give
you the full on line access for your record.

Let me know that you agree and understand the important of this matter
before we go ahead and get this matter completed for you because we
are professional in handling international matters like this.

Kindly Send the Above information to enable us set the account open for you=
.

Full Name:
Full Address:
Direct Telephone Number:


Please, reconfirm your direct cell phone number to enable voice communicati=
on
Looking forward for your next letter
Thank you for your patient.
Regards

Mr Steven Sharma


PLEASE SEND YOUR NAME AS IT IS CLEARLY WRITTEN IN YOUR PASSPORT AND ID
CARDS SO THAT WE WILL NOT MAKE MISTAKE IN OPENING OF THE NON
RESIDENTIAL BANK ACCOUNT UNDER YOUR NAME

Home Depot phish

Return-path:
Envelope-to: dave@doctor.nl2k.ab.ca
Delivery-date: Fri, 22 Jul 2022 08:09:00 -0600
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))
    (envelope-from )
    id 1oEtK1-000MMa-Iv
    for dave@doctor.nl2k.ab.ca;
    Fri, 22 Jul 2022 08:08:05 -0600
Resent-From: The Doctor
Resent-Date: Fri, 22 Jul 2022 08:08:05 -0600
Resent-Message-ID:
Resent-To: Dave Yadallee
Received: from [103.144.177.232] (port=59531 helo=pwhealthcare.net)
    by doctor.nl2k.ab.ca with esmtp (Exim 4.95 (FreeBSD))
    id 1oEhEP-0001aA-1a
    for doctor@nl2k.ab.ca;
    Thu, 21 Jul 2022 19:13:33 -0600
From:_Reward On Hold! Please Confirm
Subject:_Don’t miss your chance to win a makita power drill
Date: Fri, 22 Jul 2022 03:12:37 +0200
To: doctor@nl2k.ab.ca
Reply-To: "Adobe Creative Cloud"
MIME-Version: 1.0
X-mailer: nlserver, Build 6.7.0
Message-ID:
X-250ok-CID: P26341-121020
TenantHeader: 1d0e6311-6f98-4c5b-8b0e-RlKTa9SGJWACrg3bQ1qyQPy
Affinity: prod.default
X-cust_MessageID: 1938757681
X-cust_DeliveryID: 350826
X-cust_InstanceName: aci_prod
MessageMaxRetry:2
MessageRetryPeriod: 3600
MessageWebValidityDuration: 2592000
MessageValidityDuration: 432000
X-cust_IMSOrgID:
Content-Transfer-Encoding: 7bit
Content-Type: text/html; charset="UTF-8"
X-Spam_score: 10.4
X-Spam_score_int: 104
X-Spam_bar: ++++++++++
X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",
 has identified this incoming email as possible spam. The original
 message has been attached to this so you can view it or label
 similar future email. If you have any questions, see
 @@CONTACT_ADDRESS@@ for details.

 Content preview: SURVEY ABOUT: THE HOME DEPOT THE HOME DEPOT Please tell us
 about your: THE HOME DEPOT Experiences and as a thank you, you can select
 from several exclusive offer rewards! Supply is extremely limited so act
 fast today!

 Content analysis details: (10.4 points, 5.0 required)

  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was
                             blocked. See
                             http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                             for more information.
                             [URIs: page.link]
  0.5 URI_NOVOWEL            URI: URI hostname has long non-vowel sequence
  1.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
  0.0 HTML_MESSAGE           BODY: HTML included in message
  2.4 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                             above 50%
                             [cf: 100]
  1.7 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
  0.4 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                             [cf: 100]
  0.0 FSL_BULK_SIG           Bulk signature with no Unsubscribe
  0.3 MIME_8BIT_HEADER       Message header contains 8-bit character
  1.3 RDNS_NONE              Delivered to internal network by a host with no rDNS
  1.1 SUBJ_ILLEGAL_CHARS     Subject: has too many raw illegal characters
  1.5 HDRS_MISSP             Misspaced headers
  0.1 SUBJECT_NEEDS_ENCODING Subject is encoded but does not specify
                             the encoding
  0.0 T_REMOTE_IMAGE         Message contains an external image
Subject: {SPAM?} _Don’t miss your chance to win a makita power drill