Canada Post Phish

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Fri, 09 Sep 2022 14:48:37 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))

(envelope-from )

id 1oWks7-000G5U-Fx

for dave@doctor.nl2k.ab.ca;

Fri, 09 Sep 2022 14:45:07 -0600

Resent-From: The Doctor

Resent-Date: Fri, 9 Sep 2022 14:45:07 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from round-robin16.sq3n.in ([212.129.0.222]:60300)

by doctor.nl2k.ab.ca with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

(Exim 4.95 (FreeBSD))

(envelope-from )

id 1oWigD-000Ia1-He

for doctor@netknow.ca;

Fri, 09 Sep 2022 12:24:45 -0600

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; s=default; d=sq3n.in;

h=Subject:From:To:Sender:Reply-To:Date:List-Unsubscribe:Message-ID:MIME-Version:Content-Type; i=info@sq3n.in;

bh=ERx7N93Yf41tUZtTQlibyvoLB5xfQehhTQkwyZAVP8M=;

b=v9w329MA0R7SB5I8i1XL4zP4mOCnbk3IdphLJnb24Df9KbEew6W4+fc2x8dZ/jvpzw4FAfjJj3Xu

GWy9sJOXlbFUqy98B5Nsc+FSKX6WNY7croZkCHTddOMqVEpq3zTIl0EE5AspwN0OO1EdSyNTum1e

qa3V1YR9xcCI/kObkJo=

Subject: CONFIRMATION # 234654! doctor@netknow.ca, Delivery of your package has

been stopped.

From: "Canada Post"

To: doctor@netknow.ca

Sender: info@sq3n.in

Reply-To: info@sq3n.in

Date: 09 Sep 2022 17:47:38 -0000

List-Unsubscribe: ,



X-CampaignID: s4:40184-baae651ab8457fd9

Message-ID:

X-Mailer-Info: 8.E2M5cjN.QDMxgDN.Q2bjR3byBkblR3au92duMWY.QTN0gjM1kDM.QDMxgzN

MIME-Version: 1.0

Content-Type: multipart/alternative;

boundary="==c3b599cda5f7a98e93507c6a039fa108"

X-Spam_score: 10.2

X-Spam_score_int: 102

X-Spam_bar: ++++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: CANADA POST _PACKAGE CONFIRMATION # 234654 _Hello doctor@netknow.ca,

This is the last time we are reminding you about your pending shipping cost.

The pending delivery will be canceled if the amou [...]



Content analysis details: (10.2 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.9 URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL

blocklist

[URIs: sq3n.in]

1.9 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist

[URIs: sq3n.in]

1.7 URIBL_BLACK Contains an URL listed in the URIBL blacklist

[URIs: sq3n.in]

-0.0 SPF_PASS SPF: sender matches SPF record

-0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay

domain

0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or

identical to background

0.0 HTML_MESSAGE BODY: HTML included in message

2.4 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level

above 50%

[cf: 100]

1.7 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)

0.4 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%

[cf: 100]

-0.0 T_SCC_BODY_TEXT_LINE No description available.

0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid

0.1 TO_IN_SUBJ To address is in Subject

Subject: {SPAM?} CONFIRMATION # 234654! doctor@netknow.ca, Delivery of your package has

been stopped.



This is a multi-part message in MIME format.



--==c3b599cda5f7a98e93507c6a039fa108

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: quoted-printable



CANADA=C2=A0POST

_

_PACKAGE CONFIRMATION=C2=A0# 234654_

_Hello doctor@netknow.ca,

This is the last time we are reminding you about your pending shipping

cost. The pending delivery will be canceled if the amount is not paid

within 48 hours.

Confirm the delivery details and pay the shipping costs in order to

get your package delivered within 72 hours.=C2=A0

Track your parcel

CA-TT-7854258-POST

TRACK YOUR PACKAGE [/%%Offer Link%%]

=C2=A0

Your delivery will be cancelled

if you don=E2=80=99t plan the delivery within 48 hours.

=C2=A0

Unsubscribe=



--==c3b599cda5f7a98e93507c6a039fa108

Content-Type: text/html; charset=UTF-8

Content-Transfer-Encoding: quoted-printable




style=3D"font-size: 36pt;">CANADA 

=3D"font-size: 36pt;">POST

>PACKAGE CONFIRMATION # 234654=

Hello d=

octor@netknow.ca,

This is the last time we are reminding you abo=

ut your pending shipping cost. The pending delivery will be canceled if the=

amount is not paid within 48 hours.

Confirm the delivery detail=

s and pay the shipping costs in order to get your package delivered within =

72 hours. 

Track your parcel
CA-TT-7854258-POST

yle=3D"display: block; color: #ffffff; text-decoration: none; text-align: c=

enter; background: #004A8E; border: 5px solid #004A8E; border-radius: 5px; =

margin: 0 auto; padding: 4px;" href=3D"https://sign.sq3n.in/ga/click/2-4548=

2590-3976-20252-40187-21793-9094ed334b-c29929c15d">Track your package

Your delivery will be c=

ancelled
if you don’t plan the delivery within 48 hours.

=3D"https://sign.sq3n.in/ga/unsubscribe/2-45482590-3976-20252-40187-19530bf=

f25ee8cb-c29929c15d">

Unsubscribe

c15d" height=3D"2" width=3D"3" alt=3D"">

--==c3b599cda5f7a98e93507c6a039fa108--

Sexual blackmail phish

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Sat, 10 Sep 2022 07:04:07 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))

(envelope-from )

id 1oX05r-000AfQ-G8

for dave@doctor.nl2k.ab.ca;

Sat, 10 Sep 2022 07:00:19 -0600

Resent-From: The Doctor

Resent-Date: Sat, 10 Sep 2022 07:00:19 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from r190-134-107-122.dialup.adsl.anteldata.net.uy ([190.134.107.122]:42003)

by doctor.nl2k.ab.ca with esmtp (Exim 4.95 (FreeBSD))

(envelope-from )

id 1oWuPv-000KQg-QM

for doctor@nk.ca;

Sat, 10 Sep 2022 00:56:51 -0600

From:

To:

Subject: You have an outstanding payment.

Date: 9 Sep 2022 23:50:13 -0400

Message-ID: <003e01d8c4c9$04f0028e$9d74778d$@nk.ca>

MIME-Version: 1.0

Content-Type: text/plain;

charset="iso-8859-3"

Content-Transfer-Encoding: 8bit

X-Mailer: Microsoft Office Outlook 11

Thread-Index: Acl5naoupfeto5vjl5naoupfeto5vj==

X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17514

X-Spam_score: 15.4

X-Spam_score_int: 154

X-Spam_bar: +++++++++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Hello there! Unfortunately, there are some bad news for you.

Around several months ago I have obtained access to your devices that you

were using to browse internet. Subsequently, I have proceeded with tracking

do [...]



Content analysis details: (15.4 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.6 RCVD_IN_BRBL_LASTEXT RBL: No description available.

[190.134.107.122 listed in bb.barracudacentral.org]

0.2 CK_HELO_GENERIC Relay used name indicative of a Dynamic Pool or

Generic rPTR

0.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP

address

[190.134.107.122 listed in dnsbl.sorbs.net]

1.1 DATE_IN_PAST_03_06 Date: is 3 to 6 hours before Received: date

0.9 SPF_FAIL SPF: sender does not match SPF record (fail)

[SPF failed: Please see http://www.openspf.org/Why?s=mfrom;id=doctor%40nk.ca;ip=190.134.107.122;r=doctor.nl2k.ab.ca]

-0.0 T_SCC_BODY_TEXT_LINE No description available.

0.4 RDNS_DYNAMIC Delivered to internal network by host with

dynamic-looking rDNS

0.5 PDS_BTC_ID FP reduced Bitcoin ID

2.5 HELO_DYNAMIC_HCC Relay HELO'd using suspicious hostname (HCC)

3.2 HELO_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP

addr 1)

1.0 BITCOIN_YOUR_INFO BitCoin with your personal info

1.0 BITCOIN_SPAM_07 BitCoin spam pattern 07

0.0 MIMEOLE_DIRECT_TO_MX MIMEOLE + direct-to-MX

0.4 TO_EQ_FM_DIRECT_MX To == From and direct-to-MX

0.0 TO_EQ_FM_SPF_FAIL To == From and external SPF failed

1.4 DOS_OUTLOOK_TO_MX Delivered direct to MX with Outlook headers

1.0 BITCOIN_MALWARE BitCoin + malware bragging

0.0 TO_EQ_FM_DOM_SPF_FAIL To domain == From domain and external SPF

failed

0.0 NO_FM_NAME_IP_HOSTN No From name + hostname using IP address

Subject: {SPAM?} You have an outstanding payment.



Hello there!



Unfortunately, there are some bad news for you.

Around several months ago I have obtained access to your devices that you were using to browse internet.

Subsequently, I have proceeded with tracking down internet activities of yours.



Below, is the sequence of past events:

In the past, I have bought access from hackers to numerous email accounts (today, that is a very straightforward task that can be done online).

Clearly, I have effortlessly logged in to email account of yours (doctor@nk.ca).



A week after that, I have managed to install Trojan virus to Operating Systems of all your devices that are used for email access.

Actually, that was quite simple (because you were clicking the links in inbox emails).

All smart things are quite straightforward. (@_@)



The software of mine allows me to access to all controllers in your devices, such as video camera, microphone and keyboard.

I have managed to download all your personal data, as well as web browsing history and photos to my servers.

I can access all messengers of yours, as well as emails, social networks, contacts list and even chat history.

My virus unceasingly refreshes its signatures (since it is driver-based), and hereby stays invisible for your antivirus.



So, by now you should already understand the reason why I remained unnoticed until this very moment...



While collecting your information, I have found out that you are also a huge fan of websites for adults.

You truly enjoy checking out porn websites and watching dirty videos, while having a lot of kinky fun.

I have recorded several kinky scenes of yours and montaged some videos, where you reach orgasms while passionately masturbating.



If you still doubt my serious intentions, it only takes couple mouse clicks to share your videos with your friends, relatives and even colleagues.

It is also not a problem for me to allow those vids for access of public as well.

I truly believe, you would not want this to occur, understanding how special are the videos you love watching, (you are clearly aware of that) all that stuff can result in a real disaster for you.



Let's resolve it like this:

All you need is $1750 USD transfer to my account (bitcoin equivalent based on exchange rate during your transfer), and after the transaction is successful, I will proceed to delete all that kinky stuff without delay.

Afterwards, we can pretend that we have never met before. In addition, I assure you that all the harmful software will be deleted from all your devices. Be sure, I keep my promises.



That is quite a fair deal with a low price, bearing in mind that I have spent a lot of effort to go through your profile and traffic for a long period.

If you are unaware how to buy and send bitcoins - it can be easily fixed by searching all related information online.



Below is bitcoin wallet of mine: 1pSw6eh5GoWtBrETzPbM36DGxc6Tes5Mp



You are given not more than 48 hours after you have opened this email (2 days to be precise).



Below is the list of actions that you should not attempt doing:

> Do not attempt to reply my email (the email in your inbox was created by me together with return address).

> Do not attempt to call police or any other security services. Moreover, don't even think to share this with friends of yours. Once I find that out (make no doubt about it, I can do that effortlessly, bearing in mind that I have full control over all your systems) - the video of yours will become available to public immediately.

> Do not attempt to search for me - there is completely no point in that. All cryptocurrency transactions remain anonymous at all times.

> Do not attempt reinstalling the OS on devices of yours or get rid of them. It is meaningless too, because all your videos are already available at remote servers.



Below is the list of things you don't need to be concerned about:

> That I will not receive the money you transferred.

- Don't you worry, I can still track it, after the transaction is successfully completed, because I still monitor all your activities (trojan virus of mine includes a remote-control option, just like TeamViewer).

> That I still will make your videos available to public after your money transfer is complete.

- Believe me, it is meaningless for me to keep on making your life complicated. If I indeed wanted to make it happen, it would happen long time ago!



Everything will be carried out based on fairness!



Before I forget...moving forward try not to get involved in this kind of situations anymore!

An advice from me - regularly change all the passwords to your accounts.



Home Depot phish

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Sat, 10 Sep 2022 07:05:01 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))

(envelope-from )

id 1oX04X-000A9z-SK

for dave@doctor.nl2k.ab.ca;

Sat, 10 Sep 2022 06:58:57 -0600

Resent-From: The Doctor

Resent-Date: Sat, 10 Sep 2022 06:58:57 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from [213.226.114.201] (port=37431 helo=24cash.ca)

by doctor.nl2k.ab.ca with esmtp (Exim 4.95 (FreeBSD))

id 1oWqsb-000PhD-Ft

for doctor@nl2k.ca;

Fri, 09 Sep 2022 21:10:06 -0600

MIME-Version: 1.0

Message-Id:

From:_Congratulations

Subject:_We have a surprise for our shoppers!

Reply-To: reply_MppVVHoCIDFsHnmpz1QhayWDlO2oNpS44BiCLe.bounce9@inx1and1.de

To: doctor@nl2k.ca

Content-Transfer-Encoding: 7bit

Content-Type: text/html; charset=UTF-8

Date: Sat, 10 Sep 2022 05:09:37 +0200

X-Spam_score: 7.7

X-Spam_score_int: 77

X-Spam_bar: +++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: SURVEY ABOUT: THE HOME DEPOT THE HOME DEPOT Please tell us

about your: THE HOME DEPOT Experiences and as a thank you, you can select

from several exclusive offer rewards! Supply is extremely limited so act

fast today!



Content analysis details: (7.7 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was

blocked. See

http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block

for more information.

[URIs: googleapis.com]

0.0 SPF_HELO_NEUTRAL SPF: HELO does not match SPF record (neutral)

0.5 URI_NOVOWEL URI: URI hostname has long non-vowel sequence

0.0 HTML_MESSAGE BODY: HTML included in message

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

-0.0 T_SCC_BODY_TEXT_LINE No description available.

1.3 RDNS_NONE Delivered to internal network by a host with no rDNS

1.8 HDRS_MISSP Misspaced headers

3.0 GOOG_STO_NOIMG_HTML Apparently using google content hosting to

avoid URIBL

Subject: {SPAM?} _We have a surprise for our shoppers!