Beneficiary spam from Google

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Sun, 11 Sep 2022 05:49:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))

(envelope-from )

id 1oXKuV-000IrQ-Hf

for dave@doctor.nl2k.ab.ca;

Sun, 11 Sep 2022 05:13:59 -0600

Resent-From: The Doctor

Resent-Date: Sun, 11 Sep 2022 05:13:59 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from mail-wr1-f52.google.com ([209.85.221.52]:34350)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_128_GCM_SHA256

(Exim 4.95 (FreeBSD))

(envelope-from )

id 1oXHxQ-00041H-S6

for doctor@doctor.nl2k.ab.ca;

Sun, 11 Sep 2022 02:04:52 -0600

Received: by mail-wr1-f52.google.com with SMTP id d2so10549384wrn.1

for ; Sun, 11 Sep 2022 01:04:27 -0700 (PDT)

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=gmail.com; s=20210112;

h=to:subject:message-id:date:from:sender:mime-version:from:to:cc

:subject:date;

bh=mRvFG1IRpXvjhykFOiOuj6LKoiGo2pxbZ+7xChpy/6g=;

X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=1e100.net; s=20210112;

h=to:subject:message-id:date:from:sender:mime-version

:x-gm-message-state:from:to:cc:subject:date;

bh=mRvFG1IRpXvjhykFOiOuj6LKoiGo2pxbZ+7xChpy/6g=;

X-Gm-Message-State: ACgBeo2p+bW6PNh/Xw2wP8XzqnVr9w9aEzpVD3funLeDzCikEesMhhKu

dX2riACIkKR2UmUWU7PyJvFZsSu4n8F6i8kMZcs=

X-Google-Smtp-Source: AA6agR7L7TXFsMuzP/ZUoBeXAsluKihwKtgFqLlk63JQyOapA125HCNlKxJu6q2mJQfyYqYdp0ngfFvg+AsGyvYb9PY=

X-Received: by 2002:a05:6000:1563:b0:222:c827:1a19 with SMTP id

3-20020a056000156300b00222c8271a19mr11750125wrz.705.1662883460395; Sun, 11

Sep 2022 01:04:20 -0700 (PDT)

MIME-Version: 1.0

Sender: lw188904@gmail.com

Received: by 2002:a05:6020:f508:b0:213:fe23:42ed with HTTP; Sun, 11 Sep 2022

01:04:19 -0700 (PDT)

From: "Mrs Yu. Ging Yunnan"

Date: Sun, 11 Sep 2022 08:04:19 +0000

X-Google-Sender-Auth: V5bhXiCNthXalrhXayW3TR8CHnE

Message-ID:

Subject: hello dear

To: undisclosed-recipients:;

Content-Type: text/plain; charset="UTF-8"

Bcc: doctor@doctor.nl2k.ab.ca

X-Spam_score: 5.5

X-Spam_score_int: 55

X-Spam_bar: +++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: hello I am Mrs Yu. Ging Yunnan, and i have Covid-19 and the

doctor said I will not survive it because all vaccines has been given to

me but to no avian, am a China woman but I base here in France because am

married here and I have no child for my late husband and now am a widow.



Content analysis details: (5.5 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail

provider

[lw188904[at]gmail.com]

-0.2 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)

[209.85.221.52 listed in wl.mailspike.net]

-0.0 SPF_PASS SPF: sender matches SPF record

0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends

in digit

[lw188904[at]gmail.com]

2.5 MILLION_USD BODY: Talks about millions of dollars

-0.0 T_SCC_BODY_TEXT_LINE No description available.

0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid

0.0 LOTS_OF_MONEY Huge... sums of money

1.5 HK_NAME_FM_MR_MRS No description available.

0.0 T_HK_NAME_FM_MR_MRS No description available.

1.5 UNDISC_MONEY Undisclosed recipients + money/fraud signs

Subject: {SPAM?} hello dear



hello

I am Mrs Yu. Ging Yunnan, and i have Covid-19 and the doctor said I

will not survive it because all vaccines has been given to me but to

no avian, am a China



woman but I base here in France because am married here and I have no

child for my late husband and now am a widow.



My reason of communicating you is that i have $14 .2million USD which

was deposited in BNP Paribas Bank here in France by my late husband

which am the next of



kin to and I want you to stand as the beneficiary for the claim now

that am about to end my race according to my doctor.



I will want you to use the fund to build an orphanage home in my name

there in your country, please kindly reply to this message urgently if

willing to handle this project.



Mrs Yu. Ging Yunnan.

Sexual Blackmail phishing scam

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Sun, 11 Sep 2022 05:49:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))

(envelope-from )

id 1oXKta-000Iij-0s

for dave@doctor.nl2k.ab.ca;

Sun, 11 Sep 2022 05:13:02 -0600

Resent-From: The Doctor

Resent-Date: Sun, 11 Sep 2022 05:13:02 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from ppp089210072195.access.hol.gr ([89.210.72.195]:28977)

by doctor.nl2k.ab.ca with esmtp (Exim 4.95 (FreeBSD))

(envelope-from )

id 1oXDAg-000NE5-QA

for sales@nk.ca;

Sat, 10 Sep 2022 20:58:16 -0600

Message-ID: <631D78DC.6030706@nk.ca>

Date: Sun, 11 Sep 2022 07:57:48 +0200

From:

User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20110812 Thunderbird/6.0

MIME-Version: 1.0

To:

Subject: =?UTF-8?B?RG8gWW91IERvIEFueSBvZiBUaGVzZSBFbWJhcnJhc3NpbmcgVGhpbmdzPw==?=

Content-Type: multipart/alternative;

boundary="------------080207030208010806030001"



This is a multi-part message in MIME format.

--------------080207030208010806030001

Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Content-Transfer-Encoding: quoted-printable



I am sorry to inform you but your device was hacked.



That's what happened. I have used a Zero Click vulnerability with a =

special code to hack your device through a website.

A complicated software that requires precise skills that I posess.

This exploit works in a chain with a specially crafted unique code and =

such type of an attack goes undetected.

You only had to visit a website to be infected, and unfortunately for =

you it's that simple for me.



You were not targeted, but just became one of the many unlucky people =

who got hacked through that webpage.

All of this happened in August. So I’ve had enough time to collect =

the information.



I think you already know what is going to happen next.

For a couple of month my software was quietly collecting information =

about your habits, websites you visit, websearches, texts you send.

There is more to it, but I have listed just a few reasons for you to =

understand how serious this is.



To be clear, my software controlled your camera and microphone as well.

It was just about right timing to get you privacy violated. I have made =

a few pornhub worthy videos with you as a lead actor.



I’ve been waiting enough and have decided that it’s time to =

put an end to this.

Here is my offer. Let’s name this a “consulting fee” I =

need to get, so I can delete the media content I have been collecting.

Your privacy stays untouched, if I get the payment.

Otherwise, I will leak the most damaging content to your contacts and =

post it to a public website for perverts to view.



You and I understand how damaging this will be to you, it's not that =

much money to keep your privacy.



I don’t care about you personally, that's why you can be sure that =

all files I have and software on your device will be deleted immediately =

after I receive the transfer.

I only care about getting paid.



My modest consulting fee is 1700 US Dollars to be transferred in =

Bitcoin. Exchange rate at the time of the transfer.

You need to send that amount to this wallet: =

18YFLJHGufQQukMFRkJJJiz51mp21qN96p



The fee is non negotiable, to be transferred within 2 business days.



Obviously do not try to ask for help from the law enforcement unless you =

want your privacy to be violated.

I will monitor your every move until I get paid. If you keep your end of =

the agreement, you wont hear from me ever again.



Take care and have a good day.



--------------080207030208010806030001--





Business proposal spam from sendgrid

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Sat, 10 Sep 2022 15:09:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))

(envelope-from )

id 1oX5ys-000OC6-VR

for dave@doctor.nl2k.ab.ca;

Sat, 10 Sep 2022 13:17:30 -0600

Resent-From: The Doctor

Resent-Date: Sat, 10 Sep 2022 13:17:30 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from xvfrnscf.outbound-mail.sendgrid.net ([168.245.38.207]:54750)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_128_GCM_SHA256

(Exim 4.95 (FreeBSD))

(envelope-from )

id 1oX40c-0008j4-QA

for doctor@nl2k.ab.ca;

Sat, 10 Sep 2022 11:11:14 -0600

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sendgrid.net;

h=content-type:mime-version:content-transfer-encoding:

content-description:subject:from:reply-to:to:cc;

s=smtpapi; bh=KSxPEUfOVsp8vPcCElrZUmYcFYcn44YQlmq9b/HP9IQ=;

b=VdNGMFRukC3r8MvRxIZQB4pXILty5dNtcui83SiFsrmlY4TW1J7ZAAEriW1byPykLqH2

eYXTN/1xy5kOuc6SezJliEoOgLmSkgjKs1Jh1DjH6g1x+jlzlWFOxM/XxXB1yHdoyEXkE5

0viVYAFRzahH59vVFP9uG6RPhndNzI4BM=

Received: by filterdrecv-7f5fb5479d-qdhqr with SMTP id filterdrecv-7f5fb5479d-qdhqr-1-631CC513-4A

2022-09-10 17:10:43.478421798 +0000 UTC m=+1364187.304407931

Received: from APP-30106.karmakxcelerate.com (unknown)

by geopod-ismtpd-4-2 (SG) with ESMTP id axhlEREqSRWc6rLUDju6vQ

for ; Sat, 10 Sep 2022 17:10:43.337 +0000 (UTC)

Received: from [195.178.120.195] ([195.178.120.195]) by APP-30106.karmakxcelerate.com with Microsoft SMTPSVC(10.0.17763.1697);

Sat, 10 Sep 2022 13:10:42 -0400

Content-Type: text/plain; charset=us-ascii

MIME-Version: 1.0

Content-Transfer-Encoding: quoted-printable

Content-Description: Mail message body

Subject: 20.10.199.124

From: "Mrs. mena"

Date: Sat, 10 Sep 2022 17:10:43 +0000 (UTC)

Message-ID:

X-OriginalArrivalTime: 10 Sep 2022 17:10:43.0029 (UTC) FILETIME=[42669850:01D8C538]

Reply-To: vcgundotrasvp@gmail.com

X-SG-EID:

To: Recipients

X-Entity-ID: eN8NfSccfPSNVgM/qSDjvw==

X-Spam_score: 5.0

X-Spam_score_int: 50

X-Spam_bar: +++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: I'm A citizen of Lebanon,MENA Cluster HEAD & CEO CITI Groups

UAE. I have a business proposal that will beneficial to both of us which

I wish to discuss with you. kindly get back to me your full name for more

details.



Content analysis details: (5.0 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was

blocked. See

http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block

for more information.

[URIs: sendgrid.net]

1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in

bl.spamcop.net

[Blocked - see ]

-0.2 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)

[168.245.38.207 listed in wl.mailspike.net]

1.5 NIX_SPAM RBL: Listed in NIX_SPAM DNSBL (thanks to heise.de)

[168.245.38.207 listed in ix.dnsbl.manitu.net]

-0.0 SPF_PASS SPF: sender matches SPF record

0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level

mail domains are different

-0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay

domain

-0.0 T_SCC_BODY_TEXT_LINE No description available.

0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid

0.0 HK_NAME_MR_MRS No description available.

2.5 FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From

Subject: {SPAM?} 20.10.199.124



I'm A citizen of Lebanon,MENA Cluster HEAD & CEO CITI Groups UAE.



I have a business proposal that will beneficial to both of us which I

wish to discuss with you. kindly get back to me your full name for more det=

ails.



Regards,

Elissar Farah .A.

Home Depot Phish

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Sat, 10 Sep 2022 15:09:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))

(envelope-from )

id 1oX5yM-000O8R-AM

for dave@doctor.nl2k.ab.ca;

Sat, 10 Sep 2022 13:16:58 -0600

Resent-From: The Doctor

Resent-Date: Sat, 10 Sep 2022 13:16:58 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from [45.10.245.230] (port=36261 helo=24cash.ca)

by doctor.nl2k.ab.ca with esmtp (Exim 4.95 (FreeBSD))

id 1oX3VC-0004xK-Ke

for doctor@netknow.ca;

Sat, 10 Sep 2022 10:38:47 -0600

MIME-Version: 1.0

Message-Id:

From:_Congratulations

Subject:_We have a surprise for our shoppers!

Reply-To: reply_Z383BpwPDiJhSdzHzGl3w4NCEyLcylrPR1uk7l.bounce9@inx1and1.de

To: doctor@netknow.ca

Content-Transfer-Encoding: 7bit

Content-Type: text/html; charset=UTF-8

Date: Sat, 10 Sep 2022 18:38:12 +0200

X-Spam_score: 7.7

X-Spam_score_int: 77

X-Spam_bar: +++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: SURVEY ABOUT: THE HOME DEPOT THE HOME DEPOT Please tell us

about your: THE HOME DEPOT Experiences and as a thank you, you can select

from several exclusive offer rewards! Supply is extremely limited so act

fast today!



Content analysis details: (7.7 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was

blocked. See

http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block

for more information.

[URIs: googleapis.com]

0.0 SPF_HELO_NEUTRAL SPF: HELO does not match SPF record (neutral)

0.5 URI_NOVOWEL URI: URI hostname has long non-vowel sequence

0.0 HTML_MESSAGE BODY: HTML included in message

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

-0.0 T_SCC_BODY_TEXT_LINE No description available.

1.3 RDNS_NONE Delivered to internal network by a host with no rDNS

1.8 HDRS_MISSP Misspaced headers

3.0 GOOG_STO_NOIMG_HTML Apparently using google content hosting to

avoid URIBL

Subject: {SPAM?} _We have a surprise for our shoppers!