Aggressive phish from Digital Ocean UK

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Thu, 12 Oct 2023 16:28:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.96.1 (FreeBSD))

(envelope-from )

id 1qr48K-000HuY-1F

for dave@doctor.nl2k.ab.ca;

Thu, 12 Oct 2023 16:26:20 -0600

Resent-From: The Doctor

Resent-Date: Thu, 12 Oct 2023 16:26:20 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from hallowesproductions.com ([139.59.165.67]:36275)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384

(Exim 4.96.1 (FreeBSD))

(envelope-from )

id 1qqzEd-000Gz2-0b

for webmaster@nk.ca;

Thu, 12 Oct 2023 11:12:35 -0600

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=mail; d=HallowesProductions.com;

h=Message-ID:Reply-To:From:To:Subject:Date:MIME-Version:Content-Type;

i=director@HallowesProductions.com;

bh=UIdo/p0bbNO7bFZYzv2VzwNAnpbSO+gJ/KAV/TEtJ3k=;

b=Gvs7NrDg8BrrK9MPf3eMDwmsuRx4UjeFRCP8BnqiuDhbX9Uctl53RHXCe5lh2csREgXXrfCCXR6M

z7vHIkwZKg+dUPkOGbCErJkzINERuMBG/+qwOUB7czVp+bsEJFsmfMhABUKuwWKVAuxkZJj5Id4Y

jx5T1/ZWiDmJk3ieF7M=

Message-ID: <88a2eb4079260c02913b72c9bd78dd3fd6e7@HallowesProductions.com>

Reply-To: Charlie Crigger

From: Charlie Crigger

To: webmaster@nk.ca

Subject: Task timeline revision REF#PG6639

Date: Thu, 12 Oct 2023 19:08:44 +0100

MIME-Version: 1.0

Content-Type: multipart/alternative; boundary="8329600669ad82391ab0e9c2377c1fa464"



--8329600669ad82391ab0e9c2377c1fa464

Content-Type: text/plain; charset="utf-8"

Content-Transfer-Encoding: quoted-printable



Hello, I am very disappointed! collected the appeal from our contractor, =

and I have a large amount of questions. Please fix this issue, or I will =

apply additional penalties! It is important! Copy of the appeal you can f=

ind via the Unpaid Invoice lower October_23 =20



--8329600669ad82391ab0e9c2377c1fa464

Content-Type: text/html; charset="utf-8"

Content-Transfer-Encoding: quoted-printable





Hello,

I am very disappointed! collected the appeal from our contractor, and I h=

ave a large amount of questions. Please fix this issue, or I will apply a=

dditional penalties! It is important!

Copy of the appeal you can find via the Unpaid Invoice lower



October_23





--8329600669ad82391ab0e9c2377c1fa464--

Phishing for nk.ca credentials from Croatia

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Thu, 12 Oct 2023 16:23:53 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.96.1 (FreeBSD))

(envelope-from )

id 1qr44Y-000DXc-33

for dave@doctor.nl2k.ab.ca;

Thu, 12 Oct 2023 16:22:26 -0600

Resent-From: The Doctor

Resent-Date: Thu, 12 Oct 2023 16:22:26 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from ravnica.ptfos.hr ([161.53.207.3]:38974)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384

(Exim 4.96.1 (FreeBSD))

(envelope-from )

id 1qqx1K-00043m-1i

for abuse@nk.ca;

Thu, 12 Oct 2023 08:50:43 -0600

Received: from localhost (localhost.ptfos.hr [127.0.0.1])

by ravnica.ptfos.hr (Postfix) with ESMTP id 4B83A780518

for ; Thu, 12 Oct 2023 16:46:32 +0200 (CEST)

X-Virus-Scanned: Debian amavisd-new at ptfos.hr

Received: from ravnica.ptfos.hr ([127.0.0.1])

by localhost (ravnica.ptfos.hr [127.0.0.1]) (amavisd-new, port 10024)

with ESMTP id kX0WL7ILp5ja for ;

Thu, 12 Oct 2023 16:46:30 +0200 (CEST)

Received: from DESKTOP-7L4AR28 (unknown [102.215.57.48])

by ravnica.ptfos.hr (Postfix) with ESMTPSA id 27B9D7802CB

for ; Thu, 12 Oct 2023 16:44:54 +0200 (CEST)

From: =?UTF-8?B?8J+bkcKtU8KtZcKtY8KtdcKtcsKtZcKtLk5rwq4=?=

Subject: =?UTF-8?B?wq1Bwq1jwq10wq1pwq1vwq1uwq0gwq1Swq1lwq1xwq11wq1p?=

=?UTF-8?B?wq1ywq1lwq1kwq06IMKtwq1hYnVzZS91cGRhdGUgfCAxMC8xMi8yMDIz?=

To:

Content-Type: multipart/alternative; boundary="wnPeA=_q5bN3fLcoVgZhxidsszvChyt9r4"

MIME-Version: 1.0

Reply-To:

Date: Thu, 12 Oct 2023 15:44:56 +0100

Message-Id: <20231210154455A4D62CBEB2-7514244B5B@ptfos.hr>



This is a multi-part message in MIME format



--wnPeA=_q5bN3fLcoVgZhxidsszvChyt9r4

Content-Type: text/plain; charset="utf-8"

Content-Transfer-Encoding: quoted-printable





Nk Ticket Notifcation



Your password for your Nk account expires today 10/12/2023:



abuse@nk.ca



Click the button to keep your current login.



S=C2=ADT=C2=ADA=C2=ADY =C2=ADW=C2=ADI=C2=ADT=C2=ADH =C2=ADC=C2=ADU=C2=AD=

R=C2=ADR=C2=ADE=C2=ADN=C2=ADT =C2=ADP=C2=ADA=C2=ADS=C2=ADS=C2=ADW=C2=AD=

O=C2=ADR=C2=ADD https://googleads.g.doubleclick.net/pcs/click?xai=3DAK=

AOjssIdZGtK2LGw4coQMwtQcONuf8cVZUVHUrlFgT33_wiLCuxpoweUvHdBH9neY4iW-CZ=

h2SzgITptx6j64F0B2pEU0uoeRfmKTeyn7LSG5Irubqjv6IFl9MeqTp84ZT99WRJlZDMgr=

wUaUI7QjgNwL22AVveJm980wuVNryiILT2WhxCPmcY8M7PVIOygAXT_382p7PUn7bIByn2=

OjlTfCiaqta3tAhZWCuROeXZPznm5cGhgUYspVywPb8Y8GbuT5pyEUyF89icmqe5zg&sig=

=3DCg0ArKJSzFtr0kI2Y6Ll&adurl=3Dhttps://smarttrackrfid.com/nft/index.h=

tml?va=3DYWJ1c2VAbmsuY2E=3D



Account will be locked after 24 hours.



--wnPeA=_q5bN3fLcoVgZhxidsszvChyt9r4

Content-Type: text/html; charset="utf-8"

Content-Transfer-Encoding: quoted-printable






=C2=ADA=C2=ADc=C2=ADt=C2=ADi=C2=ADo=C2=ADn=C2=AD =C2=ADR=C2=AD=

e=C2=ADq=C2=ADu=C2=ADi=C2=ADr=C2=ADe=C2=ADd=C2=AD: =C2=AD=C2=ADabuse/u=

pdate | 10/12/2023










Nk Ticket Notifcation

Your password for your Nk account expires today 10/12/2023:


abuse@nk.ca


Click the button to keep your current login.


href=3D"https://googleads.g.doubleclick.net/pcs/click?xai=3DAKAOjss=

IdZGtK2LGw4coQMwtQcONuf8cVZUVHUrlFgT33_wiLCuxpoweUvHdBH9neY4iW-CZh2Szg=

ITptx6j64F0B2pEU0uoeRfmKTeyn7LSG5Irubqjv6IFl9MeqTp84ZT99WRJlZDMgrwUaUI=

7QjgNwL22AVveJm980wuVNryiILT2WhxCPmcY8M7PVIOygAXT_382p7PUn7bIByn2OjlTf=

Ciaqta3tAhZWCuROeXZPznm5cGhgUYspVywPb8Y8GbuT5pyEUyF89icmqe5zg&sig=3D=

Cg0ArKJSzFtr0kI2Y6Ll&adurl=3Dhttps://smarttrackrfid.com/nft/index.=

html?va=3DYWJ1c2VAbmsuY2E=3D" rel=3Dnoreferrer target=3D_blank>S­T=

­A­Y ­W­I­T­H ­C­U­R­R­E&s=

hy;N­T ­P­A­S­S­W­O­R­D


Account will be locked after 24 hours.







--wnPeA=_q5bN3fLcoVgZhxidsszvChyt9r4--



Phishing for nk.ca credentials from Czechia

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Thu, 12 Oct 2023 06:26:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.96.1 (FreeBSD))

(envelope-from )

id 1qqukr-000N61-0y

for dave@doctor.nl2k.ab.ca;

Thu, 12 Oct 2023 06:25:29 -0600

Resent-From: The Doctor

Resent-Date: Thu, 12 Oct 2023 06:25:29 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from [87.236.146.97] (port=50890 helo=altech.co.jp)

by doctor.nl2k.ab.ca with esmtp (Exim 4.96.1 (FreeBSD))

id 1qqu8t-000MaN-1U

for www@nl2k.ab.ca;

Thu, 12 Oct 2023 05:46:21 -0600

Received: from 127.0.0.1 (localhost [IPv6:::1])

by altech.co.jp (Postfix) with ESMTP id 35E4E6CF30B

for ; Thu, 12 Oct 2023 13:27:29 +0300 (MSK)

From: nl2k.ab.ca <>

To: www@nl2k.ab.ca

Subject: nl2k.ab.ca Report: (8) incoming messages on hold

Date: 12 Oct 2023 12:27:29 +0200

Message-ID: <20231012122729.07645F2FD1446C49@from.header.has.no.domain>

MIME-Version: 1.0

Content-Type: text/html;

charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

X-Spam_score: 17.0

X-Spam_score_int: 170

X-Spam_bar: +++++++++++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Dear www, Please see below detail notification for user: www@nl2k.ab.ca

You have pending incoming mails that you are yet to receive due to your Email

storage limit.



Content analysis details: (17.0 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

0.9 SPF_HELO_SOFTFAIL SPF: HELO does not match SPF record (softfail)

2.6 FROM_NO_USER From: has no local-part before @ sign

0.9 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

0.0 HTML_MESSAGE BODY: HTML included in message

2.0 PDS_FROM_NAME_TO_DOMAIN From:name looks like To:domain

1.3 RDNS_NONE Delivered to internal network by a host with no rDNS

1.5 PDS_FRNOM_TODOM_DBL_URL From Name to domain, double URL

1.5 PDS_FRNOM_TODOM_NAKED_TO Naked to From name equals to Domain

2.6 GOOG_REDIR_NORDNS Google redirect to obscure spamvertised website +

no rDNS

2.7 VFY_ACCT_NORDNS Verify your account to a poorly-configured MTA -

probable phishing

0.0 TO_NO_BRKTS_NORDNS_HTML To: misformatted and no rDNS and HTML only

Subject: {SPAM?} nl2k.ab.ca Report: (8) incoming messages on hold





Dear www,



Please see below detail notification for user: www@nl2k.ab.ca

You have pending incoming mails that you are yet to receive due to your Email storage limit.




Kindly confirm your account ownership to restore pending mails

href=3D"https://ipfs.io/ipfs/bafybeibhmot625vf74ikb=

eevj5jaixpukziwhj5qhf5pndltn43s2ccfja#www@nl2k.ab.ca" target=3D_blank data-=

saferedirecturl=3D"https://www.google.com/url?q=3Dhttps://decorplantasfores=

tal.com/zxcvvmbmxwhusbnsdghdjdh/gitch.io/bonny-domain.html%23%5B%5B-Email-%=

5D%5D&source=3Dgmail&ust=3D1697168926750000&usg=3DAOvVaw1R1tmZY=

DsfdegKrbndX4In">Click here to restore pending mails






This notification was sent from nl2k.ab.ca; Don't want occasional updates about subscription preferences and friendly suggestions?

© 2023 nl2k.ab.ca All rights reserved.

Phishing for nk.ca credentials from Czechia

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Thu, 12 Oct 2023 06:26:11 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.96.1 (FreeBSD))

(envelope-from )

id 1qqukm-000N4G-2X

for dave@doctor.nl2k.ab.ca;

Thu, 12 Oct 2023 06:25:24 -0600

Resent-From: The Doctor

Resent-Date: Thu, 12 Oct 2023 06:25:24 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from [87.236.146.97] (port=50846 helo=altech.co.jp)

by doctor.nl2k.ab.ca with esmtp (Exim 4.96.1 (FreeBSD))

id 1qqu8t-000MaJ-1U

for sales@nk.ca;

Thu, 12 Oct 2023 05:46:23 -0600

Received: from 127.0.0.1 (localhost [IPv6:::1])

by altech.co.jp (Postfix) with ESMTP id E8DDC6CEFD8

for ; Thu, 12 Oct 2023 13:27:28 +0300 (MSK)

From: nk.ca <>

To: sales@nk.ca

Subject: nk.ca Report: (8) incoming messages on hold

Date: 12 Oct 2023 12:27:29 +0200

Message-ID: <20231012122727.6AA45729FF5030F1@from.header.has.no.domain>

MIME-Version: 1.0

Content-Type: text/html;

charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

X-Spam_score: 17.0

X-Spam_score_int: 170

X-Spam_bar: +++++++++++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Dear sales, Please see below detail notification for user:

sales@nk.ca You have pending incoming mails that you are yet to receive due

to your Email storage limit.



Content analysis details: (17.0 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

0.9 SPF_HELO_SOFTFAIL SPF: HELO does not match SPF record (softfail)

2.6 FROM_NO_USER From: has no local-part before @ sign

0.9 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

0.0 HTML_MESSAGE BODY: HTML included in message

2.0 PDS_FROM_NAME_TO_DOMAIN From:name looks like To:domain

1.3 RDNS_NONE Delivered to internal network by a host with no rDNS

2.6 GOOG_REDIR_NORDNS Google redirect to obscure spamvertised website +

no rDNS

1.5 PDS_FRNOM_TODOM_NAKED_TO Naked to From name equals to Domain

1.5 PDS_FRNOM_TODOM_DBL_URL From Name to domain, double URL

2.7 VFY_ACCT_NORDNS Verify your account to a poorly-configured MTA -

probable phishing

0.0 TO_NO_BRKTS_NORDNS_HTML To: misformatted and no rDNS and HTML only

Subject: {SPAM?} nk.ca Report: (8) incoming messages on hold





Dear sales,

Please see below detail notification for user: sales@nk.ca

You have pending incoming mails that you are yet to receive due to your Email storage limit.




Kindly confirm your account ownership to restore pending mails

href=3D"https://ipfs.io/ipfs/bafybeibhmot625vf74ikb=

eevj5jaixpukziwhj5qhf5pndltn43s2ccfja#sales@nk.ca" target=3D_blank data-saf=

eredirecturl=3D"https://www.google.com/url?q=3Dhttps://decorplantasforestal=

=2Ecom/zxcvvmbmxwhusbnsdghdjdh/gitch.io/bonny-domain.html%23%5B%5B-Email-%5=

D%5D&source=3Dgmail&ust=3D1697168926750000&usg=3DAOvVaw1R1tmZYD=

sfdegKrbndX4In">Click here to restore pending mails






This notification was sent from nk.ca; Don't want occasional updates about subscription preferences and friendly suggestions?




© 2023 nk.ca All rights reserved.


Phishing for nk.ca credentials from Czechia

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Thu, 12 Oct 2023 05:17:16 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.96.1 (FreeBSD))

(envelope-from )

id 1qqtf4-000AQA-17

for dave@doctor.nl2k.ab.ca;

Thu, 12 Oct 2023 05:15:26 -0600

Resent-From: The Doctor

Resent-Date: Thu, 12 Oct 2023 05:15:25 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from [87.236.146.97] (port=35368 helo=altech.co.jp)

by doctor.nl2k.ab.ca with esmtp (Exim 4.96.1 (FreeBSD))

id 1qqtS5-0000i3-0r

for root@nl2k.ab.ca;

Thu, 12 Oct 2023 05:02:05 -0600

Received: from 127.0.0.1 (localhost [IPv6:::1])

by altech.co.jp (Postfix) with ESMTP id B24D56CEFC2

for ; Thu, 12 Oct 2023 13:27:28 +0300 (MSK)

From: nl2k.ab.ca <>

To: root@nl2k.ab.ca

Subject: nl2k.ab.ca Report: (8) incoming messages on hold

Date: 12 Oct 2023 12:27:28 +0200

Message-ID: <20231012122728.99CE98AC21BAB693@from.header.has.no.domain>

MIME-Version: 1.0

Content-Type: text/html;

charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

X-Spam_score: 17.0

X-Spam_score_int: 170

X-Spam_bar: +++++++++++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Dear root, Please see below detail notification for user:

root@nl2k.ab.ca You have pending incoming mails that you are yet to receive

due to your Email storage limit.



Content analysis details: (17.0 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

0.9 SPF_HELO_SOFTFAIL SPF: HELO does not match SPF record (softfail)

2.6 FROM_NO_USER From: has no local-part before @ sign

0.9 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

0.0 HTML_MESSAGE BODY: HTML included in message

2.0 PDS_FROM_NAME_TO_DOMAIN From:name looks like To:domain

1.3 RDNS_NONE Delivered to internal network by a host with no rDNS

2.6 GOOG_REDIR_NORDNS Google redirect to obscure spamvertised website +

no rDNS

1.5 PDS_FRNOM_TODOM_NAKED_TO Naked to From name equals to Domain

1.5 PDS_FRNOM_TODOM_DBL_URL From Name to domain, double URL

2.7 VFY_ACCT_NORDNS Verify your account to a poorly-configured MTA -

probable phishing

0.0 TO_NO_BRKTS_NORDNS_HTML To: misformatted and no rDNS and HTML only

Subject: {SPAM?} nl2k.ab.ca Report: (8) incoming messages on hold





Dear root,



Please see below detail notification for user: root@nl2k.ab.ca

You have pending incoming mails that you are yet to receive due to your Email storage limit.




Kindly confirm your account ownership to restore pending mails

href=3D"https://ipfs.io/ipfs/bafybeibhmot625vf74ikb=

eevj5jaixpukziwhj5qhf5pndltn43s2ccfja#root@nl2k.ab.ca" target=3D_blank data=

-saferedirecturl=3D"https://www.google.com/url?q=3Dhttps://decorplantasfore=

stal.com/zxcvvmbmxwhusbnsdghdjdh/gitch.io/bonny-domain.html%23%5B%5B-Email-=

%5D%5D&source=3Dgmail&ust=3D1697168926750000&usg=3DAOvVaw1R1tmZ=

YDsfdegKrbndX4In">Click here to restore pending mails






This notification was sent from nl2k.ab.ca; Don't want occasional updates about subscription preferences and friendly suggestions?

© 2023 nl2k.ab.ca All rights reserved.

Phishing for nk.ca credentials from Czechia

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Thu, 12 Oct 2023 06:26:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.96.1 (FreeBSD))

(envelope-from )

id 1qqukw-000N7l-0v

for dave@doctor.nl2k.ab.ca;

Thu, 12 Oct 2023 06:25:34 -0600

Resent-From: The Doctor

Resent-Date: Thu, 12 Oct 2023 06:25:34 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from [87.236.146.97] (port=50836 helo=altech.co.jp)

by doctor.nl2k.ab.ca with esmtp (Exim 4.96.1 (FreeBSD))

id 1qqu8t-000MaI-1U

for root@nk.ca;

Thu, 12 Oct 2023 05:46:21 -0600

Received: from 127.0.0.1 (localhost [IPv6:::1])

by altech.co.jp (Postfix) with ESMTP id DC3146CEFD1

for ; Thu, 12 Oct 2023 13:27:28 +0300 (MSK)

From: nk.ca <>

To: root@nk.ca

Subject: nk.ca Report: (8) incoming messages on hold

Date: 12 Oct 2023 12:27:29 +0200

Message-ID: <20231012122729.6618390713CF5571@from.header.has.no.domain>

MIME-Version: 1.0

Content-Type: text/html;

charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

X-Spam_score: 17.0

X-Spam_score_int: 170

X-Spam_bar: +++++++++++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Dear root, Please see below detail notification for user:

root@nk.ca You have pending incoming mails that you are yet to receive due

to your Email storage limit.



Content analysis details: (17.0 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

0.9 SPF_HELO_SOFTFAIL SPF: HELO does not match SPF record (softfail)

2.6 FROM_NO_USER From: has no local-part before @ sign

0.9 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

0.0 HTML_MESSAGE BODY: HTML included in message

2.0 PDS_FROM_NAME_TO_DOMAIN From:name looks like To:domain

1.3 RDNS_NONE Delivered to internal network by a host with no rDNS

1.5 PDS_FRNOM_TODOM_NAKED_TO Naked to From name equals to Domain

2.6 GOOG_REDIR_NORDNS Google redirect to obscure spamvertised website +

no rDNS

1.5 PDS_FRNOM_TODOM_DBL_URL From Name to domain, double URL

2.7 VFY_ACCT_NORDNS Verify your account to a poorly-configured MTA -

probable phishing

0.0 TO_NO_BRKTS_NORDNS_HTML To: misformatted and no rDNS and HTML only

Subject: {SPAM?} nk.ca Report: (8) incoming messages on hold





Dear root,




Please see below detail notification for user: root@nk.ca





You have pending incoming mails that you are yet to receive due to your Email storage limit.




Kindly confirm your account ownership to restore pending mails

<A href="https://ipfs.io/ipfs/bafybeibhmot625vf74ikbeevj5jaixpukziwhj5qhf5pndltn43s2ccfja#root@nk.ca" target=_blank data-saferedirecturl="https://www.google.com/url?q=https://decorplantasforestal.com/zxcvvmbmxwhusbnsdghdjdh/gitch.io/bonny-domain.html%23%5B%5B-Email-%5D%5D&source=gmail&ust=1697168926750000&usg=AOvVaw1R1tmZYDsfdegKrbndX4In">Click here to restore pending mails</A>




This notification was sent from nk.ca; Don't want occasional updates about subscription preferences and friendly suggestions?




© 2023 nk.ca All rights reserved.

Phishing for nk.ca credentials from Czechia

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Thu, 12 Oct 2023 06:26:11 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.96.1 (FreeBSD))

(envelope-from )

id 1qquki-000MzJ-0w

for dave@doctor.nl2k.ab.ca;

Thu, 12 Oct 2023 06:25:20 -0600

Resent-From: The Doctor

Resent-Date: Thu, 12 Oct 2023 06:25:20 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from [87.236.146.97] (port=50782 helo=altech.co.jp)

by doctor.nl2k.ab.ca with esmtp (Exim 4.96.1 (FreeBSD))

id 1qqu8t-000MaF-1U

for doctor@doctor.nl2k.ab.ca;

Thu, 12 Oct 2023 05:46:23 -0600

Received: from 127.0.0.1 (localhost [IPv6:::1])

by altech.co.jp (Postfix) with ESMTP id C41662DF182

for ; Thu, 12 Oct 2023 13:27:27 +0300 (MSK)

From: doctor.nl2k.ab.ca <>

To: doctor@doctor.nl2k.ab.ca

Subject: doctor.nl2k.ab.ca Report: (8) incoming messages on hold

Date: 12 Oct 2023 12:27:28 +0200

Message-ID: <20231012122727.62AE64926C99B368@from.header.has.no.domain>

MIME-Version: 1.0

Content-Type: text/html;

charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

X-Spam_score: 17.0

X-Spam_score_int: 170

X-Spam_bar: +++++++++++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Dear doctor, Please see below detail notification for user:

doctor@doctor.nl2k.ab.ca You have pending incoming mails that you are yet

to receive due to your Email storage limit.



Content analysis details: (17.0 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

0.9 SPF_HELO_SOFTFAIL SPF: HELO does not match SPF record (softfail)

2.6 FROM_NO_USER From: has no local-part before @ sign

0.9 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

0.0 HTML_MESSAGE BODY: HTML included in message

0.0 GB_CUSTOM_HTM_URI Custom html uri

2.0 PDS_FROM_NAME_TO_DOMAIN From:name looks like To:domain

1.3 RDNS_NONE Delivered to internal network by a host with no rDNS

1.5 PDS_FRNOM_TODOM_DBL_URL From Name to domain, double URL

2.6 GOOG_REDIR_NORDNS Google redirect to obscure spamvertised website +

no rDNS

1.5 PDS_FRNOM_TODOM_NAKED_TO Naked to From name equals to Domain

2.7 VFY_ACCT_NORDNS Verify your account to a poorly-configured MTA -

probable phishing

0.0 TO_NO_BRKTS_NORDNS_HTML To: misformatted and no rDNS and HTML only

Subject: {SPAM?} doctor.nl2k.ab.ca Report: (8) incoming messages on hold





Dear doctor,

Please see below detail notification for user: doctor@doctor.nl2k.ab.ca





You have pending incoming mails that you are yet to receive due to your Email storage limit.




Kindly confirm your account ownership to restore pending mails

<A href="https://ipfs.io/ipfs/bafybeibhmot625vf74ikbeevj5jaixpukziwhj5qhf5pndltn43s2ccfja#doctor@doctor.nl2k.ab.ca" target=_blank data-saferedirecturl="https://www.google.com/url?q=https://decorplantasforestal.com/zxcvvmbmxwhusbnsdghdjdh/gitch.io/bonny-domain.html%23%5B%5B-Email-%5D%5D&source=gmail&ust=1697168926750000&usg=AOvVaw1R1tmZYDsfdegKrbndX4In">Click here to restore pending mails</A>




This notification was sent from doctor.nl2k.ab.ca; Don't want occasional updates about subscription preferences and friendly suggestions?



© 2023 doctor.nl2k.ab.ca All rights reserved.



Phishing for nk.ca credentials from Czechia

Return-path: <>

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Thu, 12 Oct 2023 05:02:00 -0600

Received: from [87.236.146.97] (port=34972 helo=altech.co.jp)

by doctor.nl2k.ab.ca with esmtp (Exim 4.96.1 (FreeBSD))

id 1qqtRp-0000fB-0t

for dave@doctor.nl2k.ab.ca;

Thu, 12 Oct 2023 05:01:54 -0600

Received: from 127.0.0.1 (localhost [IPv6:::1])

by altech.co.jp (Postfix) with ESMTP id B4D4F6CEFC3

for ; Thu, 12 Oct 2023 13:27:27 +0300 (MSK)

From: doctor.nl2k.ab.ca <>

To: dave@doctor.nl2k.ab.ca

Subject: doctor.nl2k.ab.ca Report: (8) incoming messages on hold

Date: 12 Oct 2023 12:27:27 +0200

Message-ID: <20231012122727.C92E303F4D95F93B@from.header.has.no.domain>

MIME-Version: 1.0

Content-Type: text/html;

charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

X-Spam_score: 17.0

X-Spam_score_int: 170

X-Spam_bar: +++++++++++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Dear dave, Please see below detail notification for user:

dave@doctor.nl2k.ab.ca You have pending incoming mails that you are yet to

receive due to your Email storage limit.



Content analysis details: (17.0 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

0.9 SPF_HELO_SOFTFAIL SPF: HELO does not match SPF record (softfail)

2.6 FROM_NO_USER From: has no local-part before @ sign

0.9 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

0.0 HTML_MESSAGE BODY: HTML included in message

1.3 RDNS_NONE Delivered to internal network by a host with no rDNS

2.0 PDS_FROM_NAME_TO_DOMAIN From:name looks like To:domain

2.7 VFY_ACCT_NORDNS Verify your account to a poorly-configured MTA -

probable phishing

0.0 TO_NO_BRKTS_NORDNS_HTML To: misformatted and no rDNS and HTML only

2.6 GOOG_REDIR_NORDNS Google redirect to obscure spamvertised website +

no rDNS

1.5 PDS_FRNOM_TODOM_NAKED_TO Naked to From name equals to Domain

1.5 PDS_FRNOM_TODOM_DBL_URL From Name to domain, double URL

Subject: {SPAM?} doctor.nl2k.ab.ca Report: (8) incoming messages on hold





Dear dave,




Please see below detail notification for user: dave@doctor.nl2k.ab.ca





You have pending incoming mails that you are yet to receive due to your Email storage limit.




Kindly confirm your account ownership to restore pending mails

<A href="https://ipfs.io/ipfs/bafybeibhmot625vf74ikbeevj5jaixpukziwhj5qhf5pndltn43s2ccfja#dave@doctor.nl2k.ab.ca" target=_blank data-saferedirecturl="https://www.google.com/url?q=https://decorplantasforestal.com/zxcvvmbmxwhusbnsdghdjdh/gitch.io/bonny-domain.html%23%5B%5B-Email-%5D%5D&source=gmail&ust=1697168926750000&usg=AOvVaw1R1tmZYDsfdegKrbndX4In">Click here to restore pending mails</A>




This notification was sent from doctor.nl2k.ab.ca; Don't want occasional updates about subscription preferences and friendly suggestions?



© 2023 doctor.nl2k.ab.ca All rights reserved.