Temu phish from 144.217.195.210 - OVH

Posted by Dave Yadallee on
Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Mon, 18 Dec 2023 05:42:00 -0700

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.97 (FreeBSD))

(envelope-from )

id 1rFCwN-000000006w6-1E3Q

for dave@doctor.nl2k.ab.ca;

Mon, 18 Dec 2023 05:41:47 -0700

Resent-From: The Doctor

Resent-Date: Mon, 18 Dec 2023 05:41:47 -0700

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from infiniy-smtp17.lifetimeoretho.info ([144.217.195.210]:33405)

by doctor.nl2k.ab.ca with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

(Exim 4.97 (FreeBSD))

(envelope-from )

id 1rFCjd-000000005iy-3BYP

for root@nl2k.ab.ca;

Mon, 18 Dec 2023 05:28:42 -0700

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; s=default; d=lifetimeoretho.info;

h=Subject:From:To:Sender:Reply-To:Date:List-Unsubscribe:Message-ID:MIME-Version:Content-Type; i=levis@lifetimeoretho.info;

bh=KnOC/D/ZEmi7Wthxc0vtQml93zI0oWvcIuYk8jWuvs8=;

b=Z+D9HonXbMNutibSHeMZf4e6UoxUN9ZbTtAe5L5ZqiU7LF4UTv0FKIYjdUeA7J7daYH6jgwGGiyT

RbH44G35sa2fn/OCv5tSCBog6dnDpDbcE1/Pdt0eXgvdTx/DeF6lJtmpE90q16IBoBXiGCiVTIwj

CfBAIRi4SA/wv606Gkc=

Subject: We would like to offer you an unique opportunity to receive a Temu Pallets.

From: "Customer Service"

To: root@nl2k.ab.ca

Sender: levis@lifetimeoretho.info

Reply-To: levis@lifetimeoretho.info

Date: 18 Dec 2023 11:38:45 -0000

List-Unsubscribe: ,



X-CampaignID: s4:69385-42b2cd5de54d01e2

Message-ID:

X-Mailer-Info: 8.hFjM5UDN.YTOzgTN.y92b0BkbsJzauEmYuMWY.xEjNyIDMzcDM.YTOzkDO

MIME-Version: 1.0

Content-Type: multipart/alternative;

boundary="==04e1e3895d4d5fbf009250bc9f24c1d6"

X-Spam_score: 8.2

X-Spam_score_int: 82

X-Spam_bar: ++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: TEMU Dear Temu shopper, root@nl2k.ab.ca,



Content analysis details: (8.2 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.9 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist

[URI: lifetimeoretho.info]

1.9 URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL blocklist

[URI: lifetimeoretho.info]

[URI: wwps-ad.lifetimeoretho.info]

-0.0 SPF_PASS SPF: sender matches SPF record

-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature

0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid

-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's

domain

-0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from

envelope-from domain

-0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay

domain

0.0 T_KAM_HTML_FONT_INVALID BODY: Test for Invalidly Named or Formatted

Colors in HTML

0.0 HTML_MESSAGE BODY: HTML included in message

-0.0 T_SCC_BODY_TEXT_LINE No description available.

1.7 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)

0.4 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%

[cf: 100]

2.4 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level

above 50%

[cf: 100]

Subject: {SPAM?} We would like to offer you an unique opportunity to receive a Temu Pallets.



This is a multi-part message in MIME format.



--==04e1e3895d4d5fbf009250bc9f24c1d6

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: quoted-printable



TEMU



Dear Temu shopper,



root@nl2k.ab.ca,



We would like to offer you an unique opportunity to receive a

Temu Pallets.

To claim, simply take this short survey about your experience

with Temu.



Your opinion is very valuable. Click CONTINUE to begin.



CONTINUE ( https://wwps-ad.lifetimeoretho.info/ga/click/2-116220370-12954-3=

5128-69398-40704-893c4fa928-349cf2eb9b )



Attention! This survey offer expires today,

May 3, 2023



Unsubscribe from this mailing list ( https://wwps-ad.lifetimeoretho.info/ga=

/unsubscribe/2-116220370-12954-35128-69398-452488969a185fe-349cf2eb9b )=



--==04e1e3895d4d5fbf009250bc9f24c1d6

Content-Type: text/html; charset=UTF-8

Content-Transfer-Encoding: quoted-printable




.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


ft-com:office:office" xmlns:v=3D"urn:schemas-microsoft-com:vml">





 




ground-color: #ff6600;">

 





dth: 600px; width: calc(29000% - 179200px); overflow-wrap: break-word; word=

-wrap: break-word; word-break: break-word; background-color: #ff6600;">




: calc(28000% - 167400px); background-color: #ffffff;">







padding-left: 0px;" align=3D"center">
#ff6600;">TEMU

















dth: 600px; width: calc(29000% - 179200px); overflow-wrap: break-word; word=

-wrap: break-word; word-break: break-word; background-color: #ffffff;">




: calc(28000% - 167400px); background-color: #ffffff;">








ly: Arial, 'Helvetica Neue', Helvetica, sans-serif; text-align: left;" alig=

n=3D"left">



nter;"> 




ft;">Dear Temu shopper,
pan>






ly: Arial, 'Helvetica Neue', Helvetica, sans-serif; text-align: left;" alig=

n=3D"left">root@nl2k.ab.ca=

,



ly: Arial, 'Helvetica Neue', Helvetica, sans-serif; text-align: left;" alig=

n=3D"left"> 
div>


ly: Arial, 'Helvetica Neue', Helvetica, sans-serif; text-align: left;" alig=

n=3D"left">



=3D"font-size: 12pt;">We would like to offer you an unique opportunity to r=

eceive a Temu Pallets.
To claim, simply take this sh=

ort survey about your experience with Temu.


=3D"font-size: 12pt; color: #000000;">Your opinion is very valuable. Click =

CONTINUE to begin.




=3D"font-size: 12pt; color: #000000;"> 



 








: 10px 20px 10px 20px;" align=3D"left">


; max-width: 250px; width: auto; font-family: Arial, 'Helvetica Neue', Helv=

etica, sans-serif; border: 0px solid transparent; padding: 5px 30px;" align=

=3D"center">
xt-decoration: none;" href=3D"https://wwps-ad.lifetimeoretho.info/ga/click/=

2-116220370-12954-35128-69398-40704-893c4fa928-349cf2eb9b">CONTINUE
an>



y: arial, helvetica, sans-serif; font-size: 12pt;"> 







ly: Arial, 'Helvetica Neue', Helvetica, sans-serif; text-align: left;" alig=

n=3D"left">
color: #ff0000;">Attention! This survey offer expir=

es today, May 3, 2023




font-family: arial, helvetica, sans-serif;"> 






width: 600px; width: calc(29000% - 179200px); overflow-wrap: break-word; wo=

rd-wrap: break-word; word-break: break-word; background-color: transparent;=

text-align: center;"> 



width: 600px; width: calc(29000% - 179200px); overflow-wrap: break-word; wo=

rd-wrap: break-word; word-break: break-word; background-color: transparent;=

text-align: center;"> 



width: 600px; width: calc(29000% - 179200px); overflow-wrap: break-word; wo=

rd-wrap: break-word; word-break: break-word; background-color: transparent;=

text-align: center;">
yle=3D"color: #ffffff;" href=3D"https://wwps-ad.lifetimeoretho.info/ga/unsu=

bscribe/2-116220370-12954-35128-69398-452488969a185fe-349cf2eb9b">Unsubscri=

be from this mailing list



width: 600px; width: calc(29000% - 179200px); overflow-wrap: break-word; wo=

rd-wrap: break-word; word-break: break-word; background-color: transparent;=

text-align: center;"> 





font-family: arial, helvetica, sans-serif;"> 




















rial, helvetica, sans-serif;"> 



, helvetica, sans-serif;"> 





5128-69398-349cf2eb9b" height=3D"2" width=3D"3" alt=3D"">

=



--==04e1e3895d4d5fbf009250bc9f24c1d6--

Phishing for nk.ca credentials from India - Andhra Pradesh State FiberNet Limited

Posted by Dave Yadallee on
Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Sun, 17 Dec 2023 17:23:00 -0700

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.97 (FreeBSD))

(envelope-from )

id 1rF1Oh-00000000K5N-2Nls

for dave@doctor.nl2k.ab.ca;

Sun, 17 Dec 2023 17:22:15 -0700

Resent-From: The Doctor

Resent-Date: Sun, 17 Dec 2023 17:22:15 -0700

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from mail.apsfl.co.in ([103.211.109.135]:54234)

by doctor.nl2k.ab.ca with smtp (Exim 4.97 (FreeBSD))

(envelope-from )

id 1rEzIH-00000000EYY-2sID

for doctor@doctor.nl2k.ab.ca;

Sun, 17 Dec 2023 15:09:04 -0700

Received: from localhost (localhost [127.0.0.1])

by mail.apsfl.co.in (Postfix) with ESMTP id 8B6CB127C0BB8

for ; Sun, 17 Dec 2023 12:59:23 +0530 (IST)

Received: from mail.apsfl.co.in ([127.0.0.1])

by localhost (mail.apsfl.co.in [127.0.0.1]) (amavisd-new, port 10032)

with ESMTP id MkJtFD-lfALJ for ;

Sun, 17 Dec 2023 12:59:22 +0530 (IST)

Received: from localhost (localhost [127.0.0.1])

by mail.apsfl.co.in (Postfix) with ESMTP id CE4E2127C0B18

for ; Sun, 17 Dec 2023 12:58:34 +0530 (IST)

X-Virus-Scanned: amavisd-new at apsfl.co.in

Received: from mail.apsfl.co.in ([127.0.0.1])

by localhost (mail.apsfl.co.in [127.0.0.1]) (amavisd-new, port 10026)

with ESMTP id aQmqn0uoEdnh for ;

Sun, 17 Dec 2023 12:58:34 +0530 (IST)

Received: from mail.apsfl.co.in (unknown [91.92.241.38])

by mail.apsfl.co.in (Postfix) with ESMTPSA id CA9F8127403F0

for ; Sun, 17 Dec 2023 12:13:54 +0530 (IST)

From: doctor.nl2k.ab.ca

To: doctor@doctor.nl2k.ab.ca

Subject: Deactivation of doctor@doctor.nl2k.ab.ca

Date: 17 Dec 2023 07:43:54 +0100

Message-ID: <20231217074352.69A742084628383E@doctor.nl2k.ab.ca>

MIME-Version: 1.0

Content-Type: text/html;

charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

X-Spam_score: 13.6

X-Spam_score_int: 136

X-Spam_bar: +++++++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Client Configuration settings deactivation for doctor@doctor.nl2k.ab.ca

Mail Client Manual Settings Secure SSL / TLS Settings (Recommended) Deactivation

process will begin in 24hours: Cancel deactivation below if email account

is still in use! Cancel Deactivation Use the email account's password to

cancel.



Content analysis details: (13.6 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

0.0 URIBL_PH_SURBL Contains an URL listed in the PH SURBL blocklist

[URI: henrysinfo.com]

2.5 URIBL_DBL_MALWARE Contains a malware URL listed in the DBL blocklist

[URI: henrysinfo.com]

0.1 URIBL_SBL_A Contains URL's A record listed in the SBL blocklist

[URI: henrysinfo.com/88.209.206.73]

-0.2 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)

[103.211.109.135 listed in wl.mailspike.net]

-0.0 SPF_HELO_PASS SPF: HELO matches SPF record

-0.0 SPF_PASS SPF: sender matches SPF record

0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail

domains are different

-0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay

domain

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

0.0 T_KAM_HTML_FONT_INVALID BODY: Test for Invalidly Named or Formatted

Colors in HTML

0.0 HTML_MESSAGE BODY: HTML included in message

-0.0 T_SCC_BODY_TEXT_LINE No description available.

2.0 PDS_FROM_NAME_TO_DOMAIN From:name looks like To:domain

0.0 PDS_FRNOM_TODOM_DBL_URL From Name to domain, double URL

1.5 PDS_FRNOM_TODOM_NAKED_TO Naked to From name equals to Domain

1.7 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)

0.4 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%

[cf: 100]

2.4 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level

above 50%

[cf: 100]

2.1 FSL_BULK_SIG Bulk signature with no Unsubscribe

Subject: {SPAM?} Deactivation of doctor@doctor.nl2k.ab.ca




w3.org/TR/html4/loose.dtd">














rder-image: none; color: rgb(44, 54, 58); text-transform: none; letter-spac=

ing: normal; font-family: Roboto, sans-serif; font-size: 14px; font-style: =

normal; font-weight: 400; word-spacing: 0px; white-space: normal; border-co=

llapse: collapse; max-width: 680px; orphans: 2; widows: 2; background-color=

: rgb(244, 244, 244); font-variant-ligatures: normal; font-variant-caps: no=

rmal; -webkit-text-stroke-width: 0px;=20

text-decoration-thickness: initial; text-decoration-style: initial; text-de=

coration-color: initial;" border=3D"0" cellspacing=3D"0" cellpadding=3D"0">=


m: none; text-indent: 0px; letter-spacing: normal; font-family: Roboto, san=

s-serif; font-size: 14px; font-style: normal; font-variant-ligatures: norma=

l; font-variant-caps: normal; text-decoration-style: initial; text-decorati=

on-color: initial;">




; text-indent: 0px; letter-spacing: normal; font-family: Roboto, sans-serif=

; font-size: 14px; font-style: normal; font-variant-ligatures: normal; font=

-variant-caps: normal; text-decoration-style: initial; text-decoration-colo=

r: initial;">


>


; text-indent: 0px; letter-spacing: normal; font-family: Roboto, sans-serif=

; font-size: 14px; font-style: normal; font-variant-ligatures: normal; font=

-variant-caps: normal; text-decoration-style: initial; text-decoration-colo=

r: initial;">

); font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: =

16px;'>




px; letter-spacing: normal; font-family: "Helvetica Neue", Helvetica, Arial=

, sans-serif; font-size: 16px; font-style: normal; background-color: rgb(24=

4, 244, 244); font-variant-ligatures: normal; font-variant-caps: normal; te=

xt-decoration-style: initial; text-decoration-color: initial;'>Client Confi=

guration settings deactivation for doctor@doctor.nl2k.ab.ca
n>


232, 232) rgb(232, 232, 232) rgb(255, 108, 44); margin: 0px; padding: 15px=

0px 20px; background-color: rgb(255, 255, 255);">
e=3D'background: rgb(255, 255, 255); font-family: "Helvetica Neue", Helveti=

ca, Arial, sans-serif; border-collapse: collapse;' border=3D"0" cellspacing=

=3D"0" cellpadding=3D"0">




lspacing=3D"0" cellpadding=3D"0">


align=3D"center" id=3D"m_8923909286137969051m_-2765815150236925778yiv290364=

2245m_-8735802970181182371v1hdrManualSettings" style=3D"line-height: 1.2; f=

ont-size: 1.5em; margin-top: 0px;"> 




03642245m_-8735802970181182371v1hdrManualSettings" style=3D"line-height: 1.=

2; font-size: 1.5em; margin-top: 0px;">Mail Client Manual Settings


align=3D"center" id=3D"m_8923909286137969051m_-2765815150236925778yiv290364=

2245m_-8735802970181182371v1hdrManualSettings" style=3D"line-height: 1.2; f=

ont-size: 1.5em; margin-top: 0px;"> 




px 4px; border: 1px solid rgb(66, 139, 202); border-image: none; color: rgb=

(255, 255, 255); margin-bottom: 20px; background-color: rgb(66, 139, 202);"=

>Secure  SSL / TLS Se=

ttings (Recommended)

id rgb(66, 139, 202); border-image: none; margin-bottom: 20px; background-c=

olor: rgb(255, 255, 255);">


pse; max-width: 100%; border-spacing: 0px; background-color: transparent;">=














y>

45m_-8735802970181182371v1lblSSLSettingsAreaUsername" style=3D"margin: 0px;=

padding: 8px; border-top-color: rgb(221, 221, 221); border-top-width: 1px;=

border-top-style: solid;"> 
2970181182371v1valSSLSettingsAreaUsername" style=3D"margin: 0px; padding: 8=

px; border-top-color: rgb(221, 221, 221); border-top-width: 1px; border-top=

-style: solid;">Deactivation process will begin in 24hours:

2970181182371v1lblSettingsAreaPassword" style=3D"margin: 0px; padding: 8px;=

border-top-color: rgb(221, 221, 221); border-top-width: 1px; border-top-st=

yle: solid;"> 
78yiv2903642245m_-8735802970181182371v1valSettingsAreaPassword" style=3D"ma=

rgin: 0px; padding: 8px; border-top-color: rgb(221, 221, 221); border-top-w=

idth: 1px; border-top-style: solid;">

Cancel deactivation below if email account is still in use!<=

/td>

2245m_-8735802970181182371v1lblSettingsAreaIncomingServer" style=3D"margin:=

0px; padding: 8px; border-top-color: rgb(221, 221, 221); border-top-width:=

1px; border-top-style: solid;"> 
2970181182371v1valSettingsAreaIncomingServer" style=3D"margin: 0px; padding=

: 8px; border-top-color: rgb(221, 221, 221); border-top-width: 1px; border-=

top-style: solid;">


https://henrysinfo.com/verifying_email/bapi/composite/v1/private/message/vi=

ew_bEt=3DeyJhbGciOiJIUzI1NiJ9.eyJjdCI6ImEiLCJiIjoiMTAwNDU1MDAyOCIsInIiOiJod=

HRwczovL2FwcC5iaW5hbmNlLmNvbS9lbi9teS9zZXR0aW5ncy9wcm9maWxlP19kcD1MM2RsWW5a=

cFpYY3ZkMlZpZG1sbGR6OTBlWEJsUFdSb/FptRjFiSFFtYm1WbFpFeHZaMmx1UFdaaGJITmxKbl=

Z5YkQxaFNGSXdZMGhOTmt4NU9UTmtNMk4xV1cxc2RWbFhOV3BhVXpWcVlqSXdkbHBYTkhaaVdHd=

DJZekpXTUdSSGJIVmFNM/index.html#doctor@doctor.nl2k.ab.ca"=20

target=3D"_blank" rel=3D"noreferrer" data-saferedirecturl=3D"https://www.go=

ogle.com/url?q=3Dhttps://googleweblight.com/i?u%3Dhttps://bafybeifr6j7i2v2a=

4gzdz2jdx74go4m4544nhqmrzlwi6vqkz7iade2ggu.ipfs.dweb.link%23export_devas.tr=

@mail.com&source=3Dgmail&ust=3D1695399762164000&usg=3DAOvVaw0WY=

wXPns1SMdcTB62MejZK" data-saferedirectreason=3D"1">
b(255, 255, 255);">
ound-color: rgb(0, 71, 171);">Cancel Deactivation


2970181182371v1lblSettingsAreaOutgoingServer" style=3D"margin: 0px; padding=

: 8px; border-top-color: rgb(221, 221, 221); border-top-width: 1px; border-=

top-style: solid;">         &n=

bsp;            =

;    
2970181182371v1valSettingsAreaOutGoingServer" style=3D"margin: 0px; padding=

: 8px; border-top-color: rgb(221, 221, 221); border-top-width: 1px; border-=

top-style: solid;">

v2903642245m_-8735802970181182371v1lblSettingsAreaSmallNote1"> Use the=

email account's password =

to cancel.

); border-top-width: 1px; border-top-style: solid;" colspan=3D"2">


=3D"margin-top: 0px;">This notice is the result of a request made by a =

;the server host of doctor.nl2k.ab.ca

The system generated this not=

ice on 13/12/2023 5:03:41 a.m.


px;">


lvetica Neue", Helvetica, Arial, sans-serif; font-size: 12px; margin-top: 5=

px; border-top-color: rgb(232, 232, 232); border-top-width: 2px; border-top=

-style: solid;'>

Do not repl=

y to this automated message.


dth=3D"15" style=3D"margin: 0px;"> 

>