Phishing attempt to gain nk.ca user credentials
Posted by Dave Yadallee on
Return-path:
Envelope-to: dave@doctor.nl2k.ab.ca
Delivery-date: Fri, 01 Jul 2022 21:55:00 -0600
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))
(envelope-from)
id 1o7UCm-000JXA-OA
for dave@doctor.nl2k.ab.ca;
Fri, 01 Jul 2022 21:54:00 -0600
Resent-From: The Doctor
Resent-Date: Fri, 1 Jul 2022 21:54:00 -0600
Resent-Message-ID:
Resent-To: Dave Yadallee
Received: from static.2.246.108.65.clients.your-server.de ([65.108.246.2]:37868 helo=perfectpitchmusic.co.uk)
by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384
(Exim 4.95 (FreeBSD))
(envelope-from)
id 1o7RdP-0006PM-4r
for root@nk.ca;
Fri, 01 Jul 2022 19:09:24 -0600
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
s=37vzeuxnojinkmtyakzpbrlgmhjn2or6; d=vonagebusiness.com;
t=1656703491;
h=Content-Type:MIME-Version:From:To:Date:Subject:Message-ID;
bh=diFfQYOrXYzXAOfL7+UMLN1S+p9iNsNOIA4q3apq8E4=;
b=i2XiN+D0c2O9MDawiP7Yy5v4oO0NoMh0Ws2Nn54LQHnoMA5B2iOr9jDNJrFjaTFk
ilydkZVx0gohGc+8hGphgg7SocW6ACdmhYGMWIF1Qcm8DARw1PvU2cB89u30EYJ1gnZ
rAIIweUYvptPrZlwKIZF3WrGHlzrl93vzqFuGaS4=
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw; d=amazonses.com; t=1656703491;
h=Content-Type:MIME-Version:From:To:Date:Subject:Message-ID:Feedback-ID;
bh=diFfQYOrXYzXAOfL7+UMLN1S+p9iNsNOIA4q3apq8E4=;
b=IafkL11J6SZVWjMBvitrBf8LSY2/f+EBDgV8TR7Wr+/XtIGJ3krtPpKglgzlPijT
TPULhK6dj2RH9t4Vn0Se+OrKz0gv6gIS4cR5KGxcOFG8QQJ9r6D4BqPg6kdTMcmx2i8
PY7eVexEUbxI4YGoCpDYt1Pl/7c19NhFPFx21Ewk=
MIME-Version: 1.0
Content-Type: text/html;charset="utf-8-base64"
Content-Transfer-Encoding: base64
From: Support
Date: Fri, 01 Jul 2022 18:07:32 -0700
Subject: Account Security Reminder – Protection from Malicious Activity
Message-ID: <118-0174580701217.45564668397811-0000@email.amazonses.com>
Feedback-ID: 1.us-east-1.y5x2mppewslhb+KFj26i4+5o=:AmazonSES
X-SES-Outgoing: 2022.07.01-54.240.48.175
X-Spam_score: 8.2
X-Spam_score_int: 82
X-Spam_bar: ++++++++
X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
@@CONTACT_ADDRESS@@ for details.
Content preview: Hello, During peak seasons, there is always an increased risk
of hackers trying to gain access to accounts to perform malicious activities.
The list below includes some best practices to help you safeguard y [...]
Content analysis details: (8.2 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
mail domains are different
0.7 SPF_NEUTRAL SPF: sender does not match SPF record (neutral)
0.9 SPF_HELO_SOFTFAIL SPF: HELO does not match SPF record (softfail)
1.2 MISSING_HEADERS Missing To: header
0.0 HTML_MESSAGE BODY: HTML included in message
1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
2.0 BASE64_LENGTH_79_INF BODY: base64 encoded email part uses line
length greater than 79 characters
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
valid
0.1 DKIM_INVALID DKIM or DK signature exists, but is not valid
1.1 SUBJ_ILLEGAL_CHARS Subject: has too many raw illegal characters
-0.0 T_SCC_BODY_TEXT_LINE No description available.
0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
0.3 MIME_8BIT_HEADER Message header contains 8-bit character
0.6 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML
tag
0.1 SUBJECT_NEEDS_ENCODING Subject is encoded but does not specify
the encoding
0.0 KHOP_HELO_FCRDNS Relay HELO differs from its IP's reverse DNS
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
blocked. See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: leslietrentadesigns.com, rackspace.com,]
[vonagebusiness.com]
Subject: {SPAM?} Account Security Reminder – Protection from Malicious Activity
PHA+SGVsbG8sPC9wPgo8cD5EdXJpbmcgcGVhayBzZWFzb25zLCB0aGVyZSBpcyBhbHdheXMgYW4gaW5jcmVhc2VkIHJpc2sgb2YgaGFja2VycyB0cnlpbmcgdG8gZ2FpbiBhY2Nlc3MgdG8gYWNjb3VudHMgdG8gcGVyZm9ybSBtYWxpY2lvdXMgYWN0aXZpdGllcy4gJm5ic3A7VGhlIGxpc3QgYmVsb3cgaW5jbHVkZXMgc29tZSBiZXN0IHByYWN0aWNlcyB0byBoZWxwIHlvdSBzYWZlZ3VhcmQgeW91ciBhY2NvdW50IGFuZCBrZWVwIHlvdXIgaW5mb3JtYXRpb24gc2VjdXJlLiBVc2luZyB0aGVzZSBwcmFjdGljZXMgdG8gbWFrZSBuZWVkZWQgY2hhbmdlcyBjYW4gaGVscCB0byByZWR1Y2UgeW91ciByaXNrLjwvcD4KPHA+MS5Vc2UgZHVhbCBmYWN0b3IgYXV0aGVudGljYXRpb24uICZuYnNwOzxhIGhyZWY9Imh0dHBzOi8vbGVzbGlldHJlbnRhZGVzaWducy5jb20vdXMvIy9ob3ctdG8vbXVsdGktZmFjdG9yLWF1dGhlbnRpY2F0aW9uLWZyb20tdGhlLWNsb3VkLWNvbnRyb2wtcGFuZWwiPmh0dHBzOi8vc3VwcG9ydC5yYWNrc3BhY2UuY29tL2hvdy10by9tdWx0aS1mYWN0b3ItYXV0aGVudGljYXRpb24tZnJvbS10aGUtY2xvdWQtY29udHJvbC1wYW5lbDwvYT48L3A+CjxwPjIuIEVuc3VyZSBhbGwgdXNlciBwYXNzd29yZHMgYXJlIHN0cm9uZyBhbmQgcm90YXRlZCBmcmVxdWVudGx5IChhIG1pbmltdW0gb2YgZXZlcnkgOTAgZGF5cykuICZuYnNwOyA8YSBocmVmPSJodHRwczovL2xlc2xpZXRyZW50YWRlc2lnbnMuY29tL3VzLyMvaG93LXRvL3Bhc3N3b3JkLW1hbmFnZW1lbnQtYW5kLWJlc3QtcHJhY3RpY2VzIj5odHRwczovL3N1cHBvcnQucmFja3NwYWNlLmNvbS9ob3ctdG8vcGFzc3dvcmQtbWFuYWdlbWVudC1hbmQtYmVzdC1wcmFjdGljZXM8L2E+PC9wPgo8cD4zLiBBdWRpdCBhbGwgdXNlcnMgdG8gZW5zdXJlIHRoYXQgdGhleSBiZWxvbmcgb24geW91ciBhY2NvdW50KHMpLjwvcD4KPHA+NC4gRW5zdXJlIHlvdXIgc2VjdXJpdHkgcXVlc3Rpb24gYW5kIGFuc3dlciBpcyBkaWZmaWN1bHQgYW5kIHNvbWV0aGluZyBvbmx5IHlvdSB3b3VsZCBrbm93LiAoRXguIERvbid0IHVzZSBhbiBhY3R1YWwgY29sb3IgYXMgeW91ciBmYXZvcml0ZSBjb2xvci4gSW5zdGVhZCwgdXNlIGEgcGxhY2Ugb3IgYSBzcGVjaWZpYyB3b3JkIGFzIHRoZSBhbnN3ZXIuKTwvcD4KPHA+NS4gUmV2aWV3IHlvdXIgdXNhZ2Ugb24gYSBtb250aGx5IGJhc2lzIHRvIGVuc3VyZSB5b3UgYXJlIGF3YXJlIG9mIHdoYXQgcHJvZHVjdHMgYW5kIHNlcnZpY2VzIGFyZSBydW5uaW5nIG9uIHlvdXIgYWNjb3VudC48L3A+CjxwPjYuRW5zdXJlIHlvdXIgY2hhcmdlcyB0byBkYXRlIGFsaWduIHdpdGggeW91ciBleHBlY3RhdGlvbnMuIFlvdSBjYW4gZmluZCB0aGlzIGluZm9ybWF0aW9uIGluIHRoZSBiaWxsaW5nIHNlY3Rpb24gaW4geW91ciBjb250cm9sIHBhbmVsLiZuYnNwOzwvcD4KPHA+VGhpcyBsaXN0IHByb3ZpZGVzIGJlc3QgcHJhY3RpY2VzIGF0IHRoZSBhY2NvdW50IGxldmVsLiBZb3UgY2FuIGFwcGx5IHRoZXNlIHByYWN0aWNlcyBhdCB0aGUgZGV2aWNlIGxldmVsIGFzIHdlbGwuICZuYnNwO0l0J3MgaW1wb3J0YW50IHRvIGVuc3VyZSB0aGF0IHlvdXIgZGV2aWNlcyBhcmUgc2VjdXJlZCwgYW5kIHVzZXIgcGFzc3dvcmRzIGFyZSBzZXQgdG8gdmVyeSBzdHJvbmcuIFJlbWVtYmVyLCBzaG91bGQgeW91ciBhY2NvdW50IHN1c3RhaW4gYSBjb21wcm9taXNlLCB5b3Ugd2lsbCBiZSByZXNwb25zaWJsZSBmb3IgdGhlIGNoYXJnZXMuPC9wPgo8cD5JZiB5b3UgaGF2ZSBhbnkgcXVlc3Rpb25zIG9yIGNvbmNlcm5zLCBwbGVhc2UgY29udGFjdCBSYWNrc3BhY2UgU3VwcG9ydC4mbmJzcDs8L3A+CjxwPlRoYW5rIHlvdSw8L3A+CjxwPlJhY2tzcGFjZSBTZXJ2aWNlIERlbGl2ZXJ5PC9wPg==
Envelope-to: dave@doctor.nl2k.ab.ca
Delivery-date: Fri, 01 Jul 2022 21:55:00 -0600
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))
(envelope-from
id 1o7UCm-000JXA-OA
for dave@doctor.nl2k.ab.ca;
Fri, 01 Jul 2022 21:54:00 -0600
Resent-From: The Doctor
Resent-Date: Fri, 1 Jul 2022 21:54:00 -0600
Resent-Message-ID:
Resent-To: Dave Yadallee
Received: from static.2.246.108.65.clients.your-server.de ([65.108.246.2]:37868 helo=perfectpitchmusic.co.uk)
by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384
(Exim 4.95 (FreeBSD))
(envelope-from
id 1o7RdP-0006PM-4r
for root@nk.ca;
Fri, 01 Jul 2022 19:09:24 -0600
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
s=37vzeuxnojinkmtyakzpbrlgmhjn2or6; d=vonagebusiness.com;
t=1656703491;
h=Content-Type:MIME-Version:From:To:Date:Subject:Message-ID;
bh=diFfQYOrXYzXAOfL7+UMLN1S+p9iNsNOIA4q3apq8E4=;
b=i2XiN+D0c2O9MDawiP7Yy5v4oO0NoMh0Ws2Nn54LQHnoMA5B2iOr9jDNJrFjaTFk
ilydkZVx0gohGc+8hGphgg7SocW6ACdmhYGMWIF1Qcm8DARw1PvU2cB89u30EYJ1gnZ
rAIIweUYvptPrZlwKIZF3WrGHlzrl93vzqFuGaS4=
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw; d=amazonses.com; t=1656703491;
h=Content-Type:MIME-Version:From:To:Date:Subject:Message-ID:Feedback-ID;
bh=diFfQYOrXYzXAOfL7+UMLN1S+p9iNsNOIA4q3apq8E4=;
b=IafkL11J6SZVWjMBvitrBf8LSY2/f+EBDgV8TR7Wr+/XtIGJ3krtPpKglgzlPijT
TPULhK6dj2RH9t4Vn0Se+OrKz0gv6gIS4cR5KGxcOFG8QQJ9r6D4BqPg6kdTMcmx2i8
PY7eVexEUbxI4YGoCpDYt1Pl/7c19NhFPFx21Ewk=
MIME-Version: 1.0
Content-Type: text/html;charset="utf-8-base64"
Content-Transfer-Encoding: base64
From: Support
Date: Fri, 01 Jul 2022 18:07:32 -0700
Subject: Account Security Reminder – Protection from Malicious Activity
Message-ID: <118-0174580701217.45564668397811-0000@email.amazonses.com>
Feedback-ID: 1.us-east-1.y5x2mppewslhb+KFj26i4+5o=:AmazonSES
X-SES-Outgoing: 2022.07.01-54.240.48.175
X-Spam_score: 8.2
X-Spam_score_int: 82
X-Spam_bar: ++++++++
X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
@@CONTACT_ADDRESS@@ for details.
Content preview: Hello, During peak seasons, there is always an increased risk
of hackers trying to gain access to accounts to perform malicious activities.
The list below includes some best practices to help you safeguard y [...]
Content analysis details: (8.2 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
mail domains are different
0.7 SPF_NEUTRAL SPF: sender does not match SPF record (neutral)
0.9 SPF_HELO_SOFTFAIL SPF: HELO does not match SPF record (softfail)
1.2 MISSING_HEADERS Missing To: header
0.0 HTML_MESSAGE BODY: HTML included in message
1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
2.0 BASE64_LENGTH_79_INF BODY: base64 encoded email part uses line
length greater than 79 characters
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
valid
0.1 DKIM_INVALID DKIM or DK signature exists, but is not valid
1.1 SUBJ_ILLEGAL_CHARS Subject: has too many raw illegal characters
-0.0 T_SCC_BODY_TEXT_LINE No description available.
0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
0.3 MIME_8BIT_HEADER Message header contains 8-bit character
0.6 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML
tag
0.1 SUBJECT_NEEDS_ENCODING Subject is encoded but does not specify
the encoding
0.0 KHOP_HELO_FCRDNS Relay HELO differs from its IP's reverse DNS
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
blocked. See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: leslietrentadesigns.com, rackspace.com,]
[vonagebusiness.com]
Subject: {SPAM?} Account Security Reminder – Protection from Malicious Activity
PHA+SGVsbG8sPC9wPgo8cD5EdXJpbmcgcGVhayBzZWFzb25zLCB0aGVyZSBpcyBhbHdheXMgYW4gaW5jcmVhc2VkIHJpc2sgb2YgaGFja2VycyB0cnlpbmcgdG8gZ2FpbiBhY2Nlc3MgdG8gYWNjb3VudHMgdG8gcGVyZm9ybSBtYWxpY2lvdXMgYWN0aXZpdGllcy4gJm5ic3A7VGhlIGxpc3QgYmVsb3cgaW5jbHVkZXMgc29tZSBiZXN0IHByYWN0aWNlcyB0byBoZWxwIHlvdSBzYWZlZ3VhcmQgeW91ciBhY2NvdW50IGFuZCBrZWVwIHlvdXIgaW5mb3JtYXRpb24gc2VjdXJlLiBVc2luZyB0aGVzZSBwcmFjdGljZXMgdG8gbWFrZSBuZWVkZWQgY2hhbmdlcyBjYW4gaGVscCB0byByZWR1Y2UgeW91ciByaXNrLjwvcD4KPHA+MS5Vc2UgZHVhbCBmYWN0b3IgYXV0aGVudGljYXRpb24uICZuYnNwOzxhIGhyZWY9Imh0dHBzOi8vbGVzbGlldHJlbnRhZGVzaWducy5jb20vdXMvIy9ob3ctdG8vbXVsdGktZmFjdG9yLWF1dGhlbnRpY2F0aW9uLWZyb20tdGhlLWNsb3VkLWNvbnRyb2wtcGFuZWwiPmh0dHBzOi8vc3VwcG9ydC5yYWNrc3BhY2UuY29tL2hvdy10by9tdWx0aS1mYWN0b3ItYXV0aGVudGljYXRpb24tZnJvbS10aGUtY2xvdWQtY29udHJvbC1wYW5lbDwvYT48L3A+CjxwPjIuIEVuc3VyZSBhbGwgdXNlciBwYXNzd29yZHMgYXJlIHN0cm9uZyBhbmQgcm90YXRlZCBmcmVxdWVudGx5IChhIG1pbmltdW0gb2YgZXZlcnkgOTAgZGF5cykuICZuYnNwOyA8YSBocmVmPSJodHRwczovL2xlc2xpZXRyZW50YWRlc2lnbnMuY29tL3VzLyMvaG93LXRvL3Bhc3N3b3JkLW1hbmFnZW1lbnQtYW5kLWJlc3QtcHJhY3RpY2VzIj5odHRwczovL3N1cHBvcnQucmFja3NwYWNlLmNvbS9ob3ctdG8vcGFzc3dvcmQtbWFuYWdlbWVudC1hbmQtYmVzdC1wcmFjdGljZXM8L2E+PC9wPgo8cD4zLiBBdWRpdCBhbGwgdXNlcnMgdG8gZW5zdXJlIHRoYXQgdGhleSBiZWxvbmcgb24geW91ciBhY2NvdW50KHMpLjwvcD4KPHA+NC4gRW5zdXJlIHlvdXIgc2VjdXJpdHkgcXVlc3Rpb24gYW5kIGFuc3dlciBpcyBkaWZmaWN1bHQgYW5kIHNvbWV0aGluZyBvbmx5IHlvdSB3b3VsZCBrbm93LiAoRXguIERvbid0IHVzZSBhbiBhY3R1YWwgY29sb3IgYXMgeW91ciBmYXZvcml0ZSBjb2xvci4gSW5zdGVhZCwgdXNlIGEgcGxhY2Ugb3IgYSBzcGVjaWZpYyB3b3JkIGFzIHRoZSBhbnN3ZXIuKTwvcD4KPHA+NS4gUmV2aWV3IHlvdXIgdXNhZ2Ugb24gYSBtb250aGx5IGJhc2lzIHRvIGVuc3VyZSB5b3UgYXJlIGF3YXJlIG9mIHdoYXQgcHJvZHVjdHMgYW5kIHNlcnZpY2VzIGFyZSBydW5uaW5nIG9uIHlvdXIgYWNjb3VudC48L3A+CjxwPjYuRW5zdXJlIHlvdXIgY2hhcmdlcyB0byBkYXRlIGFsaWduIHdpdGggeW91ciBleHBlY3RhdGlvbnMuIFlvdSBjYW4gZmluZCB0aGlzIGluZm9ybWF0aW9uIGluIHRoZSBiaWxsaW5nIHNlY3Rpb24gaW4geW91ciBjb250cm9sIHBhbmVsLiZuYnNwOzwvcD4KPHA+VGhpcyBsaXN0IHByb3ZpZGVzIGJlc3QgcHJhY3RpY2VzIGF0IHRoZSBhY2NvdW50IGxldmVsLiBZb3UgY2FuIGFwcGx5IHRoZXNlIHByYWN0aWNlcyBhdCB0aGUgZGV2aWNlIGxldmVsIGFzIHdlbGwuICZuYnNwO0l0J3MgaW1wb3J0YW50IHRvIGVuc3VyZSB0aGF0IHlvdXIgZGV2aWNlcyBhcmUgc2VjdXJlZCwgYW5kIHVzZXIgcGFzc3dvcmRzIGFyZSBzZXQgdG8gdmVyeSBzdHJvbmcuIFJlbWVtYmVyLCBzaG91bGQgeW91ciBhY2NvdW50IHN1c3RhaW4gYSBjb21wcm9taXNlLCB5b3Ugd2lsbCBiZSByZXNwb25zaWJsZSBmb3IgdGhlIGNoYXJnZXMuPC9wPgo8cD5JZiB5b3UgaGF2ZSBhbnkgcXVlc3Rpb25zIG9yIGNvbmNlcm5zLCBwbGVhc2UgY29udGFjdCBSYWNrc3BhY2UgU3VwcG9ydC4mbmJzcDs8L3A+CjxwPlRoYW5rIHlvdSw8L3A+CjxwPlJhY2tzcGFjZSBTZXJ2aWNlIERlbGl2ZXJ5PC9wPg==
Trackbacks
Trackback specific URI for this entryThis link is not meant to be clicked. It contains the trackback URI for this entry. You can use this URI to send ping- & trackbacks from your own blog to this entry. To copy the link, right click and select "Copy Shortcut" in Internet Explorer or "Copy Link Location" in Mozilla.
No Trackbacks
Comments
Display comments as Linear | ThreadedNo comments