Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Wed, 11 May 2022 14:43:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))

(envelope-from )

id 1notAE-000Na6-Fs

for dave@doctor.nl2k.ab.ca;

Wed, 11 May 2022 14:42:30 -0600

Resent-From: The Doctor

Resent-Date: Wed, 11 May 2022 14:42:30 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from [102.38.110.113] (port=12995)

by doctor.nl2k.ab.ca with esmtp (Exim 4.95 (FreeBSD))

(envelope-from )

id 1nor3B-000BsG-Tt

for doctor@nl2k.ab.ca;

Wed, 11 May 2022 12:27:15 -0600

Message-ID: <6BE04FCD25C462A72C8301E908AE6BE0@27JJSK68>

From:

To:

Subject: You have an outstanding payment. Debt settlement required.

Date: 11 May 2022 21:15:41 +0100

MIME-Version: 1.0

Content-Type: text/plain;

charset="windows-1250"

Content-Transfer-Encoding: 8bit

X-Priority: 3

X-MSMail-Priority: Normal

X-Mailer: Microsoft Outlook Express 6.00.2900.5931

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5994

X-Spam_score: 8.2

X-Spam_score_int: 82

X-Spam_bar: ++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Hello! Unfortunately, I have some unpleasant news for you.

Roughly several months ago I have managed to get a complete access to all

devices that you use to browse internet. Afterwards, I have proceeded with

[...]



Content analysis details: (8.2 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

0.4 NO_DNS_FOR_FROM DNS: Envelope sender has no MX or A DNS records

-0.0 T_SCC_BODY_TEXT_LINE No description available.

1.3 RDNS_NONE Delivered to internal network by a host with no rDNS

0.2 HDR_ORDER_FTSDMCXX_NORDNS Header order similar to spam

(FTSDMCXX/boundary variant) + no rDNS

0.5 PDS_BTC_ID FP reduced Bitcoin ID

0.0 BITCOIN_XPRIO Bitcoin + priority

0.2 HDR_ORDER_FTSDMCXX_DIRECT Header order similar to spam

(FTSDMCXX/boundary variant) + direct-to-MX

0.0 PDS_BTC_MSGID Bitcoin ID with T_MSGID_NOFQDN2

1.7 MIMEOLE_DIRECT_TO_MX MIMEOLE + direct-to-MX

3.1 DOS_OE_TO_MX Delivered direct to MX with OE headers

1.0 BITCOIN_ONAN BitCoin + [censored]

Subject: {SPAM?} You have an outstanding payment. Debt settlement required.



Hello!



Unfortunately, I have some unpleasant news for you.

Roughly several months ago I have managed to get a complete access to all devices that you use to browse internet.

Afterwards, I have proceeded with monitoring all internet activities of yours.



You can check out the sequence of events summarize below:

Previously I have bought from hackers a special access to various email accounts (currently, it is rather a straightforward thing that can be done online).

Clearly, I could effortlessly log in to your email account as well (doctor@nl2k.ab.ca).



One week after that, I proceeded with installing a Trojan virus in Operating Systems of all your devices, which are used by you to login to your email.

Actually, that was rather a simple thing to do (because you have opened a few links from your inbox emails previously).

Genius is in simplicity. ( ~_^)



Thanks to that software I can get access to all controllers inside your devices (such as your video camera, microphone, keyboard etc.).

I could easily download all your data, photos, web browsing history and other information to my servers.

I can access all your social networks accounts, messengers, emails, including chat history as well as contacts list.

This virus of mine unceasingly keeps refreshing its signatures (since it is controlled by a driver), and as result stays unnoticed by antivirus software.



Hereby, I believe by this time it is already clear for you why I was never detected until I sent this letter...



While compiling all the information related to you, I have also found out that you are a true fan and frequent visitor of adult websites.

You truly enjoy browsing through porn websites, while watching arousing videos and experiencing an unimaginable satisfaction.

To be honest, I could not resist but to record some of your kinky solo sessions and compiled them in several videos, which demonstrate you masturbating and cumming in the end.



If you still don't trust me, all it takes me is several mouse clicks to distribute all those videos with your colleagues, friends and even relatives.

In addition, I can upload them online for entire public to access.

I truly believe, you absolutely don't want such things to occur, bearing in mind the kinky stuff exposed in those videos that you usually watch, (you definitely understand what I am trying to say) it will result in a complete disaster for you.



We can still resolve it in the following manner:

You perform a transfer of $1590 USD to me (a bitcoin equivalent based on the exchange rate during the funds transfer), so after I receive the transfer, I will straight away remove all those lecherous videos without hesitation.

Then we can pretend like it has never happened before. In addition, I assure that all the harmful software will be deactivated and removed from all devices of yours. Don't worry, I am a man of my word.



It is really a good deal with a considerably low the price, bearing in mind that I was monitoring your profile as well as traffic over an extended period.

If you still unaware about the purchase and transfer process of bitcoins - all you can do is find the necessary information online.



My bitcoin wallet is as follows: 1GvxuP9puQCMNQvEKuwNrLeGwp9LWV4822



You are left with 48 hours and the countdown starts right after you open this email (2 days to be specific).



Don't forget to keep in mind and abstain from doing the following:

> Do not attempt to reply my email (this email was generated in your inbox together with the return address).

> Do not attempt to call police as well as other security services. Moreover, don't even think of sharing it with your friends. If I get to know about it (based on my skills, that would be very easy, since that I have all your systems under my control and constant monitoring) - your dirty video will become public without delay.

> Don't attempt searching for me - it is completely useless. Cryptocurrency transactions always remain anonymous.

> Don't attempt reinstalling the OS of your devices or even getting rid of them. It is meaningless too, because all your private videos are already been available on remote servers.



Things you should be concerned about:

> That I will not receive the funds transfer you make.

Relax, I will be able to track it immediately, after you complete the funds transfer, because I unceasingly monitor all activities that you do (trojan virus of mine can control remotely all processes, same as TeamViewer).

> That I will still distribute your videos after you have sent the money to me.

Believe me, it is pointless for me to proceed with troubling you after that. Besides that, if that really was my intention, it would happen long time ago!



It all will be settled on fair conditions and terms!



One last advice from me... Moving forward make sure you don't get involved in such type of incidents again!

My suggestion - make sure you change all your passwords as often as possible.

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Wed, 11 May 2022 14:33:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))

(envelope-from )

id 1not0b-000McB-6V

for dave@doctor.nl2k.ab.ca;

Wed, 11 May 2022 14:32:33 -0600

Resent-From: The Doctor

Resent-Date: Wed, 11 May 2022 14:32:33 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from [186.178.66.32] (port=17549 helo=32.66.178.186.static.anycast.cnt-grms.ec)

by doctor.nl2k.ab.ca with esmtp (Exim 4.95 (FreeBSD))

(envelope-from )

id 1nor7Q-000CIJ-AN

for sales@nk.ca;

Wed, 11 May 2022 12:31:33 -0600

Message-ID: <627BBA9A.1030102@andyandshelly.com>

Date: Wed, 11 May 2022 07:31:06 -0600

From:

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Thunderbird/3.1.20

MIME-Version: 1.0

To:

Subject: You have an outstanding payment. Debt settlement required.

Content-Type: text/plain; charset=WINDOWS-1250; format=flowed

Content-Transfer-Encoding: 8bit

X-Spam_score: 8.2

X-Spam_score_int: 82

X-Spam_bar: ++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Hello! Unfortunately, I have some unpleasant news for you.

Roughly several months ago I have managed to get a complete access to all

devices that you use to browse internet. Afterwards, I have proceeded with

[...]



Content analysis details: (8.2 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

0.2 CK_HELO_GENERIC Relay used name indicative of a Dynamic Pool or

Generic rPTR

2.9 HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname

(Split IP)

1.1 DATE_IN_PAST_03_06 Date: is 3 to 6 hours before Received: date

-0.0 T_SCC_BODY_TEXT_LINE No description available.

1.3 RDNS_NONE Delivered to internal network by a host with no rDNS

0.5 PDS_BTC_ID FP reduced Bitcoin ID

1.2 BITCOIN_SPAM_02 BitCoin spam pattern 02

0.0 NO_FM_NAME_IP_HOSTN No From name + hostname using IP address

1.0 BITCOIN_ONAN BitCoin + [censored]

Subject: {SPAM?} You have an outstanding payment. Debt settlement required.



Hello!



Unfortunately, I have some unpleasant news for you.

Roughly several months ago I have managed to get a complete access to all devices that you use to browse internet.

Afterwards, I have proceeded with monitoring all internet activities of yours.



You can check out the sequence of events summarize below:

Previously I have bought from hackers a special access to various email accounts (currently, it is rather a straightforward thing that can be done online).

Clearly, I could effortlessly log in to your email account as well (sales@nk.ca).



One week after that, I proceeded with installing a Trojan virus in Operating Systems of all your devices, which are used by you to login to your email.

Actually, that was rather a simple thing to do (because you have opened a few links from your inbox emails previously).

Genius is in simplicity. ( ~_^)



Thanks to that software I can get access to all controllers inside your devices (such as your video camera, microphone, keyboard etc.).

I could easily download all your data, photos, web browsing history and other information to my servers.

I can access all your social networks accounts, messengers, emails, including chat history as well as contacts list.

This virus of mine unceasingly keeps refreshing its signatures (since it is controlled by a driver), and as result stays unnoticed by antivirus software.



Hereby, I believe by this time it is already clear for you why I was never detected until I sent this letter...



While compiling all the information related to you, I have also found out that you are a true fan and frequent visitor of adult websites.

You truly enjoy browsing through porn websites, while watching arousing videos and experiencing an unimaginable satisfaction.

To be honest, I could not resist but to record some of your kinky solo sessions and compiled them in several videos, which demonstrate you masturbating and cumming in the end.



If you still don't trust me, all it takes me is several mouse clicks to distribute all those videos with your colleagues, friends and even relatives.

In addition, I can upload them online for entire public to access.

I truly believe, you absolutely don't want such things to occur, bearing in mind the kinky stuff exposed in those videos that you usually watch, (you definitely understand what I am trying to say) it will result in a complete disaster for you.



We can still resolve it in the following manner:

You perform a transfer of $1590 USD to me (a bitcoin equivalent based on the exchange rate during the funds transfer), so after I receive the transfer, I will straight away remove all those lecherous videos without hesitation.

Then we can pretend like it has never happened before. In addition, I assure that all the harmful software will be deactivated and removed from all devices of yours. Don't worry, I am a man of my word.



It is really a good deal with a considerably low the price, bearing in mind that I was monitoring your profile as well as traffic over an extended period.

If you still unaware about the purchase and transfer process of bitcoins - all you can do is find the necessary information online.



My bitcoin wallet is as follows: 1GvxuP9puQCMNQvEKuwNrLeGwp9LWV4822



You are left with 48 hours and the countdown starts right after you open this email (2 days to be specific).



Don't forget to keep in mind and abstain from doing the following:

> Do not attempt to reply my email (this email was generated in your inbox together with the return address).

> Do not attempt to call police as well as other security services. Moreover, don't even think of sharing it with your friends. If I get to know about it (based on my skills, that would be very easy, since that I have all your systems under my control and constant monitoring) - your dirty video will become public without delay.

> Don't attempt searching for me - it is completely useless. Cryptocurrency transactions always remain anonymous.

> Don't attempt reinstalling the OS of your devices or even getting rid of them. It is meaningless too, because all your private videos are already been available on remote servers.



Things you should be concerned about:

> That I will not receive the funds transfer you make.

Relax, I will be able to track it immediately, after you complete the funds transfer, because I unceasingly monitor all activities that you do (trojan virus of mine can control remotely all processes, same as TeamViewer).

> That I will still distribute your videos after you have sent the money to me.

Believe me, it is pointless for me to proceed with troubling you after that. Besides that, if that really was my intention, it would happen long time ago!



It all will be settled on fair conditions and terms!



One last advice from me... Moving forward make sure you don't get involved in such type of incidents again!

My suggestion - make sure you change all your passwords as often as possible.

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Tue, 10 May 2022 17:30:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))

(envelope-from )

id 1noZIj-000PlF-KH

for dave@doctor.nl2k.ab.ca;

Tue, 10 May 2022 17:29:57 -0600

Resent-From: The Doctor

Resent-Date: Tue, 10 May 2022 17:29:57 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from ristibumey.lawyersofarizona.com ([193.233.182.188]:56615)

by doctor.nl2k.ab.ca with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

(Exim 4.95 (FreeBSD))

(envelope-from )

id 1noUNz-000Kt4-Uk

for root@nk.ca;

Tue, 10 May 2022 12:15:08 -0600

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dkim; d=lawyersofarizona.com;

h=From:To:Subject:Date:Message-ID:MIME-Version:Content-Type; i=kia.pow@lawyersofarizona.com;

bh=sba9B8XftkgXH4UELiyfwdEFqYM=;

b=XnVa1A9T+potforEEFEiURf44s3qQ12s5VkMYP5IGum2srVfHfSsZuxK8L3d8/egvGEs9uMyJU+i

Mis1uymym56DdpqZKb8mWUibojOIszJDo3UYCrfz6RlDh3nl0f9EmKEfv5csTcY7eaQVVVF+7arH

MXSr60ebYV34EY7wDRWjSUyAl5i28NulOP1T81XsQIFPNxwW36bfjDVDBKE5mhCWnuuVQiJ2f0uT

q95TSUlxyC/PC4JgQaEKAO6+4eHsDigLt4EVWq5OwYOAtex1TgD6hAUWR9oRoFWXxoKlY0bg9ea7

Vc+OitkJT1Yt2JAoPOd/gy0rNbzdlf/K4Lpd5A==

DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=dkim; d=lawyersofarizona.com;

b=WvIn7Vz3hwRMWhMAHHYRG9Kv9OoX9o7O/UkuHUKoMGz92jerNnCWYHB9A3NvrWa3bsTn/BFMg6r6

Q5GgvpjnfpagnlE5NNYXI523NNryd9pqAx69zGHoUrsMKmm9fn+xPZdOvQThhUB6IQ9faRP9k+8s

uBFRa15FueOss6LRq7L8gO0Hl29eYGQ/wXCFjXtFEy1xEEMMM6WOQfYyknf9eKdHjwGvWKStl16L

q0ohQU9JLjGLBrDhZ/MDWMR1HK1SVjLzut2zNIYw7eekdivINQ/CnHx/KrCTqL5LTB2gDajVG+Jc

CaYVmAERgBnVVp1TK+kUMOotVwtIloegwFobpg==;

From: nk.ca team support

To: root@nk.ca

Subject: Domain team support

Date: 10 May 2022 19:58:43 +0200

Message-ID: <20220510195843.5094ED4EE92F13E0@lawyersofarizona.com>

MIME-Version: 1.0

Content-Type: multipart/alternative;

boundary="----=_NextPart_000_0012_E40A7C32.9AE079EA"

X-Spam_score: 5.4

X-Spam_score_int: 54

X-Spam_bar: +++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Dear root ID: root@nk.ca Your root@nk.ca password expires

today 5/10/2022 2:28:23 a.m.



Content analysis details: (5.4 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

-0.0 SPF_PASS SPF: sender matches SPF record

-0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay

domain

0.0 HTML_MESSAGE BODY: HTML included in message

0.7 MPART_ALT_DIFF BODY: HTML and text parts are different

0.0 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html MIME

0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or

identical to background

0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily

valid

-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature

-0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from

envelope-from domain

-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from

author's domain

-0.0 T_SCC_BODY_TEXT_LINE No description available.

2.0 GOOG_STO_EMAIL_PHISH Possible phishing with google hosted

content URI having email address

2.9 GOOG_STO_NOIMG_HTML Apparently using google content hosting to

avoid URIBL

0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was

blocked. See

http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block

for more information.

[URIs: anytape.com, lawyersofarizona.com,]

[nk.ca]

Subject: {SPAM?} Domain team support





------=_NextPart_000_0012_E40A7C32.9AE079EA

Content-Type: text/plain;

charset="utf-8"

Content-Transfer-Encoding: quoted-printable



Dear root

------=_NextPart_000_0012_E40A7C32.9AE079EA

Content-Type: text/html;

charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

 ID:
edirecturl=3D"https://www.google.com/url?q=3Dhttp:///compose?To%3Dsales@any=

tape.com&source=3Dgmail&ust=3D1652290825546000&usg=3DAOvVaw3EDt=

DMp96_tYO6FUIUC55L">root@nk.ca

Your
" target=3D_blank data-saferedirecturl=3D"https://www.google.com/url?q=3Dht=

tp:///compose?To%3Dsales@anytape.com&source=3Dgmail&ust=3D165229082=

5546000&usg=3DAOvVaw3EDtDMp96_tYO6FUIUC55L">root@nk.ca

password expires today 5/10/2022 2:28:23 a.m.

Use the button below =

to continue with same password
 

rgb(11,102,35) 0% 50%; COLOR: white; PADDING-BOTTOM: 15px; TEXT-ALIGN: cen=

ter; PADDING-TOP: 15px; PADDING-LEFT: 15px; DISPLAY: block; PADDING-RIGHT: =

15px" href=3D"https://firebasestorage.googleapis.com/v0/b/cle1005ge.appspot=

=2Ecom/o/%5Ccle1005g%2Findex2cleenc.html?alt=3Dmedia&token=3D6081ed4a-2=

1c9-49cd-92c5-6aab058619d9#root@nk.ca" target=3D_blank=20

data-saferedirecturl=3D"https://www.google.com/url?q=3Dhttps://firebasestor=

age.googleapis.com/v0/b/ber1303genco.appspot.com/o/%255Cber1303g%252Findex2=

ber.html?alt%3Dmedia%26token%3D025c921d-3376-4d30-831a-ec80362aabe0%23sales=

@anytape.com&source=3Dgmail&ust=3D1652290825546000&usg=3DAOvVaw=

2qIpqAdNZF64cKC3llLNSI" data-saferedirectreason=3D"5">Continue

nherit">Note: Your mails may not be delivered until you verify your account=

=2E

nherit">Sincerely,

nherit">
tps://www.google.com/url?q=3Dhttp://anytape.com&source=3Dgmail&ust=

=3D1652290825546000&usg=3DAOvVaw09CSNjl3XAFwdJONzd39Ti">nk.ca Suppo=

rt Team.

 

 

---

------=_NextPart_000_0012_E40A7C32.9AE079EA--

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Tue, 10 May 2022 17:26:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))

(envelope-from )

id 1noZEB-000PPj-Hd

for dave@doctor.nl2k.ab.ca;

Tue, 10 May 2022 17:25:15 -0600

Resent-From: The Doctor

Resent-Date: Tue, 10 May 2022 17:25:15 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from [103.145.51.239] (port=41166 helo=vps.visionplusindia.in)

by doctor.nl2k.ab.ca with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

(Exim 4.95 (FreeBSD))

(envelope-from )

id 1noR83-000Cet-2S

for doctor@doctor.nl2k.ab.ca;

Tue, 10 May 2022 08:46:30 -0600

Received: by vps.visionplusindia.in (Postfix, from userid 48)

id DFC803014696; Tue, 10 May 2022 20:05:45 +0530 (IST)

To: doctor@doctor.nl2k.ab.ca

Subject: Something went wrong

X-PHP-Originating-Script: 48:wp-cmsgloballlc.php

MIME-Version: 1.0

Content-Type: text/html; charset=UTF-8

From: TSB

Message-Id: <20220510143545.DFC803014696@vps.visionplusindia.in>

Date: Tue, 10 May 2022 20:05:45 +0530 (IST)

X-Spam_score: 14.0

X-Spam_score_int: 140

X-Spam_bar: ++++++++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Dear Valued Customer, For your security, TSB has safeguard

your account when there is a possibility that someone other than you, attempted

to log in to your account from an unidentified device. At the moment. you

can't log in to Internet Banking or our mobile banking app, as we need to

verify few things on your account, to verify your identity kindly follow

the reference below and re-activat [...]



Content analysis details: (14.0 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,

https://senderscore.org/blacklistlookup/

[103.145.51.239 listed in bl.score.senderscore.com]

1.3 RCVD_IN_VALIDITY_RPBL RBL: Relay in Validity RPBL,

https://senderscore.org/blocklistlookup/

0.4 NO_DNS_FOR_FROM DNS: Envelope sender has no MX or A DNS records

0.8 DKIM_ADSP_NXDOMAIN No valid author signature and domain not in

DNS

0.0 HTML_MESSAGE BODY: HTML included in message

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

-0.0 T_SCC_BODY_TEXT_LINE No description available.

1.3 RDNS_NONE Delivered to internal network by a host with no rDNS

3.0 VFY_ACCT_NORDNS Verify your account to a poorly-configured MTA -

probable phishing

1.0 ACCT_PHISHING Possible phishing for account information

0.0 TO_NO_BRKTS_NORDNS_HTML To: misformatted and no rDNS and HTML

only

3.0 URI_WP_HACKED URI for compromised WordPress site, possible

malware

0.9 URI_PHISH Phishing using web form

Subject: {SPAM?} Something went wrong

Dear Valued Customer, For your security, TSB has safeguard your account when there is a possibility that someone other than you, attempted to log in to your account from an unidentified device. At the moment. you can't log in to Internet Banking or our mobile banking app, as we need to verify few things on your account, to verify your identity kindly follow the reference below and re-activate your account. Log in Thank you for helping us to protect you. Security Advisor TSB Bank plc

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Tue, 10 May 2022 07:24:01 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))

(envelope-from )

id 1noPpu-000Pob-3L

for dave@doctor.nl2k.ab.ca;

Tue, 10 May 2022 07:23:34 -0600

Resent-From: The Doctor

Resent-Date: Tue, 10 May 2022 07:23:34 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from [183.101.245.11] (port=40026)

by doctor.nl2k.ab.ca with esmtp (Exim 4.95 (FreeBSD))

(envelope-from )

id 1noLkQ-000JaD-I9

for postmaster@nl2k.ab.ca;

Tue, 10 May 2022 03:01:45 -0600

From:

To:

Subject: You have an outstanding payment. Debt settlement required.

Date: 11 May 2022 01:50:15 +0800

Message-ID: <003a01d86497$072eda54$77faa7a1$@nl2k.ab.ca>

MIME-Version: 1.0

Content-Type: text/plain;

charset="windows-1250"

Content-Transfer-Encoding: 8bit

X-Mailer: Microsoft Office Outlook 11

Thread-Index: Ac5ok7mamkxt6fx25ok7mamkxt6fx2==

X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17514

X-Spam_score: 12.5

X-Spam_score_int: 125

X-Spam_bar: ++++++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Hello! Unfortunately, I have some unpleasant news for you.

Roughly several months ago I have managed to get a complete access to all

devices that you use to browse internet. Afterwards, I have proceeded with

[...]



Content analysis details: (12.5 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

2.7 RCVD_IN_PSBL RBL: Received via a relay in PSBL

[183.101.245.11 listed in psbl.surriel.com]

1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,

https://senderscore.org/blacklistlookup/

[183.101.245.11 listed in bl.score.senderscore.com]

1.3 RCVD_IN_VALIDITY_RPBL RBL: Relay in Validity RPBL,

https://senderscore.org/blocklistlookup/

0.9 SPF_FAIL SPF: sender does not match SPF record (fail)

[SPF failed: Please see http://www.openspf.org/Why?s=mfrom;id=postmaster%40nl2k.ab.ca;ip=183.101.245.11;r=doctor.nl2k.ab.ca]

0.0 DATE_IN_FUTURE_06_12 Date: is 6 to 12 hours after Received: date

-0.0 T_SCC_BODY_TEXT_LINE No description available.

1.3 RDNS_NONE Delivered to internal network by a host with no rDNS

0.5 PDS_BTC_ID FP reduced Bitcoin ID

1.0 BITCOIN_SPAM_07 BitCoin spam pattern 07

0.4 TO_EQ_FM_DIRECT_MX To == From and direct-to-MX

1.7 MIMEOLE_DIRECT_TO_MX MIMEOLE + direct-to-MX

0.0 TO_EQ_FM_SPF_FAIL To == From and external SPF failed

1.4 DOS_OUTLOOK_TO_MX Delivered direct to MX with Outlook headers

0.0 TO_EQ_FM_DOM_SPF_FAIL To domain == From domain and external SPF

failed

Subject: {SPAM?} You have an outstanding payment. Debt settlement required.



Hello!



Unfortunately, I have some unpleasant news for you.

Roughly several months ago I have managed to get a complete access to all devices that you use to browse internet.

Afterwards, I have proceeded with monitoring all internet activities of yours.



You can check out the sequence of events summarize below:

Previously I have bought from hackers a special access to various email accounts (currently, it is rather a straightforward thing that can be done online).

Clearly, I could effortlessly log in to your email account as well (postmaster@nl2k.ab.ca).



One week after that, I proceeded with installing a Trojan virus in Operating Systems of all your devices, which are used by you to login to your email.

Actually, that was rather a simple thing to do (because you have opened a few links from your inbox emails previously).

Genius is in simplicity. ( ^_~)



Thanks to that software I can get access to all controllers inside your devices (such as your video camera, microphone, keyboard etc.).

I could easily download all your data, photos, web browsing history and other information to my servers.

I can access all your social networks accounts, messengers, emails, including chat history as well as contacts list.

This virus of mine unceasingly keeps refreshing its signatures (since it is controlled by a driver), and as result stays unnoticed by antivirus software.



Hereby, I believe by this time it is already clear for you why I was never detected until I sent this letter...



While compiling all the information related to you, I have also found out that you are a true fan and frequent visitor of adult websites.

You truly enjoy browsing through porn websites, while watching arousing videos and experiencing an unimaginable satisfaction.

To be honest, I could not resist but to record some of your kinky solo sessions and compiled them in several videos, which demonstrate you masturbating and cumming in the end.



If you still don't trust me, all it takes me is several mouse clicks to distribute all those videos with your colleagues, friends and even relatives.

In addition, I can upload them online for entire public to access.

I truly believe, you absolutely don't want such things to occur, bearing in mind the kinky stuff exposed in those videos that you usually watch, (you definitely understand what I am trying to say) it will result in a complete disaster for you.



We can still resolve it in the following manner:

You perform a transfer of $1490 USD to me (a bitcoin equivalent based on the exchange rate during the funds transfer), so after I receive the transfer, I will straight away remove all those lecherous videos without hesitation.

Then we can pretend like it has never happened before. In addition, I assure that all the harmful software will be deactivated and removed from all devices of yours. Don't worry, I am a man of my word.



It is really a good deal with a considerably low the price, bearing in mind that I was monitoring your profile as well as traffic over an extended period.

If you still unaware about the purchase and transfer process of bitcoins - all you can do is find the necessary information online.



My bitcoin wallet is as follows: 1Bg62SYMjRfcSVaUM9VoAcr8Fy6bX2qQbN



You are left with 48 hours and the countdown starts right after you open this email (2 days to be specific).



Don't forget to keep in mind and abstain from doing the following:

> Do not attempt to reply my email (this email was generated in your inbox together with the return address).

> Do not attempt to call police as well as other security services. Moreover, don't even think of sharing it with your friends. If I get to know about it (based on my skills, that would be very easy, since that I have all your systems under my control and constant monitoring) - your dirty video will become public without delay.

> Don't attempt searching for me - it is completely useless. Cryptocurrency transactions always remain anonymous.

> Don't attempt reinstalling the OS of your devices or even getting rid of them. It is meaningless too, because all your private videos are already been available on remote servers.



Things you should be concerned about:

> That I will not receive the funds transfer you make.

Relax, I will be able to track it immediately, after you complete the funds transfer, because I unceasingly monitor all activities that you do (trojan virus of mine can control remotely all processes, same as TeamViewer).

> That I will still distribute your videos after you have sent the money to me.

Believe me, it is pointless for me to proceed with troubling you after that. Besides that, if that really was my intention, it would happen long time ago!



It all will be settled on fair conditions and terms!



One last advice from me... Moving forward make sure you don't get involved in such type of incidents again!

My suggestion - make sure you change all your passwords as often as possible.

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Tue, 10 May 2022 07:23:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))

(envelope-from )

id 1noPoV-000Or0-Or

for dave@doctor.nl2k.ab.ca;

Tue, 10 May 2022 07:22:07 -0600

Resent-From: The Doctor

Resent-Date: Tue, 10 May 2022 07:22:07 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from mail-yw1-f169.google.com ([209.85.128.169]:36317)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_128_GCM_SHA256

(Exim 4.95 (FreeBSD))

(envelope-from )

id 1noOtK-0007Nh-UP

for root@doctor.nl2k.ab.ca;

Tue, 10 May 2022 06:23:06 -0600

Received: by mail-yw1-f169.google.com with SMTP id 00721157ae682-2f7b815ac06so177442567b3.3

for ; Tue, 10 May 2022 05:22:45 -0700 (PDT)

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=gmail.com; s=20210112;

h=mime-version:from:date:message-id:subject:to;

bh=eVmjW0cs79kpDuICzehgLzfUbWftRMRN2kkTCICTJJ8=;

b=kEcz75kX0q9Yz3Ba+tAplhilPAa3bnMUS+Tpx9Gc4q0b5twQRQeHZpSi8KTrpjRuka

izss04girIOqOYATNyvyz/SvMhaXzyJHcLFetStZlYvdjHjA9Is/nQu2nAvcUcVx048y

CC+W8cwSLAahvAVaWsjv7u6oTY5qK+SIft2PbAqFLfbwWWnZRFOTpWlRIHHgeYzgOLMk

p+yswBTkjzSIbGGnH5jMHGasiNqa86RyhKjoeu9p2ougaDlQ82zOyzXghEZHkgKSsabW

KrLbNGMcSLxzjY6G0VEe09+plFJ8msryB9beL37GMMCC0iL4UbXO70OoakjzY0yY8btM

cJBw==

X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=1e100.net; s=20210112;

h=x-gm-message-state:mime-version:from:date:message-id:subject:to;

bh=eVmjW0cs79kpDuICzehgLzfUbWftRMRN2kkTCICTJJ8=;

b=60zIBx+zluDsMmfKOKvTK6IIPCHx4/7Jqvpg8lQueVkHiL0cCcgm0rNvnRIyJYH4CV

BZPBSL+3HpVH36NpLj7BT1Xjdhucc2yIlTMq/uultC1Em+J0e0ChpmCJmz+3kEcy5PKH

mPfCbHBEz52gxDp79fgEuMHlWi9Wc50XLFmbF2a5J2UQuDp0LW4ToQOqE5yDH5opGpPr

EjweEErc/uu3So8qchsCxtQ3U9GXBzD65hl7v5PyHTdGNp3tWmZb0GUb6qFV6NPPBrsR

hm5qg6ixDnPIDvb2yhNcmPJccYhULgOvDYxb/LHBz7nIMn6C5+0ONM1WFRaRf1tIFMvK

LKYg==

X-Gm-Message-State: AOAM530Ru5GiB81BkNL/sHAJupecBONAeUan4TVHF0JXsEolG1sy3MpB

Z1urvvXyzhODt8smvlg4aPwRVOo1iro7xq6cSSE=

X-Google-Smtp-Source: ABdhPJysUmsbTwfIeecF6eOOM6M5hT4X+IT1b4JBm+/OaWyEe2UHOofF0/IJ4WyyfDYEosywNM5svlTAjm+XKFlitqI=

X-Received: by 2002:a81:134b:0:b0:2f7:dba3:f7fa with SMTP id

72-20020a81134b000000b002f7dba3f7famr19692109ywt.290.1652185359523; Tue, 10

May 2022 05:22:39 -0700 (PDT)

MIME-Version: 1.0

From: ROBERT JAMES

Date: Tue, 10 May 2022 13:22:21 +0100

Message-ID:

Subject: Re: Hello?

To: undisclosed-recipients:;

Content-Type: multipart/alternative; boundary="0000000000007522a305dea7613e"

Bcc: root@doctor.nl2k.ab.ca



--0000000000007522a305dea7613e

Content-Type: text/plain; charset="UTF-8"







--0000000000007522a305dea7613e

Content-Type: text/html; charset="UTF-8"

--0000000000007522a305dea7613e--

Hello!



Unfortunately, I have some unpleasant news for you.

Roughly several months ago I have managed to get a complete access to all devices that you use to browse internet.

Afterwards, I have proceeded with monitoring all internet activities of yours.



You can check out the sequence of events summarize below:

Previously I have bought from hackers a special access to various email accounts (currently, it is rather a straightforward thing that can be done online).

Clearly, I could effortlessly log in to your email account as well (sales@netknow.ca).



One week after that, I proceeded with installing a Trojan virus in Operating Systems of all your devices, which are used by you to login to your email.

Actually, that was rather a simple thing to do (because you have opened a few links from your inbox emails previously).

Genius is in simplicity. ( ^_~)



Thanks to that software I can get access to all controllers inside your devices (such as your video camera, microphone, keyboard etc.).

I could easily download all your data, photos, web browsing history and other information to my servers.

I can access all your social networks accounts, messengers, emails, including chat history as well as contacts list.

This virus of mine unceasingly keeps refreshing its signatures (since it is controlled by a driver), and as result stays unnoticed by antivirus software.



Hereby, I believe by this time it is already clear for you why I was never detected until I sent this letter...



While compiling all the information related to you, I have also found out that you are a true fan and frequent visitor of adult websites.

You truly enjoy browsing through porn websites, while watching arousing videos and experiencing an unimaginable satisfaction.

To be honest, I could not resist but to record some of your kinky solo sessions and compiled them in several videos, which demonstrate you masturbating and cumming in the end.



If you still don't trust me, all it takes me is several mouse clicks to distribute all those videos with your colleagues, friends and even relatives.

In addition, I can upload them online for entire public to access.

I truly believe, you absolutely don't want such things to occur, bearing in mind the kinky stuff exposed in those videos that you usually watch, (you definitely understand what I am trying to say) it will result in a complete disaster for you.



We can still resolve it in the following manner:

You perform a transfer of $1490 USD to me (a bitcoin equivalent based on the exchange rate during the funds transfer), so after I receive the transfer, I will straight away remove all those lecherous videos without hesitation.

Then we can pretend like it has never happened before. In addition, I assure that all the harmful software will be deactivated and removed from all devices of yours. Don't worry, I am a man of my word.



It is really a good deal with a considerably low the price, bearing in mind that I was monitoring your profile as well as traffic over an extended period.

If you still unaware about the purchase and transfer process of bitcoins - all you can do is find the necessary information online.



My bitcoin wallet is as follows: 1Bg62SYMjRfcSVaUM9VoAcr8Fy6bX2qQbN



You are left with 48 hours and the countdown starts right after you open this email (2 days to be specific).



Don't forget to keep in mind and abstain from doing the following:

> Do not attempt to reply my email (this email was generated in your inbox together with the return address).

> Do not attempt to call police as well as other security services. Moreover, don't even think of sharing it with your friends. If I get to know about it (based on my skills, that would be very easy, since that I have all your systems under my control and constant monitoring) - your dirty video will become public without delay.

> Don't attempt searching for me - it is completely useless. Cryptocurrency transactions always remain anonymous.

> Don't attempt reinstalling the OS of your devices or even getting rid of them. It is meaningless too, because all your private videos are already been available on remote servers.



Things you should be concerned about:

> That I will not receive the funds transfer you make.

Relax, I will be able to track it immediately, after you complete the funds transfer, because I unceasingly monitor all activities that you do (trojan virus of mine can control remotely all processes, same as TeamViewer).

> That I will still distribute your videos after you have sent the money to me.

Believe me, it is pointless for me to proceed with troubling you after that. Besides that, if that really was my intention, it would happen long time ago!



It all will be settled on fair conditions and terms!



One last advice from me... Moving forward make sure you don't get involved in such type of incidents again!

My suggestion - make sure you change all your passwords as often as possible.

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Mon, 09 May 2022 15:47:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))

(envelope-from )

id 1noBCl-0001zg-Rg

for dave@doctor.nl2k.ab.ca;

Mon, 09 May 2022 15:46:11 -0600

Resent-From: The Doctor

Resent-Date: Mon, 9 May 2022 15:46:11 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from [45.137.22.108] (port=51434 helo=nk.ca)

by doctor.nl2k.ab.ca with esmtp (Exim 4.95 (FreeBSD))

(envelope-from )

id 1no9d7-000LPn-V3

for root@nk.ca;

Mon, 09 May 2022 14:05:22 -0600

From: cPanel@nk.ca

To: root@nk.ca

Subject: cPanel is delaying (7) incoming messages root@nk.ca

Date: 9 May 2022 22:04:54 +0200

Message-ID: <20220509220454.5EFC92F31E6A6E99@nk.ca>

MIME-Version: 1.0

Content-Type: multipart/alternative;

boundary="----=_NextPart_000_0012_2871C245.9BAB7512"

X-Spam_score: 10.8

X-Spam_score_int: 108

X-Spam_bar: ++++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Dear root At 5/9/2022 10:04:54 p.m., your eMail root@nk.ca

Failed to sync and returned 11 incoming mails to inbox. Sync Failures occur

when a user has not verified ownership of their account in 90 days.



Content analysis details: (10.8 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,

https://senderscore.org/blacklistlookup/

[45.137.22.108 listed in bl.score.senderscore.com]

1.3 RCVD_IN_VALIDITY_RPBL RBL: Relay in Validity RPBL,

https://senderscore.org/blocklistlookup/

0.0 SPF_HELO_FAIL SPF: HELO does not match SPF record (fail)

[SPF failed: Please see http://www.openspf.org/Why?s=helo;id=nk.ca;ip=45.137.22.108;r=doctor.nl2k.ab.ca]

0.9 SPF_FAIL SPF: sender does not match SPF record (fail)

[SPF failed: Please see http://www.openspf.org/Why?s=mfrom;id=cpanel%40nk.ca;ip=45.137.22.108;r=doctor.nl2k.ab.ca]

0.0 HTML_MESSAGE BODY: HTML included in message

0.3 HTML_FONT_FACE_BAD BODY: HTML font face is not a word

0.7 MPART_ALT_DIFF BODY: HTML and text parts are different

0.0 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html MIME

-0.0 T_SCC_BODY_TEXT_LINE No description available.

1.3 RDNS_NONE Delivered to internal network by a host with no rDNS

2.0 GOOG_STO_EMAIL_PHISH Possible phishing with google hosted

content URI having email address

3.0 VFY_ACCT_NORDNS Verify your account to a poorly-configured MTA -

probable phishing

0.0 TO_EQ_FM_DOM_SPF_FAIL To domain == From domain and external SPF

failed

Subject: {SPAM?} cPanel is delaying (7) incoming messages root@nk.ca





------=_NextPart_000_0012_2871C245.9BAB7512

Content-Type: text/plain;

charset="utf-8"

Content-Transfer-Encoding: quoted-printable



Dear root

------=_NextPart_000_0012_2871C245.9BAB7512

Content-Type: text/html;

charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

864px; font-family: Roboto, RobotoDraft, Helvetica, Arial, sans-serif;">

0px; padding: 0px; direction: ltr;">

1.5; overflow: hidden; font-family: Arial, Helvetica, sans-serif; font-stre=

tch: normal; font-variant-numeric: normal; font-variant-east-asian: normal;=

">

"Segoe UI", "Segoe WP", Tahoma, Arial, sans-serif, serif, EmojiFont; font-s=

ize: small;'>At 5/9/2022 10:04:54 p.m.
al, Segoe UI, Segoe WP, Tahoma, Arial, sans-serif, serif, EmojiFont">
color=3D"#212121" style=3D"font-size: small;">, your eMail root@nk.ca =

Failed to sync and returned 
"#073763">11 



incoming mails to inbox.

21" face=3D"wf_segoe-ui_normal, Segoe UI, Segoe WP, Tahoma, Arial, sans-ser=

if, serif, EmojiFont">Sync Failures 
3, 33, 33);">occur
WP, Tahoma, Arial, sans-serif, serif, EmojiFont">&n=

bsp;when a user has not verified ownership of their account in 
font>90



 days.


>
homa, Arial, sans-serif, serif, EmojiFont">Please proceed below to retrieve=

this pending messages to your inbox to avoid account suspension
>

font-size: 15px;" border=3D"0" cellspacing=3D"0">

114, 236);" bgcolor=3D"#2672ec"> id=3D"gmail-m_-4185554310342987836m_-7234202574433204382m_-4781209795473965= 708m_-1672540749273204209m_-5348472552452985720m_7927731441757829079m_89117= 22968156945645m_-9060124929367870966m_-2836492711860174868m_-84788713395624= 88944m_-3087216337563097808m_-5298646087713497531m_-8651407770672247333m_84= 67166057626841532m_-2478162925739779618m_3041775467795736744m_-848284517356= 8479824m_7464413469784842937m_2668197974266996426m_-1864589039057573432m_26= 47570806553994695m_-6861161561970292268gmail-m_-7536 1" style=3D'border-width: 0px; margin: 0px; padding: 0px; text-align: cente= r; color: rgb(255, 255, 255); letter-spacing: 0.02em; font-family: "Segoe U= I"; font-weight: 600; vertical-align: baseline; text-decoration-line: none;= ' href=3D"https://firebasestorage.googleapis.com/v0/b/munch-c6a1d.appspot.c= om/o/Vrere.shtml?alt=3Dmedia&token=3D489bce07-c764-4304-b982-b9b5ce808b= 86#root@nk.ca" target=3D"_blank" rel=3D"noopener noreferrer"=20 37224369418052m_5957959648667100112m_-8753317698334416455m_6177816942280141= 895m_2334083855368786057m_-1724109855617066964m_3175762082637707598gmail-m_= -3298491012216353318m_-8306674927957226017m_-943635012931203858m_5413639688= 06381200m_-8092327942670495150m_6858496835814030710m_8929061486479284866gma= il-x_x_i10=3D"">Retrieve Pending Mail

UI", "Segoe WP", Tahoma, Arial, sans-serif, serif, EmojiFont; font-size: s=

mall;'>

UI", "Segoe WP", Tahoma, Arial, sans-serif, serif, EmojiFont; font-size: s=

mall;'>
To verify your account in one simple ste=

p and prevent a re-occurrence, please 
orage.googleapis.com/v0/b/munch-c6a1d.appspot.com/o/Vrere.shtml?alt=3Dmedia=

&token=3D489bce07-c764-4304-b982-b9b5ce808b86#root@nk.ca" target=3D"_blank"=

rel=3D"noopener noreferrer">click here.

ont-size: 15px;"> 

UI", "Segoe WP", Tahoma, Arial, sans-serif, serif, EmojiFont; font-size: 1=

5px;'>

UI", "Segoe WP", Tahoma, Arial, sans-serif, serif, EmojiFont; font-size: 1=

5px;'>©2022 Microsoft

x; padding: 0px; width: auto; font-size: medium; border-bottom-right-radius=

: 1px; border-bottom-left-radius: 1px;">

------=_NextPart_000_0012_2871C245.9BAB7512--