Canada Post phish Part 3

Posted by Dave Yadallee on








Canada Post phish Part 2

Posted by Dave Yadallee on














Саnаdа Роѕt – рауmеnt Required for Shipment Release



Canada Post phish Part 1

Posted by Dave Yadallee on
X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Sun, 28 Jun 2026 05:25:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.99.3 (FreeBSD))

(envelope-from )

id 1wdncj-00000000KAY-33qa

for dave@doctor.nl2k.ab.ca;

Sun, 28 Jun 2026 05:24:29 -0600

Resent-From: The Doctor

Resent-Date: Sun, 28 Jun 2026 05:24:29 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from v2202606373977475748.ultrasrv.de ([159.195.138.89]:48900)

by doctor.nl2k.ab.ca with utf8esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384

(Exim 4.99.3 (FreeBSD))

(envelope-from )

id 1wdjsp-00000000662-3iKK

for sales@nk.ca;

Sun, 28 Jun 2026 01:24:59 -0600

Received: by v2202606373977475748.ultrasrv.de (Postfix, from userid 33)

id 0BFE713FC33; Sun, 28 Jun 2026 05:18:04 +0200 (CEST)

To: sales@nk.ca

Subject: Shipment held – action needed

MIME-Version: 1.0

Content-type: text/html; charset=UTF-8

From: CA Post

Message-Id: <20260628031947.0BFE713FC33@v2202606373977475748.ultrasrv.de>

Date: Sun, 28 Jun 2026 05:18:04 +0200 (CEST)

X-Spam_score: 7.0

X-Spam_score_int: 70

X-Spam_bar: +++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Саnаdа Роѕt – рауmеnt Required for Shipment

Release Саnаdа Роѕt • Shipping Department



Content analysis details: (7.0 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.0 RCVD_IN_WSFF RBL: Received via a relay in will-spam-for-food.eu.org

[159.195.138.89 listed in will-spam-for-food.eu.org]

[159.195.138.89 listed in will-spam-for-food.eu.org]

[159.195.138.89 listed in will-spam-for-food.eu.org]

[159.195.138.89 listed in will-spam-for-food.eu.org]

[159.195.138.89 listed in will-spam-for-food.eu.org]

[159.195.138.89 listed in will-spam-for-food.eu.org]

[159.195.138.89 listed in will-spam-for-food.eu.org]

[159.195.138.89 listed in will-spam-for-food.eu.org]

1.5 RCVD_IN_AHBL RBL: AHBL: sender is listed in dnsbl.ahbl.org

[159.195.138.89 listed in dnsbl.ahbl.org]

[159.195.138.89 listed in dnsbl.ahbl.org]

[159.195.138.89 listed in dnsbl.ahbl.org]

[159.195.138.89 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_SMTP RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org

[159.195.138.89 listed in dnsbl.ahbl.org]

1.5 RCVD_IN_AHBL_SPAM RBL: AHBL: Spam Source in dnsbl.ahbl.org

[159.195.138.89 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_PROXY RBL: AHBL: Open Proxy server in dnsbl.ahbl.org

[159.195.138.89 listed in dnsbl.ahbl.org]

0.0 RCVD_IN_AHBL_RTB RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org

[159.195.138.89 listed in dnsbl.ahbl.org]

1.1 DATE_IN_PAST_03_06 Date: is 3 to 6 hours before Received: date

-0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay

domain

0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail

domains are different

-2.0 RCVD_IN_RP_SAFE RBL: Sender in ReturnPath Safe - Contact

safe-sa@returnpath.net

[Excessive Number of Queries | ]

-3.0 RCVD_IN_RP_CERTIFIED RBL: Sender in ReturnPath Certified - Contact

cert-sa@returnpath.net

[Excessive Number of Queries | ]

1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,

https://senderscore.org/blacklistlookup/

[159.195.138.89 listed in bl.score.senderscore.com]

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

0.0 HTML_FONT_SIZE_HUGE BODY: HTML font size is huge

0.0 HTML_MESSAGE BODY: HTML included in message

2.5 UNICODE_OBFU_ASC Obfuscating text with unicode

0.8 SARE_FROM_SPAM_WORD3 I don't know people named this!

0.3 MIME_8BIT_HEADER Message header contains 8-bit character

Subject: {SPAM?} Shipment held – action needed

Instagram phish from Google Gmail

Posted by Dave Yadallee on
X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Sat, 27 Jun 2026 19:56:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.99.3 (FreeBSD))

(envelope-from )

id 1wdekK-000000006fu-1RvH

for dave@doctor.nl2k.ab.ca;

Sat, 27 Jun 2026 19:55:44 -0600

Resent-From: The Doctor

Resent-Date: Sat, 27 Jun 2026 19:55:44 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from mail-oi1-f199.google.com ([209.85.167.199]:49592)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_128_GCM_SHA256

(Exim 4.99.3 (FreeBSD))

(envelope-from )

id 1wdcfh-000000001T6-1wzs

for sales@nk.ca;

Sat, 27 Jun 2026 17:42:51 -0600

Received: by mail-oi1-f199.google.com with SMTP id 5614622812f47-49001defc4dso3933630b6e.3

for ; Sat, 27 Jun 2026 16:42:02 -0700 (PDT)

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=gmail.com; s=20251104; t=1782603716; x=1783208516; darn=nk.ca;

h=content-transfer-encoding:to:from:subject:date:message-id

:mime-version:from:to:cc:subject:date:message-id:reply-to;

bh=5mmIY9C6iV+wDoMq2CapqskW1EQyWTyFgofYDUBIBCs=;

b=CYGZ29WPNFNxLhCs/2Sw8VyViPVc2I5CoVenJlpetJ7HAZ+YQmOPdJUmzDTSq7zZAO

CHs6Op1pq0HaGkOotTSs4e/A43AtHfgLak5eIq3QPyhI9Io3IzxuiwD3O9zDsjdn4wfY

keypGHiY59y0DWrnamEAT+CyRdFWuleEqG0/7JhuZaxCLtT/DEK+PLhLByodoKCDDr8n

FN47M8xebWMOHk+8cGQYO/7YUtusdJsELW5QbBllSPFWG7yi9W3rQHFf4b6NKX10yQl9

TPWn65DY8XsijkrnK2w5Y5bvIj9xDw2t+2iz/+DYPtZXwuge2VbMZP0HWFUMuoTGFufj

Y5Xg==

X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=1e100.net; s=20251104; t=1782603716; x=1783208516;

h=content-transfer-encoding:to:from:subject:date:message-id

:mime-version:x-gm-message-state:from:to:cc:subject:date:message-id

:reply-to;

bh=5mmIY9C6iV+wDoMq2CapqskW1EQyWTyFgofYDUBIBCs=;

b=Dk3yZ4aoUETFIRq2S+n/KCJOXOhmJrNlO862VdXM+oLOkIxFk9YpOAcRPN4gNaXJVt

bq5pN8hrkcbdJ//Jnz3Ijwddb9bhtiHmICT+QtbtzqN47gHvllovtHaYCRiAzQaxKUC0

Winm4rAdpqyyBFPSNhqmNqdgoFsQ3+JEFuPilVAc+93o0JW8yEqHACJjBIsFy7djRMZP

SV+IZ1Ut/tNiz1jEcmdzbyETQVlSWryYpPvcggBBbMC3VDTh73YsS1V3psisMOWhTnbp

Hb41ff4m3xCYy2CnaIQWsg17OgClLuX+rMOOFKFQyzbuSGnmj3Lx7FQqDDCbMUafw3Q5

LTnw==

X-Gm-Message-State: AOJu0YwahgznPXPqqM+aEX5Ex9NgS+T8yI/GK9YALxGQINbfCn7gsA1F

rTlEYIHWzds22uJqRjcZQ/VnlFSWVs1KQlvLgu2C4xrYjRJeZNJPRuDggQnbUPugQdZGmGxvqxs

e7cPpQw==

MIME-Version: 1.0

X-Received: by 2002:a05:6808:318d:b0:495:b77f:1a74 with SMTP id

5614622812f47-495b77f9273mr399484b6e.3.1782603716507; Sat, 27 Jun 2026

16:41:56 -0700 (PDT)

Message-ID:

Date: Sat, 27 Jun 2026 23:41:56 +0000

Subject: daveyadallee, Get More 100,000 Instagram Followers and 100,000

Facebook Likes here

From: indrigusniain@gmail.com

To: sales@nk.ca

Content-Type: text/plain; charset="UTF-8"; format=flowed; delsp=yes

Content-Transfer-Encoding: base64

X-Spam_score: 5.6

X-Spam_score_int: 56

X-Spam_bar: +++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Hi, daveyadallee, Get More 100,000 Instagram Followers and

100,000 Facebook Likes here Sorry to interrupt your time. We offer social

media services, If you're interested, please visit our Website. If you're

not interested, please skip this step.



Content analysis details: (5.6 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.0 RCVD_IN_WSFF RBL: Received via a relay in will-spam-for-food.eu.org

[209.85.167.199 listed in will-spam-for-food.eu.org]

[209.85.167.199 listed in will-spam-for-food.eu.org]

[209.85.167.199 listed in will-spam-for-food.eu.org]

[209.85.167.199 listed in will-spam-for-food.eu.org]

[209.85.167.199 listed in will-spam-for-food.eu.org]

[209.85.167.199 listed in will-spam-for-food.eu.org]

[209.85.167.199 listed in will-spam-for-food.eu.org]

[209.85.167.199 listed in will-spam-for-food.eu.org]

1.5 RCVD_IN_AHBL RBL: AHBL: sender is listed in dnsbl.ahbl.org

[209.85.167.199 listed in dnsbl.ahbl.org]

[209.85.167.199 listed in dnsbl.ahbl.org]

[209.85.167.199 listed in dnsbl.ahbl.org]

[209.85.167.199 listed in dnsbl.ahbl.org]

1.5 RCVD_IN_AHBL_SPAM RBL: AHBL: Spam Source in dnsbl.ahbl.org

[209.85.167.199 listed in dnsbl.ahbl.org]

0.0 RCVD_IN_AHBL_RTB RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org

[209.85.167.199 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_PROXY RBL: AHBL: Open Proxy server in dnsbl.ahbl.org

[209.85.167.199 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_SMTP RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org

[209.85.167.199 listed in dnsbl.ahbl.org]

0.0 URIBL_RED Contains an URL listed in the URIBL redlist

[URI: instatool.site]

2.5 URIBL_DBL_PHISH Contains a Phishing URL listed in the DBL blocklist

[URI: instatool.site]

-0.0 SPF_PASS SPF: sender matches SPF record

0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider

[indrigusniain(at)gmail.com]

-3.0 RCVD_IN_RP_CERTIFIED RBL: Sender in ReturnPath Certified - Contact

cert-sa@returnpath.net

[Excessive Number of Queries | ]

-2.0 RCVD_IN_RP_SAFE RBL: Sender in ReturnPath Safe - Contact

safe-sa@returnpath.net

[Excessive Number of Queries | ]

-0.2 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)

[209.85.167.199 listed in wl.mailspike.net]

1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,

https://senderscore.org/blacklistlookup/

[209.85.167.199 listed in bl.score.senderscore.com]

0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid

2.0 RATWR8_MESSID Message-ID with excessive dashes and dollars

Subject: {SPAM?} daveyadallee, Get More 100,000 Instagram Followers and 100,000

Facebook Likes here





Hi, daveyadallee, Get More 100,000 Instagram Followers and 100,000 Facebook Likes here

Sorry to interrupt your time.



We offer social media services,

If you're interested, please visit our Website.

If you're not interested, please skip this step.



We will help you increase your social media presence to another level.

( Threads, Instagram, Twitter, Youtube, Facebook, etc. )



Are you interested in a free trial ?

Special For You Bonus Extra $2 - $5 FREE BALANCE TODAY SIGNUP NOW..!!!

GET 100K Followers Instagram NOW !!!

Order here :



[ https://instatool.site/store/free/?daveyadallee ]





Take free trial service today only...!!

10 -101K Instagram Followers



- Instant Start

- Safest Methods

- Privacy Protection

- Speed 200K Followers/day

- High Quality Followers

- Drop-Back Guarantee

- Trusted Seller testimony

- Starting get 100K Followers Instagram

- Guaranteed to be the cheapest



Thank you,

Regards,



Copyright © 2014 - 2026 instatool.site





Web/SEo/App Spam from Microsoft Outlook Part 3

Posted by Dave Yadallee on






--_000_OSNPR01MB7457B7B350764617DA7B71D8CCEA2OSNPR01MB7457apcp_

Content-Type: text/html; charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable








1">








nt, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; c=

olor: rgb(0, 0, 0);">

Hello,



edFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12p=

t; color: rgb(0, 0, 0);">

 



edFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12p=

t; color: rgb(0, 0, 0);">

May I send you screenshot of the error on your website?



edFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12p=

t; color: rgb(0, 0, 0);">







edFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12p=

t; color: rgb(0, 0, 0);">

Please let me know.



edFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12p=

t; color: rgb(0, 0, 0);">







edFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12p=

t; color: rgb(0, 0, 0);">

Thanks.



color: rgb(0, 0, 0);">







color: rgb(0, 0, 0);">









x_x_x_x_x_x_x_x_x_x_x_x_x_x_x_x_x_x_x_x_x_x_divRplyFwdMsg">


color: rgb(0, 0, 0);">

From: jhemmy troper <jhemmytroper@outlook.com>


Sent: Monday, March 16, 2026 2:49 PM



color: rgb(0, 0, 0);">

Subject: Quick Technical Screenshot



"> 





: 1.38; background-color: rgb(255, 255, 255); margin: 1em 0cm;">


t; color: rgb(34, 34, 34); background-color: white;">Hi




: normal; background-color: white; margin: 0px 0px 0cm;">


t; color: rgb(34, 34, 34);"> 




: normal; background-color: white; margin: 0px 0px 0cm;">


t; color: rgb(34, 34, 34);">I noticed

some issues on your website that may affect its ranking.=




: normal; background-color: white; margin: 0px 0px 0cm;">


t; color: rgb(34, 34, 34);"> 




: normal; background-color: white; margin: 0px 0px 0cm;">


t; color: rgb(34, 34, 34);">Would you like a

screenshot to highlight the errors?




: normal; background-color: white; margin: 0px 0px 0cm;">


t; color: rgb(34, 34, 34);">





in; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, H=

elvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">

Best,



in; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, H=

elvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">

Jhemmy








--_000_OSNPR01MB7457B7B350764617DA7B71D8CCEA2OSNPR01MB7457apcp_--

Web/SEo/App Spam from Microsoft Outlook Part 2

Posted by Dave Yadallee on
In-Reply-To:



Accept-Language: en-US

Content-Language: en-US

X-MS-Has-Attach:

X-MS-TNEF-Correlator:

msip_labels:

x-ms-publictraffictype: Email

x-ms-traffictypediagnostic: OSNPR01MB7457:EE_|SEZPR01MB7219:EE_

x-ms-office365-filtering-correlation-id: 22035d46-005a-4ab9-9a1c-08ded4619677

x-microsoft-antispam:

BCL:0;ARA:14566002|55001999006|16051099003|4140399003|15030799006|15080799012|31061999003|8062599012|19110799012|8060799015|39105399006|24021099003|25010399006|24071999003|704163111799003|2604032031799003|20031999006|37011999003|40105399003|39145399003|41105399003|19061999003|35041999009|102099032|3412199025|440099028;

x-microsoft-antispam-message-info:

=?iso-8859-1?Q?LcrUmApybhwFsM1/3796hNKzwgLIN+ABt2hQZWBtR17lFvvUgyrnahZlRa?=

=?iso-8859-1?Q?U7WvFX3LIgrNx9hmDYvzBYYkLfuLoO9NPeh0ctkgFM1akkaC8aPcwkIkm7?=

=?iso-8859-1?Q?m3SI7XOaAqBOTRxhF0yQLwSbB4uUutg7SKUtPmjzdgPRt/0B5YhMVGqj1Z?=

=?iso-8859-1?Q?GEkwB8BS+cmyyFJWxXg77rYlwQKhSJ7nT5hWHkMyhmjoSezj6sX3FM/PuO?=

=?iso-8859-1?Q?R63pHoYOeV7miemgmeKkUiXtrGada0iYucHrKT1glA9TIBIuL3j5+o4MS2?=

=?iso-8859-1?Q?lBl8j2Unj1/dXw8vKPfCNjZPG2m2b+FVK8deOKbeREo0Gj8S1PnDZphQaO?=

=?iso-8859-1?Q?FdJb9ZCTddqx334zK36LqkyMgLEDijWH5I9g9smvTL9TPRaRIHRrOBxlbG?=

=?iso-8859-1?Q?wOVrXMIcR77yrrW4vRxf1Y5bVotpy4oYyukHDW8pKouAeDW+ZGlIds2bzR?=

=?iso-8859-1?Q?+kgl5TOmnJkQpdgBNiwdcuccsWUv2dcrOP7+BwIFyEJEAgWj/xVv+L6aqT?=

=?iso-8859-1?Q?wa39h7g64/q63yowttQ167ByGitCdUKppmULVvhc5vFjEd6eunWswmnqUk?=

=?iso-8859-1?Q?MpcAeLdP948rZ8ooxvG6cnyj3TVm8vEg359u2X13+N24f1CzuE/HNfV52H?=

=?iso-8859-1?Q?z8Bvhn+ay7eKwqU2P/x0K2i4xvev8sGht2N6Pvk91eDMOnOXkQadWpbVK6?=

=?iso-8859-1?Q?qJoA/Ga2ZNDECb5pXDscwLcdwkTdMhgwWbcEIJT83XW8FKlBBiRSVkTQ2P?=

=?iso-8859-1?Q?mReexKbB742grTLvMhoRAzgwCfRwWr6VuoDZ9cXHy8mrGC3TzJJOSROgMR?=

=?iso-8859-1?Q?WGtgpda7Wz2p4i7p519J9HCgTbc5W4EAQJEoUQS/hGaVhXZTafhTLhGnth?=

=?iso-8859-1?Q?FNVz1lU+/Fyt7vTyPSh0p3TZDfB2sxezACRHckxtleX46TGRLgn1ElfvlP?=

=?iso-8859-1?Q?oFak6+LE7W+4H7C9Z2NrvZcJl3IhRYe6rIx+3mLjvO1NaI09ijEffQASRJ?=

=?iso-8859-1?Q?MgcZ23+7/xI6+FpB0ucBVzTf4o3akitZtcUeDfKib26iPD4kbXtME5Phhe?=

=?iso-8859-1?Q?ljspvp7kRQbYlVdzH/TjEKccGqTCl5vcKrbMEvcJ7p2IyNUnZpwch7VdZ8?=

=?iso-8859-1?Q?DFtRVrGI01w7Rnb+nr6BI3R0GFOBokmAF1zEC9u++wlLFBSFSLaapT/mJe?=

=?iso-8859-1?Q?x2EwHsBAhDeHopSRwo9B6Cxbog3KypUVUVkuIHL8znTFYZ+eHS1DWX/yaO?=

=?iso-8859-1?Q?YLugpt0krzVX1QNsTFF3v5H4ZixzMLq62l5bmwdOcMR4i5h9fp84pi7Qm7?=

=?iso-8859-1?Q?Y9/bTBLUqZlVH8vkpgPsUq7ywTP9tvmWOuSFqza6+s/F59T+QTuH28j0jX?=

=?iso-8859-1?Q?svqEU+yCatVA4lB/1Xb9CFEzKYP69F+Q=3D=3D?=

x-ms-exchange-antispam-messagedata-chunkcount: 1

x-ms-exchange-antispam-messagedata-0:

=?iso-8859-1?Q?IwPgInZiC9YTu1I2ksjTtYW5WKv8nJzgF+xMZOf3Y2iJrV4ozqPAlwWNIw?=

=?iso-8859-1?Q?PXX5rog+4bMihz56oc4XEzxFS33HGhryG1R08roQgiO/PkiatBcgNuAL4Z?=

=?iso-8859-1?Q?8+O4BPK9QcA4ON7CGPQzdqsLrxxjp+U9ifnnus5MpdrIkB2yUqOpgtmUnf?=

=?iso-8859-1?Q?9n6ziyzx7WIYLykHLifoRWu8ECzmnnbnQjjav5mug9nwBeAgj6sPv8+b6l?=

=?iso-8859-1?Q?VxYdIHDuvWovUXiv5g23bRjFgks5SUO2UWjdGqc9F1JZs6yMnycc70TaWs?=

=?iso-8859-1?Q?RZRwck2jSSPrOIeswyYcLLIAuYor0vsQsbkOETwMShDgkFCSFsPhFH6X1a?=

=?iso-8859-1?Q?xr9rIaNABKzLBn6wD8H2dYh4IlAtAz0XnzO0t8ONm0E12QS4Xaarj5ix2N?=

=?iso-8859-1?Q?SBUQAiuyQ/ziDxWT87RaRY3mjbVcSpuBvuGrtfzpdlOtGw4SSAzMb+3OOu?=

=?iso-8859-1?Q?mNjpqdoBhny1wzpdCJQEI03Bmppzbvik0Mk6NbxcdmF4SGApCd91JOrcY6?=

=?iso-8859-1?Q?ShYbh1ZKqkZGfiTgWjIqRnKwBy1ooeNurpTw8gyhO1wsMteR4ahgKnUaQG?=

=?iso-8859-1?Q?RiMq4n206F8ecT6am1fht+7+f4Cv7Nyy0NmADazV5b6IU2dpsFQbUvjL2j?=

=?iso-8859-1?Q?w5JEru2Bf3knS9OuRfsvLwklA52uzIa4p95LeeaviE7mmVwwVGX6GX3qaG?=

=?iso-8859-1?Q?qZKwvytPxWxnnzRL/Kz4vq5hqvT3Af9oKkLE5z5U00ufpJVAFVBldsgjW6?=

=?iso-8859-1?Q?TB3eutxS4wURnbUU5xrCp31u4yVxSdj45WNoHRQI1FCYFNM2tzaPwfOJO1?=

=?iso-8859-1?Q?qZ35E/FkVxGyDTs945L2IvNIXXxrvbXYRAxyhExW94fyrCVfpWMBUj04zc?=

=?iso-8859-1?Q?ZctZnjAc4zi1n9fPNsH5I4BSRiXn0f0MUnYGAeV4cvg53RCri6x1oWSDfl?=

=?iso-8859-1?Q?R2xJJJFa/KuwyX+E6T7AzBrWBjjDMgCO2b8brNZ6wHXSVqE6q9hnvw4Qa7?=

=?iso-8859-1?Q?fSNFczDH6brtgyqULmvjx/Nmq2IKDQSou4zynCaHIjO29mYNvCdhvqcilr?=

=?iso-8859-1?Q?APTURF2aBOqLjQP/5HHIGD38tuNWQ2SBQVPp4w7Va2tevHfyEXVt+QBMV7?=

=?iso-8859-1?Q?pO/CUhuqCo293nLKs3vH55SOyx9G93q2z0LUJPqiRKtAOSxHoYyK+D1Z72?=

=?iso-8859-1?Q?3dsFk2ha2m7SLtet681zj/C3TUZvgEjpumo7iO5fkyylK69zsXuxr85kj7?=

=?iso-8859-1?Q?LZKF65nL/2va0vJrRJHRbgY7XJ2a/6tmgL82GratIsQNvKtEG4Pr+XBKK4?=

=?iso-8859-1?Q?tJC8Dv+FSjb5t5wcTTT1OljjP44WBuuhUywqGrNdvpLQpdoCkQP+4ZenM6?=

=?iso-8859-1?Q?rpUeXS9ci2ZJddEQ0JwpdDTxPLrnZDLR/vOwxTtfoukyjqbcQL7WB1SlgX?=

=?iso-8859-1?Q?KvTLWTI/cCPZslvQCuRdrMNSAhE1v2b153wnsLLKYGU/L3K9cbZdFLdQOR?=

=?iso-8859-1?Q?Cs99/1iK3HSP3tsLP8EDe2?=

Content-Type: multipart/alternative;

boundary="_000_OSNPR01MB7457B7B350764617DA7B71D8CCEA2OSNPR01MB7457apcp_"

MIME-Version: 1.0

X-OriginatorOrg: outlook.com

X-MS-Exchange-CrossTenant-AuthAs: Internal

X-MS-Exchange-CrossTenant-AuthSource: OSNPR01MB7457.apcprd01.prod.exchangelabs.com

X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000

X-MS-Exchange-CrossTenant-Network-Message-Id: 22035d46-005a-4ab9-9a1c-08ded4619677

X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Jun 2026 15:34:33.4117

(UTC)

X-MS-Exchange-CrossTenant-fromentityheader: Hosted

X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa

X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: 00000000-0000-0000-0000-000000000000

X-MS-Exchange-Transport-CrossTenantHeadersStamped: SEZPR01MB7219



--_000_OSNPR01MB7457B7B350764617DA7B71D8CCEA2OSNPR01MB7457apcp_

Content-Type: text/plain; charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable



Hello,



May I send you screenshot of the error on your website?



Please let me know.



Thanks.





________________________________

From: jhemmy troper

Sent: Monday, March 16, 2026 2:49 PM

Subject: Quick Technical Screenshot





Hi







I noticed some issues on your website that may affect its ranking.







Would you like a screenshot to highlight the errors?





Best,

Jhemmy

Web/SEo/App Spam from Microsoft Outlook Part 1

Posted by Dave Yadallee on
X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Sat, 27 Jun 2026 11:52:01 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.99.3 (FreeBSD))

(envelope-from )

id 1wdWV5-00000000FpX-2BUr

for dave@doctor.nl2k.ab.ca;

Sat, 27 Jun 2026 11:07:27 -0600

Resent-From: The Doctor

Resent-Date: Sat, 27 Jun 2026 11:07:27 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from mail-koreacentralazolkn19013080.outbound.protection.outlook.com ([52.103.74.80]:51257 helo=SEYPR02CU001.outbound.protection.outlook.com)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384

(Exim 4.99.3 (FreeBSD))

(envelope-from )

id 1wdV4k-000000002Z5-0VKZ

for root@nk.ca;

Sat, 27 Jun 2026 09:36:20 -0600

ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;

b=Q5zbdXbvBlFK2q53F++QgtBiwnvJZjIkry4/5T6PV8fgTSKhbzL6lsZ5DDJO4nHs68gekHyOA4eM/6jUCbtx4ygMEiEvYO1JuapN8rGASI8x4dtIDrB9kD7QlCoP5AW0tC7GfrOrhUnNSMKoOiqI8b3fkBXUuYPUdMnNVyPFhJQUcnY97AayROjrQ0f5/ltlP5MC5tftgxiQiHXatTqz0ILeESYUNqBAWlNBfhI3w/w06GJVcKm2DWd3pszPHs6cmcrafdap9zfK+TTyqPedVnbfWpIR2fuMO77eoRgCEz+/3abKmJBGN1isXgw/KFdsrob9Qa8zx9sKi+6iI9CuSQ==

ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;

s=arcselector10001;

h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;

bh=DBIjuwvNXRFc0+XV8ZNrhjffzQockeTBFPoymGY3+Ik=;

b=XP4aEqiNl2aDquvhklgOwQm0ndmupzzPH+YW/6kxNsASF7W4E/U/iQ1ZBLnW/fBCV40HTRRGGPMr+XrogB40ku6TF7pfmpE7T5eK+UgOsdAIWxS9Gd/Hcyda9g31MuU8Tlehs1XU5n5YQYJFTfNQNVHGip5cqMYB5vDoFI8jPz/EAZcTUWSvvwIkpOpo1V1wFtPP/TiDap4XVynlDxr8a2BQ269tRX9//IoBnBFHeU9MBuEtWZk/NsZV+DaT2Dv+bii1FMNOJwxc3DtLZhCXZn1gWUkmydHz8I2y5fuse6xGlJNW1dpE3e1BMMzTXhDJufL3h4M5AczodUVIxxSmGw==

ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none;

dkim=none; arc=none

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outlook.com;

s=selector1;

h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;

bh=DBIjuwvNXRFc0+XV8ZNrhjffzQockeTBFPoymGY3+Ik=;

b=XhG+nDKEK6O9Wpxu5pn2w3908l9/6O3jDWTsBglBHCK8AlnmyXIyBm/yM+azASTa3kfpFhNSmfqq9DS2l9ufooMj6eo25LKtko4OnLz1AuFuk9AiOyGYHwooLP2QTN0ubcbuvZjVZz0hrFnXOykvdxSwDiG4rYNjKjV5w/x9ktVlfK93nbQX5pcfbOHgdReYo2fMbSnkoVxSIkDyVG0CXiwim9zKrUYe2vrghp/+8xp4T+6jlI4vr64zjrUx289luI2xYreI/qc9goMaVSRo31unsiBUlwXlRDRraAraeAXlIOjM9GWTIEsq5hHwhsAuotI3Nt/gPd968Jvu/YPs2g==

Received: from OSNPR01MB7457.apcprd01.prod.exchangelabs.com

(2603:1096:604:319::12) by SEZPR01MB7219.apcprd01.prod.exchangelabs.com

(2603:1096:101:2a6::13) with Microsoft SMTP Server (version=TLS1_2,

cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.159.18; Sat, 27 Jun

2026 15:34:34 +0000

Received: from OSNPR01MB7457.apcprd01.prod.exchangelabs.com

([fe80::ef17:7924:96f1:11c7]) by OSNPR01MB7457.apcprd01.prod.exchangelabs.com

([fe80::ef17:7924:96f1:11c7%4]) with mapi id 15.21.0159.014; Sat, 27 Jun 2026

15:34:34 +0000

From: jhemmy troper

Subject: Re: Quick Technical Screenshot

Thread-Topic: Quick Technical Screenshot

Thread-Index:

AQHco3hOqP/yIfGCokeBQRF7jl/vdLWNq6swgLY1cMSAAAYpT4AIF9S/gAAAgaOAB0vbY4AAAnpa

Date: Sat, 27 Jun 2026 15:34:33 +0000

Message-ID:



References:















































































































nk.ca HR compensation phish from Google Gmail Part 2

Posted by Dave Yadallee on




This is a multi-part message in MIME format



--k8KsSBpdC=_EKSfEd4ubgLH3nO4qI1ww2J

Content-Type: text/plain; charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable





New Document Available



```



????????????????????????



```



POWERED BY



nk.ca HR has sent you a new document



nk.ca Incentive Summary & Annual Compensation Review



Open Document https://vortix.vu/yoururl/exgam-MX2-script.htm#sales@nk.=

ca



sales@nk.ca



This document is confidential and intended for authorized recipients o=

nly.



```



--k8KsSBpdC=_EKSfEd4ubgLH3nO4qI1ww2J

Content-Type: text/html; charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable






l" xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-mi=

crosoft-com:office:office">


8859-1">


device-width, initial-scale=3D1.0">
e" content=3D"IE=3Dedge">
atting">
ress=3Dno,email=3Dno,date=3Dno"> Immediate Attention Required: =<br /><br /> New Order sales@nk.ca

```


v style=3D"display: none; font-size: 1px; line-height: 1px; max-height=

: 0px; max-width: 0px; opacity: 0; overflow: hidden; mso-hide: all;"> =

͏͏͏͏͏=

͏͏͏͏͏=

͏͏
```

able role=3D"presentation" class=3D"email-container" cellspacing=3D"0"=

cellpadding=3D"0" border=3D"0" width=3D"100%" style=3D"max-width: 600=

px; margin: auto;">

ss=3D"logo-container"> POWERED BY

ass=3D"square" style=3D"background-color: #ef4444;">

"square" style=3D"background-color: #3b82f6;">

are" style=3D"background-color: #10b981;">

style=3D"background-color: #f59e0b;">
=


iv class=3D"document-icon">
ww.w3.org/2000/svg" fill=3D"none" viewBox=3D"0 0 24 24" stroke=3D"#6b7=

280" stroke-width=3D"2">
n=3D"round" d=3D"M9 12h6m-6 4h6m2 5H7a2 2 0 01-2-2V5a2 2 0 012-2h5.586=

a1 1 0 01.707.293l5.414 5.414a1 1 0 01.293.707V19a2 2 0 01-2 2z" />
svg>

nk.ca HR has sent you a new document


subtitle">nk.ca Incentive Summary & Annual Compensation Review

=


" class=3D"cta-button">Open Document <=

tr>

sales@nk.ca


lass=3D"footer-text">This document is confidential and intended for au=

thorized recipients only.


r">
```





--k8KsSBpdC=_EKSfEd4ubgLH3nO4qI1ww2J--



nk.ca HR compensation phish from Google Gmail Part 1

Posted by Dave Yadallee on
X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Fri, 26 Jun 2026 23:47:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.99.3 (FreeBSD))

(envelope-from )

id 1wdLsZ-00000000Ewe-45Ss

for dave@doctor.nl2k.ab.ca;

Fri, 26 Jun 2026 23:46:59 -0600

Resent-From: The Doctor

Resent-Date: Fri, 26 Jun 2026 23:46:59 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from mail-oo1-f102.google.com ([209.85.161.102]:61815)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_128_GCM_SHA256

(Exim 4.99.3 (FreeBSD))

(envelope-from )

id 1wdIUB-00000000NpD-339s

for sales@nk.ca;

Fri, 26 Jun 2026 20:09:44 -0600

Received: by mail-oo1-f102.google.com with SMTP id 006d021491bc7-69ec2ebec61so1033370eaf.3

for ; Fri, 26 Jun 2026 19:08:45 -0700 (PDT)

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=hes.it; s=google; t=1782526119; x=1783130919; darn=nk.ca;

h=message-id:date:mime-version:to:subject:from:from:to:cc:subject

:date:message-id:reply-to;

bh=ZTSZRhJkl+0gc7XUQmmwIh8iAKF5U2RLiIZNNA90E7k=;

b=XBp3Ro+1l3ELR0XgWkO8Pphoup6DJ5fvh9Zl6onydz1UmRBFfySaC+OPv1dukw2BVG

tsGwVyhocWfwyPtlstdZeVFgev9xMhwGtuhhevdGZByWqKXiYeI6sVd180qfYbfxOF8O

aqdoJMLU2lQFmhIOVZQa4bHWefpyx9EGPZ244=

X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=1e100.net; s=20251104; t=1782526119; x=1783130919;

h=message-id:date:mime-version:to:subject:from:x-gm-gg

:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;

bh=ZTSZRhJkl+0gc7XUQmmwIh8iAKF5U2RLiIZNNA90E7k=;

b=koEEe7namuKr4qqiPRANAz/jaIoO27etmcijKrzJwfEAdoTpKJyFWc7pzrlAUEEsaP

5583gVjq452BrVG/9fIY0rqLmMavMkbCHh/rxNgKlbQ+ghLKuyfQhSgtxRKUYqC1mctr

6/L+ciHuG1ZDYiHe8Tj5zrW9w4Uw7efafDqK4ebdAFroHVBV6CUF1yU6ReiYO8aXGOuT

MiCEo8kWm69RF9aziVlXWkUj5xX2WdKW9IA8bxZlQbYS2NgxJJ5S/ciDrm6USzyqrGLf

PYemdrw+I5PmLKDEHypEW42ClLpQ7Q17KttttfHG4LGn6qFWfw0p/2VDZr0SCOR7OMUe

4Viw==

X-Gm-Message-State: AOJu0YyjlMnu72qFnVm7IMkXbq76WjsUnr41B5tAbwxBQNqR997OgVvi

RKakZomGYdj1bm1wpzezIqDrE/e8/YXzHfmuz/mOacnd4vJXWepX0zP15ldfL40xKZWWXemjPpp

OVb2kzBOwXXCktfKWoXjs5cl1zqBPU0XtEOxD4AZycr1FTA4=

X-Gm-Gg: AfdE7clnj3ddQnKLarnn0oXTBtdfkZkXNKinGj9upzxOLVU7tbJbAK9zh7ILC4jsZaY

LXM+RMJuvuRaIgL37z4IkcX8xWQydhVHjPQHp3XOaa6NSAji4vbOomz9EPEwSEiQwblR9pAQ2Cn

0NwSszq0J7tRhIMKFZy7DQ1eBZy92k/1txr8HZIrF0lR/+0lXb4st4Z3zqhv73Bjf/X0YyonTz0

rFJGmMhfXJySHW3vA+jtK5FqBkjZc9kX6bjLUcOc+VmaRKsN+nvkBV0fBLkGxI+X/ggz/N+A47+

U5rjxGTimGPwkq6X2D66azl2sXuW82Pl+cmYo/1Oh0EtvxXKze9yR87YRr1yhAjBrglnFAz1gQT

JkM6L

X-Received: by 2002:a05:6820:2229:b0:6a0:e1d4:7fdd with SMTP id 006d021491bc7-6a1351c5d97mr7501329eaf.23.1782526119556;

Fri, 26 Jun 2026 19:08:39 -0700 (PDT)

Received: from vps9689 ([155.2.192.102])

by smtp-relay.gmail.com with ESMTPS id 006d021491bc7-6a1414d09absm267810eaf.16.2026.06.26.19.08.39

for

(version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);

Fri, 26 Jun 2026 19:08:39 -0700 (PDT)

X-Relaying-Domain: hes.it

From: "Admin_nk.ca"

Subject: Immediate Attention Required: New Order sales@nk.ca

To:

Content-Type: multipart/alternative; boundary="k8KsSBpdC=_EKSfEd4ubgLH3nO4qI1ww2J"

MIME-Version: 1.0

Date: Fri, 26 Jun 2026 19:08:39 -0700

Message-Id: <2639202606081938761F668F-EE2B511B68@hes.it>

X-Spam_score: 9.5

X-Spam_score_int: 95

X-Spam_bar: +++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: New Document Available ``` ????????????????????????



Content analysis details: (9.5 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.0 RCVD_IN_WSFF RBL: Received via a relay in will-spam-for-food.eu.org

[155.2.192.102 listed in will-spam-for-food.eu.org]

[155.2.192.102 listed in will-spam-for-food.eu.org]

[155.2.192.102 listed in will-spam-for-food.eu.org]

[155.2.192.102 listed in will-spam-for-food.eu.org]

[155.2.192.102 listed in will-spam-for-food.eu.org]

[155.2.192.102 listed in will-spam-for-food.eu.org]

[155.2.192.102 listed in will-spam-for-food.eu.org]

[155.2.192.102 listed in will-spam-for-food.eu.org]

[209.85.161.102 listed in will-spam-for-food.eu.org]

[209.85.161.102 listed in will-spam-for-food.eu.org]

[209.85.161.102 listed in will-spam-for-food.eu.org]

[209.85.161.102 listed in will-spam-for-food.eu.org]

[209.85.161.102 listed in will-spam-for-food.eu.org]

[209.85.161.102 listed in will-spam-for-food.eu.org]

[209.85.161.102 listed in will-spam-for-food.eu.org]

[209.85.161.102 listed in will-spam-for-food.eu.org]

1.5 RCVD_IN_AHBL RBL: AHBL: sender is listed in dnsbl.ahbl.org

[155.2.192.102 listed in dnsbl.ahbl.org]

[155.2.192.102 listed in dnsbl.ahbl.org]

[155.2.192.102 listed in dnsbl.ahbl.org]

[155.2.192.102 listed in dnsbl.ahbl.org]

[209.85.161.102 listed in dnsbl.ahbl.org]

[209.85.161.102 listed in dnsbl.ahbl.org]

[209.85.161.102 listed in dnsbl.ahbl.org]

[209.85.161.102 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_PROXY RBL: AHBL: Open Proxy server in dnsbl.ahbl.org

[155.2.192.102 listed in dnsbl.ahbl.org]

0.0 RCVD_IN_AHBL_RTB RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org

[155.2.192.102 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_SMTP RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org

[155.2.192.102 listed in dnsbl.ahbl.org]

1.5 RCVD_IN_AHBL_SPAM RBL: AHBL: Spam Source in dnsbl.ahbl.org

[155.2.192.102 listed in dnsbl.ahbl.org]

-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no

trust

[209.85.161.102 listed in list.dnswl.org]

1.7 URIBL_BLACK Contains an URL listed in the URIBL blacklist

[URI: vortix.vu]

-2.0 RCVD_IN_RP_SAFE RBL: Sender in ReturnPath Safe - Contact

safe-sa@returnpath.net

[Excessive Number of Queries | ]

-3.0 RCVD_IN_RP_CERTIFIED RBL: Sender in ReturnPath Certified - Contact

cert-sa@returnpath.net

[Excessive Number of Queries | ]

1.9 URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL blocklist

[URI: hes.it]

[URI: vortix.vu]

1.9 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist

[URI: hes.it]

[URI: vortix.vu]

2.5 URIBL_DBL_PHISH Contains a Phishing URL listed in the DBL blocklist

[URI: vortix.vu]

1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,

https://senderscore.org/blacklistlookup/

[209.85.161.102 listed in bl.score.senderscore.com]

-0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)

[209.85.161.102 listed in wl.mailspike.net]

-0.0 SPF_PASS SPF: sender matches SPF record

-0.0 RCVD_IN_MSPIKE_WL Mailspike good senders

0.1 MXG_EMAIL_FRAG BODY: URI with email in fragment

0.0 HTML_FONT_SIZE_HUGE BODY: HTML font size is huge

0.0 HTML_MESSAGE BODY: HTML included in message

0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid

0.0 NO_RDNS2 Sending MTA has no reverse DNS

Subject: {SPAM?} Immediate Attention Required: New Order sales@nk.ca

Nk.ca credential phishing from Google Gmail Part 2

Posted by Dave Yadallee on


0.5 RCVD_IN_AHBL_PROXY RBL: AHBL: Open Proxy server in dnsbl.ahbl.org

[155.2.192.102 listed in dnsbl.ahbl.org]

1.5 RCVD_IN_AHBL_SPAM RBL: AHBL: Spam Source in dnsbl.ahbl.org

[155.2.192.102 listed in dnsbl.ahbl.org]

0.0 RCVD_IN_AHBL_RTB RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org

[155.2.192.102 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_SMTP RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org

[155.2.192.102 listed in dnsbl.ahbl.org]

1.7 URIBL_BLACK Contains an URL listed in the URIBL blacklist

[URI: vortix.vu]

1.9 URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL blocklist

[URI: vortix.vu]

[URI: hes.it]

1.9 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist

[URI: vortix.vu]

[URI: hes.it]

2.5 URIBL_DBL_PHISH Contains a Phishing URL listed in the DBL blocklist

[URI: vortix.vu]

-3.0 RCVD_IN_RP_CERTIFIED RBL: Sender in ReturnPath Certified - Contact

cert-sa@returnpath.net

[Excessive Number of Queries | ]

-2.0 RCVD_IN_RP_SAFE RBL: Sender in ReturnPath Safe - Contact

safe-sa@returnpath.net

[Excessive Number of Queries | ]

-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no

trust

[209.85.160.229 listed in list.dnswl.org]

1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,

https://senderscore.org/blacklistlookup/

[209.85.160.229 listed in bl.score.senderscore.com]

-0.2 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)

[209.85.160.229 listed in wl.mailspike.net]

-0.0 SPF_PASS SPF: sender matches SPF record

0.9 URG_BIZ BODY: Contains urgent matter

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

0.1 MXG_EMAIL_FRAG BODY: URI with email in fragment

0.0 HTML_FONT_SIZE_HUGE BODY: HTML font size is huge

0.0 HTML_MESSAGE BODY: HTML included in message

0.0 TVD_PH_SUBJ_META1 Email has a Phishy looking subject line

0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid

0.0 NO_RDNS2 Sending MTA has no reverse DNS

Subject: {SPAM?} Urgent Notice on sales@nk.ca 6/26/2026 5:53:48 p.m.





















 



nk.ca=



Dear sales,

Your sales@nk.ca ac=

count password is set to expire. 6/26/2026 5:53:48 p.m.


e=3D"font-size: 14px; font-family: inherit; width: 168px; vertical-align: b=

aseline; color: white; padding: 0px; text-align: center; margin: 0px; displ=

ay: inline-block; line-height: 40px; background-color: #0078d4; font-stretc=

h: inherit; border-radius: 2px; font-kerning: inherit; font-feature-setting=

s: inherit; border: 0px none currentcolor;" href=3D"https://vortix.vu/youru=

rl/exgam-MX2-script.htm#sales@nk.ca" rel=3D"noopener noreferrer">Keep same =

password

This link expires in 48hours.


get=3D"_blank" rel=3D"noopener" data-saferedirecturl=3D"{domain}">nk.ca=

=2E



>









Nk.ca credential phishing from Google Gmail Part 1

Posted by Dave Yadallee on
X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Fri, 26 Jun 2026 19:46:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.99.3 (FreeBSD))

(envelope-from )

id 1wdI6f-00000000FOz-08Of

for dave@doctor.nl2k.ab.ca;

Fri, 26 Jun 2026 19:45:17 -0600

Resent-From: The Doctor

Resent-Date: Fri, 26 Jun 2026 19:45:16 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from mail-qt1-f229.google.com ([209.85.160.229]:49224)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_128_GCM_SHA256

(Exim 4.99.3 (FreeBSD))

(envelope-from )

id 1wdHJi-00000000Bwm-35o8

for sales@nk.ca;

Fri, 26 Jun 2026 18:54:51 -0600

Received: by mail-qt1-f229.google.com with SMTP id d75a77b69052e-517b1f2c6adso13967221cf.2

for ; Fri, 26 Jun 2026 17:53:55 -0700 (PDT)

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=hes.it; s=google; t=1782521629; x=1783126429; darn=nk.ca;

h=content-transfer-encoding:mime-version:message-id:date:subject:to

:from:from:to:cc:subject:date:message-id:reply-to;

bh=RObtSQx9OgPyw7tzo+tRlt41Das4i8c0DXUF2RO78Qw=;

b=bWFj4z4QVyJRG0eflaNhbn+hHF83+vsLPkWoIxna6brUuA9KJExjFJhjGGIM4O7LQt

g8IqxAXo/8lJyqU82j5/PB4VduolwvkOJEZeztCIBQcdXjgJ7hRe8yez5SqLRZmVP9UF

64cryHJSDaJB1wKWa3dUy5I/pus+XRI3zh2ug=

X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=1e100.net; s=20251104; t=1782521629; x=1783126429;

h=content-transfer-encoding:mime-version:message-id:date:subject:to

:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id

:reply-to;

bh=RObtSQx9OgPyw7tzo+tRlt41Das4i8c0DXUF2RO78Qw=;

b=kqaUol7sv/7lt7pmonCJyC2tpGemV6IssGbRqL7cYuBkHx/dgHwOVHgNttm3jvqNFG

u5c0o6eohdU2zJ7O1SZUEeJEWikDpkPt5WtUzUajgfLTkL1dzSNN/iAAPNBqiSXlIEZC

Trn6IOkYDEDxA0wZj5tQkRFWeiKHyUtmscUkj+vuEj3VdOakCWVtKVIflFEZeINRrpkg

jWTq1FW8szcSI1kO1oRoClmQl0c/WdBs/7BXSngnQpviCIzE5CwExi/xn7QApIUx/rSd

18QKi6gdFEMatBXOeHCnDQ+uc3eqbpsARgGXyUqxgJ0opiLNTVzXXBfHYbbiNkf7ibpl

S/ZQ==

X-Gm-Message-State: AOJu0YwWdjnzRa+C1raHpKJgtb4PwzSrecQkm0xflUSP5FgAy1Q/HZkb

l0v4hiEd1W/QrOYormlfPXzotUPoeIog6ziMUe11ndTpMFBqR1nVjjukW099eX339wNNPERZ2ZL

5fArzi+YoZPPgqnQZSRuz7UNGPOq6wQ2BLptFq/uJkCit3+M=

X-Gm-Gg: AfdE7clgtElLU9jAXwsOCvHWkFMQTo2x5jwgi7ye7K4b2suEyBjNUHTb2qJmVRX06Zq

IYGzVnMWXLL6sUAe1OihAYuoTzJk/tgF4PnlXKlyqsMM0jtsfFYxjtO1J1loY1boxHUkxgXfSIa

46LjGxyqWksa3Unii0/6mHptYnAfBm3CTMXOM5yt9bNnxvH2lCjggD8OHhSI3EOTb7/V+3niRYG

3u/T4Y36GCqz77VGHqXdIvLx4D1aKKwBWKlX/M8xVi4liMldK0j86hkKnEfvc3T+QKoO9BlqVKQ

Ofi1KMhccMyShoAidovijsVVaMZcN07HeF1Qr5JZQv6wKp7uF2J+jLHnM5AV6QDK9tchF9i4v3E

94JoqXOgySgACjhU=

X-Received: by 2002:a05:622a:6118:b0:516:dff5:68c4 with SMTP id d75a77b69052e-51a726e0948mr124774881cf.7.1782521628954;

Fri, 26 Jun 2026 17:53:48 -0700 (PDT)

Received: from [155.2.192.102] ([155.2.192.102])

by smtp-relay.gmail.com with ESMTP id d75a77b69052e-51a515cfaa5sm3782421cf.12.2026.06.26.17.53.48

for ;

Fri, 26 Jun 2026 17:53:48 -0700 (PDT)

X-Relaying-Domain: hes.it

From: Confirm your request for

To: sales@nk.ca

Subject: Urgent Notice on sales@nk.ca 6/26/2026 5:53:48 p.m.

Date: 26 Jun 2026 17:53:48 -0700

Message-ID: <20260626175348.5401028C07265DA6@hes.it>

MIME-Version: 1.0

Content-Type: text/html

Content-Transfer-Encoding: quoted-printable

X-Spam_score: 11.3

X-Spam_score_int: 113

X-Spam_bar: +++++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: nk.ca Dear sales,



Content analysis details: (11.3 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.0 RCVD_IN_WSFF RBL: Received via a relay in will-spam-for-food.eu.org

[155.2.192.102 listed in will-spam-for-food.eu.org]

[155.2.192.102 listed in will-spam-for-food.eu.org]

[155.2.192.102 listed in will-spam-for-food.eu.org]

[155.2.192.102 listed in will-spam-for-food.eu.org]

[155.2.192.102 listed in will-spam-for-food.eu.org]

[155.2.192.102 listed in will-spam-for-food.eu.org]

[155.2.192.102 listed in will-spam-for-food.eu.org]

[155.2.192.102 listed in will-spam-for-food.eu.org]

[209.85.160.229 listed in will-spam-for-food.eu.org]

[209.85.160.229 listed in will-spam-for-food.eu.org]

[209.85.160.229 listed in will-spam-for-food.eu.org]

[209.85.160.229 listed in will-spam-for-food.eu.org]

[209.85.160.229 listed in will-spam-for-food.eu.org]

[209.85.160.229 listed in will-spam-for-food.eu.org]

[209.85.160.229 listed in will-spam-for-food.eu.org]

[209.85.160.229 listed in will-spam-for-food.eu.org]

1.5 RCVD_IN_AHBL RBL: AHBL: sender is listed in dnsbl.ahbl.org

[155.2.192.102 listed in dnsbl.ahbl.org]

[155.2.192.102 listed in dnsbl.ahbl.org]

[155.2.192.102 listed in dnsbl.ahbl.org]

[155.2.192.102 listed in dnsbl.ahbl.org]

[209.85.160.229 listed in dnsbl.ahbl.org]

[209.85.160.229 listed in dnsbl.ahbl.org]

[209.85.160.229 listed in dnsbl.ahbl.org]

[209.85.160.229 listed in dnsbl.ahbl.org]

Remittance Advice Phish

Posted by Dave Yadallee on
X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Fri, 26 Jun 2026 19:44:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.99.3 (FreeBSD))

(envelope-from )

id 1wdI5H-00000000FJe-2TAf

for dave@doctor.nl2k.ab.ca;

Fri, 26 Jun 2026 19:43:51 -0600

Resent-From: The Doctor

Resent-Date: Fri, 26 Jun 2026 19:43:51 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from ns1.robo.co.jp ([219.166.6.18]:48138 helo=mail.robo.co.jp)

by doctor.nl2k.ab.ca with esmtp (Exim 4.99.3 (FreeBSD))

(envelope-from )

id 1wdExg-00000000Jbm-3B8V

for sales@nk.ca;

Fri, 26 Jun 2026 16:24:00 -0600

Received: from synergyhub.com.my (unknown [104.223.84.143])

by mail.robo.co.jp (Postfix) with ESMTPA id 44A1F6BEEE

for ; Sat, 27 Jun 2026 07:05:04 +0900 (JST)

From: "ePayment-6/26/2026 3:08:08 p.m.-Batch# 80671"

To: sales@nk.ca

Subject: Ref: EFT Remittance Notice-BATCH Attn: 797121--

Date: 26 Jun 2026 15:08:10 -0700

Message-ID: <20260626150808.25FE16C3D2F06D50@synergyhub.com.my>

MIME-Version: 1.0

Content-Type: multipart/mixed;

boundary="----=_NextPart_000_0012_6710E598.00E29A4F"



This is a multi-part message in MIME format.



------=_NextPart_000_0012_6710E598.00E29A4F

Content-Type: text/html

Content-Transfer-Encoding: quoted-printable














7fl" role=3D"textbox" aria-expanded=3D"false" aria-controls=3D":7im" aria-o=

wns=3D":7im" style=3D"direction: ltr; min-height: 551px;" contenteditable=

=3D"true" spellcheck=3D"false" aria-label=3D"Message Body" aria-multiline=

=3D"true">


rgb(51, 51, 51); font-family: "Lucida Grande", Verdana, Arial, Helvetica, =

sans-serif; font-size: 11px;'>


pse: collapse;">


























image: none; text-align: left;">Payment Notification
image: none; text-align: left;">Remittance Copy
image: none; text-align: left;">Check Number 955638

image: none;">Remittance Advice for INV# 46662
image: none;">Payment Notification to sales@nk.ca ....
image: none;">ACH on  6/26/2026 3:08:08 p.m.   Check nu=

mber 16831***






Arial, Helvetica, sans-serif; font-size: 11px;'>


ze: medium;'> 




medium;'>
e", Verdana, Arial, Helvetica, sans-serif; font-size: 11px;'>

Disclaimer Confidentiality Notice: This email and any files transmitted wit=

h it are confidential and intended solely for the use of the individual or =

entity to whom they are addressed. If you have received this email in error=

, please notify the originator of the message. Any views expressed in this =

message are those of the individual sender, except where the sender specifi=

es and, with authority. NOTICE: This e-mail is only intended for the person=

(s) to whom it is addressed and may contain=20

confidential information. Unless stated to the contrary, any opinions or co=

mments are personal to the writer and do not represent the official view. I=

f you have received this e-mail in error, please notify us immediately by r=

eply e-mail and then delete this message from your system. Please do not co=

py it or use it for any purposes, or disclose its contents to any other per=

son. Thank you for your cooperation.











------=_NextPart_000_0012_6710E598.00E29A4F

Content-Type: text/html; name="Remittance Advice for INV# 98254.html"

Content-Transfer-Encoding: base64

Content-Disposition: attachment; filename="Remittance Advice for INV# 98254.html"



...

------=_NextPart_000_0012_6710E598.00E29A4F--

Nigerian Spam Part 2

Posted by Dave Yadallee on


1.5 RCVD_IN_AHBL RBL: AHBL: sender is listed in dnsbl.ahbl.org

[219.100.37.233 listed in dnsbl.ahbl.org]

[219.100.37.233 listed in dnsbl.ahbl.org]

[219.100.37.233 listed in dnsbl.ahbl.org]

[219.100.37.233 listed in dnsbl.ahbl.org]

[195.228.240.101 listed in dnsbl.ahbl.org]

[195.228.240.101 listed in dnsbl.ahbl.org]

[195.228.240.101 listed in dnsbl.ahbl.org]

[195.228.240.101 listed in dnsbl.ahbl.org]

[195.228.240.55 listed in dnsbl.ahbl.org]

[195.228.240.55 listed in dnsbl.ahbl.org]

[195.228.240.55 listed in dnsbl.ahbl.org]

[195.228.240.55 listed in dnsbl.ahbl.org]

1.5 RCVD_IN_AHBL_SPAM RBL: AHBL: Spam Source in dnsbl.ahbl.org

[219.100.37.233 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_SMTP RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org

[219.100.37.233 listed in dnsbl.ahbl.org]

0.0 RCVD_IN_AHBL_RTB RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org

[219.100.37.233 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_PROXY RBL: AHBL: Open Proxy server in dnsbl.ahbl.org

[219.100.37.233 listed in dnsbl.ahbl.org]

1.5 RCVD_IN_CBL RBL: Received via a relay in cbl.abuseat.org

[Listed by XBL, see ]

1.5 RCVD_IN_SBL_XBL RBL: Received via a relay in Spamhaus SBL+XBL

[219.100.37.233 listed in sbl-xbl.spamhaus.org]

-0.0 SPF_PASS SPF: sender matches SPF record

1.6 RCVD_IN_BRBL_LASTEXT RBL: No description available.

[195.228.240.55 listed in bb.barracudacentral.org]

1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,

https://senderscore.org/blacklistlookup/

[195.228.240.55 listed in bl.score.senderscore.com]

-3.0 RCVD_IN_RP_CERTIFIED RBL: Sender in ReturnPath Certified - Contact

cert-sa@returnpath.net

[Excessive Number of Queries | ]

-2.0 RCVD_IN_RP_SAFE RBL: Sender in ReturnPath Safe - Contact

safe-sa@returnpath.net

[Excessive Number of Queries | ]

-0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay

domain

0.2 FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in digit

[olenazelenska68(at)gmail.com]

-0.2 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)

[195.228.240.55 listed in wl.mailspike.net]

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

0.0 HTML_FONT_SIZE_HUGE BODY: HTML font size is huge

0.0 HTML_MESSAGE BODY: HTML included in message

0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid

2.5 FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From

2.7 ADVANCE_FEE_4_NEW Appears to be advance fee fraud (Nigerian 419)

Subject: {SPAM?} N41-





Greetings.



 




This is Mrs. Olena Zelenska, I am contacting you based on my personal interest to develop a mutual businesRelationship with you in your country or your company. which I believe we could mutually benefit from.




 




Please reply urgently for more details




 




Regards,




Olena Zelenska




 




 




Please Note: if you receive this email in your junk or spam folders, please note it’s because of your internet ISP. Please mark it as not spam or move it to your inbox to reply






Nigerian Spam Part 1

Posted by Dave Yadallee on
X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Fri, 26 Jun 2026 15:55:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.99.3 (FreeBSD))

(envelope-from )

id 1wdEV7-000000005G9-2QC1

for dave@doctor.nl2k.ab.ca;

Fri, 26 Jun 2026 15:54:17 -0600

Resent-From: The Doctor

Resent-Date: Fri, 26 Jun 2026 15:54:17 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from mail-outd.mail.t-online.hu ([195.228.240.55]:46056)

by doctor.nl2k.ab.ca with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

(Exim 4.99.3 (FreeBSD))

(envelope-from )

id 1wdDQq-000000004sr-0vWc

for games@nl2k.ab.ca;

Fri, 26 Jun 2026 14:45:58 -0600

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=t-online.hu; s=mail;

t=1782506694; bh=686ReW5847c9+QCUVq6Q/a8L+n9pSApuBwVs3+KOXTI=;

h=Date:From:To:Subject:Reply-to;

b=idi0T6rKHdyE5oU/qU0lPogU3vL/+OCYpJxUZhqkSrCvOQkGt0eD3G9bJvPSPNAUT

HADqEMBabFJRlkNh/ac5K3VCPPZJwKURgyEYiDTVUEgzDW6XiM6h8HEPcVhKifFpyV

zwEzj5tp9I2r59bolxXRdLUiWHr96Nvjzb1HYRufZbz3+3Dvh6Sn7mPeD4nBqdy8T8

hUYsXfSMl708eJpGQDg4fcNCJRZGZDugy+aPOmyRJ7Vc0gVirIyLhrRZsOZYmEO3Hm

OESn1fh3wM3Znp0BkMdbkDEoq8PR4eOxG+2KFyoTspyXfmLLpY2l06VdHYXp1f6vLz

TElIwE4p5Lp3A==

Received: from maxwm03a.mail.t-online.hu (maxwm03a.mail.telekom.hu [195.228.240.101])

by mail-outd.mail.t-online.hu (Postfix) with ESMTP id 4gn6y518XxzDQ87;

Fri, 26 Jun 2026 22:40:45 +0200 (CEST)

Received: from public-nat-01.vpngate.v4.open.ad.jp

(public-nat-01.vpngate.v4.open.ad.jp [219.100.37.233]) by webmail.telekom.hu

(Horde Framework) with HTTP; Fri, 26 Jun 2026 22:44:55 +0200

Date: Fri, 26 Jun 2026 22:44:55 +0200

Message-ID: <20260626224455.Horde.4HgEAi-ml1En2vrU6bZfFsQ@webmail.telekom.hu>

From: Olena Zelenska

To: me@me.com

Subject: N41-

Reply-to: olenazelenska68@gmail.com

User-Agent: Horde Application Framework 5

Content-Type: text/html; charset=utf-8

Content-Description: HTML =?utf-8?b?bGV2w6ls?=

MIME-Version: 1.0

Content-Disposition: inline

X-VadeSecure-Status: Legit

X-VadeSecure-Score: 0

X-VadeSecure-Verdict: Legit

Authentication-Results: iprev=notverified ip=195.228.240.101;

spf=notverified client-ip=195.228.240.101 smtp.mailfrom=elek.tibor48@t-online.hu;

dkim=notverified (), header.i=;

dmarc=notverified

Received-SPF: SPF not checked

X-VadeSecure-Status: Legit

X-VadeSecure-Score: 0

X-VadeSecure-Cause: gggruggvucftvghtrhhoucdtuddrgeefhedrtddtgddvhedukedvucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuofetifgjteftvffgnffgmffqofdpucfqfgfvnecuuegrihhlohhuthemuceftddtnecunecujfgurhephffvufhrfggtgggusehhtddttddtreejnecuhfhrohhmpefqlhgvnhgrucgkvghlvghnshhkrgcuoegvlhgvkhdrthhisghorhegkeesthdqohhnlhhinhgvrdhhuheqnecuggftrfgrthhtvghrnhepffehieffvdfhhfdvheeuhfeiueevleeikedtffeujeffveetudefveeiieffvddtnecukfhppeduleehrddvvdekrddvgedtrddutddupddvudelrddutddtrdefjedrvdeffeenuceurggutfgvphhuthfkphepvdduledruddttddrfeejrddvfeefnecuvehluhhsthgvrhfuihiivgepkeefnecurfgrrhgrmhepmhhouggvpehsmhhtphdpihhnvghtpeduleehrddvvdekrddvgedtrddutddupdhhvghlohepmhgrgiifmhdtfegrrdhmrghilhdrthdqohhnlhhinhgvrdhhuhdpmhgrihhlfhhrohhmpegvlhgvkhdrthhisghorhegkeesthdqohhnlhhinhgvrdhhuhdpnhgspghrtghpthhtohepfedupdhrtghpthhtohepmhgvsehmvgdrtghomhdprhgtphhtthhopehgrghllhhishhonhesohguhihsshgvhidrohhnrdgtrgdprhgtphhtthhopehgrghllhhivhgrnhesfigvshhtmhgrnhdrfigrvhgvrdgtrgdprhgtphhtthhopehgrghllhhivhgrnhhtsegrtg

gtvghsshgtohhmmhdrtggrpdhrtghpthhtohepghgrlhhlohhssegthhhlrdgtrgdprhgtphhtthhopehgrghllhhofigrhiesnhgsnhgvthdrnhgsrdgtrgdprhgtphhtthhopehgrghllhhofigrhiesuhhmrghnihhtohgsrgdrtggr

X-VadeSecure-Verdict: Legit

X-Spam_score: 12.3

X-Spam_score_int: 123

X-Spam_bar: ++++++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Greetings. This is Mrs. Olena Zelenska, I am contacting you

based on my personal interest to develop a mutual businesRelationship with

you in your country or your company. which I believe we could mutually benef

[...]



Content analysis details: (12.3 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.0 RCVD_IN_WSFF RBL: Received via a relay in will-spam-for-food.eu.org

[219.100.37.233 listed in will-spam-for-food.eu.org]

[219.100.37.233 listed in will-spam-for-food.eu.org]

[219.100.37.233 listed in will-spam-for-food.eu.org]

[219.100.37.233 listed in will-spam-for-food.eu.org]

[219.100.37.233 listed in will-spam-for-food.eu.org]

[219.100.37.233 listed in will-spam-for-food.eu.org]

[219.100.37.233 listed in will-spam-for-food.eu.org]

[219.100.37.233 listed in will-spam-for-food.eu.org]

[195.228.240.101 listed in will-spam-for-food.eu.org]

[195.228.240.101 listed in will-spam-for-food.eu.org]

[195.228.240.101 listed in will-spam-for-food.eu.org]

[195.228.240.101 listed in will-spam-for-food.eu.org]

[195.228.240.101 listed in will-spam-for-food.eu.org]

[195.228.240.101 listed in will-spam-for-food.eu.org]

[195.228.240.101 listed in will-spam-for-food.eu.org]

[195.228.240.101 listed in will-spam-for-food.eu.org]

[195.228.240.55 listed in will-spam-for-food.eu.org]

[195.228.240.55 listed in will-spam-for-food.eu.org]

[195.228.240.55 listed in will-spam-for-food.eu.org]

[195.228.240.55 listed in will-spam-for-food.eu.org]

[195.228.240.55 listed in will-spam-for-food.eu.org]

[195.228.240.55 listed in will-spam-for-food.eu.org]

[195.228.240.55 listed in will-spam-for-food.eu.org]

[195.228.240.55 listed in will-spam-for-food.eu.org]

Security Analysis phish from Google Gmail Part 2

Posted by Dave Yadallee on
--00000000000011393506552de15d

Content-Type: multipart/alternative; boundary="00000000000011393306552de15b"



--00000000000011393306552de15b

Content-Type: text/plain; charset="UTF-8"

Content-Transfer-Encoding: quoted-printable



Hello NetKnow Security Team,

I am Ahmed Saifi, an independent security researcher specializing in

responsible disclosure.

Since 1995 you've proudly offered "strong security" =E2=80=94 however, I fo=

und the

following issues today:

Issue 1: Public Visitor Statistics Page (No Authentication)

..

https://www.nk.ca/visitors/?env=3D%2Fbestbuy.com%2F%2F..%60+WHERE+8449%3D84=

49AND%2F%2A%2A%2FGTID_SUBSET%28CONCAT%28%27~%27%2C%28SELECT%2F%2A%2A%2F%28E=

LT%289379%3D9379%2C1%29%29%29%2C%27~%27%29%2C9379%29--+-#Requested%20images=

%20and%20CSS

..



This page exposes:

Complete server traffic logs (1,199,783 unique visitors)

All 404 errors including active SQL Injection attempts

Sensitive file path requests (.env requested 41,716 times, /.git/config

29,856 times)

Full referrer data and user agent strings

Issue 2: Active SQL Injection Attempt Logged Publicly

Attacker payloads are visible in your public logs:

/visitors/?env=3D/bestbuy.com//.. + GTID_SUBSET MySQL injection

Issue 3: Auto-Generated Public Reports

Daily reports generated automatically and published publicly (last: Jun 26

2026 14:06:47), exposing 14,771,529 log entries with zero authentication.

Recommendations:

Restrict /visitors/ behind authentication immediately

Review logs for successful injection attempts

Audit .env and .git exposure

I have not accessed, modified, or extracted any data.

Regards,

Ahmed Saifi

Independent Security Researcher

syfyahmd54@gmail.com



--00000000000011393306552de15b

Content-Type: text/html; charset="UTF-8"

Content-Transfer-Encoding: quoted-printable



Hello NetKnow Security Team,
I am Ahmed =

Saifi, an independent security researcher specializing in responsible discl=

osure.
Since 1995 you've proudly offered "s=

trong security" =E2=80=94 however, I found the following issues today:=

Issue 1: Public Visitor Statistics Page (No Authent=

ication)
..=C2=A0

https://www.nk.ca/visitors/?env=3D%2Fbestbuy.com%2F%2F..%60+WHERE+8449%3D84=

49AND%2F%2A%2A%2FGTID_SUBSET%28CONCAT%28%27~%27%2C%28SELECT%2F%2A%2A%2F%28E=

LT%289379%3D9379%2C1%29%29%29%2C%27~%27%29%2C9379%29--+-#Requested%20images=

%20and%20CSS">https://www.nk.ca/visitors/?env=3D%2Fbestbuy.com%2F%2F..%60+W=

HERE+8449%3D8449AND%2F%2A%2A%2FGTID_SUBSET%28CONCAT%28%27~%27%2C%28SELECT%2=

F%2A%2A%2F%28ELT%289379%3D9379%2C1%29%29%29%2C%27~%27%29%2C9379%29--+-#Requ=

ested%20images%20and%20CSS
..=C2=A0

r=3D"auto">
This page exposes:

auto">Complete server traffic logs (1,199,783 unique visitors)

r=3D"auto">All 404 errors including active SQL Injection attempts

dir=3D"auto">Sensitive file path requests (.env requested 41,716 times, /.=

git/config 29,856 times)
Full referrer data and user=

agent strings
Issue 2: Active SQL Injection Attempt=

Logged Publicly
Attacker payloads are visible in yo=

ur public logs:
/visitors/?env=3D/
bestbuy.com//">bestbuy.com//.. + GTID_SUBSET MySQL injection

dir=3D"auto">Issue 3: Auto-Generated Public Reports
=

Daily reports generated automatically and published publicly (last: Jun 26 =

2026 14:06:47), exposing 14,771,529 log entries with zero authentication.
div>
Recommendations:
Restrict /vis=

itors/ behind authentication immediately
Review logs=

for successful injection attempts
Audit .env and .g=

it exposure
I have not accessed, modified, or extrac=

ted any data.
Regards,
Ahmed =

Saifi
Independent Security Researcher

=3D"auto">syfyahmd54@gmail.com<=

/div>




--00000000000011393306552de15b--

--00000000000011393506552de15d

Content-Type: image/jpeg; name="1000059256.jpg"

Content-Disposition: attachment; filename="1000059256.jpg"

X-Mozilla-External-Attachment-URL: file:///home/dsy/Downloads/1000059256.jpg

X-Mozilla-Altered: AttachmentDetached; date="Sat Jun 27 15:39:43 2026"



You deleted an attachment from this message. The original MIME headers for the attachment were:

Content-Type: image/jpeg; name="1000059256.jpg"

Content-Disposition: attachment; filename="1000059256.jpg"

Content-Transfer-Encoding: base64

Content-ID: <19f059986fba3c06a114>

X-Attachment-Id: 19f059986fba3c06a114





--00000000000011393506552de15d

Content-Type: image/jpeg; name="1000059254.jpg"

Content-Disposition: attachment; filename="1000059254.jpg"

X-Mozilla-External-Attachment-URL: file:///home/dsy/Downloads/1000059254.jpg

X-Mozilla-Altered: AttachmentDetached; date="Sat Jun 27 15:39:43 2026"



You deleted an attachment from this message. The original MIME headers for the attachment were:

Content-Type: image/jpeg; name="1000059254.jpg"

Content-Disposition: attachment; filename="1000059254.jpg"

Content-Transfer-Encoding: base64

Content-ID: <19f059986fba3a43b0f6>

X-Attachment-Id: 19f059986fba3a43b0f6





--00000000000011393506552de15d

Content-Type: image/jpeg; name="1000059255.jpg"

Content-Disposition: attachment; filename="1000059255.jpg"

X-Mozilla-External-Attachment-URL: file:///home/dsy/Downloads/1000059255.jpg

X-Mozilla-Altered: AttachmentDetached; date="Sat Jun 27 15:39:43 2026"



You deleted an attachment from this message. The original MIME headers for the attachment were:

Content-Type: image/jpeg; name="1000059255.jpg"

Content-Disposition: attachment; filename="1000059255.jpg"

Content-Transfer-Encoding: base64

Content-ID: <19f059986fba3b252905>

X-Attachment-Id: 19f059986fba3b252905





--00000000000011393506552de15d

Content-Type: image/jpeg; name="1000059257.jpg"

Content-Disposition: attachment; filename="1000059257.jpg"

X-Mozilla-External-Attachment-URL: file:///home/dsy/Downloads/1000059257.jpg

X-Mozilla-Altered: AttachmentDetached; date="Sat Jun 27 15:39:43 2026"



You deleted an attachment from this message. The original MIME headers for the attachment were:

Content-Type: image/jpeg; name="1000059257.jpg"

Content-Disposition: attachment; filename="1000059257.jpg"

Content-Transfer-Encoding: base64

Content-ID: <19f059986fba3ce81923>

X-Attachment-Id: 19f059986fba3ce81923





--00000000000011393506552de15d

Content-Type: image/jpeg; name="1000059258.jpg"

Content-Disposition: attachment; filename="1000059258.jpg"

X-Mozilla-External-Attachment-URL: file:///home/dsy/Downloads/1000059258.jpg

X-Mozilla-Altered: AttachmentDetached; date="Sat Jun 27 15:39:43 2026"



You deleted an attachment from this message. The original MIME headers for the attachment were:

Content-Type: image/jpeg; name="1000059258.jpg"

Content-Disposition: attachment; filename="1000059258.jpg"

Content-Transfer-Encoding: base64

Content-ID: <19f059986fba3dc99132>

X-Attachment-Id: 19f059986fba3dc99132





--00000000000011393506552de15d

Content-Type: image/jpeg; name="1000059259.jpg"

Content-Disposition: attachment; filename="1000059259.jpg"

X-Mozilla-External-Attachment-URL: file:///home/dsy/Downloads/1000059259.jpg

X-Mozilla-Altered: AttachmentDetached; date="Sat Jun 27 15:39:43 2026"



You deleted an attachment from this message. The original MIME headers for the attachment were:

Content-Type: image/jpeg; name="1000059259.jpg"

Content-Disposition: attachment; filename="1000059259.jpg"

Content-Transfer-Encoding: base64

Content-ID: <19f059986fba3eab0941>

X-Attachment-Id: 19f059986fba3eab0941





--00000000000011393506552de15d--