Credential phishing Part 1
Posted by Dave Yadallee on
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-path:
Envelope-to: dave@doctor.nl2k.ab.ca
Delivery-date: Sat, 03 Jan 2026 08:11:00 -0700
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.98.2 (FreeBSD))
(envelope-from)
id 1vc3H1-00000000MDD-05Fs
for dave@doctor.nl2k.ab.ca;
Sat, 03 Jan 2026 08:10:35 -0700
Resent-From: The Doctor
Resent-Date: Sat, 3 Jan 2026 08:10:34 -0700
Resent-Message-ID:
Resent-To: Dave Yadallee
Received: from [45.141.234.70] (port=55913 helo=adrarlis.com)
by doctor.nl2k.ab.ca with esmtp (Exim 4.98.2 (FreeBSD))
id 1vbw8q-00000000NBO-0i2I
for sales@netknow.ca;
Sat, 03 Jan 2026 00:33:47 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=smtp; d=netknow.ca;
h=Date:Message-Id:To:From:Subject:Content-Type:Mime-Version:Content-Transfer-Encoding; i=sales@netknow.ca;
bh=K95xSKGqjMk8FQjXErXTLkWbSOI=;
b=saflOmWQRYjVcdPxa7oOKrKdFiCf7HbHmy6yU7Mnpnr8HAH4zXWZKL2d5SdQUOf+49HcEWWc6O/D
wWZfsYZgTe/u0W2/Nxr0ujl32DOe0O/cUHTadZNPc+y+Kfl0zrLPBWpWFYEzmMz/+9JQv5VwJ50S
qPDCshYBZF3/vSIWkik=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=smtp; d=netknow.ca;
b=B1euFQ3lX/T7pt/sVIIz2XMoUlRLCUtLyyoevlX2OiKNrMsS4w4OSfu7nsaGLXECVcr6J6C5K+E6
iWgjs06mfZb6U+ySpykD88pHEJy0zZZZTqmMwslokev366fcNuV5lA+faOsvsIKxzEd6jvvojbcr
Lm4Kn6bIoTKocEP4d80=;
Date: Sat, 03 Jan 2026 07:32:20 +0000
Message-Id: <831353027697902.9.RTG8440292622@adrarlis.com>
To: sales@netknow.ca
From: Cloud Storage
Subject: Final Warning: Your photos will be deleted today
Content-Type: text/html; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam_score: 23.9
X-Spam_score_int: 239
X-Spam_bar: +++++++++++++++++++++++
X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
@@CONTACT_ADDRESS@@ for details.
Content preview: Critical Storage Alert ! Transaction Declined: Payment Failed
Content analysis details: (23.9 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
1.5 RCVD_IN_AHBL RBL: AHBL: sender is listed in dnsbl.ahbl.org
[45.141.234.70 listed in dnsbl.ahbl.org]
[45.141.234.70 listed in dnsbl.ahbl.org]
[45.141.234.70 listed in dnsbl.ahbl.org]
[45.141.234.70 listed in dnsbl.ahbl.org]
0.5 RCVD_IN_AHBL_SMTP RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org
[45.141.234.70 listed in dnsbl.ahbl.org]
0.0 RCVD_IN_AHBL_RTB RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org
[45.141.234.70 listed in dnsbl.ahbl.org]
0.5 RCVD_IN_AHBL_PROXY RBL: AHBL: Open Proxy server in dnsbl.ahbl.org
[45.141.234.70 listed in dnsbl.ahbl.org]
1.5 RCVD_IN_AHBL_SPAM RBL: AHBL: Spam Source in dnsbl.ahbl.org
[45.141.234.70 listed in dnsbl.ahbl.org]
1.0 RCVD_IN_WSFF RBL: Received via a relay in will-spam-for-food.eu.org
[45.141.234.70 listed in will-spam-for-food.eu.org]
[45.141.234.70 listed in will-spam-for-food.eu.org]
[45.141.234.70 listed in will-spam-for-food.eu.org]
[45.141.234.70 listed in will-spam-for-food.eu.org]
[45.141.234.70 listed in will-spam-for-food.eu.org]
[45.141.234.70 listed in will-spam-for-food.eu.org]
[45.141.234.70 listed in will-spam-for-food.eu.org]
[45.141.234.70 listed in will-spam-for-food.eu.org]
1.5 RCVD_IN_SBL_XBL RBL: Received via a relay in Spamhaus SBL+XBL
[45.141.234.70 listed in sbl-xbl.spamhaus.org]
3.6 RCVD_IN_SBL_CSS RBL: Received via a relay in Spamhaus SBL-CSS
[45.141.234.70 listed in zen.spamhaus.org]
1.9 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
[URI: 31.129.22.185]
1.9 URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL blocklist
[URI: 31.129.22.185]
1.7 URIBL_BLACK Contains an URL listed in the URIBL blacklist
[URI: 31.129.22.185]
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
0.1 DKIM_INVALID DKIM or DK signature exists, but is not valid
1.6 RCVD_IN_MSPIKE_L3 RBL: Low reputation (-3)
[45.141.234.70 listed in bl.mailspike.net]
1.0 OFFER_URI URI: Offer in link address
0.0 NORMAL_HTTP_TO_IP URI: URI host has a public dotted-decimal IPv4
address
0.0 HTML_FONT_SIZE_HUGE BODY: HTML font size is huge
0.0 HTML_MESSAGE BODY: HTML included in message
1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
0.8 SARE_FROM_SPAM_WORD3 I don't know people named this!
0.0 RCVD_IN_MSPIKE_BL Mailspike blacklisted
1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
0.4 TO_EQ_FM_DIRECT_MX To == From and direct-to-MX
1.8 TO_EQ_FM_DOM_HTML_ONLY To domain == From domain and HTML only
0.0 TO_EQ_FM_HTML_DIRECT To == From and HTML only, direct-to-MX
0.0 T_STY_INVIS_DIRECT HTML hidden text + direct-to-MX
Subject: {SPAM?} Final Warning: Your photos will be deleted today
Critical Storage Alert


Transaction Declined: Payment Failed
Your billing information is outdated. Immediate action is required to avoid permanent file
deletion. If your storage is full, incoming data will be rejected.
Automatic renewal failed.
Without an active plan, your secure cloud environment has been suspended.
Your Cloud synchronization service protects your photos, videos, and documents. Without a valid
subscription, access to these files will be revoked across all devices.
Update Payment Information
System Log: Transaction Error
Subscription ID:
48521556984
Product:
Cloud Storage 1TB
Termination Date:
Today
Reactivate Account Now