Invoice phish from Russia Part 2

Hi doctor,

Attached is your invoice and payment receipt for your records.

Please review the attached document. Let us know if you have any questions.

[image "document icon": https://gyazo.com/da09dca224cdd187568d5f5cb45895ed.png, width 76, height 104]

View_Invoice_Payment_Receipt.pdf [link target, beginning cut off in source: gomeryauc.vercel.app/?email=doctor@nk.ca]

Best Regards,

Mike O'Leary
Billing Department








Invoice phish from Russia Part 1

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Wed, 22 Apr 2026 11:40:02 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1wFbYE-00000000NjT-1Xly

for dave@doctor.nl2k.ab.ca;

Wed, 22 Apr 2026 11:39:50 -0600

Resent-From: The Doctor

Resent-Date: Wed, 22 Apr 2026 11:39:50 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from relay.meteogmp.ru ([95.163.222.104]:5460)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384

(Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1wFaY6-00000000I1A-0djC

for doctor@nk.ca;

Wed, 22 Apr 2026 10:35:50 -0600

Received: from mail.meteogmp.ru (mail.meteogmp.ru [91.247.194.23])

by relay.meteogmp.ru (Postfix) with ESMTP id CB1A53EE88

for ; Wed, 22 Apr 2026 19:31:33 +0300 (MSK)

Received: from mail.meteogmp.ru (localhost [127.0.0.1])

by mail.meteogmp.ru (Postfix) with ESMTP id 4g14Wl3wDPz1M9nS

for ; Wed, 22 Apr 2026 19:32:35 +0300 (MSK)

X-Virus-Scanned: Debian amavis at localhost.localdomain

Received: from mail.meteogmp.ru ([127.0.0.1])

by mail.meteogmp.ru (mail.meteogmp.ru [127.0.0.1]) (amavis, port 10024)

with ESMTP id Q6epcr8UsiYl for ;

Wed, 22 Apr 2026 19:32:35 +0300 (MSK)

Received: from s1590535.smartape-vps.com (_gateway [10.10.0.1])

by mail.meteogmp.ru (Postfix) with ESMTPS id 4g14Wk6RNxz1M9mW

for ; Wed, 22 Apr 2026 19:32:34 +0300 (MSK)

From: Mike O'Leary

To: doctor@nk.ca

Subject: Invoice attached from Mike O'Leary - Wednesday, April 22, 2026 9:34 a.m.

Date: 22 Apr 2026 09:34:04 -0700

Message-ID: <20260422093404.3C1C6576E8611ADF@gmail.com>

MIME-Version: 1.0

Content-Type: text/html

Content-Transfer-Encoding: quoted-printable

X-Spam_score: 8.7

X-Spam_score_int: 87

X-Spam_bar: ++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Hi doctor, Attached is your invoice and payment receipt for

your records.



Content analysis details: (8.7 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.5 RCVD_IN_AHBL RBL: AHBL: sender is listed in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

[95.163.222.104 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_SMTP RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_PROXY RBL: AHBL: Open Proxy server in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

0.0 RCVD_IN_AHBL_RTB RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

1.5 RCVD_IN_AHBL_SPAM RBL: AHBL: Spam Source in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

-2.0 RCVD_IN_RP_SAFE RBL: Sender in ReturnPath Safe - Contact

safe-sa@returnpath.net

[Excessive Number of Queries | ]

1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,

https://senderscore.org/blacklistlookup/

[95.163.222.104 listed in bl.score.senderscore.com]

-3.0 RCVD_IN_RP_CERTIFIED RBL: Sender in ReturnPath Certified - Contact

cert-sa@returnpath.net

[Excessive Number of Queries | ]

1.0 RCVD_IN_WSFF RBL: Received via a relay in will-spam-for-food.eu.org

[91.247.194.23 listed in will-spam-for-food.eu.org]

[95.163.222.104 listed in will-spam-for-food.eu.org]

1.0 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)

0.2 MR_NOT_ATTRIBUTED_IP Beta rule: an non-attributed IPv4 found in

headers

0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in

digit

[andy55(at)gmail.com]

1.0 FORGED_GMAIL_RCVD 'From' gmail.com does not match 'Received' headers

0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider

[andy55(at)gmail.com]

1.5 MR_STRANGE_QUESTION URI: No description available.

0.0 HTML_FONT_SIZE_HUGE BODY: HTML font size is huge

0.0 HTML_MESSAGE BODY: HTML included in message

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

0.0 NO_RDNS2 Sending MTA has no reverse DNS

1.5 GB_CUSTOM_HTM_URI Custom html uri

0.7 SPOOFED_FREEMAIL No description available.

0.1 SPOOF_GMAIL_MID From Gmail but it doesn't seem to be...

Subject: {SPAM?} Invoice attached from Mike O'Leary - Wednesday, April 22, 2026 9:34 a.m.

Invoice phish from Russia Part 2

Hi doctor,

Attached is your invoice and payment receipt for your records.

Please review the attached document. Let us know if you have any questions.

[image "document icon": https://gyazo.com/da09dca224cdd187568d5f5cb45895ed.png, width 76, height 104]

View_Invoice_Payment_Receipt.pdf [link target, beginning cut off in source: gomeryauc.vercel.app/?email=doctor@doctor.nl2k.ab.ca]

Best Regards,

Mike O'Leary
Billing Department








Invoice phish from Russia Part 1

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Wed, 22 Apr 2026 11:40:01 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1wFbY9-00000000NjC-35Bh

for dave@doctor.nl2k.ab.ca;

Wed, 22 Apr 2026 11:39:45 -0600

Resent-From: The Doctor

Resent-Date: Wed, 22 Apr 2026 11:39:45 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from relay.meteogmp.ru ([95.163.222.104]:50515)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384

(Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1wFaY5-00000000I13-3mwv

for doctor@doctor.nl2k.ab.ca;

Wed, 22 Apr 2026 10:35:45 -0600

Received: from mail.meteogmp.ru (mail.meteogmp.ru [91.247.194.23])

by relay.meteogmp.ru (Postfix) with ESMTP id C522B3EF92

for ; Wed, 22 Apr 2026 19:31:33 +0300 (MSK)

Received: from mail.meteogmp.ru (localhost [127.0.0.1])

by mail.meteogmp.ru (Postfix) with ESMTP id 4g14Wl3l4Dz1M9n6

for ; Wed, 22 Apr 2026 19:32:35 +0300 (MSK)

X-Virus-Scanned: Debian amavis at localhost.localdomain

Received: from mail.meteogmp.ru ([127.0.0.1])

by mail.meteogmp.ru (mail.meteogmp.ru [127.0.0.1]) (amavis, port 10024)

with ESMTP id 47rZVzVqlNEd for ;

Wed, 22 Apr 2026 19:32:35 +0300 (MSK)

Received: from s1590535.smartape-vps.com (_gateway [10.10.0.1])

by mail.meteogmp.ru (Postfix) with ESMTPS id 4g14Wk5Gcxz1M9q3

for ; Wed, 22 Apr 2026 19:32:34 +0300 (MSK)

From: Mike O'Leary

To: doctor@doctor.nl2k.ab.ca

Subject: Invoice attached from Mike O'Leary - Wednesday, April 22, 2026 9:34 a.m.

Date: 22 Apr 2026 09:34:04 -0700

Message-ID: <20260422093404.1A0A0D2F66C0CE4B@gmail.com>

MIME-Version: 1.0

Content-Type: text/html

Content-Transfer-Encoding: quoted-printable

X-Spam_score: 7.2

X-Spam_score_int: 72

X-Spam_bar: +++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Hi doctor, Attached is your invoice and payment receipt for

your records.



Content analysis details: (7.2 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.5 RCVD_IN_AHBL RBL: AHBL: sender is listed in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

[95.163.222.104 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_PROXY RBL: AHBL: Open Proxy server in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_SMTP RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

1.5 RCVD_IN_AHBL_SPAM RBL: AHBL: Spam Source in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

0.0 RCVD_IN_AHBL_RTB RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

-2.0 RCVD_IN_RP_SAFE RBL: Sender in ReturnPath Safe - Contact

safe-sa@returnpath.net

[Excessive Number of Queries | ]

1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,

https://senderscore.org/blacklistlookup/

[95.163.222.104 listed in bl.score.senderscore.com]

-3.0 RCVD_IN_RP_CERTIFIED RBL: Sender in ReturnPath Certified - Contact

cert-sa@returnpath.net

[Excessive Number of Queries | ]

1.0 RCVD_IN_WSFF RBL: Received via a relay in will-spam-for-food.eu.org

[91.247.194.23 listed in will-spam-for-food.eu.org]

[95.163.222.104 listed in will-spam-for-food.eu.org]

1.0 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)

0.2 MR_NOT_ATTRIBUTED_IP Beta rule: an non-attributed IPv4 found in

headers

0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in

digit

[andy55(at)gmail.com]

1.0 FORGED_GMAIL_RCVD 'From' gmail.com does not match 'Received' headers

0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider

[andy55(at)gmail.com]

1.5 MR_STRANGE_QUESTION URI: No description available.

0.0 HTML_FONT_SIZE_HUGE BODY: HTML font size is huge

0.0 HTML_MESSAGE BODY: HTML included in message

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

0.0 NO_RDNS2 Sending MTA has no reverse DNS

0.7 SPOOFED_FREEMAIL No description available.

0.1 SPOOF_GMAIL_MID From Gmail but it doesn't seem to be...

Subject: {SPAM?} Invoice attached from Mike O'Leary - Wednesday, April 22, 2026 9:34 a.m.

Russian Invoice Spam Part 1

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Wed, 22 Apr 2026 11:40:01 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1wFbY3-00000000NiP-13Zw

for dave@doctor.nl2k.ab.ca;

Wed, 22 Apr 2026 11:39:39 -0600

Resent-From: The Doctor

Resent-Date: Wed, 22 Apr 2026 11:39:39 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from relay.meteogmp.ru ([95.163.222.104]:19181)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384

(Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1wFaY5-00000000I1B-3o66

for sales@nk.ca;

Wed, 22 Apr 2026 10:35:45 -0600

Received: from mail.meteogmp.ru (mail.meteogmp.ru [91.247.194.23])

by relay.meteogmp.ru (Postfix) with ESMTP id D74933EF95

for ; Wed, 22 Apr 2026 19:31:33 +0300 (MSK)

Received: from mail.meteogmp.ru (localhost [127.0.0.1])

by mail.meteogmp.ru (Postfix) with ESMTP id 4g14Wl4Fwvz1M9mZ

for ; Wed, 22 Apr 2026 19:32:35 +0300 (MSK)

X-Virus-Scanned: Debian amavis at localhost.localdomain

Received: from mail.meteogmp.ru ([127.0.0.1])

by mail.meteogmp.ru (mail.meteogmp.ru [127.0.0.1]) (amavis, port 10024)

with ESMTP id zGRDCVWqSJ0s for ;

Wed, 22 Apr 2026 19:32:35 +0300 (MSK)

Received: from s1590535.smartape-vps.com (_gateway [10.10.0.1])

by mail.meteogmp.ru (Postfix) with ESMTPS id 4g14Wl0RfBz1M9mj

for ; Wed, 22 Apr 2026 19:32:35 +0300 (MSK)

From: Mike O'Leary

To: sales@nk.ca

Subject: Invoice attached from Mike O'Leary - Wednesday, April 22, 2026 9:34 a.m.

Date: 22 Apr 2026 09:34:04 -0700

Message-ID: <20260422093404.E78456BF4B57ED08@gmail.com>

MIME-Version: 1.0

Content-Type: text/html

Content-Transfer-Encoding: quoted-printable

X-Spam_score: 7.2

X-Spam_score_int: 72

X-Spam_bar: +++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Hi sales, Attached is your invoice and payment receipt for

your records.



Content analysis details: (7.2 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.5 RCVD_IN_AHBL RBL: AHBL: sender is listed in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

[95.163.222.104 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_SMTP RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

1.5 RCVD_IN_AHBL_SPAM RBL: AHBL: Spam Source in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

0.0 RCVD_IN_AHBL_RTB RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_PROXY RBL: AHBL: Open Proxy server in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

-2.0 RCVD_IN_RP_SAFE RBL: Sender in ReturnPath Safe - Contact

safe-sa@returnpath.net

[Excessive Number of Queries | ]

1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,

https://senderscore.org/blacklistlookup/

[95.163.222.104 listed in bl.score.senderscore.com]

-3.0 RCVD_IN_RP_CERTIFIED RBL: Sender in ReturnPath Certified - Contact

cert-sa@returnpath.net

[Excessive Number of Queries | ]

1.0 RCVD_IN_WSFF RBL: Received via a relay in will-spam-for-food.eu.org

[91.247.194.23 listed in will-spam-for-food.eu.org]

[95.163.222.104 listed in will-spam-for-food.eu.org]

1.0 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)

0.2 MR_NOT_ATTRIBUTED_IP Beta rule: an non-attributed IPv4 found in

headers

0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in

digit

[andy55(at)gmail.com]

1.0 FORGED_GMAIL_RCVD 'From' gmail.com does not match 'Received' headers

0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider

[andy55(at)gmail.com]

1.5 MR_STRANGE_QUESTION URI: No description available.

0.0 HTML_FONT_SIZE_HUGE BODY: HTML font size is huge

0.0 HTML_MESSAGE BODY: HTML included in message

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

0.0 NO_RDNS2 Sending MTA has no reverse DNS

0.7 SPOOFED_FREEMAIL No description available.

0.1 SPOOF_GMAIL_MID From Gmail but it doesn't seem to be...

Subject: {SPAM?} Invoice attached from Mike O'Leary - Wednesday, April 22, 2026 9:34 a.m.

Russian Invoice Spam Part 2

Hi sales,

Attached is your invoice and payment receipt for your records.

Please review the attached document. Let us know if you have any questions.

[image "document icon": https://gyazo.com/da09dca224cdd187568d5f5cb45895ed.png, width 76, height 104]

View_Invoice_Payment_Receipt.pdf [link target, beginning cut off in source: gomeryauc.vercel.app/?email=sales@nk.ca]

Best Regards,

Mike O'Leary
Billing Department








Invoice Phish from Russia Part 2

Hi root,

Attached is your invoice and payment receipt for your records.

Please review the attached document. Let us know if you have any questions.

[image "document icon": https://gyazo.com/da09dca224cdd187568d5f5cb45895ed.png, width 76, height 104]

View_Invoice_Payment_Receipt.pdf [link target, beginning cut off in source: gomeryauc.vercel.app/?email=root@nk.ca]

Best Regards,

Mike O'Leary
Billing Department






Russian Invoice phish

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Wed, 22 Apr 2026 10:36:00 -0600

Received: from relay.meteogmp.ru ([95.163.222.104]:62960)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384

(Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1wFaY5-00000000I17-3tv8

for dave@doctor.nl2k.ab.ca;

Wed, 22 Apr 2026 10:35:50 -0600

Received: from mail.meteogmp.ru (mail.meteogmp.ru [91.247.194.23])

by relay.meteogmp.ru (Postfix) with ESMTP id C14D13EDF5

for ; Wed, 22 Apr 2026 19:31:33 +0300 (MSK)

Received: from mail.meteogmp.ru (localhost [127.0.0.1])

by mail.meteogmp.ru (Postfix) with ESMTP id 4g14Wl3d5kz1M9n1

for ; Wed, 22 Apr 2026 19:32:35 +0300 (MSK)

X-Virus-Scanned: Debian amavis at localhost.localdomain

Received: from mail.meteogmp.ru ([127.0.0.1])

by mail.meteogmp.ru (mail.meteogmp.ru [127.0.0.1]) (amavis, port 10024)

with ESMTP id khhgqgvtowCO for ;

Wed, 22 Apr 2026 19:32:35 +0300 (MSK)

Received: from s1590535.smartape-vps.com (_gateway [10.10.0.1])

by mail.meteogmp.ru (Postfix) with ESMTPS id 4g14Wk5Cm8z1M9q1

for ; Wed, 22 Apr 2026 19:32:34 +0300 (MSK)

From: Mike O'Leary

To: dave@doctor.nl2k.ab.ca

Subject: Invoice attached from Mike O'Leary - Wednesday, April 22, 2026 9:34 a.m.

Date: 22 Apr 2026 09:34:04 -0700

Message-ID: <20260422093404.6A072C982CEAD731@gmail.com>

MIME-Version: 1.0

Content-Type: text/html

Content-Transfer-Encoding: quoted-printable

X-Spam_score: 7.2

X-Spam_score_int: 72

X-Spam_bar: +++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Hi dave, Attached is your invoice and payment receipt for

your records.



Content analysis details: (7.2 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.5 RCVD_IN_AHBL RBL: AHBL: sender is listed in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

[95.163.222.104 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_PROXY RBL: AHBL: Open Proxy server in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

1.5 RCVD_IN_AHBL_SPAM RBL: AHBL: Spam Source in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_SMTP RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

0.0 RCVD_IN_AHBL_RTB RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

-2.0 RCVD_IN_RP_SAFE RBL: Sender in ReturnPath Safe - Contact

safe-sa@returnpath.net

[Excessive Number of Queries | ]

1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,

https://senderscore.org/blacklistlookup/

[95.163.222.104 listed in bl.score.senderscore.com]

-3.0 RCVD_IN_RP_CERTIFIED RBL: Sender in ReturnPath Certified - Contact

cert-sa@returnpath.net

[Excessive Number of Queries | ]

1.0 RCVD_IN_WSFF RBL: Received via a relay in will-spam-for-food.eu.org

[91.247.194.23 listed in will-spam-for-food.eu.org]

[95.163.222.104 listed in will-spam-for-food.eu.org]

1.0 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)

0.2 MR_NOT_ATTRIBUTED_IP Beta rule: an non-attributed IPv4 found in

headers

0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in

digit

[andy55(at)gmail.com]

1.0 FORGED_GMAIL_RCVD 'From' gmail.com does not match 'Received' headers

0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider

[andy55(at)gmail.com]

1.5 MR_STRANGE_QUESTION URI: No description available.

0.0 HTML_FONT_SIZE_HUGE BODY: HTML font size is huge

0.0 HTML_MESSAGE BODY: HTML included in message

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

0.0 NO_RDNS2 Sending MTA has no reverse DNS

0.7 SPOOFED_FREEMAIL No description available.

0.1 SPOOF_GMAIL_MID From Gmail but it doesn't seem to be...

Subject: {SPAM?} Invoice attached from Mike O'Leary - Wednesday, April 22, 2026 9:34 a.m.

Hi dave,

Attached is your invoice and payment receipt for your records.

Please review the attached document. Let us know if you have any questions.

[image "document icon": https://gyazo.com/da09dca224cdd187568d5f5cb45895ed.png, width 76, height 104]

View_Invoice_Payment_Receipt.pdf [link target, beginning cut off in source: gomeryauc.vercel.app/?email=dave@doctor.nl2k.ab.ca]

Best Regards,

Mike O'Leary
Billing Department








Invoice phish from Russia Part 2

Hi www,

Attached is your invoice and payment receipt for your records.

Please review the attached document. Let us know if you have any questions.

[image "document icon": https://gyazo.com/da09dca224cdd187568d5f5cb45895ed.png, width 76, height 104]

View_Invoice_Payment_Receipt.pdf [link target, beginning cut off in source: gomeryauc.vercel.app/?email=www@doctor.nl2k.ab.ca]

Best Regards,

Mike O'Leary
Billing Department








Invoice Phish from Russia Part 1

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Wed, 22 Apr 2026 11:41:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1wFbYW-00000000Nmc-2v3l

for dave@doctor.nl2k.ab.ca;

Wed, 22 Apr 2026 11:40:08 -0600

Resent-From: The Doctor

Resent-Date: Wed, 22 Apr 2026 11:40:08 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from relay.meteogmp.ru ([95.163.222.104]:61327)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384

(Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1wFaXz-00000000I1W-2E82

for root@nk.ca;

Wed, 22 Apr 2026 10:35:41 -0600

Received: from mail.meteogmp.ru (mail.meteogmp.ru [91.247.194.23])

by relay.meteogmp.ru (Postfix) with ESMTP id D3DD73EE96

for ; Wed, 22 Apr 2026 19:31:38 +0300 (MSK)

Received: from mail.meteogmp.ru (localhost [127.0.0.1])

by mail.meteogmp.ru (Postfix) with ESMTP id 4g14Wr3VYXz1M9q0

for ; Wed, 22 Apr 2026 19:32:40 +0300 (MSK)

X-Virus-Scanned: Debian amavis at localhost.localdomain

Received: from mail.meteogmp.ru ([127.0.0.1])

by mail.meteogmp.ru (mail.meteogmp.ru [127.0.0.1]) (amavis, port 10024)

with ESMTP id M2ZNCN6QnVMZ for ;

Wed, 22 Apr 2026 19:32:38 +0300 (MSK)

Received: from s1590535.smartape-vps.com (_gateway [10.10.0.1])

by mail.meteogmp.ru (Postfix) with ESMTPS id 4g14Wp5kStz1M9nT

for ; Wed, 22 Apr 2026 19:32:38 +0300 (MSK)

From: Mike O'Leary

To: root@nk.ca

Subject: Invoice attached from Mike O'Leary - Wednesday, April 22, 2026 9:34 a.m.

Date: 22 Apr 2026 09:34:08 -0700

Message-ID: <20260422093408.17764C9FBFB7760F@gmail.com>

MIME-Version: 1.0

Content-Type: text/html

Content-Transfer-Encoding: quoted-printable

X-Spam_score: 7.2

X-Spam_score_int: 72

X-Spam_bar: +++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Hi root, Attached is your invoice and payment receipt for

your records.



Content analysis details: (7.2 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.5 RCVD_IN_AHBL RBL: AHBL: sender is listed in dnsbl.ahbl.org

[95.163.222.104 listed in dnsbl.ahbl.org]

[91.247.194.23 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_SMTP RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org

[95.163.222.104 listed in dnsbl.ahbl.org]

1.5 RCVD_IN_AHBL_SPAM RBL: AHBL: Spam Source in dnsbl.ahbl.org

[95.163.222.104 listed in dnsbl.ahbl.org]

0.0 RCVD_IN_AHBL_RTB RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org

[95.163.222.104 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_PROXY RBL: AHBL: Open Proxy server in dnsbl.ahbl.org

[95.163.222.104 listed in dnsbl.ahbl.org]

1.0 RCVD_IN_WSFF RBL: Received via a relay in will-spam-for-food.eu.org

[91.247.194.23 listed in will-spam-for-food.eu.org]

[95.163.222.104 listed in will-spam-for-food.eu.org]

-2.0 RCVD_IN_RP_SAFE RBL: Sender in ReturnPath Safe - Contact

safe-sa@returnpath.net

[Excessive Number of Queries | ]

-3.0 RCVD_IN_RP_CERTIFIED RBL: Sender in ReturnPath Certified - Contact

cert-sa@returnpath.net

[Excessive Number of Queries | ]

1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,

https://senderscore.org/blacklistlookup/

[95.163.222.104 listed in bl.score.senderscore.com]

1.0 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)

0.2 MR_NOT_ATTRIBUTED_IP Beta rule: an non-attributed IPv4 found in

headers

0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in

digit

[andy55(at)gmail.com]

1.0 FORGED_GMAIL_RCVD 'From' gmail.com does not match 'Received' headers

0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider

[andy55(at)gmail.com]

1.5 MR_STRANGE_QUESTION URI: No description available.

0.0 HTML_FONT_SIZE_HUGE BODY: HTML font size is huge

0.0 HTML_MESSAGE BODY: HTML included in message

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

0.0 NO_RDNS2 Sending MTA has no reverse DNS

0.7 SPOOFED_FREEMAIL No description available.

0.1 SPOOF_GMAIL_MID From Gmail but it doesn't seem to be...

Subject: {SPAM?} Invoice attached from Mike O'Leary - Wednesday, April 22, 2026 9:34 a.m.

Invoice phish from Russia Part 1

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Wed, 22 Apr 2026 11:40:02 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1wFbYP-00000000Nlh-1sR0

for dave@doctor.nl2k.ab.ca;

Wed, 22 Apr 2026 11:40:01 -0600

Resent-From: The Doctor

Resent-Date: Wed, 22 Apr 2026 11:40:01 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from relay.meteogmp.ru ([95.163.222.104]:6576)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384

(Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1wFaXz-00000000I1Q-2EEU

for www@doctor.nl2k.ab.ca;

Wed, 22 Apr 2026 10:35:45 -0600

Received: from mail.meteogmp.ru (mail.meteogmp.ru [91.247.194.23])

by relay.meteogmp.ru (Postfix) with ESMTP id C5F633EE6F

for ; Wed, 22 Apr 2026 19:31:38 +0300 (MSK)

Received: from mail.meteogmp.ru (localhost [127.0.0.1])

by mail.meteogmp.ru (Postfix) with ESMTP id 4g14Wr3Xgtz1M9q5

for ; Wed, 22 Apr 2026 19:32:40 +0300 (MSK)

X-Virus-Scanned: Debian amavis at localhost.localdomain

Received: from mail.meteogmp.ru ([127.0.0.1])

by mail.meteogmp.ru (mail.meteogmp.ru [127.0.0.1]) (amavis, port 10024)

with ESMTP id A53558o3u6KR for ;

Wed, 22 Apr 2026 19:32:39 +0300 (MSK)

Received: from s1590535.smartape-vps.com (_gateway [10.10.0.1])

by mail.meteogmp.ru (Postfix) with ESMTPS id 4g14Wq146Sz1M9nS

for ; Wed, 22 Apr 2026 19:32:39 +0300 (MSK)

From: Mike O'Leary

To: www@doctor.nl2k.ab.ca

Subject: Invoice attached from Mike O'Leary - Wednesday, April 22, 2026 9:34 a.m.

Date: 22 Apr 2026 09:34:08 -0700

Message-ID: <20260422093408.F9285C48D6D0F4C2@gmail.com>

MIME-Version: 1.0

Content-Type: text/html

Content-Transfer-Encoding: quoted-printable

X-Spam_score: 8.7

X-Spam_score_int: 87

X-Spam_bar: ++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Hi www, Attached is your invoice and payment receipt for

your records.



Content analysis details: (8.7 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.5 RCVD_IN_AHBL RBL: AHBL: sender is listed in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

[95.163.222.104 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_PROXY RBL: AHBL: Open Proxy server in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_SMTP RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

1.5 RCVD_IN_AHBL_SPAM RBL: AHBL: Spam Source in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

0.0 RCVD_IN_AHBL_RTB RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

-2.0 RCVD_IN_RP_SAFE RBL: Sender in ReturnPath Safe - Contact

safe-sa@returnpath.net

[Excessive Number of Queries | ]

1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,

https://senderscore.org/blacklistlookup/

[95.163.222.104 listed in bl.score.senderscore.com]

-3.0 RCVD_IN_RP_CERTIFIED RBL: Sender in ReturnPath Certified - Contact

cert-sa@returnpath.net

[Excessive Number of Queries | ]

1.0 RCVD_IN_WSFF RBL: Received via a relay in will-spam-for-food.eu.org

[91.247.194.23 listed in will-spam-for-food.eu.org]

[95.163.222.104 listed in will-spam-for-food.eu.org]

1.0 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)

0.2 MR_NOT_ATTRIBUTED_IP Beta rule: an non-attributed IPv4 found in

headers

0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in

digit

[andy55(at)gmail.com]

1.0 FORGED_GMAIL_RCVD 'From' gmail.com does not match 'Received' headers

0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider

[andy55(at)gmail.com]

1.5 MR_STRANGE_QUESTION URI: No description available.

0.0 HTML_FONT_SIZE_HUGE BODY: HTML font size is huge

0.0 HTML_MESSAGE BODY: HTML included in message

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

0.0 NO_RDNS2 Sending MTA has no reverse DNS

1.5 GB_CUSTOM_HTM_URI Custom html uri

0.7 SPOOFED_FREEMAIL No description available.

0.1 SPOOF_GMAIL_MID From Gmail but it doesn't seem to be...

Subject: {SPAM?} Invoice attached from Mike O'Leary - Wednesday, April 22, 2026 9:34 a.m.

Invoice phish from Russia Part 2

Hi root,

Attached is your invoice and payment receipt for your records.

Please review the attached document. Let us know if you have any questions.

3D"d=<br
ocument icon" src=3D"https://gyazo.com/da09dca224cdd187568d5f5cb45895ed.png=

" width=3D"76" height=3D"104">

gomeryauc.vercel.app/?email=3Droot@nl2k.ab.ca">View_Invoice_Payment_Receipt=

=2Epdf

Best Regards,

Mike O'Leary

Billing Department

Invoice Phish from Russia Part 2

Hi doctor,

Attached is your invoice and payment receipt for your records.

Please review the attached document. Let us know if you have any questions.

3D"d=<br
ocument icon" src=3D"https://gyazo.com/da09dca224cdd187568d5f5cb45895ed.png=

" width=3D"76" height=3D"104">

gomeryauc.vercel.app/?email=3Ddoctor@nl2k.ab.ca">View_Invoice_Payment_Recei=

pt.pdf

Best Regards,

Mike O'Leary

Billing Department

Invoice phish from Russia Part 1

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Wed, 22 Apr 2026 11:40:02 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1wFbYI-00000000Njw-28wB

for dave@doctor.nl2k.ab.ca;

Wed, 22 Apr 2026 11:39:54 -0600

Resent-From: The Doctor

Resent-Date: Wed, 22 Apr 2026 11:39:54 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from relay.meteogmp.ru ([95.163.222.104]:1238)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384

(Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1wFaY6-00000000I1Z-3wKz

for root@nl2k.ab.ca;

Wed, 22 Apr 2026 10:35:50 -0600

Received: from mail.meteogmp.ru (mail.meteogmp.ru [91.247.194.23])

by relay.meteogmp.ru (Postfix) with ESMTP id E2A1C3EFB0

for ; Wed, 22 Apr 2026 19:31:38 +0300 (MSK)

Received: from mail.meteogmp.ru (localhost [127.0.0.1])

by mail.meteogmp.ru (Postfix) with ESMTP id 4g14Wr3bPWz1M9n4

for ; Wed, 22 Apr 2026 19:32:40 +0300 (MSK)

X-Virus-Scanned: Debian amavis at localhost.localdomain

Received: from mail.meteogmp.ru ([127.0.0.1])

by mail.meteogmp.ru (mail.meteogmp.ru [127.0.0.1]) (amavis, port 10024)

with ESMTP id l0qinLs6vMSv for ;

Wed, 22 Apr 2026 19:32:38 +0300 (MSK)

Received: from s1590535.smartape-vps.com (_gateway [10.10.0.1])

by mail.meteogmp.ru (Postfix) with ESMTPS id 4g14Wp3Pbnz1M9mW

for ; Wed, 22 Apr 2026 19:32:38 +0300 (MSK)

From: Mike O'Leary

To: root@nl2k.ab.ca

Subject: Invoice attached from Mike O'Leary - Wednesday, April 22, 2026 9:34 a.m.

Date: 22 Apr 2026 09:34:08 -0700

Message-ID: <20260422093407.1E5886C207724BFB@gmail.com>

MIME-Version: 1.0

Content-Type: text/html

Content-Transfer-Encoding: quoted-printable

X-Spam_score: 7.2

X-Spam_score_int: 72

X-Spam_bar: +++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Hi root, Attached is your invoice and payment receipt for

your records.



Content analysis details: (7.2 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.5 RCVD_IN_AHBL RBL: AHBL: sender is listed in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

[95.163.222.104 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_PROXY RBL: AHBL: Open Proxy server in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_SMTP RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

1.5 RCVD_IN_AHBL_SPAM RBL: AHBL: Spam Source in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

0.0 RCVD_IN_AHBL_RTB RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

-2.0 RCVD_IN_RP_SAFE RBL: Sender in ReturnPath Safe - Contact

safe-sa@returnpath.net

[Excessive Number of Queries | ]

1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,

https://senderscore.org/blacklistlookup/

[95.163.222.104 listed in bl.score.senderscore.com]

-3.0 RCVD_IN_RP_CERTIFIED RBL: Sender in ReturnPath Certified - Contact

cert-sa@returnpath.net

[Excessive Number of Queries | ]

1.0 RCVD_IN_WSFF RBL: Received via a relay in will-spam-for-food.eu.org

[91.247.194.23 listed in will-spam-for-food.eu.org]

[95.163.222.104 listed in will-spam-for-food.eu.org]

1.0 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)

0.2 MR_NOT_ATTRIBUTED_IP Beta rule: an non-attributed IPv4 found in

headers

0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in

digit

[andy55(at)gmail.com]

1.0 FORGED_GMAIL_RCVD 'From' gmail.com does not match 'Received' headers

0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider

[andy55(at)gmail.com]

1.5 MR_STRANGE_QUESTION URI: No description available.

0.0 HTML_FONT_SIZE_HUGE BODY: HTML font size is huge

0.0 HTML_MESSAGE BODY: HTML included in message

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

0.0 NO_RDNS2 Sending MTA has no reverse DNS

0.7 SPOOFED_FREEMAIL No description available.

0.1 SPOOF_GMAIL_MID From Gmail but it doesn't seem to be...

Subject: {SPAM?} Invoice attached from Mike O'Leary - Wednesday, April 22, 2026 9:34 a.m.

Invoice phish from Russia Part 1

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Wed, 22 Apr 2026 11:41:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1wFbYa-00000000Nmv-1aQK

for dave@doctor.nl2k.ab.ca;

Wed, 22 Apr 2026 11:40:12 -0600

Resent-From: The Doctor

Resent-Date: Wed, 22 Apr 2026 11:40:12 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from relay.meteogmp.ru ([95.163.222.104]:32251)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384

(Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1wFaY7-00000000I1b-45UN

for doctor@nl2k.ab.ca;

Wed, 22 Apr 2026 10:35:50 -0600

Received: from mail.meteogmp.ru (mail.meteogmp.ru [91.247.194.23])

by relay.meteogmp.ru (Postfix) with ESMTP id 581C73EEA8

for ; Wed, 22 Apr 2026 19:31:42 +0300 (MSK)

Received: from mail.meteogmp.ru (localhost [127.0.0.1])

by mail.meteogmp.ru (Postfix) with ESMTP id 4g14Wv5pjYz1M9qT

for ; Wed, 22 Apr 2026 19:32:43 +0300 (MSK)

X-Virus-Scanned: Debian amavis at localhost.localdomain

Received: from mail.meteogmp.ru ([127.0.0.1])

by mail.meteogmp.ru (mail.meteogmp.ru [127.0.0.1]) (amavis, port 10024)

with ESMTP id 6MpyEWYmP_Hn for ;

Wed, 22 Apr 2026 19:32:40 +0300 (MSK)

Received: from s1590535.smartape-vps.com (_gateway [10.10.0.1])

by mail.meteogmp.ru (Postfix) with ESMTPS id 4g14Wq4768z1M9nZ

for ; Wed, 22 Apr 2026 19:32:39 +0300 (MSK)

From: Mike O'Leary

To: doctor@nl2k.ab.ca

Subject: Invoice attached from Mike O'Leary - Wednesday, April 22, 2026 9:34 a.m.

Date: 22 Apr 2026 09:34:09 -0700

Message-ID: <20260422093408.AEBADED01E71F45F@gmail.com>

MIME-Version: 1.0

Content-Type: text/html

Content-Transfer-Encoding: quoted-printable

X-Spam_score: 7.2

X-Spam_score_int: 72

X-Spam_bar: +++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Hi doctor, Attached is your invoice and payment receipt for

your records.



Content analysis details: (7.2 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.5 RCVD_IN_AHBL RBL: AHBL: sender is listed in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

[95.163.222.104 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_SMTP RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

1.5 RCVD_IN_AHBL_SPAM RBL: AHBL: Spam Source in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

0.0 RCVD_IN_AHBL_RTB RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_PROXY RBL: AHBL: Open Proxy server in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

-2.0 RCVD_IN_RP_SAFE RBL: Sender in ReturnPath Safe - Contact

safe-sa@returnpath.net

[Excessive Number of Queries | ]

1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,

https://senderscore.org/blacklistlookup/

[95.163.222.104 listed in bl.score.senderscore.com]

-3.0 RCVD_IN_RP_CERTIFIED RBL: Sender in ReturnPath Certified - Contact

cert-sa@returnpath.net

[Excessive Number of Queries | ]

1.0 RCVD_IN_WSFF RBL: Received via a relay in will-spam-for-food.eu.org

[91.247.194.23 listed in will-spam-for-food.eu.org]

[95.163.222.104 listed in will-spam-for-food.eu.org]

1.0 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)

0.2 MR_NOT_ATTRIBUTED_IP Beta rule: an non-attributed IPv4 found in

headers

0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in

digit

[andy55(at)gmail.com]

1.0 FORGED_GMAIL_RCVD 'From' gmail.com does not match 'Received' headers

0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider

[andy55(at)gmail.com]

1.5 MR_STRANGE_QUESTION URI: No description available.

0.0 HTML_FONT_SIZE_HUGE BODY: HTML font size is huge

0.0 HTML_MESSAGE BODY: HTML included in message

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

0.0 NO_RDNS2 Sending MTA has no reverse DNS

0.7 SPOOFED_FREEMAIL No description available.

0.1 SPOOF_GMAIL_MID From Gmail but it doesn't seem to be...

Subject: {SPAM?} Invoice attached from Mike O'Leary - Wednesday, April 22, 2026 9:34 a.m.