Web/SEo/App Spam from Microsoft Outlook Part 3

Posted by Dave Yadallee on Saturday, June 27. 2026

--_000_OSNPR01MB7457B7B350764617DA7B71D8CCEA2OSNPR01MB7457apcp_

Content-Type: text/html; charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

1">

nt, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; c=

olor: rgb(0, 0, 0);">

Hello,

edFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12p=

t; color: rgb(0, 0, 0);">

edFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12p=

t; color: rgb(0, 0, 0);">

May I send you screenshot of the error on your website?

edFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12p=

t; color: rgb(0, 0, 0);">

edFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12p=

t; color: rgb(0, 0, 0);">

Please let me know.

edFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12p=

t; color: rgb(0, 0, 0);">

edFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12p=

t; color: rgb(0, 0, 0);">

Thanks.

color: rgb(0, 0, 0);">

x_x_x_x_x_x_x_x_x_x_x_x_x_x_x_x_x_x_x_x_x_x_divRplyFwdMsg">

color: rgb(0, 0, 0);">

From: jhemmy troper <jhemmytroper@outlook.com>

Sent: Monday, March 16, 2026 2:49 PM

color: rgb(0, 0, 0);">

Subject: Quick Technical Screenshot

">

: 1.38; background-color: rgb(255, 255, 255); margin: 1em 0cm;">

t; color: rgb(34, 34, 34); background-color: white;">Hi

: normal; background-color: white; margin: 0px 0px 0cm;">

t; color: rgb(34, 34, 34);">

: normal; background-color: white; margin: 0px 0px 0cm;">

t; color: rgb(34, 34, 34);">I noticed

some issues on your website that may affect its ranking.=

: normal; background-color: white; margin: 0px 0px 0cm;">

t; color: rgb(34, 34, 34);">

: normal; background-color: white; margin: 0px 0px 0cm;">

t; color: rgb(34, 34, 34);">Would you like a

screenshot to highlight the errors?

: normal; background-color: white; margin: 0px 0px 0cm;">

t; color: rgb(34, 34, 34);">

in; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, H=

elvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">

Best,

in; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, H=

elvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">

Jhemmy

--_000_OSNPR01MB7457B7B350764617DA7B71D8CCEA2OSNPR01MB7457apcp_--

Web/SEo/App Spam from Microsoft Outlook Part 2

Posted by Dave Yadallee on Saturday, June 27. 2026

In-Reply-To:

Accept-Language: en-US

Content-Language: en-US

X-MS-Has-Attach:

X-MS-TNEF-Correlator:

msip_labels:

x-ms-publictraffictype: Email

x-ms-traffictypediagnostic: OSNPR01MB7457:EE_|SEZPR01MB7219:EE_

x-ms-office365-filtering-correlation-id: 22035d46-005a-4ab9-9a1c-08ded4619677

x-microsoft-antispam:

BCL:0;ARA:14566002|55001999006|16051099003|4140399003|15030799006|15080799012|31061999003|8062599012|19110799012|8060799015|39105399006|24021099003|25010399006|24071999003|704163111799003|2604032031799003|20031999006|37011999003|40105399003|39145399003|41105399003|19061999003|35041999009|102099032|3412199025|440099028;

x-microsoft-antispam-message-info:

=?iso-8859-1?Q?LcrUmApybhwFsM1/3796hNKzwgLIN+ABt2hQZWBtR17lFvvUgyrnahZlRa?=

=?iso-8859-1?Q?U7WvFX3LIgrNx9hmDYvzBYYkLfuLoO9NPeh0ctkgFM1akkaC8aPcwkIkm7?=

=?iso-8859-1?Q?m3SI7XOaAqBOTRxhF0yQLwSbB4uUutg7SKUtPmjzdgPRt/0B5YhMVGqj1Z?=

=?iso-8859-1?Q?GEkwB8BS+cmyyFJWxXg77rYlwQKhSJ7nT5hWHkMyhmjoSezj6sX3FM/PuO?=

=?iso-8859-1?Q?R63pHoYOeV7miemgmeKkUiXtrGada0iYucHrKT1glA9TIBIuL3j5+o4MS2?=

=?iso-8859-1?Q?lBl8j2Unj1/dXw8vKPfCNjZPG2m2b+FVK8deOKbeREo0Gj8S1PnDZphQaO?=

=?iso-8859-1?Q?FdJb9ZCTddqx334zK36LqkyMgLEDijWH5I9g9smvTL9TPRaRIHRrOBxlbG?=

=?iso-8859-1?Q?wOVrXMIcR77yrrW4vRxf1Y5bVotpy4oYyukHDW8pKouAeDW+ZGlIds2bzR?=

=?iso-8859-1?Q?+kgl5TOmnJkQpdgBNiwdcuccsWUv2dcrOP7+BwIFyEJEAgWj/xVv+L6aqT?=

=?iso-8859-1?Q?wa39h7g64/q63yowttQ167ByGitCdUKppmULVvhc5vFjEd6eunWswmnqUk?=

=?iso-8859-1?Q?MpcAeLdP948rZ8ooxvG6cnyj3TVm8vEg359u2X13+N24f1CzuE/HNfV52H?=

=?iso-8859-1?Q?z8Bvhn+ay7eKwqU2P/x0K2i4xvev8sGht2N6Pvk91eDMOnOXkQadWpbVK6?=

=?iso-8859-1?Q?qJoA/Ga2ZNDECb5pXDscwLcdwkTdMhgwWbcEIJT83XW8FKlBBiRSVkTQ2P?=

=?iso-8859-1?Q?mReexKbB742grTLvMhoRAzgwCfRwWr6VuoDZ9cXHy8mrGC3TzJJOSROgMR?=

=?iso-8859-1?Q?WGtgpda7Wz2p4i7p519J9HCgTbc5W4EAQJEoUQS/hGaVhXZTafhTLhGnth?=

=?iso-8859-1?Q?FNVz1lU+/Fyt7vTyPSh0p3TZDfB2sxezACRHckxtleX46TGRLgn1ElfvlP?=

=?iso-8859-1?Q?oFak6+LE7W+4H7C9Z2NrvZcJl3IhRYe6rIx+3mLjvO1NaI09ijEffQASRJ?=

=?iso-8859-1?Q?MgcZ23+7/xI6+FpB0ucBVzTf4o3akitZtcUeDfKib26iPD4kbXtME5Phhe?=

=?iso-8859-1?Q?ljspvp7kRQbYlVdzH/TjEKccGqTCl5vcKrbMEvcJ7p2IyNUnZpwch7VdZ8?=

=?iso-8859-1?Q?DFtRVrGI01w7Rnb+nr6BI3R0GFOBokmAF1zEC9u++wlLFBSFSLaapT/mJe?=

=?iso-8859-1?Q?x2EwHsBAhDeHopSRwo9B6Cxbog3KypUVUVkuIHL8znTFYZ+eHS1DWX/yaO?=

=?iso-8859-1?Q?YLugpt0krzVX1QNsTFF3v5H4ZixzMLq62l5bmwdOcMR4i5h9fp84pi7Qm7?=

=?iso-8859-1?Q?Y9/bTBLUqZlVH8vkpgPsUq7ywTP9tvmWOuSFqza6+s/F59T+QTuH28j0jX?=

=?iso-8859-1?Q?svqEU+yCatVA4lB/1Xb9CFEzKYP69F+Q=3D=3D?=

x-ms-exchange-antispam-messagedata-chunkcount: 1

x-ms-exchange-antispam-messagedata-0:

=?iso-8859-1?Q?IwPgInZiC9YTu1I2ksjTtYW5WKv8nJzgF+xMZOf3Y2iJrV4ozqPAlwWNIw?=

=?iso-8859-1?Q?PXX5rog+4bMihz56oc4XEzxFS33HGhryG1R08roQgiO/PkiatBcgNuAL4Z?=

=?iso-8859-1?Q?8+O4BPK9QcA4ON7CGPQzdqsLrxxjp+U9ifnnus5MpdrIkB2yUqOpgtmUnf?=

=?iso-8859-1?Q?9n6ziyzx7WIYLykHLifoRWu8ECzmnnbnQjjav5mug9nwBeAgj6sPv8+b6l?=

=?iso-8859-1?Q?VxYdIHDuvWovUXiv5g23bRjFgks5SUO2UWjdGqc9F1JZs6yMnycc70TaWs?=

=?iso-8859-1?Q?RZRwck2jSSPrOIeswyYcLLIAuYor0vsQsbkOETwMShDgkFCSFsPhFH6X1a?=

=?iso-8859-1?Q?xr9rIaNABKzLBn6wD8H2dYh4IlAtAz0XnzO0t8ONm0E12QS4Xaarj5ix2N?=

=?iso-8859-1?Q?SBUQAiuyQ/ziDxWT87RaRY3mjbVcSpuBvuGrtfzpdlOtGw4SSAzMb+3OOu?=

=?iso-8859-1?Q?mNjpqdoBhny1wzpdCJQEI03Bmppzbvik0Mk6NbxcdmF4SGApCd91JOrcY6?=

=?iso-8859-1?Q?ShYbh1ZKqkZGfiTgWjIqRnKwBy1ooeNurpTw8gyhO1wsMteR4ahgKnUaQG?=

=?iso-8859-1?Q?RiMq4n206F8ecT6am1fht+7+f4Cv7Nyy0NmADazV5b6IU2dpsFQbUvjL2j?=

=?iso-8859-1?Q?w5JEru2Bf3knS9OuRfsvLwklA52uzIa4p95LeeaviE7mmVwwVGX6GX3qaG?=

=?iso-8859-1?Q?qZKwvytPxWxnnzRL/Kz4vq5hqvT3Af9oKkLE5z5U00ufpJVAFVBldsgjW6?=

=?iso-8859-1?Q?TB3eutxS4wURnbUU5xrCp31u4yVxSdj45WNoHRQI1FCYFNM2tzaPwfOJO1?=

=?iso-8859-1?Q?qZ35E/FkVxGyDTs945L2IvNIXXxrvbXYRAxyhExW94fyrCVfpWMBUj04zc?=

=?iso-8859-1?Q?ZctZnjAc4zi1n9fPNsH5I4BSRiXn0f0MUnYGAeV4cvg53RCri6x1oWSDfl?=

=?iso-8859-1?Q?R2xJJJFa/KuwyX+E6T7AzBrWBjjDMgCO2b8brNZ6wHXSVqE6q9hnvw4Qa7?=

=?iso-8859-1?Q?fSNFczDH6brtgyqULmvjx/Nmq2IKDQSou4zynCaHIjO29mYNvCdhvqcilr?=

=?iso-8859-1?Q?APTURF2aBOqLjQP/5HHIGD38tuNWQ2SBQVPp4w7Va2tevHfyEXVt+QBMV7?=

=?iso-8859-1?Q?pO/CUhuqCo293nLKs3vH55SOyx9G93q2z0LUJPqiRKtAOSxHoYyK+D1Z72?=

=?iso-8859-1?Q?3dsFk2ha2m7SLtet681zj/C3TUZvgEjpumo7iO5fkyylK69zsXuxr85kj7?=

=?iso-8859-1?Q?LZKF65nL/2va0vJrRJHRbgY7XJ2a/6tmgL82GratIsQNvKtEG4Pr+XBKK4?=

=?iso-8859-1?Q?tJC8Dv+FSjb5t5wcTTT1OljjP44WBuuhUywqGrNdvpLQpdoCkQP+4ZenM6?=

=?iso-8859-1?Q?rpUeXS9ci2ZJddEQ0JwpdDTxPLrnZDLR/vOwxTtfoukyjqbcQL7WB1SlgX?=

=?iso-8859-1?Q?KvTLWTI/cCPZslvQCuRdrMNSAhE1v2b153wnsLLKYGU/L3K9cbZdFLdQOR?=

=?iso-8859-1?Q?Cs99/1iK3HSP3tsLP8EDe2?=

Content-Type: multipart/alternative;

boundary="_000_OSNPR01MB7457B7B350764617DA7B71D8CCEA2OSNPR01MB7457apcp_"

MIME-Version: 1.0

X-OriginatorOrg: outlook.com

X-MS-Exchange-CrossTenant-AuthAs: Internal

X-MS-Exchange-CrossTenant-AuthSource: OSNPR01MB7457.apcprd01.prod.exchangelabs.com

X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000

X-MS-Exchange-CrossTenant-Network-Message-Id: 22035d46-005a-4ab9-9a1c-08ded4619677

X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Jun 2026 15:34:33.4117

(UTC)

X-MS-Exchange-CrossTenant-fromentityheader: Hosted

X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa

X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: 00000000-0000-0000-0000-000000000000

X-MS-Exchange-Transport-CrossTenantHeadersStamped: SEZPR01MB7219

--_000_OSNPR01MB7457B7B350764617DA7B71D8CCEA2OSNPR01MB7457apcp_

Content-Type: text/plain; charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

Hello,

May I send you screenshot of the error on your website?

Please let me know.

Thanks.

________________________________

From: jhemmy troper

Sent: Monday, March 16, 2026 2:49 PM

Subject: Quick Technical Screenshot

Hi

I noticed some issues on your website that may affect its ranking.

Would you like a screenshot to highlight the errors?

Best,

Jhemmy

Web/SEo/App Spam from Microsoft Outlook Part 1

Posted by Dave Yadallee on Saturday, June 27. 2026

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Sat, 27 Jun 2026 11:52:01 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.99.3 (FreeBSD))

(envelope-from )

id 1wdWV5-00000000FpX-2BUr

for dave@doctor.nl2k.ab.ca;

Sat, 27 Jun 2026 11:07:27 -0600

Resent-From: The Doctor

Resent-Date: Sat, 27 Jun 2026 11:07:27 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from mail-koreacentralazolkn19013080.outbound.protection.outlook.com ([52.103.74.80]:51257 helo=SEYPR02CU001.outbound.protection.outlook.com)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384

(Exim 4.99.3 (FreeBSD))

(envelope-from )

id 1wdV4k-000000002Z5-0VKZ

for root@nk.ca;

Sat, 27 Jun 2026 09:36:20 -0600

ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;

b=Q5zbdXbvBlFK2q53F++QgtBiwnvJZjIkry4/5T6PV8fgTSKhbzL6lsZ5DDJO4nHs68gekHyOA4eM/6jUCbtx4ygMEiEvYO1JuapN8rGASI8x4dtIDrB9kD7QlCoP5AW0tC7GfrOrhUnNSMKoOiqI8b3fkBXUuYPUdMnNVyPFhJQUcnY97AayROjrQ0f5/ltlP5MC5tftgxiQiHXatTqz0ILeESYUNqBAWlNBfhI3w/w06GJVcKm2DWd3pszPHs6cmcrafdap9zfK+TTyqPedVnbfWpIR2fuMO77eoRgCEz+/3abKmJBGN1isXgw/KFdsrob9Qa8zx9sKi+6iI9CuSQ==

ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;

s=arcselector10001;

h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;

bh=DBIjuwvNXRFc0+XV8ZNrhjffzQockeTBFPoymGY3+Ik=;

b=XP4aEqiNl2aDquvhklgOwQm0ndmupzzPH+YW/6kxNsASF7W4E/U/iQ1ZBLnW/fBCV40HTRRGGPMr+XrogB40ku6TF7pfmpE7T5eK+UgOsdAIWxS9Gd/Hcyda9g31MuU8Tlehs1XU5n5YQYJFTfNQNVHGip5cqMYB5vDoFI8jPz/EAZcTUWSvvwIkpOpo1V1wFtPP/TiDap4XVynlDxr8a2BQ269tRX9//IoBnBFHeU9MBuEtWZk/NsZV+DaT2Dv+bii1FMNOJwxc3DtLZhCXZn1gWUkmydHz8I2y5fuse6xGlJNW1dpE3e1BMMzTXhDJufL3h4M5AczodUVIxxSmGw==

ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none;

dkim=none; arc=none

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outlook.com;

s=selector1;

h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;

bh=DBIjuwvNXRFc0+XV8ZNrhjffzQockeTBFPoymGY3+Ik=;

b=XhG+nDKEK6O9Wpxu5pn2w3908l9/6O3jDWTsBglBHCK8AlnmyXIyBm/yM+azASTa3kfpFhNSmfqq9DS2l9ufooMj6eo25LKtko4OnLz1AuFuk9AiOyGYHwooLP2QTN0ubcbuvZjVZz0hrFnXOykvdxSwDiG4rYNjKjV5w/x9ktVlfK93nbQX5pcfbOHgdReYo2fMbSnkoVxSIkDyVG0CXiwim9zKrUYe2vrghp/+8xp4T+6jlI4vr64zjrUx289luI2xYreI/qc9goMaVSRo31unsiBUlwXlRDRraAraeAXlIOjM9GWTIEsq5hHwhsAuotI3Nt/gPd968Jvu/YPs2g==

Received: from OSNPR01MB7457.apcprd01.prod.exchangelabs.com

(2603:1096:604:319::12) by SEZPR01MB7219.apcprd01.prod.exchangelabs.com

(2603:1096:101:2a6::13) with Microsoft SMTP Server (version=TLS1_2,

cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.159.18; Sat, 27 Jun

2026 15:34:34 +0000

Received: from OSNPR01MB7457.apcprd01.prod.exchangelabs.com

([fe80::ef17:7924:96f1:11c7]) by OSNPR01MB7457.apcprd01.prod.exchangelabs.com

([fe80::ef17:7924:96f1:11c7%4]) with mapi id 15.21.0159.014; Sat, 27 Jun 2026

15:34:34 +0000

From: jhemmy troper

Subject: Re: Quick Technical Screenshot

Thread-Topic: Quick Technical Screenshot

Thread-Index:

AQHco3hOqP/yIfGCokeBQRF7jl/vdLWNq6swgLY1cMSAAAYpT4AIF9S/gAAAgaOAB0vbY4AAAnpa

Date: Sat, 27 Jun 2026 15:34:33 +0000

Message-ID:

References:

nk.ca HR compensation phish from Google Gmail Part 2

Posted by Dave Yadallee on Saturday, June 27. 2026

This is a multi-part message in MIME format

--k8KsSBpdC=_EKSfEd4ubgLH3nO4qI1ww2J

Content-Type: text/plain; charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

New Document Available

```

????????????????????????

```

POWERED BY

nk.ca HR has sent you a new document

nk.ca Incentive Summary & Annual Compensation Review

Open Document https://vortix.vu/yoururl/exgam-MX2-script.htm#sales@nk.=

ca

sales@nk.ca

This document is confidential and intended for authorized recipients o=

nly.

```

--k8KsSBpdC=_EKSfEd4ubgLH3nO4qI1ww2J

Content-Type: text/html; charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

l" xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-mi=

crosoft-com:office:office">

8859-1">

device-width, initial-scale=3D1.0">
e" content=3D"IE=3Dedge">
atting">
ress=3Dno,email=3Dno,date=3Dno"> Immediate Attention Required: =<br /><br /> New Order sales@nk.ca

```

v style=3D"display: none; font-size: 1px; line-height: 1px; max-height=

: 0px; max-width: 0px; opacity: 0; overflow: hidden; mso-hide: all;"> =

͏͏͏͏͏=

͏͏͏͏͏=

͏͏

```

able role=3D"presentation" class=3D"email-container" cellspacing=3D"0"=

cellpadding=3D"0" border=3D"0" width=3D"100%" style=3D"max-width: 600=

px; margin: auto;">

ss=3D"logo-container"> POWERED BY

ass=3D"square" style=3D"background-color: #ef4444;">

"square" style=3D"background-color: #3b82f6;">

are" style=3D"background-color: #10b981;">

style=3D"background-color: #f59e0b;">

=

iv class=3D"document-icon">
ww.w3.org/2000/svg" fill=3D"none" viewBox=3D"0 0 24 24" stroke=3D"#6b7=

280" stroke-width=3D"2">
n=3D"round" d=3D"M9 12h6m-6 4h6m2 5H7a2 2 0 01-2-2V5a2 2 0 012-2h5.586=

a1 1 0 01.707.293l5.414 5.414a1 1 0 01.293.707V19a2 2 0 01-2 2z" />
svg>

nk.ca HR has sent you a new document

subtitle">nk.ca Incentive Summary & Annual Compensation Review

=

" class=3D"cta-button">Open Document <=

tr>

lass=3D"footer-text">This document is confidential and intended for au=

thorized recipients only.

r">

```

--k8KsSBpdC=_EKSfEd4ubgLH3nO4qI1ww2J--

nk.ca HR compensation phish from Google Gmail Part 1

Posted by Dave Yadallee on Saturday, June 27. 2026

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Fri, 26 Jun 2026 23:47:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.99.3 (FreeBSD))

(envelope-from )

id 1wdLsZ-00000000Ewe-45Ss

for dave@doctor.nl2k.ab.ca;

Fri, 26 Jun 2026 23:46:59 -0600

Resent-From: The Doctor

Resent-Date: Fri, 26 Jun 2026 23:46:59 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from mail-oo1-f102.google.com ([209.85.161.102]:61815)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_128_GCM_SHA256

(Exim 4.99.3 (FreeBSD))

(envelope-from )

id 1wdIUB-00000000NpD-339s

for sales@nk.ca;

Fri, 26 Jun 2026 20:09:44 -0600

Received: by mail-oo1-f102.google.com with SMTP id 006d021491bc7-69ec2ebec61so1033370eaf.3

for ; Fri, 26 Jun 2026 19:08:45 -0700 (PDT)

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=hes.it; s=google; t=1782526119; x=1783130919; darn=nk.ca;

h=message-id:date:mime-version:to:subject:from:from:to:cc:subject

:date:message-id:reply-to;

bh=ZTSZRhJkl+0gc7XUQmmwIh8iAKF5U2RLiIZNNA90E7k=;

b=XBp3Ro+1l3ELR0XgWkO8Pphoup6DJ5fvh9Zl6onydz1UmRBFfySaC+OPv1dukw2BVG

tsGwVyhocWfwyPtlstdZeVFgev9xMhwGtuhhevdGZByWqKXiYeI6sVd180qfYbfxOF8O

aqdoJMLU2lQFmhIOVZQa4bHWefpyx9EGPZ244=

X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=1e100.net; s=20251104; t=1782526119; x=1783130919;

h=message-id:date:mime-version:to:subject:from:x-gm-gg

:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;

bh=ZTSZRhJkl+0gc7XUQmmwIh8iAKF5U2RLiIZNNA90E7k=;

b=koEEe7namuKr4qqiPRANAz/jaIoO27etmcijKrzJwfEAdoTpKJyFWc7pzrlAUEEsaP

5583gVjq452BrVG/9fIY0rqLmMavMkbCHh/rxNgKlbQ+ghLKuyfQhSgtxRKUYqC1mctr

6/L+ciHuG1ZDYiHe8Tj5zrW9w4Uw7efafDqK4ebdAFroHVBV6CUF1yU6ReiYO8aXGOuT

MiCEo8kWm69RF9aziVlXWkUj5xX2WdKW9IA8bxZlQbYS2NgxJJ5S/ciDrm6USzyqrGLf

PYemdrw+I5PmLKDEHypEW42ClLpQ7Q17KttttfHG4LGn6qFWfw0p/2VDZr0SCOR7OMUe

4Viw==

X-Gm-Message-State: AOJu0YyjlMnu72qFnVm7IMkXbq76WjsUnr41B5tAbwxBQNqR997OgVvi

RKakZomGYdj1bm1wpzezIqDrE/e8/YXzHfmuz/mOacnd4vJXWepX0zP15ldfL40xKZWWXemjPpp

OVb2kzBOwXXCktfKWoXjs5cl1zqBPU0XtEOxD4AZycr1FTA4=

X-Gm-Gg: AfdE7clnj3ddQnKLarnn0oXTBtdfkZkXNKinGj9upzxOLVU7tbJbAK9zh7ILC4jsZaY

LXM+RMJuvuRaIgL37z4IkcX8xWQydhVHjPQHp3XOaa6NSAji4vbOomz9EPEwSEiQwblR9pAQ2Cn

0NwSszq0J7tRhIMKFZy7DQ1eBZy92k/1txr8HZIrF0lR/+0lXb4st4Z3zqhv73Bjf/X0YyonTz0

rFJGmMhfXJySHW3vA+jtK5FqBkjZc9kX6bjLUcOc+VmaRKsN+nvkBV0fBLkGxI+X/ggz/N+A47+

U5rjxGTimGPwkq6X2D66azl2sXuW82Pl+cmYo/1Oh0EtvxXKze9yR87YRr1yhAjBrglnFAz1gQT

JkM6L

X-Received: by 2002:a05:6820:2229:b0:6a0:e1d4:7fdd with SMTP id 006d021491bc7-6a1351c5d97mr7501329eaf.23.1782526119556;

Fri, 26 Jun 2026 19:08:39 -0700 (PDT)

Received: from vps9689 ([155.2.192.102])

by smtp-relay.gmail.com with ESMTPS id 006d021491bc7-6a1414d09absm267810eaf.16.2026.06.26.19.08.39

for

(version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);

Fri, 26 Jun 2026 19:08:39 -0700 (PDT)

X-Relaying-Domain: hes.it

From: "Admin_nk.ca"

Subject: Immediate Attention Required: New Order sales@nk.ca

To:

Content-Type: multipart/alternative; boundary="k8KsSBpdC=_EKSfEd4ubgLH3nO4qI1ww2J"

MIME-Version: 1.0

Date: Fri, 26 Jun 2026 19:08:39 -0700

Message-Id: <2639202606081938761F668F-EE2B511B68@hes.it>

X-Spam_score: 9.5

X-Spam_score_int: 95

X-Spam_bar: +++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.

Content preview: New Document Available ``` ????????????????????????

Content analysis details: (9.5 points, 5.0 required)

pts rule name description

---- ---------------------- --------------------------------------------------

1.0 RCVD_IN_WSFF RBL: Received via a relay in will-spam-for-food.eu.org

[155.2.192.102 listed in will-spam-for-food.eu.org]

[155.2.192.102 listed in will-spam-for-food.eu.org]

[155.2.192.102 listed in will-spam-for-food.eu.org]

[155.2.192.102 listed in will-spam-for-food.eu.org]

[155.2.192.102 listed in will-spam-for-food.eu.org]

[155.2.192.102 listed in will-spam-for-food.eu.org]

[155.2.192.102 listed in will-spam-for-food.eu.org]

[155.2.192.102 listed in will-spam-for-food.eu.org]

[209.85.161.102 listed in will-spam-for-food.eu.org]

[209.85.161.102 listed in will-spam-for-food.eu.org]

[209.85.161.102 listed in will-spam-for-food.eu.org]

[209.85.161.102 listed in will-spam-for-food.eu.org]

[209.85.161.102 listed in will-spam-for-food.eu.org]

[209.85.161.102 listed in will-spam-for-food.eu.org]

[209.85.161.102 listed in will-spam-for-food.eu.org]

[209.85.161.102 listed in will-spam-for-food.eu.org]

1.5 RCVD_IN_AHBL RBL: AHBL: sender is listed in dnsbl.ahbl.org

[155.2.192.102 listed in dnsbl.ahbl.org]

[155.2.192.102 listed in dnsbl.ahbl.org]

[155.2.192.102 listed in dnsbl.ahbl.org]

[155.2.192.102 listed in dnsbl.ahbl.org]

[209.85.161.102 listed in dnsbl.ahbl.org]

[209.85.161.102 listed in dnsbl.ahbl.org]

[209.85.161.102 listed in dnsbl.ahbl.org]

[209.85.161.102 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_PROXY RBL: AHBL: Open Proxy server in dnsbl.ahbl.org

[155.2.192.102 listed in dnsbl.ahbl.org]

0.0 RCVD_IN_AHBL_RTB RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org

[155.2.192.102 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_SMTP RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org

[155.2.192.102 listed in dnsbl.ahbl.org]

1.5 RCVD_IN_AHBL_SPAM RBL: AHBL: Spam Source in dnsbl.ahbl.org

[155.2.192.102 listed in dnsbl.ahbl.org]

-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no

trust

[209.85.161.102 listed in list.dnswl.org]

1.7 URIBL_BLACK Contains an URL listed in the URIBL blacklist

[URI: vortix.vu]

-2.0 RCVD_IN_RP_SAFE RBL: Sender in ReturnPath Safe - Contact

safe-sa@returnpath.net

[Excessive Number of Queries | ]

-3.0 RCVD_IN_RP_CERTIFIED RBL: Sender in ReturnPath Certified - Contact

cert-sa@returnpath.net

[Excessive Number of Queries | ]

1.9 URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL blocklist

[URI: hes.it]

[URI: vortix.vu]

1.9 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist

[URI: hes.it]

[URI: vortix.vu]

2.5 URIBL_DBL_PHISH Contains a Phishing URL listed in the DBL blocklist

[URI: vortix.vu]

1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,

https://senderscore.org/blacklistlookup/

[209.85.161.102 listed in bl.score.senderscore.com]

-0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)

[209.85.161.102 listed in wl.mailspike.net]

-0.0 SPF_PASS SPF: sender matches SPF record

-0.0 RCVD_IN_MSPIKE_WL Mailspike good senders

0.1 MXG_EMAIL_FRAG BODY: URI with email in fragment

0.0 HTML_FONT_SIZE_HUGE BODY: HTML font size is huge

0.0 HTML_MESSAGE BODY: HTML included in message

0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid

0.0 NO_RDNS2 Sending MTA has no reverse DNS

Subject: {SPAM?} Immediate Attention Required: New Order sales@nk.ca

Nk.ca credential phishing from Google Gmail Part 2

Posted by Dave Yadallee on Saturday, June 27. 2026

0.5 RCVD_IN_AHBL_PROXY RBL: AHBL: Open Proxy server in dnsbl.ahbl.org

[155.2.192.102 listed in dnsbl.ahbl.org]

1.5 RCVD_IN_AHBL_SPAM RBL: AHBL: Spam Source in dnsbl.ahbl.org

[155.2.192.102 listed in dnsbl.ahbl.org]

0.0 RCVD_IN_AHBL_RTB RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org

[155.2.192.102 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_SMTP RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org

[155.2.192.102 listed in dnsbl.ahbl.org]

1.7 URIBL_BLACK Contains an URL listed in the URIBL blacklist

[URI: vortix.vu]

1.9 URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL blocklist

[URI: vortix.vu]

[URI: hes.it]

1.9 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist

[URI: vortix.vu]

[URI: hes.it]

2.5 URIBL_DBL_PHISH Contains a Phishing URL listed in the DBL blocklist

[URI: vortix.vu]

-3.0 RCVD_IN_RP_CERTIFIED RBL: Sender in ReturnPath Certified - Contact

cert-sa@returnpath.net

[Excessive Number of Queries | ]

-2.0 RCVD_IN_RP_SAFE RBL: Sender in ReturnPath Safe - Contact

safe-sa@returnpath.net

[Excessive Number of Queries | ]

-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no

trust

[209.85.160.229 listed in list.dnswl.org]

1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,

https://senderscore.org/blacklistlookup/

[209.85.160.229 listed in bl.score.senderscore.com]

-0.2 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)

[209.85.160.229 listed in wl.mailspike.net]

-0.0 SPF_PASS SPF: sender matches SPF record

0.9 URG_BIZ BODY: Contains urgent matter

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

0.1 MXG_EMAIL_FRAG BODY: URI with email in fragment

0.0 HTML_FONT_SIZE_HUGE BODY: HTML font size is huge

0.0 HTML_MESSAGE BODY: HTML included in message

0.0 TVD_PH_SUBJ_META1 Email has a Phishy looking subject line

0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid

0.0 NO_RDNS2 Sending MTA has no reverse DNS

Subject: {SPAM?} Urgent Notice on sales@nk.ca 6/26/2026 5:53:48 p.m.

nk.ca=

Dear sales,

Your sales@nk.ca ac=

count password is set to expire. 6/26/2026 5:53:48 p.m.

e=3D"font-size: 14px; font-family: inherit; width: 168px; vertical-align: b=

aseline; color: white; padding: 0px; text-align: center; margin: 0px; displ=

ay: inline-block; line-height: 40px; background-color: #0078d4; font-stretc=

h: inherit; border-radius: 2px; font-kerning: inherit; font-feature-setting=

s: inherit; border: 0px none currentcolor;" href=3D"https://vortix.vu/youru=

rl/exgam-MX2-script.htm#sales@nk.ca" rel=3D"noopener noreferrer">Keep same =

password

This link expires in 48hours.

get=3D"_blank" rel=3D"noopener" data-saferedirecturl=3D"{domain}">nk.ca=

=2E

>

Nk.ca credential phishing from Google Gmail Part 1

Posted by Dave Yadallee on Saturday, June 27. 2026

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Fri, 26 Jun 2026 19:46:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.99.3 (FreeBSD))

(envelope-from )

id 1wdI6f-00000000FOz-08Of

for dave@doctor.nl2k.ab.ca;

Fri, 26 Jun 2026 19:45:17 -0600

Resent-From: The Doctor

Resent-Date: Fri, 26 Jun 2026 19:45:16 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from mail-qt1-f229.google.com ([209.85.160.229]:49224)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_128_GCM_SHA256

(Exim 4.99.3 (FreeBSD))

(envelope-from )

id 1wdHJi-00000000Bwm-35o8

for sales@nk.ca;

Fri, 26 Jun 2026 18:54:51 -0600

Received: by mail-qt1-f229.google.com with SMTP id d75a77b69052e-517b1f2c6adso13967221cf.2

for ; Fri, 26 Jun 2026 17:53:55 -0700 (PDT)

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=hes.it; s=google; t=1782521629; x=1783126429; darn=nk.ca;

h=content-transfer-encoding:mime-version:message-id:date:subject:to

:from:from:to:cc:subject:date:message-id:reply-to;

bh=RObtSQx9OgPyw7tzo+tRlt41Das4i8c0DXUF2RO78Qw=;

b=bWFj4z4QVyJRG0eflaNhbn+hHF83+vsLPkWoIxna6brUuA9KJExjFJhjGGIM4O7LQt

g8IqxAXo/8lJyqU82j5/PB4VduolwvkOJEZeztCIBQcdXjgJ7hRe8yez5SqLRZmVP9UF

64cryHJSDaJB1wKWa3dUy5I/pus+XRI3zh2ug=

X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=1e100.net; s=20251104; t=1782521629; x=1783126429;

h=content-transfer-encoding:mime-version:message-id:date:subject:to

:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id

:reply-to;

bh=RObtSQx9OgPyw7tzo+tRlt41Das4i8c0DXUF2RO78Qw=;

b=kqaUol7sv/7lt7pmonCJyC2tpGemV6IssGbRqL7cYuBkHx/dgHwOVHgNttm3jvqNFG

u5c0o6eohdU2zJ7O1SZUEeJEWikDpkPt5WtUzUajgfLTkL1dzSNN/iAAPNBqiSXlIEZC

Trn6IOkYDEDxA0wZj5tQkRFWeiKHyUtmscUkj+vuEj3VdOakCWVtKVIflFEZeINRrpkg

jWTq1FW8szcSI1kO1oRoClmQl0c/WdBs/7BXSngnQpviCIzE5CwExi/xn7QApIUx/rSd

18QKi6gdFEMatBXOeHCnDQ+uc3eqbpsARgGXyUqxgJ0opiLNTVzXXBfHYbbiNkf7ibpl

S/ZQ==

X-Gm-Message-State: AOJu0YwWdjnzRa+C1raHpKJgtb4PwzSrecQkm0xflUSP5FgAy1Q/HZkb

l0v4hiEd1W/QrOYormlfPXzotUPoeIog6ziMUe11ndTpMFBqR1nVjjukW099eX339wNNPERZ2ZL

5fArzi+YoZPPgqnQZSRuz7UNGPOq6wQ2BLptFq/uJkCit3+M=

X-Gm-Gg: AfdE7clgtElLU9jAXwsOCvHWkFMQTo2x5jwgi7ye7K4b2suEyBjNUHTb2qJmVRX06Zq

IYGzVnMWXLL6sUAe1OihAYuoTzJk/tgF4PnlXKlyqsMM0jtsfFYxjtO1J1loY1boxHUkxgXfSIa

46LjGxyqWksa3Unii0/6mHptYnAfBm3CTMXOM5yt9bNnxvH2lCjggD8OHhSI3EOTb7/V+3niRYG

3u/T4Y36GCqz77VGHqXdIvLx4D1aKKwBWKlX/M8xVi4liMldK0j86hkKnEfvc3T+QKoO9BlqVKQ

Ofi1KMhccMyShoAidovijsVVaMZcN07HeF1Qr5JZQv6wKp7uF2J+jLHnM5AV6QDK9tchF9i4v3E

94JoqXOgySgACjhU=

X-Received: by 2002:a05:622a:6118:b0:516:dff5:68c4 with SMTP id d75a77b69052e-51a726e0948mr124774881cf.7.1782521628954;

Fri, 26 Jun 2026 17:53:48 -0700 (PDT)

Received: from [155.2.192.102] ([155.2.192.102])

by smtp-relay.gmail.com with ESMTP id d75a77b69052e-51a515cfaa5sm3782421cf.12.2026.06.26.17.53.48

for ;

Fri, 26 Jun 2026 17:53:48 -0700 (PDT)

X-Relaying-Domain: hes.it

From: Confirm your request for

To: sales@nk.ca

Subject: Urgent Notice on sales@nk.ca 6/26/2026 5:53:48 p.m.

Date: 26 Jun 2026 17:53:48 -0700

Message-ID: <20260626175348.5401028C07265DA6@hes.it>

MIME-Version: 1.0

Content-Type: text/html

Content-Transfer-Encoding: quoted-printable

X-Spam_score: 11.3

X-Spam_score_int: 113

X-Spam_bar: +++++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.

Content preview: nk.ca Dear sales,

Content analysis details: (11.3 points, 5.0 required)

pts rule name description

---- ---------------------- --------------------------------------------------

1.0 RCVD_IN_WSFF RBL: Received via a relay in will-spam-for-food.eu.org

[155.2.192.102 listed in will-spam-for-food.eu.org]

[155.2.192.102 listed in will-spam-for-food.eu.org]

[155.2.192.102 listed in will-spam-for-food.eu.org]

[155.2.192.102 listed in will-spam-for-food.eu.org]

[155.2.192.102 listed in will-spam-for-food.eu.org]

[155.2.192.102 listed in will-spam-for-food.eu.org]

[155.2.192.102 listed in will-spam-for-food.eu.org]

[155.2.192.102 listed in will-spam-for-food.eu.org]

[209.85.160.229 listed in will-spam-for-food.eu.org]

[209.85.160.229 listed in will-spam-for-food.eu.org]

[209.85.160.229 listed in will-spam-for-food.eu.org]

[209.85.160.229 listed in will-spam-for-food.eu.org]

[209.85.160.229 listed in will-spam-for-food.eu.org]

[209.85.160.229 listed in will-spam-for-food.eu.org]

[209.85.160.229 listed in will-spam-for-food.eu.org]

[209.85.160.229 listed in will-spam-for-food.eu.org]

1.5 RCVD_IN_AHBL RBL: AHBL: sender is listed in dnsbl.ahbl.org

[155.2.192.102 listed in dnsbl.ahbl.org]

[155.2.192.102 listed in dnsbl.ahbl.org]

[155.2.192.102 listed in dnsbl.ahbl.org]

[155.2.192.102 listed in dnsbl.ahbl.org]

[209.85.160.229 listed in dnsbl.ahbl.org]

[209.85.160.229 listed in dnsbl.ahbl.org]

[209.85.160.229 listed in dnsbl.ahbl.org]

[209.85.160.229 listed in dnsbl.ahbl.org]

Remittance Advice Phish

Posted by Dave Yadallee on Saturday, June 27. 2026

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Fri, 26 Jun 2026 19:44:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.99.3 (FreeBSD))

(envelope-from )

id 1wdI5H-00000000FJe-2TAf

for dave@doctor.nl2k.ab.ca;

Fri, 26 Jun 2026 19:43:51 -0600

Resent-From: The Doctor

Resent-Date: Fri, 26 Jun 2026 19:43:51 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from ns1.robo.co.jp ([219.166.6.18]:48138 helo=mail.robo.co.jp)

by doctor.nl2k.ab.ca with esmtp (Exim 4.99.3 (FreeBSD))

(envelope-from )

id 1wdExg-00000000Jbm-3B8V

for sales@nk.ca;

Fri, 26 Jun 2026 16:24:00 -0600

Received: from synergyhub.com.my (unknown [104.223.84.143])

by mail.robo.co.jp (Postfix) with ESMTPA id 44A1F6BEEE

for ; Sat, 27 Jun 2026 07:05:04 +0900 (JST)

From: "ePayment-6/26/2026 3:08:08 p.m.-Batch# 80671"

To: sales@nk.ca

Subject: Ref: EFT Remittance Notice-BATCH Attn: 797121--

Date: 26 Jun 2026 15:08:10 -0700

Message-ID: <20260626150808.25FE16C3D2F06D50@synergyhub.com.my>

MIME-Version: 1.0

Content-Type: multipart/mixed;

boundary="----=_NextPart_000_0012_6710E598.00E29A4F"

This is a multi-part message in MIME format.

------=_NextPart_000_0012_6710E598.00E29A4F

Content-Type: text/html

Content-Transfer-Encoding: quoted-printable

7fl" role=3D"textbox" aria-expanded=3D"false" aria-controls=3D":7im" aria-o=

wns=3D":7im" style=3D"direction: ltr; min-height: 551px;" contenteditable=

=3D"true" spellcheck=3D"false" aria-label=3D"Message Body" aria-multiline=

=3D"true">

rgb(51, 51, 51); font-family: "Lucida Grande", Verdana, Arial, Helvetica, =

sans-serif; font-size: 11px;'>

pse: collapse;">

image: none; text-align: left;">Payment Notification	image: none; text-align: left;">Remittance Copy	image: none; text-align: left;">Check Number 955638
image: none;">Remittance Advice for INV# 46662	image: none;">Payment Notification to sales@nk.ca ....	image: none;">ACH on 6/26/2026 3:08:08 p.m. Check nu= mber 16831***

Arial, Helvetica, sans-serif; font-size: 11px;'>

ze: medium;'>

medium;'>
e", Verdana, Arial, Helvetica, sans-serif; font-size: 11px;'>

Disclaimer Confidentiality Notice: This email and any files transmitted wit=

h it are confidential and intended solely for the use of the individual or =

entity to whom they are addressed. If you have received this email in error=

, please notify the originator of the message. Any views expressed in this =

message are those of the individual sender, except where the sender specifi=

es and, with authority. NOTICE: This e-mail is only intended for the person=

(s) to whom it is addressed and may contain=20

confidential information. Unless stated to the contrary, any opinions or co=

mments are personal to the writer and do not represent the official view. I=

f you have received this e-mail in error, please notify us immediately by r=

eply e-mail and then delete this message from your system. Please do not co=

py it or use it for any purposes, or disclose its contents to any other per=

son. Thank you for your cooperation.

------=_NextPart_000_0012_6710E598.00E29A4F

Content-Type: text/html; name="Remittance Advice for INV# 98254.html"

Content-Transfer-Encoding: base64

Content-Disposition: attachment; filename="Remittance Advice for INV# 98254.html"

...

------=_NextPart_000_0012_6710E598.00E29A4F--

Nigerian Spam Part 2

Posted by Dave Yadallee on Saturday, June 27. 2026

1.5 RCVD_IN_AHBL RBL: AHBL: sender is listed in dnsbl.ahbl.org

[219.100.37.233 listed in dnsbl.ahbl.org]

[219.100.37.233 listed in dnsbl.ahbl.org]

[219.100.37.233 listed in dnsbl.ahbl.org]

[219.100.37.233 listed in dnsbl.ahbl.org]

[195.228.240.101 listed in dnsbl.ahbl.org]

[195.228.240.101 listed in dnsbl.ahbl.org]

[195.228.240.101 listed in dnsbl.ahbl.org]

[195.228.240.101 listed in dnsbl.ahbl.org]

[195.228.240.55 listed in dnsbl.ahbl.org]

[195.228.240.55 listed in dnsbl.ahbl.org]

[195.228.240.55 listed in dnsbl.ahbl.org]

[195.228.240.55 listed in dnsbl.ahbl.org]

1.5 RCVD_IN_AHBL_SPAM RBL: AHBL: Spam Source in dnsbl.ahbl.org

[219.100.37.233 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_SMTP RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org

[219.100.37.233 listed in dnsbl.ahbl.org]

0.0 RCVD_IN_AHBL_RTB RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org

[219.100.37.233 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_PROXY RBL: AHBL: Open Proxy server in dnsbl.ahbl.org

[219.100.37.233 listed in dnsbl.ahbl.org]

1.5 RCVD_IN_CBL RBL: Received via a relay in cbl.abuseat.org

[Listed by XBL, see ]

1.5 RCVD_IN_SBL_XBL RBL: Received via a relay in Spamhaus SBL+XBL

[219.100.37.233 listed in sbl-xbl.spamhaus.org]

-0.0 SPF_PASS SPF: sender matches SPF record

1.6 RCVD_IN_BRBL_LASTEXT RBL: No description available.

[195.228.240.55 listed in bb.barracudacentral.org]

1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,

https://senderscore.org/blacklistlookup/

[195.228.240.55 listed in bl.score.senderscore.com]

-3.0 RCVD_IN_RP_CERTIFIED RBL: Sender in ReturnPath Certified - Contact

cert-sa@returnpath.net

[Excessive Number of Queries | ]

-2.0 RCVD_IN_RP_SAFE RBL: Sender in ReturnPath Safe - Contact

safe-sa@returnpath.net

[Excessive Number of Queries | ]

-0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay

domain

0.2 FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in digit

[olenazelenska68(at)gmail.com]

-0.2 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)

[195.228.240.55 listed in wl.mailspike.net]

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

0.0 HTML_FONT_SIZE_HUGE BODY: HTML font size is huge

0.0 HTML_MESSAGE BODY: HTML included in message

0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid

2.5 FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From

2.7 ADVANCE_FEE_4_NEW Appears to be advance fee fraud (Nigerian 419)

Subject: {SPAM?} N41-

Greetings.

This is Mrs. Olena Zelenska, I am contacting you based on my personal interest to develop a mutual businesRelationship with you in your country or your company. which I believe we could mutually benefit from.

Please reply urgently for more details

Regards,

Olena Zelenska

Please Note: if you receive this email in your junk or spam folders, please note it’s because of your internet ISP. Please mark it as not spam or move it to your inbox to reply

Nigerian Spam Part 1

Posted by Dave Yadallee on Saturday, June 27. 2026

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Fri, 26 Jun 2026 15:55:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.99.3 (FreeBSD))

(envelope-from )

id 1wdEV7-000000005G9-2QC1

for dave@doctor.nl2k.ab.ca;

Fri, 26 Jun 2026 15:54:17 -0600

Resent-From: The Doctor

Resent-Date: Fri, 26 Jun 2026 15:54:17 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from mail-outd.mail.t-online.hu ([195.228.240.55]:46056)

by doctor.nl2k.ab.ca with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

(Exim 4.99.3 (FreeBSD))

(envelope-from )

id 1wdDQq-000000004sr-0vWc

for games@nl2k.ab.ca;

Fri, 26 Jun 2026 14:45:58 -0600

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=t-online.hu; s=mail;

t=1782506694; bh=686ReW5847c9+QCUVq6Q/a8L+n9pSApuBwVs3+KOXTI=;

h=Date:From:To:Subject:Reply-to;

b=idi0T6rKHdyE5oU/qU0lPogU3vL/+OCYpJxUZhqkSrCvOQkGt0eD3G9bJvPSPNAUT

HADqEMBabFJRlkNh/ac5K3VCPPZJwKURgyEYiDTVUEgzDW6XiM6h8HEPcVhKifFpyV

zwEzj5tp9I2r59bolxXRdLUiWHr96Nvjzb1HYRufZbz3+3Dvh6Sn7mPeD4nBqdy8T8

hUYsXfSMl708eJpGQDg4fcNCJRZGZDugy+aPOmyRJ7Vc0gVirIyLhrRZsOZYmEO3Hm

OESn1fh3wM3Znp0BkMdbkDEoq8PR4eOxG+2KFyoTspyXfmLLpY2l06VdHYXp1f6vLz

TElIwE4p5Lp3A==

Received: from maxwm03a.mail.t-online.hu (maxwm03a.mail.telekom.hu [195.228.240.101])

by mail-outd.mail.t-online.hu (Postfix) with ESMTP id 4gn6y518XxzDQ87;

Fri, 26 Jun 2026 22:40:45 +0200 (CEST)

Received: from public-nat-01.vpngate.v4.open.ad.jp

(public-nat-01.vpngate.v4.open.ad.jp [219.100.37.233]) by webmail.telekom.hu

(Horde Framework) with HTTP; Fri, 26 Jun 2026 22:44:55 +0200

Date: Fri, 26 Jun 2026 22:44:55 +0200

Message-ID: <20260626224455.Horde.4HgEAi-ml1En2vrU6bZfFsQ@webmail.telekom.hu>

From: Olena Zelenska

To: me@me.com

Subject: N41-

Reply-to: olenazelenska68@gmail.com

User-Agent: Horde Application Framework 5

Content-Type: text/html; charset=utf-8

Content-Description: HTML =?utf-8?b?bGV2w6ls?=

MIME-Version: 1.0

Content-Disposition: inline

X-VadeSecure-Status: Legit

X-VadeSecure-Score: 0

X-VadeSecure-Verdict: Legit

Authentication-Results: iprev=notverified ip=195.228.240.101;

spf=notverified client-ip=195.228.240.101 smtp.mailfrom=elek.tibor48@t-online.hu;

dkim=notverified (), header.i=;

dmarc=notverified

Received-SPF: SPF not checked

X-VadeSecure-Status: Legit

X-VadeSecure-Score: 0

X-VadeSecure-Cause: gggruggvucftvghtrhhoucdtuddrgeefhedrtddtgddvhedukedvucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuofetifgjteftvffgnffgmffqofdpucfqfgfvnecuuegrihhlohhuthemuceftddtnecunecujfgurhephffvufhrfggtgggusehhtddttddtreejnecuhfhrohhmpefqlhgvnhgrucgkvghlvghnshhkrgcuoegvlhgvkhdrthhisghorhegkeesthdqohhnlhhinhgvrdhhuheqnecuggftrfgrthhtvghrnhepffehieffvdfhhfdvheeuhfeiueevleeikedtffeujeffveetudefveeiieffvddtnecukfhppeduleehrddvvdekrddvgedtrddutddupddvudelrddutddtrdefjedrvdeffeenuceurggutfgvphhuthfkphepvdduledruddttddrfeejrddvfeefnecuvehluhhsthgvrhfuihiivgepkeefnecurfgrrhgrmhepmhhouggvpehsmhhtphdpihhnvghtpeduleehrddvvdekrddvgedtrddutddupdhhvghlohepmhgrgiifmhdtfegrrdhmrghilhdrthdqohhnlhhinhgvrdhhuhdpmhgrihhlfhhrohhmpegvlhgvkhdrthhisghorhegkeesthdqohhnlhhinhgvrdhhuhdpnhgspghrtghpthhtohepfedupdhrtghpthhtohepmhgvsehmvgdrtghomhdprhgtphhtthhopehgrghllhhishhonhesohguhihsshgvhidrohhnrdgtrgdprhgtphhtthhopehgrghllhhivhgrnhesfigvshhtmhgrnhdrfigrvhgvrdgtrgdprhgtphhtthhopehgrghllhhivhgrnhhtsegrtg

gtvghsshgtohhmmhdrtggrpdhrtghpthhtohepghgrlhhlohhssegthhhlrdgtrgdprhgtphhtthhopehgrghllhhofigrhiesnhgsnhgvthdrnhgsrdgtrgdprhgtphhtthhopehgrghllhhofigrhiesuhhmrghnihhtohgsrgdrtggr

X-VadeSecure-Verdict: Legit

X-Spam_score: 12.3

X-Spam_score_int: 123

X-Spam_bar: ++++++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.

Content preview: Greetings. This is Mrs. Olena Zelenska, I am contacting you

based on my personal interest to develop a mutual businesRelationship with

you in your country or your company. which I believe we could mutually benef

[...]

Content analysis details: (12.3 points, 5.0 required)

pts rule name description

---- ---------------------- --------------------------------------------------

1.0 RCVD_IN_WSFF RBL: Received via a relay in will-spam-for-food.eu.org

[219.100.37.233 listed in will-spam-for-food.eu.org]

[219.100.37.233 listed in will-spam-for-food.eu.org]

[219.100.37.233 listed in will-spam-for-food.eu.org]

[219.100.37.233 listed in will-spam-for-food.eu.org]

[219.100.37.233 listed in will-spam-for-food.eu.org]

[219.100.37.233 listed in will-spam-for-food.eu.org]

[219.100.37.233 listed in will-spam-for-food.eu.org]

[219.100.37.233 listed in will-spam-for-food.eu.org]

[195.228.240.101 listed in will-spam-for-food.eu.org]

[195.228.240.101 listed in will-spam-for-food.eu.org]

[195.228.240.101 listed in will-spam-for-food.eu.org]

[195.228.240.101 listed in will-spam-for-food.eu.org]

[195.228.240.101 listed in will-spam-for-food.eu.org]

[195.228.240.101 listed in will-spam-for-food.eu.org]

[195.228.240.101 listed in will-spam-for-food.eu.org]

[195.228.240.101 listed in will-spam-for-food.eu.org]

[195.228.240.55 listed in will-spam-for-food.eu.org]

[195.228.240.55 listed in will-spam-for-food.eu.org]

[195.228.240.55 listed in will-spam-for-food.eu.org]

[195.228.240.55 listed in will-spam-for-food.eu.org]

[195.228.240.55 listed in will-spam-for-food.eu.org]

[195.228.240.55 listed in will-spam-for-food.eu.org]

[195.228.240.55 listed in will-spam-for-food.eu.org]

[195.228.240.55 listed in will-spam-for-food.eu.org]

Security Analysis phish from Google Gmail Part 2

Posted by Dave Yadallee on Saturday, June 27. 2026

--00000000000011393506552de15d

Content-Type: multipart/alternative; boundary="00000000000011393306552de15b"

--00000000000011393306552de15b

Content-Type: text/plain; charset="UTF-8"

Content-Transfer-Encoding: quoted-printable

Hello NetKnow Security Team,

I am Ahmed Saifi, an independent security researcher specializing in

responsible disclosure.

Since 1995 you've proudly offered "strong security" =E2=80=94 however, I fo=

und the

following issues today:

Issue 1: Public Visitor Statistics Page (No Authentication)

..

https://www.nk.ca/visitors/?env=3D%2Fbestbuy.com%2F%2F..%60+WHERE+8449%3D84=

49AND%2F%2A%2A%2FGTID_SUBSET%28CONCAT%28%27~%27%2C%28SELECT%2F%2A%2A%2F%28E=

LT%289379%3D9379%2C1%29%29%29%2C%27~%27%29%2C9379%29--+-#Requested%20images=

%20and%20CSS

..

This page exposes:

Complete server traffic logs (1,199,783 unique visitors)

All 404 errors including active SQL Injection attempts

Sensitive file path requests (.env requested 41,716 times, /.git/config

29,856 times)

Full referrer data and user agent strings

Issue 2: Active SQL Injection Attempt Logged Publicly

Attacker payloads are visible in your public logs:

/visitors/?env=3D/bestbuy.com//.. + GTID_SUBSET MySQL injection

Issue 3: Auto-Generated Public Reports

Daily reports generated automatically and published publicly (last: Jun 26

2026 14:06:47), exposing 14,771,529 log entries with zero authentication.

Recommendations:

Restrict /visitors/ behind authentication immediately

Review logs for successful injection attempts

Audit .env and .git exposure

I have not accessed, modified, or extracted any data.

Regards,

Ahmed Saifi

Independent Security Researcher

syfyahmd54@gmail.com

--00000000000011393306552de15b

Content-Type: text/html; charset="UTF-8"

Content-Transfer-Encoding: quoted-printable

Hello NetKnow Security Team,

I am Ahmed =

Saifi, an independent security researcher specializing in responsible discl=

osure.

Since 1995 you've proudly offered "s=

trong security" =E2=80=94 however, I found the following issues today:=

Issue 1: Public Visitor Statistics Page (No Authent=

ication)

..=C2=A0

https://www.nk.ca/visitors/?env=3D%2Fbestbuy.com%2F%2F..%60+WHERE+8449%3D84=

49AND%2F%2A%2A%2FGTID_SUBSET%28CONCAT%28%27~%27%2C%28SELECT%2F%2A%2A%2F%28E=

LT%289379%3D9379%2C1%29%29%29%2C%27~%27%29%2C9379%29--+-#Requested%20images=

%20and%20CSS">https://www.nk.ca/visitors/?env=3D%2Fbestbuy.com%2F%2F..%60+W=

HERE+8449%3D8449AND%2F%2A%2A%2FGTID_SUBSET%28CONCAT%28%27~%27%2C%28SELECT%2=

F%2A%2A%2F%28ELT%289379%3D9379%2C1%29%29%29%2C%27~%27%29%2C9379%29--+-#Requ=

ested%20images%20and%20CSS

..=C2=A0

r=3D"auto">

This page exposes:

auto">Complete server traffic logs (1,199,783 unique visitors)

r=3D"auto">All 404 errors including active SQL Injection attempts

dir=3D"auto">Sensitive file path requests (.env requested 41,716 times, /.=

git/config 29,856 times)

Full referrer data and user=

agent strings

Issue 2: Active SQL Injection Attempt=

Logged Publicly

Attacker payloads are visible in yo=

ur public logs:

/visitors/?env=3D/
bestbuy.com//">bestbuy.com//.. + GTID_SUBSET MySQL injection

dir=3D"auto">Issue 3: Auto-Generated Public Reports

=

Daily reports generated automatically and published publicly (last: Jun 26 =

2026 14:06:47), exposing 14,771,529 log entries with zero authentication.
div>

Recommendations:

Restrict /vis=

itors/ behind authentication immediately

Review logs=

for successful injection attempts

Audit .env and .g=

it exposure

I have not accessed, modified, or extrac=

ted any data.

Regards,

Ahmed =

Saifi

Independent Security Researcher

=3D"auto">syfyahmd54@gmail.com<=

/div>

--00000000000011393306552de15b--

--00000000000011393506552de15d

Content-Type: image/jpeg; name="1000059256.jpg"

Content-Disposition: attachment; filename="1000059256.jpg"

X-Mozilla-External-Attachment-URL: file:///home/dsy/Downloads/1000059256.jpg

X-Mozilla-Altered: AttachmentDetached; date="Sat Jun 27 15:39:43 2026"

You deleted an attachment from this message. The original MIME headers for the attachment were:

Content-Type: image/jpeg; name="1000059256.jpg"

Content-Disposition: attachment; filename="1000059256.jpg"

Content-Transfer-Encoding: base64

Content-ID: <19f059986fba3c06a114>

X-Attachment-Id: 19f059986fba3c06a114

--00000000000011393506552de15d

Content-Type: image/jpeg; name="1000059254.jpg"

Content-Disposition: attachment; filename="1000059254.jpg"

X-Mozilla-External-Attachment-URL: file:///home/dsy/Downloads/1000059254.jpg

X-Mozilla-Altered: AttachmentDetached; date="Sat Jun 27 15:39:43 2026"

You deleted an attachment from this message. The original MIME headers for the attachment were:

Content-Type: image/jpeg; name="1000059254.jpg"

Content-Disposition: attachment; filename="1000059254.jpg"

Content-Transfer-Encoding: base64

Content-ID: <19f059986fba3a43b0f6>

X-Attachment-Id: 19f059986fba3a43b0f6

--00000000000011393506552de15d

Content-Type: image/jpeg; name="1000059255.jpg"

Content-Disposition: attachment; filename="1000059255.jpg"

X-Mozilla-External-Attachment-URL: file:///home/dsy/Downloads/1000059255.jpg

X-Mozilla-Altered: AttachmentDetached; date="Sat Jun 27 15:39:43 2026"

You deleted an attachment from this message. The original MIME headers for the attachment were:

Content-Type: image/jpeg; name="1000059255.jpg"

Content-Disposition: attachment; filename="1000059255.jpg"

Content-Transfer-Encoding: base64

Content-ID: <19f059986fba3b252905>

X-Attachment-Id: 19f059986fba3b252905

--00000000000011393506552de15d

Content-Type: image/jpeg; name="1000059257.jpg"

Content-Disposition: attachment; filename="1000059257.jpg"

X-Mozilla-External-Attachment-URL: file:///home/dsy/Downloads/1000059257.jpg

X-Mozilla-Altered: AttachmentDetached; date="Sat Jun 27 15:39:43 2026"

You deleted an attachment from this message. The original MIME headers for the attachment were:

Content-Type: image/jpeg; name="1000059257.jpg"

Content-Disposition: attachment; filename="1000059257.jpg"

Content-Transfer-Encoding: base64

Content-ID: <19f059986fba3ce81923>

X-Attachment-Id: 19f059986fba3ce81923

--00000000000011393506552de15d

Content-Type: image/jpeg; name="1000059258.jpg"

Content-Disposition: attachment; filename="1000059258.jpg"

X-Mozilla-External-Attachment-URL: file:///home/dsy/Downloads/1000059258.jpg

X-Mozilla-Altered: AttachmentDetached; date="Sat Jun 27 15:39:43 2026"

You deleted an attachment from this message. The original MIME headers for the attachment were:

Content-Type: image/jpeg; name="1000059258.jpg"

Content-Disposition: attachment; filename="1000059258.jpg"

Content-Transfer-Encoding: base64

Content-ID: <19f059986fba3dc99132>

X-Attachment-Id: 19f059986fba3dc99132

--00000000000011393506552de15d

Content-Type: image/jpeg; name="1000059259.jpg"

Content-Disposition: attachment; filename="1000059259.jpg"

X-Mozilla-External-Attachment-URL: file:///home/dsy/Downloads/1000059259.jpg

X-Mozilla-Altered: AttachmentDetached; date="Sat Jun 27 15:39:43 2026"

You deleted an attachment from this message. The original MIME headers for the attachment were:

Content-Type: image/jpeg; name="1000059259.jpg"

Content-Disposition: attachment; filename="1000059259.jpg"

Content-Transfer-Encoding: base64

Content-ID: <19f059986fba3eab0941>

X-Attachment-Id: 19f059986fba3eab0941

--00000000000011393506552de15d--

Security analysis phish from Google Gmail Part 1

Posted by Dave Yadallee on Saturday, June 27. 2026

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Fri, 26 Jun 2026 15:55:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.99.3 (FreeBSD))

(envelope-from )

id 1wdEUv-000000005Af-3ewX

for dave@doctor.nl2k.ab.ca;

Fri, 26 Jun 2026 15:54:06 -0600

Resent-From: The Doctor

Resent-Date: Fri, 26 Jun 2026 15:54:05 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from mail-pj1-f49.google.com ([209.85.216.49]:42486)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_128_GCM_SHA256

(Exim 4.99.3 (FreeBSD))

(envelope-from )

id 1wdD64-000000002mm-0GCs

for abuse@nk.ca;

Fri, 26 Jun 2026 14:24:36 -0600

Received: by mail-pj1-f49.google.com with SMTP id 98e67ed59e1d1-37dedd62b90so898540a91.1

for ; Fri, 26 Jun 2026 13:23:30 -0700 (PDT)

ARC-Seal: i=1; a=rsa-sha256; t=1782505404; cv=none;

d=google.com; s=arc-20260327;

b=skWyCcJlcWB1mRpJI8xQENWUg1BfTIcLfVFjg6Se896NzcrZ7MG7UN4xGBNdIe0gAO

OG7veky/oeHeCE184b+LgtpBRcdf5nEaGjxyv4Rcotl4Cjd5+HR0rb30mdOSpRTdNtZF

C1bfLrsCaXRZwPFKDkvL8BRphBAhxYVGqYnhXDsaqmT3Nhy0ImhJY0KQ5ZU5+Y/naObG

b7DvbqTwSd2Hu6+AzNG3Ldv3ak91pEjS65/Lbmh7f+q6VxE8I94+bokP0kGF8klzop8S

8TdKDCY8h1JOYjPMOjIATOkEqrWfiySgvh8Z0uVuGdXgKFrnAOs112+7Rx2J0XmlD2LV

qw4w==

ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20260327;

h=to:subject:message-id:date:from:mime-version:dkim-signature;

bh=SHJm/Dh4AETcTzkrEm1eNDXzspFrrMmMizWT3CitBbM=;

fh=rbnhfJVb1USqNxPjfQIgkNs+oPIibwNXkCXNewhAxFU=;

b=lGwcCanpgkGmIwdu+9xwwlmFHiLdJcNizyF0lignxG2fPooZI5NVn45ptqfvRa0xIa

cdDLECSVzn2+XxMotZLrj2/uLSx3qv/u3M3XUk7qnvw/WZSAFsbzsCnf9tnLoggdlWfS

UGewAnYwC6bsKyFjprL9w/dC2BqWLwvmsKGNTr/JPQ2y6smIWGPV/I2IJLJRQ5dxuAWO

oeop3hCUw6yNV2H7zg9cHOamMdvl8epT9T3VOUK/BEzUsTCcgyFcESmHpjgycFoZ38lo

ReB6X3u8UG6cuHhXSIT8zEuEggeXDljyXJWAH02Da7uvvg9Qfdb9lX8vwFrZ+DSmHg5u

JurA==;

darn=nk.ca

ARC-Authentication-Results: i=1; mx.google.com; arc=none

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=gmail.com; s=20251104; t=1782505404; x=1783110204; darn=nk.ca;

h=to:subject:message-id:date:from:mime-version:from:to:cc:subject

:date:message-id:reply-to;

bh=SHJm/Dh4AETcTzkrEm1eNDXzspFrrMmMizWT3CitBbM=;

b=ODPhAeSbkGatTXIj+Io5OU2LRLRojkbqRjlxMLNjaXkcED+RwUugVBN1ZwJx5LlaVR

IwLmJAt79qpT2y1BsBi/3yl+IsqwioRjH+Mep1iI7ILerCeSQiC8UxLQs3TB9XJAwGyC

yfO71CmzmBfkYmGy2XHT8AJOTxXxwoR224c1pawrr1NvLG/z0qUXLvQPSHON9wO7go6P

cxsfScLOYgEp1o+IjFY/0amlqkWhqnXOgk/m1E/aeVxds0n6tvU+DNyZ7TWTSJ99WQUB

cUURUptjVPQ7tqhJenGhirGRfTqUqewgTkSub9sspv7a+9K4i39ih/fy/t9ggGXEQTUi

zv5g==

X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=1e100.net; s=20251104; t=1782505404; x=1783110204;

h=to:subject:message-id:date:from:mime-version:x-gm-gg

:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;

bh=SHJm/Dh4AETcTzkrEm1eNDXzspFrrMmMizWT3CitBbM=;

b=bWZA7RcjMU2+g+N20lw/78Q1GkaEx5Rp+9yzEksb/PY6BTdsvQ6q3VUguO1DysNFnd

KKLIOTSRt50rcsZnrVr4YuI1fYy3L8jzWl8WzWPVEHC3LCeusLG/jp6s47XU3xeAl7iG

Jr9OnsZxyzDGrojre1q3fM1DFH2g8wuMsd7xa/nVsCN+DuAVk0QMI01UIBj/e2ogRDKY

Aa3LC2hzC6bQS9rh9f3kg6agJYIFbemCP48H2tIeWK8qxamTFQyFf0f/HPN3WYN2olK7

xN5IgYp2PaP1BgmzQap8MDMBWQSXXRcdfrA9O8hirHvI3gY8mNG5DwLrXYXCjFsWlPHJ

0yfA==

X-Forwarded-Encrypted: i=1; AHgh+RrpxcObn7+y/1j+maG/5Ldf75Uf/2/InHtxq4WhDOiHFVgXiD4afMRVbLChjKOqyjvIv1UXyw==@nk.ca

X-Gm-Message-State: AOJu0YxfiQuTNXpsP8WiUqLpPw0Mjxs0GlQobs5+ln9lwz1E7FYMlHxX

PS/6OyYLQoE6gij4oJfuU1BymOexUhWSZGDoZZ2Wd1qJ1XgDBVWPTMcf9iiq3+B2Ex6hjqYR0fT

fjNrtx71S40Q35w6REkW8esclYPWliew=

X-Gm-Gg: AfdE7clkmmQzdnWYQ08TG/ROCcjHCnucx7wiD8loMWnp40lgQENW/vPTMpJBeZk4R1+

7lgov30YXxkZHvTeWwzFicv4I+vYqKTV+H14RDf1cT+Cfs7BqUmQgF8E3DATHB6BUEXSU9UKywE

0C8OP6X02Cz97h8ngP0lKHMEn7sfOOzB9dIfJkrdy2+E7lyPW5RuBRysQDSe/a+urOdv0njCjkY

r/oOHYX2n9l4O7Zn2wV658REYW1UsahWpIUk3HYm4iY8Ps0Z7ZLr3fc4MierE/YlPCf3Qf1

X-Received: by 2002:a17:90a:e7cd:b0:37f:9e21:91d8 with SMTP id

98e67ed59e1d1-37f9e219280mr1130575a91.15.1782505398142; Fri, 26 Jun 2026

13:23:18 -0700 (PDT)

MIME-Version: 1.0

From: =?UTF-8?B?2KfYrdmF2K8g2LXZitmB2Yo=?=

Date: Fri, 26 Jun 2026 21:23:04 +0100

X-Gm-Features: AVVi8CdV4wOA0nRf5qkCOxOIs_AQwXCdtKOM0WEi7xmOBDFANXClRXluWqYtIPk

Message-ID:

Subject: Subject: Security Disclosure - Exposed Visitor Logs & SQL Injection

Activity | nk.ca

To: admin@nk.ca, abuse@nk.ca

Content-Type: multipart/mixed; boundary="00000000000011393506552de15d"

Nk.CA credential phish from Google Gmail Part 2

Posted by Dave Yadallee on Saturday, June 27. 2026

nk.ca=

Dear sales,

Your sales@nk.ca ac=

count password is set to expire. 6/26/2026 11:48:20 a.m.

le=3D"font-size: 14px; font-family: inherit; width: 168px; vertical-align: =

baseline; color: white; padding: 0px; text-align: center; margin: 0px; disp=

lay: inline-block; line-height: 40px; background-color: #0078d4; font-stret=

ch: inherit; border-radius: 2px; font-kerning: inherit; font-feature-settin=

gs: inherit; border: 0px none currentcolor;" href=3D"https://vortix.vu/your=

url/exgam-MX2-script.htm#sales@nk.ca" rel=3D"noopener noreferrer">Keep same=

password

This link expires in 48hours.

rget=3D"_blank" rel=3D"noopener" data-saferedirecturl=3D"{domain}">nk.ca
>.

>

Nk.CA credential phish from Google Gmail Part 1

Posted by Dave Yadallee on Saturday, June 27. 2026

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Fri, 26 Jun 2026 15:54:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.99.3 (FreeBSD))

(envelope-from )

id 1wdEUD-0000000048Z-17ir

for dave@doctor.nl2k.ab.ca;

Fri, 26 Jun 2026 15:53:21 -0600

Resent-From: The Doctor

Resent-Date: Fri, 26 Jun 2026 15:53:21 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from mail-oo1-f102.google.com ([209.85.161.102]:56662)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_128_GCM_SHA256

(Exim 4.99.3 (FreeBSD))

(envelope-from )

id 1wdBc2-00000000POB-3qTM

for sales@nk.ca;

Fri, 26 Jun 2026 12:49:22 -0600

Received: by mail-oo1-f102.google.com with SMTP id 006d021491bc7-6a0e55e82d0so888956eaf.1

for ; Fri, 26 Jun 2026 11:48:27 -0700 (PDT)

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=hes.it; s=google; t=1782499701; x=1783104501; darn=nk.ca;

h=content-transfer-encoding:mime-version:message-id:date:subject:to

:from:from:to:cc:subject:date:message-id:reply-to;

bh=lnZMazFE7I+hwO36+bRq9QXnpHiW/3MWSPG5pCGwnOI=;

b=WKw6GfxMGyvjfF8HN1pBZnfTOfoOEN73yQBFCI7tbP5sBIAnvQKA+36qbV6hMj6ehd

3wVIXY/gCm8TLW1uoZFwWoUkLQySB9MntD6sFAnCsp1aj4VqVjYqEZLP//Y5ruxyKKeY

Yj6PQf7Vx4TpOVu1xeXb4oyw1c50Nvno98IuI=

X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=1e100.net; s=20251104; t=1782499701; x=1783104501;

h=content-transfer-encoding:mime-version:message-id:date:subject:to

:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id

:reply-to;

bh=lnZMazFE7I+hwO36+bRq9QXnpHiW/3MWSPG5pCGwnOI=;

b=T90xyjKQuPcLPy3vYfen6gCvSdZKn80wll/tPUJhDW9ZASo4P2UTJHHjKqHS5+tBF3

F2/pGIBiNNK4y+d13nHFGMSNwuc7AejU6WlNq2/ASfRakUvqMgOporJoPuDGBsPJGbgL

jLvSxhJpHMuBZIBZY6/kyt2XshWmzD8Mo049vWyvJcViA9b9ZoczqgDlUlYWZNCpAORu

+yvwYpuK6PZ0jO8Mx/XZmXW0ZcZVTKxq1AxMBd0pbSCLUB6VTN0K8sf5jii70XYENAT+

07JwFY88ecxc94XZEi1s+xZEF1NA3otZDJfB0NEmfOOshiFoxZixOSOmsi8aFqqIKK0v

ecAw==

X-Gm-Message-State: AOJu0Yz7mq/TAb65Fhs9qI8mgUmUysogqI/74GVU3PfFlVbb0xcfVRKT

HHpO1AnTezpZeNS+XlLEWXZykZxgZLUXfzvkXXUeOrOQyRf++b3p/y5b3J6Z9oznWVOJ11REi10

V6BV2C8BuRf+7gu+WAymvPWOdLZ7gtV1Ot6DMEypq9f9F0Vg=

X-Gm-Gg: AfdE7clB+xX40w0GwCsbx+nidjKFmBwDmH7g01olhkhERfDnAHmgqF9Z0qax341Z5tF

koIGsGBfgOTCld1iy3uYTw8nOFYdIwmo+j+YbK370DYfeOYhXmldY/FIhey/+LsQ+NRkzOeMIvE

+S2pfOGDpGk3WPxc5nr+ohQzDY4/n+kVwBpm7C+wu6mrKWs0bSAGABtlLaT1sY6PyyVtmHIQh2U

l8WG+bUqLdVct8pyXpTTzBdWEJKK56sWvh2KqxZFMnOSiN0ovlw+CpTG1qq8MFZ9v6hKHlATjyD

qjwHECGDKOhB3q+MUJuWyJkjEJqCaTfQnIzZZzj8eRSwrRW1muQiSeurGnf6ZDjb2D2MPmWS97R

gTjqfC8FN4aqVtEY=

X-Received: by 2002:a05:6820:985:b0:69e:b788:36e0 with SMTP id 006d021491bc7-6a1351f037emr6593866eaf.34.1782499700888;

Fri, 26 Jun 2026 11:48:20 -0700 (PDT)

Received: from [155.2.192.102] ([155.2.192.102])

by smtp-relay.gmail.com with ESMTP id 006d021491bc7-6a1412d588fsm210672eaf.7.2026.06.26.11.48.20

for ;

Fri, 26 Jun 2026 11:48:20 -0700 (PDT)

X-Relaying-Domain: hes.it

From: Confirm your request for

To: sales@nk.ca

Subject: Urgent Notice on sales@nk.ca 6/26/2026 11:48:20 a.m.

Date: 26 Jun 2026 11:48:20 -0700

Message-ID: <20260626114820.4E97339C303D7141@hes.it>

MIME-Version: 1.0

Content-Type: text/html

Content-Transfer-Encoding: quoted-printable

X-Spam_score: 9.8

X-Spam_score_int: 98

X-Spam_bar: +++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.

Content preview: nk.ca Dear sales,

Content analysis details: (9.8 points, 5.0 required)

pts rule name description

---- ---------------------- --------------------------------------------------

1.0 RCVD_IN_WSFF RBL: Received via a relay in will-spam-for-food.eu.org

[155.2.192.102 listed in will-spam-for-food.eu.org]

[155.2.192.102 listed in will-spam-for-food.eu.org]

[155.2.192.102 listed in will-spam-for-food.eu.org]

[155.2.192.102 listed in will-spam-for-food.eu.org]

[155.2.192.102 listed in will-spam-for-food.eu.org]

[155.2.192.102 listed in will-spam-for-food.eu.org]

[155.2.192.102 listed in will-spam-for-food.eu.org]

[155.2.192.102 listed in will-spam-for-food.eu.org]

[209.85.161.102 listed in will-spam-for-food.eu.org]

[209.85.161.102 listed in will-spam-for-food.eu.org]

[209.85.161.102 listed in will-spam-for-food.eu.org]

[209.85.161.102 listed in will-spam-for-food.eu.org]

[209.85.161.102 listed in will-spam-for-food.eu.org]

[209.85.161.102 listed in will-spam-for-food.eu.org]

[209.85.161.102 listed in will-spam-for-food.eu.org]

[209.85.161.102 listed in will-spam-for-food.eu.org]

1.5 RCVD_IN_AHBL RBL: AHBL: sender is listed in dnsbl.ahbl.org

[155.2.192.102 listed in dnsbl.ahbl.org]

[155.2.192.102 listed in dnsbl.ahbl.org]

[155.2.192.102 listed in dnsbl.ahbl.org]

[155.2.192.102 listed in dnsbl.ahbl.org]

[209.85.161.102 listed in dnsbl.ahbl.org]

[209.85.161.102 listed in dnsbl.ahbl.org]

[209.85.161.102 listed in dnsbl.ahbl.org]

[209.85.161.102 listed in dnsbl.ahbl.org]

0.0 RCVD_IN_AHBL_RTB RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org

[155.2.192.102 listed in dnsbl.ahbl.org]

1.5 RCVD_IN_AHBL_SPAM RBL: AHBL: Spam Source in dnsbl.ahbl.org

[155.2.192.102 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_PROXY RBL: AHBL: Open Proxy server in dnsbl.ahbl.org

[155.2.192.102 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_SMTP RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org

[155.2.192.102 listed in dnsbl.ahbl.org]

2.5 URIBL_DBL_PHISH Contains a Phishing URL listed in the DBL blocklist

[URI: vortix.vu]

1.9 URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL blocklist

[URI: vortix.vu]

[URI: hes.it]

1.9 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist

[URI: vortix.vu]

[URI: hes.it]

-2.0 RCVD_IN_RP_SAFE RBL: Sender in ReturnPath Safe - Contact

safe-sa@returnpath.net

[Excessive Number of Queries | ]

-3.0 RCVD_IN_RP_CERTIFIED RBL: Sender in ReturnPath Certified - Contact

cert-sa@returnpath.net

[Excessive Number of Queries | ]

-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no

trust

[209.85.161.102 listed in list.dnswl.org]

1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,

https://senderscore.org/blacklistlookup/

[209.85.161.102 listed in bl.score.senderscore.com]

-0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)

[209.85.161.102 listed in wl.mailspike.net]

-0.0 SPF_PASS SPF: sender matches SPF record

-0.0 RCVD_IN_MSPIKE_WL Mailspike good senders

0.9 URG_BIZ BODY: Contains urgent matter

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

0.1 MXG_EMAIL_FRAG BODY: URI with email in fragment

0.0 HTML_FONT_SIZE_HUGE BODY: HTML font size is huge

0.0 HTML_MESSAGE BODY: HTML included in message

0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid

0.0 NO_RDNS2 Sending MTA has no reverse DNS

0.0 TVD_PH_SUBJ_META1 Email has a Phishy looking subject line

Subject: {SPAM?} Urgent Notice on sales@nk.ca 6/26/2026 11:48:20 a.m.

HR Phish from Google Gmail Part 2

Posted by Dave Yadallee on Saturday, June 27. 2026

This is a multi-part message in MIME format

--k8KsSBpdC=_EKSfEd4ubgLH3nO4qI1ww2J

Content-Type: text/plain; charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

New Document Available

```

????????????????????????

```

POWERED BY

nk.ca HR has sent you a new document

nk.ca Incentive Summary & Annual Compensation Review

Open Document https://vortix.vu/yoururl/exgam-MX2-script.htm#sales@nk.=

ca

sales@nk.ca

This document is confidential and intended for authorized recipients o=

nly.

```

--k8KsSBpdC=_EKSfEd4ubgLH3nO4qI1ww2J

Content-Type: text/html; charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

l" xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-mi=

crosoft-com:office:office">

8859-1">

device-width, initial-scale=3D1.0">
e" content=3D"IE=3Dedge">
atting">
ress=3Dno,email=3Dno,date=3Dno"> Immediate Attention Required: =<br /><br /> New Order sales@nk.ca

```

v style=3D"display: none; font-size: 1px; line-height: 1px; max-height=

: 0px; max-width: 0px; opacity: 0; overflow: hidden; mso-hide: all;"> =

͏͏͏͏͏=

͏͏͏͏͏=

͏͏

```

able role=3D"presentation" class=3D"email-container" cellspacing=3D"0"=

cellpadding=3D"0" border=3D"0" width=3D"100%" style=3D"max-width: 600=

px; margin: auto;">

ss=3D"logo-container"> POWERED BY

ass=3D"square" style=3D"background-color: #ef4444;">

"square" style=3D"background-color: #3b82f6;">

are" style=3D"background-color: #10b981;">

style=3D"background-color: #f59e0b;">

=

iv class=3D"document-icon">
ww.w3.org/2000/svg" fill=3D"none" viewBox=3D"0 0 24 24" stroke=3D"#6b7=

280" stroke-width=3D"2">
n=3D"round" d=3D"M9 12h6m-6 4h6m2 5H7a2 2 0 01-2-2V5a2 2 0 012-2h5.586=

a1 1 0 01.707.293l5.414 5.414a1 1 0 01.293.707V19a2 2 0 01-2 2z" />
svg>

nk.ca HR has sent you a new document

subtitle">nk.ca Incentive Summary & Annual Compensation Review

=

" class=3D"cta-button">Open Document <=

tr>

lass=3D"footer-text">This document is confidential and intended for au=

thorized recipients only.

r">

```

--k8KsSBpdC=_EKSfEd4ubgLH3nO4qI1ww2J--

Mon	Tue	Wed	Thu	Fri	Sat	Sun
← Back	June '26					Forward →
1	2	3	4	5	6	7
8	9	10	11	12	13	14
15	16	17	18	19	20	21
22	23	24	25	26	27	28
29	30