Credential phishing Part 2

Posted by Dave Yadallee on
/ Secondary Blue Box /

.dark-blue-box {

background-color: #E3F2FD;

padding: 15px;

font-weight: 600;

font-size: 14px;

color: #0d47a1;

line-height: 1.4;

}



/ Body Text /

.context-text {

padding: 0 30px;

font-size: 14px;

color: #666;

margin-bottom: 25px;

}



/ Buttons (Flat Design) /

.btn {

text-decoration: none;

padding: 16px 32px;

border-radius: 4px;

font-weight: bold;

display: inline-block;

margin: 10px 0;

text-transform: uppercase;

font-size: 14px;

transition: opacity 0.2s;

}



.btn-blue {

background-color: #1976d2;

color: white;

}



.btn-red {

background-color: #d32f2f;

color: white;

width: 80%;

}



.btn:hover {

opacity: 0.8;

}



/ NEW DESIGN: Dashed Receipt / Log Box /

.receipt-wrapper {

padding: 0 20px;

}



.receipt-box {

border: 2px dashed #bdbdbd;

/ Dashed border /

background-color: #fafafa;

padding: 15px;

margin: 20px 0;

text-align: left;

}



.receipt-header {

font-size: 12px;

text-transform: uppercase;

color: #999;

border-bottom: 1px solid #eee;

padding-bottom: 5px;

margin-bottom: 10px;

text-align: center;

letter-spacing: 1px;

}



.receipt-row {

display: flex;

justify-content: space-between;

margin-bottom: 8px;

font-size: 14px;

}



.receipt-label {

color: #666;

font-weight: 600;

}



.receipt-value {

color: #333;

font-family: "Courier New", Courier, monospace;

/ Monospace for technical feel /

font-weight: 700;

}



.status-danger {

color: #d32f2f;

background-color: #ffebee;

padding: 2px 6px;

border-radius: 3px;

}



/ Footer /

.footer {

font-size: 11px;

color: #999;

margin-top: 30px;

padding-bottom: 20px;

background-color: #f4f4f4;

border-top: 1px solid #e0e0e0;

padding-top: 20px;

}



.footer a {

color: #555;

text-decoration: underline;

}





















Cloud Logo













!




Transaction Declined: Payment Failed



Your billing information is outdated. Immediate action is required to avoid permanent file

deletion. If your storage is full, incoming data will be rejected.









Final Notice: Data purge scheduled for today







Automatic renewal failed.


Without an active plan, your secure cloud environment has been suspended.









Your Cloud synchronization service protects your photos, videos, and documents. Without a valid

subscription, access to these files will be revoked across all devices.





Update Payment Information









System Log: Transaction Error






Subscription ID:

48521556984







Product:

Cloud Storage 1TB







Termination Date:

Today









Reactivate Account Now





If you no longer wish to receive billing alerts, you may unsubscribe here.


Cloud Services Inc.



















Credential phishing Part 1

Posted by Dave Yadallee on
X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Sat, 03 Jan 2026 08:11:00 -0700

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1vc3H1-00000000MDD-05Fs

for dave@doctor.nl2k.ab.ca;

Sat, 03 Jan 2026 08:10:35 -0700

Resent-From: The Doctor

Resent-Date: Sat, 3 Jan 2026 08:10:34 -0700

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from [45.141.234.70] (port=55913 helo=adrarlis.com)

by doctor.nl2k.ab.ca with esmtp (Exim 4.98.2 (FreeBSD))

id 1vbw8q-00000000NBO-0i2I

for sales@netknow.ca;

Sat, 03 Jan 2026 00:33:47 -0700

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=smtp; d=netknow.ca;

h=Date:Message-Id:To:From:Subject:Content-Type:Mime-Version:Content-Transfer-Encoding; i=sales@netknow.ca;

bh=K95xSKGqjMk8FQjXErXTLkWbSOI=;

b=saflOmWQRYjVcdPxa7oOKrKdFiCf7HbHmy6yU7Mnpnr8HAH4zXWZKL2d5SdQUOf+49HcEWWc6O/D

wWZfsYZgTe/u0W2/Nxr0ujl32DOe0O/cUHTadZNPc+y+Kfl0zrLPBWpWFYEzmMz/+9JQv5VwJ50S

qPDCshYBZF3/vSIWkik=

DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=smtp; d=netknow.ca;

b=B1euFQ3lX/T7pt/sVIIz2XMoUlRLCUtLyyoevlX2OiKNrMsS4w4OSfu7nsaGLXECVcr6J6C5K+E6

iWgjs06mfZb6U+ySpykD88pHEJy0zZZZTqmMwslokev366fcNuV5lA+faOsvsIKxzEd6jvvojbcr

Lm4Kn6bIoTKocEP4d80=;

Date: Sat, 03 Jan 2026 07:32:20 +0000

Message-Id: <831353027697902.9.RTG8440292622@adrarlis.com>

To: sales@netknow.ca

From: Cloud Storage

Subject: Final Warning: Your photos will be deleted today

Content-Type: text/html; charset="UTF-8"

Mime-Version: 1.0

Content-Transfer-Encoding: 8bit

X-Spam_score: 23.9

X-Spam_score_int: 239

X-Spam_bar: +++++++++++++++++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Critical Storage Alert ! Transaction Declined: Payment Failed





Content analysis details: (23.9 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.5 RCVD_IN_AHBL RBL: AHBL: sender is listed in dnsbl.ahbl.org

[45.141.234.70 listed in dnsbl.ahbl.org]

[45.141.234.70 listed in dnsbl.ahbl.org]

[45.141.234.70 listed in dnsbl.ahbl.org]

[45.141.234.70 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_SMTP RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org

[45.141.234.70 listed in dnsbl.ahbl.org]

0.0 RCVD_IN_AHBL_RTB RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org

[45.141.234.70 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_PROXY RBL: AHBL: Open Proxy server in dnsbl.ahbl.org

[45.141.234.70 listed in dnsbl.ahbl.org]

1.5 RCVD_IN_AHBL_SPAM RBL: AHBL: Spam Source in dnsbl.ahbl.org

[45.141.234.70 listed in dnsbl.ahbl.org]

1.0 RCVD_IN_WSFF RBL: Received via a relay in will-spam-for-food.eu.org

[45.141.234.70 listed in will-spam-for-food.eu.org]

[45.141.234.70 listed in will-spam-for-food.eu.org]

[45.141.234.70 listed in will-spam-for-food.eu.org]

[45.141.234.70 listed in will-spam-for-food.eu.org]

[45.141.234.70 listed in will-spam-for-food.eu.org]

[45.141.234.70 listed in will-spam-for-food.eu.org]

[45.141.234.70 listed in will-spam-for-food.eu.org]

[45.141.234.70 listed in will-spam-for-food.eu.org]

1.5 RCVD_IN_SBL_XBL RBL: Received via a relay in Spamhaus SBL+XBL

[45.141.234.70 listed in sbl-xbl.spamhaus.org]

3.6 RCVD_IN_SBL_CSS RBL: Received via a relay in Spamhaus SBL-CSS

[45.141.234.70 listed in zen.spamhaus.org]

1.9 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist

[URI: 31.129.22.185]

1.9 URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL blocklist

[URI: 31.129.22.185]

1.7 URIBL_BLACK Contains an URL listed in the URIBL blacklist

[URI: 31.129.22.185]

0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid

0.1 DKIM_INVALID DKIM or DK signature exists, but is not valid

1.6 RCVD_IN_MSPIKE_L3 RBL: Low reputation (-3)

[45.141.234.70 listed in bl.mailspike.net]

1.0 OFFER_URI URI: Offer in link address

0.0 NORMAL_HTTP_TO_IP URI: URI host has a public dotted-decimal IPv4

address

0.0 HTML_FONT_SIZE_HUGE BODY: HTML font size is huge

0.0 HTML_MESSAGE BODY: HTML included in message

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid

0.8 SARE_FROM_SPAM_WORD3 I don't know people named this!

0.0 RCVD_IN_MSPIKE_BL Mailspike blacklisted

1.3 RDNS_NONE Delivered to internal network by a host with no rDNS

0.4 TO_EQ_FM_DIRECT_MX To == From and direct-to-MX

1.8 TO_EQ_FM_DOM_HTML_ONLY To domain == From domain and HTML only

0.0 TO_EQ_FM_HTML_DIRECT To == From and HTML only, direct-to-MX

0.0 T_STY_INVIS_DIRECT HTML hidden text + direct-to-MX

Subject: {SPAM?} Final Warning: Your photos will be deleted today















Critical Storage Alert





















Cloud Logo













!




Transaction Declined: Payment Failed



Your billing information is outdated. Immediate action is required to avoid permanent file

deletion. If your storage is full, incoming data will be rejected.









Final Notice: Data purge scheduled for today







Automatic renewal failed.


Without an active plan, your secure cloud environment has been suspended.









Your Cloud synchronization service protects your photos, videos, and documents. Without a valid

subscription, access to these files will be revoked across all devices.





Update Payment Information









System Log: Transaction Error






Subscription ID:

48521556984







Product:

Cloud Storage 1TB







Termination Date:

Today









Reactivate Account Now





If you no longer wish to receive billing alerts, you may unsubscribe here.


Cloud Services Inc.



















Credential phishing Part 1

Posted by Dave Yadallee on
X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path: <>

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Sat, 03 Jan 2026 00:30:00 -0700

Received: from [45.141.234.70] (port=59169 helo=adrarlis.com)

by doctor.nl2k.ab.ca with esmtp (Exim 4.98.2 (FreeBSD))

id 1vbw59-00000000Mvd-0vo9

for dave@doctor.nl2k.ab.ca;

Sat, 03 Jan 2026 00:29:59 -0700

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=smtp; d=doctor.nl2k.ab.ca;

h=Date:Message-Id:To:From:Subject:Content-Type:Mime-Version:Content-Transfer-Encoding; i=dave@doctor.nl2k.ab.ca;

bh=3bj15M9TAzDPXZ2XDJya4b1wi94=;

b=PI925MnGbhQeD0NoCE+7Xu/NHqz6mqnY69GXLJXHLYlKkmJ/0I/HvOgpULQPD8eu23+qkZCPrD56

q+KN2CGD3o2fvU99bUycdZVsJ4UDQEzxKvgLM7FYP8FjmG8QoFwWlf8OKZzM/PhT5quJboKUr1tE

wQulIXsLuzZ3+4wz1ZQ=

DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=smtp; d=doctor.nl2k.ab.ca;

b=Rvek+UA34zdEChoR5WqTDFSFer9usI73c1mYWWcSmBZ0+YcJMK4Ds9xHiUFsBVXkckSnxH8+hduw

7++1tKz/Okvaj70TghZ0uA7JfN+409HG23pH6VRBmk4eFqHzxn0Q8VRySAzAWUimxnZlOvUrt79A

eVI+Ro689/emgYuS2Ks=;

Date: Sat, 03 Jan 2026 07:28:26 +0000

Message-Id: <990437716604498.3.TBQ5507834337@adrarlis.com>

To: dave@doctor.nl2k.ab.ca

From: Cloud Storage

Subject: Final Warning: Your photos will be deleted today

Content-Type: text/html; charset="UTF-8"

Mime-Version: 1.0

Content-Transfer-Encoding: 8bit

X-Spam_score: 12.7

X-Spam_score_int: 127

X-Spam_bar: ++++++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Critical Storage Alert ! Transaction Declined: Payment Failed





Content analysis details: (12.7 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.5 RCVD_IN_AHBL RBL: AHBL: sender is listed in dnsbl.ahbl.org

[45.141.234.70 listed in dnsbl.ahbl.org]

[45.141.234.70 listed in dnsbl.ahbl.org]

[45.141.234.70 listed in dnsbl.ahbl.org]

[45.141.234.70 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_SMTP RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org

[45.141.234.70 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_PROXY RBL: AHBL: Open Proxy server in dnsbl.ahbl.org

[45.141.234.70 listed in dnsbl.ahbl.org]

0.0 RCVD_IN_AHBL_RTB RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org

[45.141.234.70 listed in dnsbl.ahbl.org]

1.5 RCVD_IN_AHBL_SPAM RBL: AHBL: Spam Source in dnsbl.ahbl.org

[45.141.234.70 listed in dnsbl.ahbl.org]

1.0 RCVD_IN_WSFF RBL: Received via a relay in will-spam-for-food.eu.org

[45.141.234.70 listed in will-spam-for-food.eu.org]

[45.141.234.70 listed in will-spam-for-food.eu.org]

[45.141.234.70 listed in will-spam-for-food.eu.org]

[45.141.234.70 listed in will-spam-for-food.eu.org]

[45.141.234.70 listed in will-spam-for-food.eu.org]

[45.141.234.70 listed in will-spam-for-food.eu.org]

[45.141.234.70 listed in will-spam-for-food.eu.org]

[45.141.234.70 listed in will-spam-for-food.eu.org]

1.9 URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL blocklist

[URI: 31.129.22.185]

1.9 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist

[URI: 31.129.22.185]

0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE: The

query to Validity was blocked. See

https://knowledge.validity.com/hc/en-us/articles/20961730681243

for more information.

[45.141.234.70 listed in sa-trusted.bondedsender.org]

-3.0 RCVD_IN_RP_CERTIFIED RBL: Sender in ReturnPath Certified - Contact

cert-sa@returnpath.net

[Excessive Number of Queries | ]

0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid

0.1 DKIM_INVALID DKIM or DK signature exists, but is not valid

-2.0 RCVD_IN_RP_SAFE RBL: Sender in ReturnPath Safe - Contact

safe-sa@returnpath.net

[Excessive Number of Queries | ]

0.0 RCVD_IN_VALIDITY_SAFE_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to

Validity was blocked. See

https://knowledge.validity.com/hc/en-us/articles/20961730681243

for more information.

[45.141.234.70 listed in sa-accredit.habeas.com]

1.6 RCVD_IN_MSPIKE_L3 RBL: Low reputation (-3)

[45.141.234.70 listed in bl.mailspike.net]

0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to

Validity was blocked. See

https://knowledge.validity.com/hc/en-us/articles/20961730681243

for more information.

[45.141.234.70 listed in bl.score.senderscore.com]

1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,

https://senderscore.org/blacklistlookup/

[45.141.234.70 listed in bl.score.senderscore.com]

1.0 OFFER_URI URI: Offer in link address

0.0 NORMAL_HTTP_TO_IP URI: URI host has a public dotted-decimal IPv4

address

0.0 HTML_FONT_SIZE_HUGE BODY: HTML font size is huge

0.0 HTML_MESSAGE BODY: HTML included in message

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid

0.0 RCVD_IN_MSPIKE_BL Mailspike blacklisted

1.3 RDNS_NONE Delivered to internal network by a host with no rDNS

0.0 T_STY_INVIS_DIRECT HTML hidden text + direct-to-MX

1.8 TO_EQ_FM_DOM_HTML_ONLY To domain == From domain and HTML only

0.4 TO_EQ_FM_DIRECT_MX To == From and direct-to-MX

0.0 TO_EQ_FM_HTML_DIRECT To == From and HTML only, direct-to-MX

Subject: {SPAM?} Final Warning: Your photos will be deleted today















Critical Storage Alert