Loan spam from Google Gmail Part 1

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Wed, 22 Apr 2026 16:42:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1wFgG5-00000000HjU-0B4v

for dave@doctor.nl2k.ab.ca;

Wed, 22 Apr 2026 16:41:25 -0600

Resent-From: The Doctor

Resent-Date: Wed, 22 Apr 2026 16:41:24 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from mail-pj1-f46.google.com ([209.85.216.46]:44402)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_128_GCM_SHA256

(Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1wFf5B-00000000E8s-1d44

for sales@nk.ca;

Wed, 22 Apr 2026 15:26:13 -0600

Received: by mail-pj1-f46.google.com with SMTP id 98e67ed59e1d1-3590042fa8eso4721906a91.1

for ; Wed, 22 Apr 2026 14:25:18 -0700 (PDT)

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=kesefmarketing.com; s=google; t=1776893112; x=1777497912; darn=nk.ca;

h=list-unsubscribe-post:list-unsubscribe:in-reply-to:references

:message-id:date:to:from:subject:mime-version:from:to:cc:subject

:date:message-id:reply-to;

bh=GeW0YKIWbORHPBIjAdPjVmC3ocGfWtFRuu/q8GPMWhI=;

b=ATDp94IxBo3YE2M1oKRaeCK3widOXO51ORrRpCu7Sy+l6wdjlsjt8r+Uo211ICTcs+

8VGVKpt3c8fnj9xev4z+urOXy0jYSWHruWXddTzzyuYgvPpTZB2bpypdy+HNTdV5Gh2u

kAdB07uDOa/76B9tLwTh7YezCoouZOgcks9kfLREOsFfnozs/aO8neVmtc14slXH8GVg

sIsT8uPF25Erxuw3lQYRjrzzM8kdn+qk4GsLiXh2jV8uG3s/88sAjCkqLS4+X7Vpifhs

A5JsFAUoIc0B3DQp7hJthmwuRoSvA2HMjVG1rF3ZqzQm1OiUGgBt6Fhgty7J/EQwZ7B8

S8hg==

X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=1e100.net; s=20251104; t=1776893112; x=1777497912;

h=list-unsubscribe-post:list-unsubscribe:in-reply-to:references

:message-id:date:to:from:subject:mime-version:x-gm-gg

:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;

bh=GeW0YKIWbORHPBIjAdPjVmC3ocGfWtFRuu/q8GPMWhI=;

b=RTspXKiTB9s1Wv7/o/MvxPUxMA+dJi52a2IhZ3chou+CDNpGcFJsVfzpN1jXCc4YXR

Qq5oo32N2K4EqNFkDfVarSogXVxLDPioRL/YHpWfmMT69rUucQ0WCTnT3oICx3d/XIgQ

rGtLOy/adC+8OtLoqDOAut8VJFpzuDg1OaGUGVvOtiiCFVcYr164XqNZ0UN5M8HQhEER

86P17Bl3J9UBPbvHaw29blVRzjnNHmFEaWaUiEizaPKdEv7311A8nXWmywNuTxq6f9X6

YGyDr0li2ZjmVqjlJ55pm6fbQ+LapP5qICldEeahs+YcS+OJUrd4SFkl0TxNigUgwUbe

uUZw==


X-Received: by 2002:a17:90b:5106:b0:35a:189b:43db with SMTP id 98e67ed59e1d1-361403d5c41mr21873040a91.4.1776893111780;

Wed, 22 Apr 2026 14:25:11 -0700 (PDT)

Received: from smtpgw.close.com (am11-natgw-b0.close.com. [54.186.6.46])

by smtp.gmail.com with ESMTPSA id d9443c01a7336-2b5faa2f129sm161924145ad.29.2026.04.22.14.25.11

for

(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);

Wed, 22 Apr 2026 14:25:11 -0700 (PDT)

Content-Type: multipart/mixed; boundary="===============3587633668073453775=="

MIME-Version: 1.0

Subject: Re: Kesef Marketing | Smarter Access to Business Loans

From: =?utf-8?q?Stephanie_Kesef_Marketing?=

To: =?utf-8?q?Gurkirat_Wirring?=

Date: Wed, 22 Apr 2026 21:25:11 +0000

Message-ID: <177689311103.7.1517992003165419683@smtpgw.close.com>

X-CLOSEIO-EMAIL-ID: acti_oVk2mA9KNAVoTyNq5ZvE3Wb80u4vrphjX8yMb6LeRfh

References: <177644538269.7.3986001924003818893@smtpgw.close.com> <177644538269.7.7253266245741056513@smtpgw.close.com> <177665952029.7.16881262815357895943@smtpgw.close.com> <177665952029.7.4037035181715252544@smtpgw.close.com>

In-Reply-To: <177665952029.7.16881262815357895943@smtpgw.close.com>

List-Unsubscribe:

List-Unsubscribe-Post: List-Unsubscribe=One-Click



--===============3587633668073453775==

Content-Type: multipart/alternative; boundary="===============0308454826350702456=="

MIME-Version: 1.0



--===============0308454826350702456==

Content-Type: text/plain; charset="utf-8"

MIME-Version: 1.0

Content-Transfer-Encoding: quoted-printable



**Hi Gurkirat,**



=20



**This is Stephanie Cabiao from Kesef Marketing.** =20

=20



**Many businesses are currently reviewing their funding options to stay

ahead.**



=20



**If this is something you=E2=80=99re considering, you can check your optio=

ns here: =20

**[**CLICK HERE TO START YOUR

APPLICATION**](https://form.jotform.com/260672364104452?lead_id=3Dlead_bqyN=

tSfmgPr9HEY1bFvoKaWRLZZxf887Qp2LC28qfuP&legalBusiness=3DN

K MAINTENANCE&fullName\[first\]=3DGurkirat&fullName\[last\]=3DWirring) =20

=20

**If you have any questions or would prefer to speak directly, feel free to

call me at +1-866-216-5475 or 715-641-4654**



=20



**Best regards,**



**Stephanie Cabiao** =20

**Kesef Marketing =20

**



To stop receiving these emails, click

[here](https://app.close.com/go/unsubscribe/orga_WJQdcK5MUUa02rLIty6GVDnil9=

kHSKU8WElV6ueTPiF/sales%40nk.ca/GK6U1JDQJSfaf6

--tg9gajA9HdvShNSyH_DgbhmTyc8=3D/)



=20

=20

On Apr 19, 2026, at 10:32 PM, Stephanie Kesef Marketing

wrote: =20



> **Hi Gurkirat, **

>

> =20

>

>

> **We noticed your Cash Advance application is still incomplete.**

>

> =20

>

>

> **You=E2=80=99re just a few steps away from securing up to $800,000 in fu=

nding

> within 48 hours.**

>

> =20

>

>

> **To move forward, please complete your application here: =20

> **

>

> [**Click to Start your Application

> here**](https://form.jotform.com/260672364104452?lead_id=3Dlead_bqyNtSfmg=

Pr9HEY1bFvoKaWRLZZxf887Qp2LC28qfuP&legalBusiness=3DN

> K MAINTENANCE&fullName\[first\]=3DGurkirat&fullName\[last\]=3DWirring)

>

> =20

>

>

> **and upload your last 3 months of bank statements. This will allow us to

> finalize your review and match you with the best available funding

> options.**

>

> =20

>

>

> **If you have any questions or would prefer to speak directly, feel free =

to

> call me at +1-866-216-5475 or 715-641-4654**

>

> =20

> **Best regards, =20

> Stephanie Cabiao =20

> Kesef Marketing**

Invoice phish from Russia Part 2














Hi doctor,

Attached is your invoice and payment receipt for yo=
ur records.

Please review the attached document. Let us know if=
you have any questions.

3D"d=
ocument icon" src=3D"https://gyazo.com/da09dca224cdd187568d5f5cb45895ed.png=
" width=3D"76" height=3D"104">

gomeryauc.vercel.app/?email=3Ddoctor@nk.ca">View_Invoice_Payment_Receipt.pd=
f

Best Regards,

Mike O'Leary
Billing Department








Invoice phish from Russia Part 1

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Wed, 22 Apr 2026 11:40:02 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1wFbYE-00000000NjT-1Xly

for dave@doctor.nl2k.ab.ca;

Wed, 22 Apr 2026 11:39:50 -0600

Resent-From: The Doctor

Resent-Date: Wed, 22 Apr 2026 11:39:50 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from relay.meteogmp.ru ([95.163.222.104]:5460)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384

(Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1wFaY6-00000000I1A-0djC

for doctor@nk.ca;

Wed, 22 Apr 2026 10:35:50 -0600

Received: from mail.meteogmp.ru (mail.meteogmp.ru [91.247.194.23])

by relay.meteogmp.ru (Postfix) with ESMTP id CB1A53EE88

for ; Wed, 22 Apr 2026 19:31:33 +0300 (MSK)

Received: from mail.meteogmp.ru (localhost [127.0.0.1])

by mail.meteogmp.ru (Postfix) with ESMTP id 4g14Wl3wDPz1M9nS

for ; Wed, 22 Apr 2026 19:32:35 +0300 (MSK)

X-Virus-Scanned: Debian amavis at localhost.localdomain

Received: from mail.meteogmp.ru ([127.0.0.1])

by mail.meteogmp.ru (mail.meteogmp.ru [127.0.0.1]) (amavis, port 10024)

with ESMTP id Q6epcr8UsiYl for ;

Wed, 22 Apr 2026 19:32:35 +0300 (MSK)

Received: from s1590535.smartape-vps.com (_gateway [10.10.0.1])

by mail.meteogmp.ru (Postfix) with ESMTPS id 4g14Wk6RNxz1M9mW

for ; Wed, 22 Apr 2026 19:32:34 +0300 (MSK)

From: Mike O'Leary

To: doctor@nk.ca

Subject: Invoice attached from Mike O'Leary - Wednesday, April 22, 2026 9:34 a.m.

Date: 22 Apr 2026 09:34:04 -0700

Message-ID: <20260422093404.3C1C6576E8611ADF@gmail.com>

MIME-Version: 1.0

Content-Type: text/html

Content-Transfer-Encoding: quoted-printable

X-Spam_score: 8.7

X-Spam_score_int: 87

X-Spam_bar: ++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Hi doctor, Attached is your invoice and payment receipt for

your records.



Content analysis details: (8.7 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.5 RCVD_IN_AHBL RBL: AHBL: sender is listed in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

[91.247.194.23 listed in dnsbl.ahbl.org]

[91.247.194.23 listed in dnsbl.ahbl.org]

[91.247.194.23 listed in dnsbl.ahbl.org]

[95.163.222.104 listed in dnsbl.ahbl.org]

[95.163.222.104 listed in dnsbl.ahbl.org]

[95.163.222.104 listed in dnsbl.ahbl.org]

[95.163.222.104 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_SMTP RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_PROXY RBL: AHBL: Open Proxy server in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

0.0 RCVD_IN_AHBL_RTB RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

1.5 RCVD_IN_AHBL_SPAM RBL: AHBL: Spam Source in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

-2.0 RCVD_IN_RP_SAFE RBL: Sender in ReturnPath Safe - Contact

safe-sa@returnpath.net

[Excessive Number of Queries | ]

1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,

https://senderscore.org/blacklistlookup/

[95.163.222.104 listed in bl.score.senderscore.com]

-3.0 RCVD_IN_RP_CERTIFIED RBL: Sender in ReturnPath Certified - Contact

cert-sa@returnpath.net

[Excessive Number of Queries | ]

1.0 RCVD_IN_WSFF RBL: Received via a relay in will-spam-for-food.eu.org

[91.247.194.23 listed in will-spam-for-food.eu.org]

[91.247.194.23 listed in will-spam-for-food.eu.org]

[91.247.194.23 listed in will-spam-for-food.eu.org]

[91.247.194.23 listed in will-spam-for-food.eu.org]

[91.247.194.23 listed in will-spam-for-food.eu.org]

[91.247.194.23 listed in will-spam-for-food.eu.org]

[91.247.194.23 listed in will-spam-for-food.eu.org]

[91.247.194.23 listed in will-spam-for-food.eu.org]

[95.163.222.104 listed in will-spam-for-food.eu.org]

[95.163.222.104 listed in will-spam-for-food.eu.org]

[95.163.222.104 listed in will-spam-for-food.eu.org]

[95.163.222.104 listed in will-spam-for-food.eu.org]

[95.163.222.104 listed in will-spam-for-food.eu.org]

[95.163.222.104 listed in will-spam-for-food.eu.org]

[95.163.222.104 listed in will-spam-for-food.eu.org]

[95.163.222.104 listed in will-spam-for-food.eu.org]

1.0 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)

0.2 MR_NOT_ATTRIBUTED_IP Beta rule: an non-attributed IPv4 found in

headers

0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in

digit

[andy55(at)gmail.com]

1.0 FORGED_GMAIL_RCVD 'From' gmail.com does not match 'Received' headers

0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider

[andy55(at)gmail.com]

1.5 MR_STRANGE_QUESTION URI: No description available.

0.0 HTML_FONT_SIZE_HUGE BODY: HTML font size is huge

0.0 HTML_MESSAGE BODY: HTML included in message

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

0.0 NO_RDNS2 Sending MTA has no reverse DNS

1.5 GB_CUSTOM_HTM_URI Custom html uri

0.7 SPOOFED_FREEMAIL No description available.

0.1 SPOOF_GMAIL_MID From Gmail but it doesn't seem to be...

Subject: {SPAM?} Invoice attached from Mike O'Leary - Wednesday, April 22, 2026 9:34 a.m.

Invoice phish from Russia Part 2














Hi doctor,

Attached is your invoice and payment receipt for yo=
ur records.

Please review the attached document. Let us know if=
you have any questions.

3D"d=
ocument icon" src=3D"https://gyazo.com/da09dca224cdd187568d5f5cb45895ed.png=
" width=3D"76" height=3D"104">

gomeryauc.vercel.app/?email=3Ddoctor@doctor.nl2k.ab.ca">View_Invoice_Paymen=
t_Receipt.pdf

Best Regards,

Mike O'Leary
Billing Department








Invoice phish from Russia Part 1

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Wed, 22 Apr 2026 11:40:01 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1wFbY9-00000000NjC-35Bh

for dave@doctor.nl2k.ab.ca;

Wed, 22 Apr 2026 11:39:45 -0600

Resent-From: The Doctor

Resent-Date: Wed, 22 Apr 2026 11:39:45 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from relay.meteogmp.ru ([95.163.222.104]:50515)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384

(Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1wFaY5-00000000I13-3mwv

for doctor@doctor.nl2k.ab.ca;

Wed, 22 Apr 2026 10:35:45 -0600

Received: from mail.meteogmp.ru (mail.meteogmp.ru [91.247.194.23])

by relay.meteogmp.ru (Postfix) with ESMTP id C522B3EF92

for ; Wed, 22 Apr 2026 19:31:33 +0300 (MSK)

Received: from mail.meteogmp.ru (localhost [127.0.0.1])

by mail.meteogmp.ru (Postfix) with ESMTP id 4g14Wl3l4Dz1M9n6

for ; Wed, 22 Apr 2026 19:32:35 +0300 (MSK)

X-Virus-Scanned: Debian amavis at localhost.localdomain

Received: from mail.meteogmp.ru ([127.0.0.1])

by mail.meteogmp.ru (mail.meteogmp.ru [127.0.0.1]) (amavis, port 10024)

with ESMTP id 47rZVzVqlNEd for ;

Wed, 22 Apr 2026 19:32:35 +0300 (MSK)

Received: from s1590535.smartape-vps.com (_gateway [10.10.0.1])

by mail.meteogmp.ru (Postfix) with ESMTPS id 4g14Wk5Gcxz1M9q3

for ; Wed, 22 Apr 2026 19:32:34 +0300 (MSK)

From: Mike O'Leary

To: doctor@doctor.nl2k.ab.ca

Subject: Invoice attached from Mike O'Leary - Wednesday, April 22, 2026 9:34 a.m.

Date: 22 Apr 2026 09:34:04 -0700

Message-ID: <20260422093404.1A0A0D2F66C0CE4B@gmail.com>

MIME-Version: 1.0

Content-Type: text/html

Content-Transfer-Encoding: quoted-printable

X-Spam_score: 7.2

X-Spam_score_int: 72

X-Spam_bar: +++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Hi doctor, Attached is your invoice and payment receipt for

your records.



Content analysis details: (7.2 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.5 RCVD_IN_AHBL RBL: AHBL: sender is listed in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

[91.247.194.23 listed in dnsbl.ahbl.org]

[91.247.194.23 listed in dnsbl.ahbl.org]

[91.247.194.23 listed in dnsbl.ahbl.org]

[95.163.222.104 listed in dnsbl.ahbl.org]

[95.163.222.104 listed in dnsbl.ahbl.org]

[95.163.222.104 listed in dnsbl.ahbl.org]

[95.163.222.104 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_PROXY RBL: AHBL: Open Proxy server in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_SMTP RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

1.5 RCVD_IN_AHBL_SPAM RBL: AHBL: Spam Source in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

0.0 RCVD_IN_AHBL_RTB RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

-2.0 RCVD_IN_RP_SAFE RBL: Sender in ReturnPath Safe - Contact

safe-sa@returnpath.net

[Excessive Number of Queries | ]

1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,

https://senderscore.org/blacklistlookup/

[95.163.222.104 listed in bl.score.senderscore.com]

-3.0 RCVD_IN_RP_CERTIFIED RBL: Sender in ReturnPath Certified - Contact

cert-sa@returnpath.net

[Excessive Number of Queries | ]

1.0 RCVD_IN_WSFF RBL: Received via a relay in will-spam-for-food.eu.org

[91.247.194.23 listed in will-spam-for-food.eu.org]

[91.247.194.23 listed in will-spam-for-food.eu.org]

[91.247.194.23 listed in will-spam-for-food.eu.org]

[91.247.194.23 listed in will-spam-for-food.eu.org]

[91.247.194.23 listed in will-spam-for-food.eu.org]

[91.247.194.23 listed in will-spam-for-food.eu.org]

[91.247.194.23 listed in will-spam-for-food.eu.org]

[91.247.194.23 listed in will-spam-for-food.eu.org]

[95.163.222.104 listed in will-spam-for-food.eu.org]

[95.163.222.104 listed in will-spam-for-food.eu.org]

[95.163.222.104 listed in will-spam-for-food.eu.org]

[95.163.222.104 listed in will-spam-for-food.eu.org]

[95.163.222.104 listed in will-spam-for-food.eu.org]

[95.163.222.104 listed in will-spam-for-food.eu.org]

[95.163.222.104 listed in will-spam-for-food.eu.org]

[95.163.222.104 listed in will-spam-for-food.eu.org]

1.0 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)

0.2 MR_NOT_ATTRIBUTED_IP Beta rule: an non-attributed IPv4 found in

headers

0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in

digit

[andy55(at)gmail.com]

1.0 FORGED_GMAIL_RCVD 'From' gmail.com does not match 'Received' headers

0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider

[andy55(at)gmail.com]

1.5 MR_STRANGE_QUESTION URI: No description available.

0.0 HTML_FONT_SIZE_HUGE BODY: HTML font size is huge

0.0 HTML_MESSAGE BODY: HTML included in message

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

0.0 NO_RDNS2 Sending MTA has no reverse DNS

0.7 SPOOFED_FREEMAIL No description available.

0.1 SPOOF_GMAIL_MID From Gmail but it doesn't seem to be...

Subject: {SPAM?} Invoice attached from Mike O'Leary - Wednesday, April 22, 2026 9:34 a.m.

Russian Invoice Spam Part 1

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Wed, 22 Apr 2026 11:40:01 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1wFbY3-00000000NiP-13Zw

for dave@doctor.nl2k.ab.ca;

Wed, 22 Apr 2026 11:39:39 -0600

Resent-From: The Doctor

Resent-Date: Wed, 22 Apr 2026 11:39:39 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from relay.meteogmp.ru ([95.163.222.104]:19181)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384

(Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1wFaY5-00000000I1B-3o66

for sales@nk.ca;

Wed, 22 Apr 2026 10:35:45 -0600

Received: from mail.meteogmp.ru (mail.meteogmp.ru [91.247.194.23])

by relay.meteogmp.ru (Postfix) with ESMTP id D74933EF95

for ; Wed, 22 Apr 2026 19:31:33 +0300 (MSK)

Received: from mail.meteogmp.ru (localhost [127.0.0.1])

by mail.meteogmp.ru (Postfix) with ESMTP id 4g14Wl4Fwvz1M9mZ

for ; Wed, 22 Apr 2026 19:32:35 +0300 (MSK)

X-Virus-Scanned: Debian amavis at localhost.localdomain

Received: from mail.meteogmp.ru ([127.0.0.1])

by mail.meteogmp.ru (mail.meteogmp.ru [127.0.0.1]) (amavis, port 10024)

with ESMTP id zGRDCVWqSJ0s for ;

Wed, 22 Apr 2026 19:32:35 +0300 (MSK)

Received: from s1590535.smartape-vps.com (_gateway [10.10.0.1])

by mail.meteogmp.ru (Postfix) with ESMTPS id 4g14Wl0RfBz1M9mj

for ; Wed, 22 Apr 2026 19:32:35 +0300 (MSK)

From: Mike O'Leary

To: sales@nk.ca

Subject: Invoice attached from Mike O'Leary - Wednesday, April 22, 2026 9:34 a.m.

Date: 22 Apr 2026 09:34:04 -0700

Message-ID: <20260422093404.E78456BF4B57ED08@gmail.com>

MIME-Version: 1.0

Content-Type: text/html

Content-Transfer-Encoding: quoted-printable

X-Spam_score: 7.2

X-Spam_score_int: 72

X-Spam_bar: +++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Hi sales, Attached is your invoice and payment receipt for

your records.



Content analysis details: (7.2 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.5 RCVD_IN_AHBL RBL: AHBL: sender is listed in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

[91.247.194.23 listed in dnsbl.ahbl.org]

[91.247.194.23 listed in dnsbl.ahbl.org]

[91.247.194.23 listed in dnsbl.ahbl.org]

[95.163.222.104 listed in dnsbl.ahbl.org]

[95.163.222.104 listed in dnsbl.ahbl.org]

[95.163.222.104 listed in dnsbl.ahbl.org]

[95.163.222.104 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_SMTP RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

1.5 RCVD_IN_AHBL_SPAM RBL: AHBL: Spam Source in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

0.0 RCVD_IN_AHBL_RTB RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_PROXY RBL: AHBL: Open Proxy server in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

-2.0 RCVD_IN_RP_SAFE RBL: Sender in ReturnPath Safe - Contact

safe-sa@returnpath.net

[Excessive Number of Queries | ]

1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,

https://senderscore.org/blacklistlookup/

[95.163.222.104 listed in bl.score.senderscore.com]

-3.0 RCVD_IN_RP_CERTIFIED RBL: Sender in ReturnPath Certified - Contact

cert-sa@returnpath.net

[Excessive Number of Queries | ]

1.0 RCVD_IN_WSFF RBL: Received via a relay in will-spam-for-food.eu.org

[91.247.194.23 listed in will-spam-for-food.eu.org]

[91.247.194.23 listed in will-spam-for-food.eu.org]

[91.247.194.23 listed in will-spam-for-food.eu.org]

[91.247.194.23 listed in will-spam-for-food.eu.org]

[91.247.194.23 listed in will-spam-for-food.eu.org]

[91.247.194.23 listed in will-spam-for-food.eu.org]

[91.247.194.23 listed in will-spam-for-food.eu.org]

[91.247.194.23 listed in will-spam-for-food.eu.org]

[95.163.222.104 listed in will-spam-for-food.eu.org]

[95.163.222.104 listed in will-spam-for-food.eu.org]

[95.163.222.104 listed in will-spam-for-food.eu.org]

[95.163.222.104 listed in will-spam-for-food.eu.org]

[95.163.222.104 listed in will-spam-for-food.eu.org]

[95.163.222.104 listed in will-spam-for-food.eu.org]

[95.163.222.104 listed in will-spam-for-food.eu.org]

[95.163.222.104 listed in will-spam-for-food.eu.org]

1.0 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)

0.2 MR_NOT_ATTRIBUTED_IP Beta rule: an non-attributed IPv4 found in

headers

0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in

digit

[andy55(at)gmail.com]

1.0 FORGED_GMAIL_RCVD 'From' gmail.com does not match 'Received' headers

0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider

[andy55(at)gmail.com]

1.5 MR_STRANGE_QUESTION URI: No description available.

0.0 HTML_FONT_SIZE_HUGE BODY: HTML font size is huge

0.0 HTML_MESSAGE BODY: HTML included in message

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

0.0 NO_RDNS2 Sending MTA has no reverse DNS

0.7 SPOOFED_FREEMAIL No description available.

0.1 SPOOF_GMAIL_MID From Gmail but it doesn't seem to be...

Subject: {SPAM?} Invoice attached from Mike O'Leary - Wednesday, April 22, 2026 9:34 a.m.

Russian Invoice Spam Part 2
















Hi sales,

Attached is your invoice and payment receipt for yo=
ur records.

Please review the attached document. Let us know if=
you have any questions.

3D"d=
ocument icon" src=3D"https://gyazo.com/da09dca224cdd187568d5f5cb45895ed.png=
" width=3D"76" height=3D"104">

gomeryauc.vercel.app/?email=3Dsales@nk.ca">View_Invoice_Payment_Receipt.pdf=

Best Regards,

Mike O'Leary
Billing Department








Invoice Phish from Russia Part 2














Hi root,

Attached is your invoice and payment receipt for yo=
ur records.

Please review the attached document. Let us know if=
you have any questions.

3D"d=
ocument icon" src=3D"https://gyazo.com/da09dca224cdd187568d5f5cb45895ed.png=
" width=3D"76" height=3D"104">

gomeryauc.vercel.app/?email=3Droot@nk.ca">View_Invoice_Payment_Receipt.pdf<=
/a>

Best Regards,

Mike O'Leary
Billing Department






Russian Invoice phish

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Wed, 22 Apr 2026 10:36:00 -0600

Received: from relay.meteogmp.ru ([95.163.222.104]:62960)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384

(Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1wFaY5-00000000I17-3tv8

for dave@doctor.nl2k.ab.ca;

Wed, 22 Apr 2026 10:35:50 -0600

Received: from mail.meteogmp.ru (mail.meteogmp.ru [91.247.194.23])

by relay.meteogmp.ru (Postfix) with ESMTP id C14D13EDF5

for ; Wed, 22 Apr 2026 19:31:33 +0300 (MSK)

Received: from mail.meteogmp.ru (localhost [127.0.0.1])

by mail.meteogmp.ru (Postfix) with ESMTP id 4g14Wl3d5kz1M9n1

for ; Wed, 22 Apr 2026 19:32:35 +0300 (MSK)

X-Virus-Scanned: Debian amavis at localhost.localdomain

Received: from mail.meteogmp.ru ([127.0.0.1])

by mail.meteogmp.ru (mail.meteogmp.ru [127.0.0.1]) (amavis, port 10024)

with ESMTP id khhgqgvtowCO for ;

Wed, 22 Apr 2026 19:32:35 +0300 (MSK)

Received: from s1590535.smartape-vps.com (_gateway [10.10.0.1])

by mail.meteogmp.ru (Postfix) with ESMTPS id 4g14Wk5Cm8z1M9q1

for ; Wed, 22 Apr 2026 19:32:34 +0300 (MSK)

From: Mike O'Leary

To: dave@doctor.nl2k.ab.ca

Subject: Invoice attached from Mike O'Leary - Wednesday, April 22, 2026 9:34 a.m.

Date: 22 Apr 2026 09:34:04 -0700

Message-ID: <20260422093404.6A072C982CEAD731@gmail.com>

MIME-Version: 1.0

Content-Type: text/html

Content-Transfer-Encoding: quoted-printable

X-Spam_score: 7.2

X-Spam_score_int: 72

X-Spam_bar: +++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Hi dave, Attached is your invoice and payment receipt for

your records.



Content analysis details: (7.2 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.5 RCVD_IN_AHBL RBL: AHBL: sender is listed in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

[91.247.194.23 listed in dnsbl.ahbl.org]

[91.247.194.23 listed in dnsbl.ahbl.org]

[91.247.194.23 listed in dnsbl.ahbl.org]

[95.163.222.104 listed in dnsbl.ahbl.org]

[95.163.222.104 listed in dnsbl.ahbl.org]

[95.163.222.104 listed in dnsbl.ahbl.org]

[95.163.222.104 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_PROXY RBL: AHBL: Open Proxy server in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

1.5 RCVD_IN_AHBL_SPAM RBL: AHBL: Spam Source in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_SMTP RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

0.0 RCVD_IN_AHBL_RTB RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

-2.0 RCVD_IN_RP_SAFE RBL: Sender in ReturnPath Safe - Contact

safe-sa@returnpath.net

[Excessive Number of Queries | ]

1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,

https://senderscore.org/blacklistlookup/

[95.163.222.104 listed in bl.score.senderscore.com]

-3.0 RCVD_IN_RP_CERTIFIED RBL: Sender in ReturnPath Certified - Contact

cert-sa@returnpath.net

[Excessive Number of Queries | ]

1.0 RCVD_IN_WSFF RBL: Received via a relay in will-spam-for-food.eu.org

[91.247.194.23 listed in will-spam-for-food.eu.org]

[91.247.194.23 listed in will-spam-for-food.eu.org]

[91.247.194.23 listed in will-spam-for-food.eu.org]

[91.247.194.23 listed in will-spam-for-food.eu.org]

[91.247.194.23 listed in will-spam-for-food.eu.org]

[91.247.194.23 listed in will-spam-for-food.eu.org]

[91.247.194.23 listed in will-spam-for-food.eu.org]

[91.247.194.23 listed in will-spam-for-food.eu.org]

[95.163.222.104 listed in will-spam-for-food.eu.org]

[95.163.222.104 listed in will-spam-for-food.eu.org]

[95.163.222.104 listed in will-spam-for-food.eu.org]

[95.163.222.104 listed in will-spam-for-food.eu.org]

[95.163.222.104 listed in will-spam-for-food.eu.org]

[95.163.222.104 listed in will-spam-for-food.eu.org]

[95.163.222.104 listed in will-spam-for-food.eu.org]

[95.163.222.104 listed in will-spam-for-food.eu.org]

1.0 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)

0.2 MR_NOT_ATTRIBUTED_IP Beta rule: an non-attributed IPv4 found in

headers

0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in

digit

[andy55(at)gmail.com]

1.0 FORGED_GMAIL_RCVD 'From' gmail.com does not match 'Received' headers

0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider

[andy55(at)gmail.com]

1.5 MR_STRANGE_QUESTION URI: No description available.

0.0 HTML_FONT_SIZE_HUGE BODY: HTML font size is huge

0.0 HTML_MESSAGE BODY: HTML included in message

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

0.0 NO_RDNS2 Sending MTA has no reverse DNS

0.7 SPOOFED_FREEMAIL No description available.

0.1 SPOOF_GMAIL_MID From Gmail but it doesn't seem to be...

Subject: {SPAM?} Invoice attached from Mike O'Leary - Wednesday, April 22, 2026 9:34 a.m.
















Hi dave,

Attached is your invoice and payment receipt for yo=
ur records.

Please review the attached document. Let us know if=
you have any questions.

3D"d=
ocument icon" src=3D"https://gyazo.com/da09dca224cdd187568d5f5cb45895ed.png=
" width=3D"76" height=3D"104">

gomeryauc.vercel.app/?email=3Ddave@doctor.nl2k.ab.ca">View_Invoice_Payment_=
Receipt.pdf

Best Regards,

Mike O'Leary
Billing Department








Invoice phish from Russia Part 2














Hi www,

Attached is your invoice and payment receipt for yo=
ur records.

Please review the attached document. Let us know if=
you have any questions.

3D"d=
ocument icon" src=3D"https://gyazo.com/da09dca224cdd187568d5f5cb45895ed.png=
" width=3D"76" height=3D"104">

gomeryauc.vercel.app/?email=3Dwww@doctor.nl2k.ab.ca">View_Invoice_Payment_R=
eceipt.pdf

Best Regards,

Mike O'Leary
Billing Department








Invoice Phish from Russia Part 1

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Wed, 22 Apr 2026 11:41:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1wFbYW-00000000Nmc-2v3l

for dave@doctor.nl2k.ab.ca;

Wed, 22 Apr 2026 11:40:08 -0600

Resent-From: The Doctor

Resent-Date: Wed, 22 Apr 2026 11:40:08 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from relay.meteogmp.ru ([95.163.222.104]:61327)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384

(Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1wFaXz-00000000I1W-2E82

for root@nk.ca;

Wed, 22 Apr 2026 10:35:41 -0600

Received: from mail.meteogmp.ru (mail.meteogmp.ru [91.247.194.23])

by relay.meteogmp.ru (Postfix) with ESMTP id D3DD73EE96

for ; Wed, 22 Apr 2026 19:31:38 +0300 (MSK)

Received: from mail.meteogmp.ru (localhost [127.0.0.1])

by mail.meteogmp.ru (Postfix) with ESMTP id 4g14Wr3VYXz1M9q0

for ; Wed, 22 Apr 2026 19:32:40 +0300 (MSK)

X-Virus-Scanned: Debian amavis at localhost.localdomain

Received: from mail.meteogmp.ru ([127.0.0.1])

by mail.meteogmp.ru (mail.meteogmp.ru [127.0.0.1]) (amavis, port 10024)

with ESMTP id M2ZNCN6QnVMZ for ;

Wed, 22 Apr 2026 19:32:38 +0300 (MSK)

Received: from s1590535.smartape-vps.com (_gateway [10.10.0.1])

by mail.meteogmp.ru (Postfix) with ESMTPS id 4g14Wp5kStz1M9nT

for ; Wed, 22 Apr 2026 19:32:38 +0300 (MSK)

From: Mike O'Leary

To: root@nk.ca

Subject: Invoice attached from Mike O'Leary - Wednesday, April 22, 2026 9:34 a.m.

Date: 22 Apr 2026 09:34:08 -0700

Message-ID: <20260422093408.17764C9FBFB7760F@gmail.com>

MIME-Version: 1.0

Content-Type: text/html

Content-Transfer-Encoding: quoted-printable

X-Spam_score: 7.2

X-Spam_score_int: 72

X-Spam_bar: +++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Hi root, Attached is your invoice and payment receipt for

your records.



Content analysis details: (7.2 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.5 RCVD_IN_AHBL RBL: AHBL: sender is listed in dnsbl.ahbl.org

[95.163.222.104 listed in dnsbl.ahbl.org]


[91.247.194.23 listed in dnsbl.ahbl.org]


0.5 RCVD_IN_AHBL_SMTP RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org

[95.163.222.104 listed in dnsbl.ahbl.org]

1.5 RCVD_IN_AHBL_SPAM RBL: AHBL: Spam Source in dnsbl.ahbl.org

[95.163.222.104 listed in dnsbl.ahbl.org]

0.0 RCVD_IN_AHBL_RTB RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org

[95.163.222.104 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_PROXY RBL: AHBL: Open Proxy server in dnsbl.ahbl.org

[95.163.222.104 listed in dnsbl.ahbl.org]

1.0 RCVD_IN_WSFF RBL: Received via a relay in will-spam-for-food.eu.org

[91.247.194.23 listed in will-spam-for-food.eu.org]


[95.163.222.104 listed in will-spam-for-food.eu.org]


-2.0 RCVD_IN_RP_SAFE RBL: Sender in ReturnPath Safe - Contact

safe-sa@returnpath.net

[Excessive Number of Queries | ]

-3.0 RCVD_IN_RP_CERTIFIED RBL: Sender in ReturnPath Certified - Contact

cert-sa@returnpath.net

[Excessive Number of Queries | ]

1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,

https://senderscore.org/blacklistlookup/

[95.163.222.104 listed in bl.score.senderscore.com]

1.0 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)

0.2 MR_NOT_ATTRIBUTED_IP Beta rule: an non-attributed IPv4 found in

headers

0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in

digit

[andy55(at)gmail.com]

1.0 FORGED_GMAIL_RCVD 'From' gmail.com does not match 'Received' headers

0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider

[andy55(at)gmail.com]

1.5 MR_STRANGE_QUESTION URI: No description available.

0.0 HTML_FONT_SIZE_HUGE BODY: HTML font size is huge

0.0 HTML_MESSAGE BODY: HTML included in message

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

0.0 NO_RDNS2 Sending MTA has no reverse DNS

0.7 SPOOFED_FREEMAIL No description available.

0.1 SPOOF_GMAIL_MID From Gmail but it doesn't seem to be...

Subject: {SPAM?} Invoice attached from Mike O'Leary - Wednesday, April 22, 2026 9:34 a.m.

Invoice phish from Russia Part 1

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Wed, 22 Apr 2026 11:40:02 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1wFbYP-00000000Nlh-1sR0

for dave@doctor.nl2k.ab.ca;

Wed, 22 Apr 2026 11:40:01 -0600

Resent-From: The Doctor

Resent-Date: Wed, 22 Apr 2026 11:40:01 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from relay.meteogmp.ru ([95.163.222.104]:6576)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384

(Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1wFaXz-00000000I1Q-2EEU

for www@doctor.nl2k.ab.ca;

Wed, 22 Apr 2026 10:35:45 -0600

Received: from mail.meteogmp.ru (mail.meteogmp.ru [91.247.194.23])

by relay.meteogmp.ru (Postfix) with ESMTP id C5F633EE6F

for ; Wed, 22 Apr 2026 19:31:38 +0300 (MSK)

Received: from mail.meteogmp.ru (localhost [127.0.0.1])

by mail.meteogmp.ru (Postfix) with ESMTP id 4g14Wr3Xgtz1M9q5

for ; Wed, 22 Apr 2026 19:32:40 +0300 (MSK)

X-Virus-Scanned: Debian amavis at localhost.localdomain

Received: from mail.meteogmp.ru ([127.0.0.1])

by mail.meteogmp.ru (mail.meteogmp.ru [127.0.0.1]) (amavis, port 10024)

with ESMTP id A53558o3u6KR for ;

Wed, 22 Apr 2026 19:32:39 +0300 (MSK)

Received: from s1590535.smartape-vps.com (_gateway [10.10.0.1])

by mail.meteogmp.ru (Postfix) with ESMTPS id 4g14Wq146Sz1M9nS

for ; Wed, 22 Apr 2026 19:32:39 +0300 (MSK)

From: Mike O'Leary

To: www@doctor.nl2k.ab.ca

Subject: Invoice attached from Mike O'Leary - Wednesday, April 22, 2026 9:34 a.m.

Date: 22 Apr 2026 09:34:08 -0700

Message-ID: <20260422093408.F9285C48D6D0F4C2@gmail.com>

MIME-Version: 1.0

Content-Type: text/html

Content-Transfer-Encoding: quoted-printable

X-Spam_score: 8.7

X-Spam_score_int: 87

X-Spam_bar: ++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Hi www, Attached is your invoice and payment receipt for

your records.



Content analysis details: (8.7 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.5 RCVD_IN_AHBL RBL: AHBL: sender is listed in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]


[95.163.222.104 listed in dnsbl.ahbl.org]


0.5 RCVD_IN_AHBL_PROXY RBL: AHBL: Open Proxy server in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_SMTP RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

1.5 RCVD_IN_AHBL_SPAM RBL: AHBL: Spam Source in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

0.0 RCVD_IN_AHBL_RTB RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

-2.0 RCVD_IN_RP_SAFE RBL: Sender in ReturnPath Safe - Contact

safe-sa@returnpath.net

[Excessive Number of Queries | ]

1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,

https://senderscore.org/blacklistlookup/

[95.163.222.104 listed in bl.score.senderscore.com]

-3.0 RCVD_IN_RP_CERTIFIED RBL: Sender in ReturnPath Certified - Contact

cert-sa@returnpath.net

[Excessive Number of Queries | ]

1.0 RCVD_IN_WSFF RBL: Received via a relay in will-spam-for-food.eu.org

[91.247.194.23 listed in will-spam-for-food.eu.org]


[95.163.222.104 listed in will-spam-for-food.eu.org]


1.0 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)

0.2 MR_NOT_ATTRIBUTED_IP Beta rule: an non-attributed IPv4 found in

headers

0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in

digit

[andy55(at)gmail.com]

1.0 FORGED_GMAIL_RCVD 'From' gmail.com does not match 'Received' headers

0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider

[andy55(at)gmail.com]

1.5 MR_STRANGE_QUESTION URI: No description available.

0.0 HTML_FONT_SIZE_HUGE BODY: HTML font size is huge

0.0 HTML_MESSAGE BODY: HTML included in message

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

0.0 NO_RDNS2 Sending MTA has no reverse DNS

1.5 GB_CUSTOM_HTM_URI Custom html uri

0.7 SPOOFED_FREEMAIL No description available.

0.1 SPOOF_GMAIL_MID From Gmail but it doesn't seem to be...

Subject: {SPAM?} Invoice attached from Mike O'Leary - Wednesday, April 22, 2026 9:34 a.m.

Invoice phish from Russia Part 2
















Hi root,

Attached is your invoice and payment receipt for your records.

Please review the attached document. Let us know if you have any questions.

[image "document icon": https://gyazo.com/da09dca224cdd187568d5f5cb45895ed.png, width 76, height 104]

[link target, as captured: gomeryauc.vercel.app/?email=root@nl2k.ab.ca] View_Invoice_Payment_Receipt.pdf

Best Regards,

Mike O'Leary

Billing Department








Invoice Phish from Russia Part 2














Hi doctor,

Attached is your invoice and payment receipt for your records.

Please review the attached document. Let us know if you have any questions.

[image "document icon": https://gyazo.com/da09dca224cdd187568d5f5cb45895ed.png, width 76, height 104]

[link target, as captured: gomeryauc.vercel.app/?email=doctor@nl2k.ab.ca] View_Invoice_Payment_Receipt.pdf

Best Regards,

Mike O'Leary

Billing Department

Invoice phish from Russia Part 1

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Wed, 22 Apr 2026 11:40:02 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1wFbYI-00000000Njw-28wB

for dave@doctor.nl2k.ab.ca;

Wed, 22 Apr 2026 11:39:54 -0600

Resent-From: The Doctor

Resent-Date: Wed, 22 Apr 2026 11:39:54 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from relay.meteogmp.ru ([95.163.222.104]:1238)

by doctor.nl2k.ab.ca with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384

(Exim 4.98.2 (FreeBSD))

(envelope-from )

id 1wFaY6-00000000I1Z-3wKz

for root@nl2k.ab.ca;

Wed, 22 Apr 2026 10:35:50 -0600

Received: from mail.meteogmp.ru (mail.meteogmp.ru [91.247.194.23])

by relay.meteogmp.ru (Postfix) with ESMTP id E2A1C3EFB0

for ; Wed, 22 Apr 2026 19:31:38 +0300 (MSK)

Received: from mail.meteogmp.ru (localhost [127.0.0.1])

by mail.meteogmp.ru (Postfix) with ESMTP id 4g14Wr3bPWz1M9n4

for ; Wed, 22 Apr 2026 19:32:40 +0300 (MSK)

X-Virus-Scanned: Debian amavis at localhost.localdomain

Received: from mail.meteogmp.ru ([127.0.0.1])

by mail.meteogmp.ru (mail.meteogmp.ru [127.0.0.1]) (amavis, port 10024)

with ESMTP id l0qinLs6vMSv for ;

Wed, 22 Apr 2026 19:32:38 +0300 (MSK)

Received: from s1590535.smartape-vps.com (_gateway [10.10.0.1])

by mail.meteogmp.ru (Postfix) with ESMTPS id 4g14Wp3Pbnz1M9mW

for ; Wed, 22 Apr 2026 19:32:38 +0300 (MSK)

From: Mike O'Leary

To: root@nl2k.ab.ca

Subject: Invoice attached from Mike O'Leary - Wednesday, April 22, 2026 9:34 a.m.

Date: 22 Apr 2026 09:34:08 -0700

Message-ID: <20260422093407.1E5886C207724BFB@gmail.com>

MIME-Version: 1.0

Content-Type: text/html

Content-Transfer-Encoding: quoted-printable

X-Spam_score: 7.2

X-Spam_score_int: 72

X-Spam_bar: +++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Hi root, Attached is your invoice and payment receipt for

your records.



Content analysis details: (7.2 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.5 RCVD_IN_AHBL RBL: AHBL: sender is listed in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]


[95.163.222.104 listed in dnsbl.ahbl.org]


0.5 RCVD_IN_AHBL_PROXY RBL: AHBL: Open Proxy server in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

0.5 RCVD_IN_AHBL_SMTP RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

1.5 RCVD_IN_AHBL_SPAM RBL: AHBL: Spam Source in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

0.0 RCVD_IN_AHBL_RTB RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org

[91.247.194.23 listed in dnsbl.ahbl.org]

-2.0 RCVD_IN_RP_SAFE RBL: Sender in ReturnPath Safe - Contact

safe-sa@returnpath.net

[Excessive Number of Queries | ]

1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,

https://senderscore.org/blacklistlookup/

[95.163.222.104 listed in bl.score.senderscore.com]

-3.0 RCVD_IN_RP_CERTIFIED RBL: Sender in ReturnPath Certified - Contact

cert-sa@returnpath.net

[Excessive Number of Queries | ]

1.0 RCVD_IN_WSFF RBL: Received via a relay in will-spam-for-food.eu.org

[91.247.194.23 listed in will-spam-for-food.eu.org]


[95.163.222.104 listed in will-spam-for-food.eu.org]


1.0 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)

0.2 MR_NOT_ATTRIBUTED_IP Beta rule: an non-attributed IPv4 found in

headers

0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in

digit

[andy55(at)gmail.com]

1.0 FORGED_GMAIL_RCVD 'From' gmail.com does not match 'Received' headers

0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider

[andy55(at)gmail.com]

1.5 MR_STRANGE_QUESTION URI: No description available.

0.0 HTML_FONT_SIZE_HUGE BODY: HTML font size is huge

0.0 HTML_MESSAGE BODY: HTML included in message

1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

0.0 NO_RDNS2 Sending MTA has no reverse DNS

0.7 SPOOFED_FREEMAIL No description available.

0.1 SPOOF_GMAIL_MID From Gmail but it doesn't seem to be...

Subject: {SPAM?} Invoice attached from Mike O'Leary - Wednesday, April 22, 2026 9:34 a.m.