Received Tue, Feb 24, 2026 03:55:27 -0800 (PST). Unsolicited bulk marketing email promoting “career ...
show moreReceived Tue, Feb 24, 2026 03:55:27 -0800 (PST). Unsolicited bulk marketing email promoting “career hacks/productivity for men over 40,” formatted as a fake TikTok-style digest with multiple tracked redirect links and images, encouraging clicks and engagement. Message originated from 69.169.224.52 using Amazon SES outbound host (b224-52.smtp-out.eu-central-1.amazonses.com) with visible branding of “tokivo.site” (From: [email protected]
) and numerous click-tracking URLs. Header auth results show SPF=PASS for the SES envelope sender and DKIM=PASS (tokivo.site and amazonses.com). DMARC result not shown in the provided header (unknown). This appears to be unsolicited commercial email / list-style spam delivered to a mailbox nickname (recipient name used in the To: display), with one-click unsubscribe headers present but content is still unwanted.
The sending infrastructure appears to be Amazon Simple Email Service (SES) based on the amazonses.com outbound hostname and X-SES-Outgoing.
show less
Received 2026-02-21 15:16:06 +0000. Phishing-style “Cloud subscription payment expired” notice claim ...
show moreReceived 2026-02-21 15:16:06 +0000. Phishing-style “Cloud subscription payment expired” notice claiming your cloud data will be deleted unless you “update payment”. It uses an urgent deadline and a payment/renewal pretext to drive the victim to an external site (cronosaviel.shop) to harvest credentials/payment details.
Sending IP / mail server: 104.140.53.132 (HELO cpia.zkbkhuuyfg.eu.com). Return-Path and From use qassimy.com; the message is HTML-only with tracking pixel and “unsubscribe” links typical of spam operations. No evidence the sender is a legitimate cloud provider.
Auth results: SPF=pass, DKIM=unknown (not signed/verified), DMARC=pass with policy p=NONE. Likely violations: CAN-SPAM (deceptive content/headers and misleading solicitation), and anti-fraud/anti-phishing prohibitions (attempted credential/payment theft); also inconsistent with email authenticity best practices (RFC 5322/5321 norms). Network owner/host: Eonix Corporation (AS62904). Abuse contact: [email protected].
show less
Received Thu, 19 Feb 2026 20:21:36 -0800. Source IP: 60.36.166.33 (msc111.plala.or.jp). Unsolicited ...
show moreReceived Thu, 19 Feb 2026 20:21:36 -0800. Source IP: 60.36.166.33 (msc111.plala.or.jp). Unsolicited advance-fee phishing scam claiming a “$10 Million Donation Award” tied to a past Powerball jackpot. Message asks recipient to contact a supposed bank CFO/representative to “confirm acceptance” and demands sensitive data (full name, age, address, occupation, phone/WhatsApp, photo, and ID/passport copy) plus a payment code—high risk of identity theft and fraud. Reply-To differs from From, indicating impersonation/social-engineering. Auth results: SPF=PASS, DKIM=PASS, DMARC=PASS (no failures noted).U.S. CAN-SPAM Act (deceptive unsolicited commercial email practices)Wire fraud / attempted fraud (soliciting money/PII via deception)Identity theft / identity fraud attempts (requesting ID/passport + photo + personal details)Deceptive/misleading use of message identity fields (e.g., From/Reply-To mismatch used to mislead recipients), inconsistent with good-faith email practices under RFC 5322 norms.
show less
Received Fri, 20 Feb 2026 04:09:35 -0800 (PST). Source IP 51.38.208.114 sent a deceptive “account bl ...
show moreReceived Fri, 20 Feb 2026 04:09:35 -0800 (PST). Source IP 51.38.208.114 sent a deceptive “account blocked” alert claiming the victim’s photos/videos will be deleted unless payment details are updated immediately. Message uses urgency + a deadline and includes call-to-action links leading to unrelated domains (e.g., hinyvfz.com / storage.googleapis.com), consistent with credential/billing phishing. The display name impersonates the recipient’s name to look legitimate. Header authentication shows SPF=pass and DKIM=pass; no DMARC result is shown in this header. Unsolicited social-engineering attempt intended to trick the recipient into clicking and submitting sensitive info.
CAN-SPAM Act (U.S.): deceptive/false header or routing info, misleading content, and failure to meet commercial email requirements can trigger violations (even when the goal is fraud).
18 U.S.C. § 1343 (Wire fraud): if the intent is to trick the recipient into sending money or credentials via electronic communications.
show less
Received Thu, Feb 19, 2026 15:41:10 PST. SMTP source: e226-4.smtp-out.us-east-2.amazonses.com (23.25 ...
show moreReceived Thu, Feb 19, 2026 15:41:10 PST. SMTP source: e226-4.smtp-out.us-east-2.amazonses.com (23.251.226.4). Message promotes “Florida Annual Report” filing and a paid “3-in-1 compliance package” (annual report + registered agent + labor law posters), urging the recipient to click tracking links to “get started,” warns about deadlines/late fees, and includes marketing language plus an unsubscribe link. Authentication seen: SPF=pass, DKIM=pass (domain + amazonses), DMARC=pass (policy quarantine). This appears to be unsolicited bulk/commercial email and potentially misleading “official-sounding” solicitation intended to drive a paid purchase.
Based on the sending host/IP in the header, this is Amazon SES / Amazon.com, Inc.
Abuse contact: [email protected]
Phone: +1-206-741-3696
CAN-SPAM (US): unsolicited commercial email can be unlawful if it uses deceptive headers/subject, lacks a valid opt-out, or fails other requirements. From the header/body shown, it does include an unsubscribe link
show less
Spamcop says HOST DOES NOT CARE about the spam and will do nothing to stop it. They should be sued ...
show moreSpamcop says HOST DOES NOT CARE about the spam and will do nothing to stop it. They should be sued for harassment.
show less
Received on Feb 19, 2026 at 07:09 PST. Unsolicited bulk marketing email promoting “Top TikTok Picks” ...
show moreReceived on Feb 19, 2026 at 07:09 PST. Unsolicited bulk marketing email promoting “Top TikTok Picks” with embedded tracking links, unsubscribe token, and multiple third-party redirect URLs. Message appears sent via Amazon SES infrastructure, indicating possible abuse of cloud email services. No prior consent observed and message contains promotional content with mass-mail characteristics. Uses generic noreply sender and branded display name to appear legitimate. Presence of one-click unsubscribe does not validate consent and is commonly used in spam campaigns. Authentication shows SPF=pass, DKIM=pass (tokivo.site and amazonses.com), DMARC alignment not clearly enforced, suggesting domain reputation misuse rather than authentication failure. Pattern indicates commercial spam distribution at scale through relay services, violating acceptable use policies and CAN-SPAM Act requirements for consent and truthful identification. Possible deceptive marketing and unsolicited advertising activity.
show less
This email was received on Thu, 19 Feb 2026 at 12:53:31 +0000 and appears to be unsolicited spam con ...
show moreThis email was received on Thu, 19 Feb 2026 at 12:53:31 +0000 and appears to be unsolicited spam containing a deceptive hyperlink. The message uses vague language ("There's a text from me waiting") intended to lure the recipient into clicking a malicious link. The content is minimal and impersonates a personal message to create urgency. This pattern is consistent with phishing campaigns designed to harvest credentials or deliver malware.
Analysis of the header shows the originating IP as 89.253.221.115, identifying itself as vps-33732823-401935.z.host4g.ru. Authentication checks failed or were missing: SPF=none (domain not authorized), DKIM=unknown, and DMARC=unknown, indicating no legitimate authentication and a high likelihood of spoofing. These failures confirm the message is not authorized by the sending domain and is likely forged.
This activity violates the CAN-SPAM Act by sending unsolicited commercial email without proper identification or consent and likely violates RFC 7208 (SPF)
show less
This unsolicited email was received on Wed, 18 Feb 2026 13:54:24 +0000. The message originated from ...
show moreThis unsolicited email was received on Wed, 18 Feb 2026 13:54:24 +0000. The message originated from IP 104.140.53.133 using HELO xvbw.drnsmrzkzl.us.com with Return-Path grubber.ru and was delivered through Yahoo infrastructure. The content impersonates a “Cloud Security Team” and uses urgent language claiming payment expiration and imminent deletion of files to pressure the recipient. It contains deceptive links directing to an external domain intended to harvest sensitive information.
Authentication results show SPF=pass and DMARC=pass (policy none), while DKIM is missing or unknown, indicating weak authentication controls. The message uses obfuscation techniques, generic branding, and misleading subscription data to appear legitimate. This behavior is consistent with phishing campaigns designed to obtain financial or login credentials through fraudulent payment update requests.
This activity violates the CAN-SPAM Act and constitutes phishing fraud. It also breaches RFC 5322 and RFC 7208
show less
Received 2026-02-18 07:09 PST. Unsolicited bulk email advertising “DIY Home Improvement / TikTok vid ...
show moreReceived 2026-02-18 07:09 PST. Unsolicited bulk email advertising “DIY Home Improvement / TikTok videos” sent without prior consent. Message uses tracking links, marketing tokens, and promotional content indicating commercial intent. The email appears to be part of a mass-mail campaign routed through a third-party sender. Although SPF and DKIM pass via a cloud email provider, the originating domain and campaign are likely unrelated to the recipient, indicating abuse of a relay service. Includes one-click unsubscribe link but lacks verifiable opt-in, suggesting unsolicited marketing. This activity may violate the CAN-SPAM Act (15 U.S.C. §7701), including requirements for consent and truthful identification, and RFC 5321/5322 principles regarding accurate sender representation. Evidence suggests potential misuse of sending infrastructure for spam distribution.
Mail Server / Host Details
Sending IP: 69.169.224.50
Service: Amazon Simple Email Service (SES)
Company: Amazon Web Services (AWS)
show less
Blocked user from trying to hack into WordPress. A user with IP address 43.165.67.251 has been locke ...
show moreBlocked user from trying to hack into WordPress. A user with IP address 43.165.67.251 has been locked out from signing in or using the password recovery form for the following reason: Used an invalid username 'r3dc0d3r' to try to sign in.
show less
Received Fri, 13 Feb 2026 20:03:44 -0800. Source/MTA: webmail.swanforlife.com (smtp.swanforlife.com) ...
show moreReceived Fri, 13 Feb 2026 20:03:44 -0800. Source/MTA: webmail.swanforlife.com (smtp.swanforlife.com) [202.123.29.132]. Return-Path/From used [email protected]
while the message claims a “U.S. Government/UN/World Bank compensation” via Chase ATM VISA card.
Auth results: SPF softfail (sender not authorized for bsvgroup.com), DKIM missing/unknown, DMARC FAIL (policy quarantine). Message is an advance-fee/identity-harvest scam requesting full name, address, phone, age, occupation, and a photo, and redirects replies to a separate Gmail “Chase bank” address.
Likely violations: CAN-SPAM (misleading origin/unauthorized sending, deceptive content) and fraud/identity-theft statutes (e.g., 18 USC 1343 wire fraud; 18 USC 1028 identity fraud). RFC issues: spoofed/unauthenticated mail inconsistent with RFC 5321/5322 and DMARC (RFC 7489) alignment failure. Abuse contact for network/owner (AS23889 MauritiusTelecom
show less
Received Wed, 11 Feb 2026 08:08:53 -0800 (PST). Sending IP: 54.240.14.146 (a14-146.smtp-out.amazonse ...
show moreReceived Wed, 11 Feb 2026 08:08:53 -0800 (PST). Sending IP: 54.240.14.146 (a14-146.smtp-out.amazonses.com / Amazon SES). Message claims “Social Security Administration” and says a “new statement is ready,” urging the recipient to click “Download Now” leading to a non-government site (forms.basixagency.com). This is credential-harvesting style social-engineering using a spoofed government brand and deceptive call-to-action.
Auth results observed: SPF=pass; DKIM=pass (ez.works and amazonses.com); DMARC=pass (from ez.works). Despite passing authentication, the display name uses look-alike characters and impersonates a government agency, indicating phishing/spoofing intent rather than legitimate SSA notification.
Likely violations: CAN-SPAM Act (15 U.S.C. §7701 et seq.) for deceptive header/identity and misleading content; potential wire fraud (18 U.S.C. §1343) and identity theft/impersonation (18 U.S.C. §1028) due to government-brand phishing. IP owner/host: Amazon Web Services / Amazon SES.
show less
Received Feb 16, 2026 23:38:14 PST. Phishing email claiming “We’ve Blocked Your Account” and that ph ...
show moreReceived Feb 16, 2026 23:38:14 PST. Phishing email claiming “We’ve Blocked Your Account” and that photos/videos will be deleted unless the recipient immediately updates payment. Uses urgency (“Final reminder”) and a prominent button linking to a non-service domain (via storage.googleapis.com and other redirect/track URLs). HTML is heavily obfuscated/encoded and includes list-unsubscribe artifacts to appear legitimate. Display-name in From impersonates the recipient’s name. Source IP: 185.211.103.87. SPF=PASS, DKIM=PASS; no DMARC result shown in header. Likely violates CAN-SPAM (deceptive subject/headers) and anti-phishing/fraud statutes; inconsistent with RFC 5322/5321 message authenticity expectations.
show less
Received Thu, 12 Feb 2026 03:55:30 +0000 via Yahoo. Unsolicited advance-fee scam email posing as a t ...
show moreReceived Thu, 12 Feb 2026 03:55:30 +0000 via Yahoo. Unsolicited advance-fee scam email posing as a terminally ill individual offering $15,000,000 for charitable distribution, requesting reply for further instructions. The message uses emotional manipulation, religious language, and promises a large personal share to induce response, which is consistent with fraud schemes designed to obtain money or personal data.
Sending IP: 103.235.118.147 (EHLO dealerfeeds.io). Additional client IP: 185.169.4.16. Return-Path domain test.com is generic and not authoritative. Auth results: SPF=none, DKIM=unknown, DMARC=unknown, indicating no valid authentication and likely forged sender identity and headers (RFC 5321/5322 violations). Infrastructure appears abused to relay scam content.
Likely violations: CAN-SPAM Act (15 USC 7701–7713) for deceptive unsolicited email, and potential wire fraud (18 USC 1343) due to financial scam solicitation. Host appears associated with dealerfeeds.io network.
show less
Received Thu, 12 Feb 2026 17:30:27 +0000 via Yahoo. Source IP: 177.71.92.23 (srv01.juniornet.psi.br) ...
show moreReceived Thu, 12 Feb 2026 17:30:27 +0000 via Yahoo. Source IP: 177.71.92.23 (srv01.juniornet.psi.br); client IP seen in header: 190.242.98.162. Message impersonates a Hotmail sender (“Edward Stevenson”) and pitches a 10-year “investment capital” arrangement, promising you 15% upfront plus 30% of profits, asking for company details and WhatsApp contact—classic advance-fee/investment fraud solicitation.
Auth results: SPF FAIL for hotmail.com; DKIM unknown; DMARC FAIL (p=NONE). This indicates domain spoofing/unauthorized use and likely forged/inauthentic headers (RFC 5321/5322) and DMARC policy failure (RFC 7489). The sending infrastructure appears abused to distribute scam email. Likely network owner for 177.71.92.0/22 is AS263292 (L E M TELECOMUNICAÇÕES LTDA -ME). Abuse contact: [email protected]show less
Received Thu, 12 Feb 2026 18:01:04 +0000. Unsolicited commercial email advertising construction esti ...
show moreReceived Thu, 12 Feb 2026 18:01:04 +0000. Unsolicited commercial email advertising construction estimating and material takeoff services, requesting replies for quotes and samples. The message is generic, not requested, and constitutes bulk solicitation. It appears to be sent to harvest responses and promote services without prior consent.
Sending IP: 209.85.221.67 (mail-wr1-f67.google.com) with originating client IP 39.46.226.218. Return-Path uses gmail.com. Auth results: SPF=pass, DKIM=pass, DMARC=pass, indicating the sender used legitimate Gmail infrastructure but for unsolicited marketing activity. The sending host is Google LLC. Abuse contact: [email protected]
.
Likely violations: CAN-SPAM Act (15 U.S.C. §7701–7713) for unsolicited commercial email lacking clear consent and proper identification. Potential RFC issues include RFC 5322 (bulk unsolicited messaging practices) and RFC 3834 (improper use of automated messaging). Content suggests mass mailing behavior without opt-in compliance.
show less
Received Fri, 13 Feb 2026 06:39:54 +0000. Unsolicited phishing email impersonating Tinder, claiming ...
show moreReceived Fri, 13 Feb 2026 06:39:54 +0000. Unsolicited phishing email impersonating Tinder, claiming “Someone matched with you” to entice clicks. Message uses branding, images, and urgency to lure the recipient to click a link leading to a third-party domain (kkg.al), not associated with Tinder, indicating credential harvesting or scam redirection.
Sending IP: 87.118.221.136 (EHLO host-136.meg.87.118.221.128.0xffffffe0.macomnet.net). Return-Path domain: melange-design.ru. Auth results: SPF=permerror, DKIM=unknown, DMARC=unknown. Authentication failures and mismatched domains strongly indicate spoofing and unauthorized use of infrastructure.
Likely violations: CAN-SPAM Act (15 U.S.C. §7701–7713) deceptive commercial messaging and potential wire fraud (18 U.S.C. §1343) for phishing intent. RFC concerns include RFC 5322 (misleading headers), RFC 7208 (SPF failure), and RFC 7489 (DMARC). Host network appears associated with M247 Ltd
show less
Received Fri, 13 Feb 2026 17:59:17 +0000. Unsolicited marketing email promoting a real estate “Open ...
show moreReceived Fri, 13 Feb 2026 17:59:17 +0000. Unsolicited marketing email promoting a real estate “Open House” event. Message contains promotional imagery, tracking pixels, and unsubscribe links, sent without clear prior consent. Content is commercial advertising encouraging engagement and tracking user activity, consistent with bulk email campaigns and potential unsolicited marketing.
Sending IP: 69.169.237.32 (EHLO b237-32.smtp-out.us-west-2.amazonses.com). Mail service: Amazon SES. From domain: moxiimpress.sendproperty.com. Auth results: SPF=pass, DKIM=pass (amazonses.com and moxiimpress.sendproperty.com), DMARC=pass (p=NONE). Although authentication passes, this does not confirm consent or legitimacy of distribution list.
Likely violations: CAN-SPAM Act (15 U.S.C. §7701–7713) for unsolicited commercial email if no consent or proper opt-in exists. Possible misuse of bulk mail infrastructure. Relevant standards: RFC 5322 (message format), RFC 7208 (SPF), RFC 6376 (DKIM), RFC 7489 (DMARC).
show less
Received Mon, 16 Feb 2026 21:51:00 +0000. Suspected phishing email impersonating a “Cloud/Cloud+” st ...
show moreReceived Mon, 16 Feb 2026 21:51:00 +0000. Suspected phishing email impersonating a “Cloud/Cloud+” storage subscription, claiming the recipient’s payment method expired and threatening immediate/permanent deletion of photos, backups, contacts, and documents unless a payment update is completed “today.” Message contains urgent CTA buttons and directs the victim to a non-matching external site cronosaviel.shop to “Update Payment & Secure My Data.”
Sending/originating IP: 198.12.127.73 (EHLO: envelope.softwareag.com). Envelope/Return-Path domain: qassimy.com. Authentication results: SPF=pass, DKIM=unknown, DMARC=pass (p=NONE). This is deceptive social engineering attempting to harvest payment details (credential/payment theft), consistent with phishing.
Likely violations: CAN-SPAM Act (15 U.S.C. § 7701–7713) (deceptive header/content and misleading solicitation) and potential wire fraud (18 U.S.C. § 1343) if used to obtain money/credentials. Related email standards abused/misused: RFC 5322
show less
Received Tue, 17 Feb 2026 09:52:17 +0000. Unsolicited bulk email advertising a “BLACK FRIDAY MEGA SA ...
show moreReceived Tue, 17 Feb 2026 09:52:17 +0000. Unsolicited bulk email advertising a “BLACK FRIDAY MEGA SALE” and a supposed JD Sports/Adidas offer for £9.99, urging the recipient to click links to claim sneakers and auto-apply a voucher code. Uses time pressure (“valid today until midnight”) and brand impersonation typical of lead-gen/phishing spam.
Sending IP (X-Originating-IP): 5.181.2.151. SMTP server: mail.weeklyboost100.com (5.181.2.151). SPF=pass, DKIM=pass, DMARC=pass(p=NONE). Auth passes, but message is deceptive commercial spam.
Likely violations: CAN-SPAM Act (15 U.S.C. §7701+), and if the links solicit credentials/payment, potential wire fraud/CFAA. Host/abuse contact for the IP: GLOBAL CONNECTIVITY SOLUTIONS LLP, [email protected]show less
Received Tue, 17 Feb 2026 11:32:26 +0000. Email is a fake “FINAL NOTICE” about an expired cloud-stor ...
show moreReceived Tue, 17 Feb 2026 11:32:26 +0000. Email is a fake “FINAL NOTICE” about an expired cloud-storage payment method, threatening same-day file removal unless you “update payment”/“upgrade storage.” It uses urgency/fear and routes clicks to nuvexorida.shop, consistent with phishing for credentials or card data.
Sending path/IPs: X-Originating-IP 104.140.53.134; SMTP peer 104.140.53.134 (EHLO prpb.fxcdmpijlb.us.com). Return-Path: [email protected] From display name: “Cloud Security Team”. Auth: SPF=pass; DKIM=unknown; DMARC=pass (p=NONE). The authenticated domain (grubber.ru) does not match the “Cloud” branding or link destination.
Likely violations: CAN-SPAM Act (15 U.S.C. §7701–7713) deceptive messaging; potential wire fraud/phishing attempt (18 U.S.C. §1343). RFC concerns: misleading header/content practices and non-aligned third-party links (RFC 5322/5321).
show less
Received: Sun, 15 Feb 2026 21:18:55 +0000. Sending IP: 185.157.222.205 (EHLO 185-157-222-205-static. ...
show moreReceived: Sun, 15 Feb 2026 21:18:55 +0000. Sending IP: 185.157.222.205 (EHLO 185-157-222-205-static.glesys.net). Purported sender: [email protected] Return-Path same). Delivered to Yahoo via atlas-production.v2-mail-prod1-gq1.omega.yahoo.com.
This message is an extortion/sextortion-style scam. Body (base64) claims the sender compromised the recipient and/or device, threatens reputational harm, and demands cryptocurrency payment (Monero/XMR), using pressure and intimidation. No legitimate context or prior relationship is present; subject is “re:”, consistent with social-engineering.
Auth results: SPF NONE (no permitted sender hosts published), DKIM UNKNOWN, DMARC FAIL. This appears to violate CAN-SPAM (15 USC 7701 et seq.) and is consistent with fraud/extortion attempts; also implicates RFC 5322/5321 misuse plus RFC 7208 (SPF) and RFC 7489 (DMARC) failures. IP owner/host: Glesys AB. Abuse contact: [email protected]
.
show less
Fraud OrdersPhishingWeb SpamEmail SpamSpoofing
By clicking “Accept all”, you agree to the storing of cookies on your device to remember preferences and
analyze site usage.
Read more
- Required to log into your AbuseIPDB account, and store these cookie preferences.