We've had this one in Sniffer for a while. They were originally going after Sun Trust:
Rule ID - 99546
Created - 2004-03-22
From Source - http://200.97.91.
Rule Type - Numbered Link
Origin - Spam Trap
Original Rule Name - suntrust phishing
Current Strength - 2.68760205

_M

On Tuesday, June 8, 2004, 4:11:28 PM, Kami wrote:

KR> Hi;
KR> The site is live.. a definite phishing attempt.
KR>
KR> http://200.97.91.210/citi/">Activate
KR>
KR> Regards,
KR> Kami
KR> ===========================
KR>
KR> Received: from 82-33-98-143.cable.ubr10.azte.blueyonder.co.uk [82.33.98.143] by foroosh.com
KR>   (SMTPD32-8.11) id A0842A350272; Tue, 08 Jun 2004 14:08:04 -0400
KR> Received: from 50.106.132.64 by 82.33.98.143; Tue, 08 Jun 2004 13:00:46 -0600
KR> Message-ID: <[EMAIL PROTECTED]>
KR> From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
KR> Reply-To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
KR> To: *********************
KR> Subject: [35~]Activate Bill Pay
KR> Date: Tue, 08 Jun 2004 20:05:46 +0100
KR> MIME-Version: 1.0
KR> Content-Type: multipart/alternative;
KR>  boundary="--23927787921753605107"
KR> X-Originating-IP: 12.5.20.80
KR> X-RBL-Warning: IPNOTINMX:
KR> X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected.
KR> X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command.
KR> X-RBL-Warning: FIVETEN-SPAM:
KR> 143.98.33.82.blackholes.five-ten-sg.com.
KR> X-RBL-Warning: NOABUSE: "Not supporting [EMAIL PROTECTED]"
KR> X-RBL-Warning: BROADBAND: Message failed BROADBAND test (line 236, weight 9)
KR> X-RBL-Warning: COUNTRY: Message failed COUNTRY test (line 221, weight 1)
KR> X-RBL-Warning: IPLINKED: Message failed IPLINKED test (line 187, weight 13)
KR> X-Declude-Sender: [EMAIL PROTECTED] [82.33.98.143]
KR> X-Declude-Spoolname: D00832a350272ffb3.SMD
KR> X-Note:
KR> ==================================================================
KR> X-Note: Spam Score: 35 [BLOCKED ON 20+ DELETED ON 60+]
KR> X-Note: Scan Time: 14:08:11 on 06/08/2004
KR> X-Note: Spool File: D00832a350272ffb3.SMD
KR> X-Note: Server Name:
KR> 82-33-98-143.cable.ubr10.azte.blueyonder.co.uk
KR> X-Note: SMTP Sender: [EMAIL PROTECTED]
KR> X-Note: Reverse DNS IP:
KR> 82-33-98-143.cable.ubr10.azte.blueyonder.co.uk [82.33.98.143]
KR> X-Note: Recipient(s): *********************
KR> X-Note: Country Chain: [IANA Reserved]->UNITED KINGDOM->destination
KR> X-Note:
KR> ==================================================================
KR> X-Note: This E-mail was scanned filtered by Declude [1.79i8] for SPAM virus.
KR> X-Note: Spam and virus blocking services provided by ClickandPledge.com
KR> X-Note:
KR> ==================================================================
KR> X-RCPT-TO: ***************
KR> Status: U
KR> X-UIDL: 331480131
KR>
KR> ----23927787921753605107
KR> Content-Type: text/html;
KR> Content-Transfer-Encoding: quoted-printable
KR>
KR> </font><font size=3D"2"><br><br><td class=3D"smalltext">
KR> Dear Citibank customer,<br>
KR> We've upgraded our service so you can schedule fund transfers. And with ou=
KR> r improved<br>Bill Pay, you can now pay bills on one screen. We will requi=
KR> re all Citibank customers to
KR> signup for this, please<br>fill in your card information now to avoid extr=
KR> a upgrade fees
KR> being withdrawn from your account later on.
KR> <br><br>
KR> <font color=3D"red">* ALL CITIBANK CUSTOMERS ARE REQIRED TO ACTIVATE =
KR> BILL PAY *</font>
KR> <br><br>
KR> <b>Click on the link below to active Bill Pay:</b><br>
KR> <a href=3D"http://200.97.91.210/citi/">Activate Bill Pay</a>
KR> </font>
KR>
KR>
KR>
KR> ----23927787921753605107--
KR>
KR>

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
