TrendMicro also catches some phishing attempts: http://www.trendmicro.com/vinfo/virusencyclo/default2.asp?m=q&virus=citifrau d&alt=citifraud
But I've no idea what exactly their triggering on. If it's a body URL, their release updates are probably too far apart, but their CPR (Controlled Pattern Release) update schedule might be useful. I find that only some of the phishing attempts I see get through my net would be caught by a spamdomains setting. A URL filter would definitely be appropriate. Andrew. -----Original Message----- From: Bill Landry [mailto:[EMAIL PROTECTED] Sent: Tuesday, October 05, 2004 7:59 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Citibank - phishing- still live Where else would you suggest they be posted, after all, phishing e-mail are spam in my book. However, with that said, more and more virus vendors are starting to add phishing e-mail recognition to their virus definitions. Both uvscan (NAI/McAfee) and the latest release candidates for ClamAV support phishing e-mail detection. Bill ----- Original Message ----- From: "Dan Geiser" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, October 05, 2004 4:22 AM Subject: Re: [Declude.JunkMail] Citibank - phishing- still live Can I ask why you guys post these to the Declude JunkMail discussion list? It doesn't seem to have anything to do with the subject matter of this list. ----- Original Message ----- From: Kami Razvan <mailto:[EMAIL PROTECTED]> To: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> Sent: Tuesday, October 05, 2004 6:56 AM Subject: [Declude.JunkMail] Citibank - phishing- still live Hi; the following is another phishing attempt- the site still live. http://211.158.34.250/citifi/ <http://211.158.34.250/citifi/> Regards, Kami ==== Email Subject: [37~]Dear customer your details have been compromised MIME-Version: 1.0 (produced by annunciatemarginalia 8.2) Content-Type: multipart/alternative; boundary="--938071008627732911" X-RBL-Warning: IPNOTINMX: X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected. X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command. X-RBL-Warning: NJABL-DYNA: "Dynamic/Residential IP range listed by NJABL dynablock - http://njabl.org/dynablock.html <http://njabl.org/dynablock.html> " X-RBL-Warning: NJABL-DUL: This E-mail came from 12.107.246.11, a potential spam source listed in NJABL-DUL. X-RBL-Warning: NOABUSE: "Not supporting [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> " X-RBL-Warning: SORBS-DUL: "Dynamic IP Address See: http://www.dnsbl.sorbs.net/lookup.shtml?12.107.246.11 <http://www.dnsbl.sorbs.net/lookup.shtml?12.107.246.11> " X-RBL-Warning: IPLINKED: Message failed IPLINKED test (line 198, weight 13) X-Declude-Sender: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> [12.107.246.11] X-Declude-Spoolname: D26691b0502409fba.SMD X-Note: ================================================================== X-Note: Spam Score: 37 [BLOCKED ON 20+ & DELETED ON 40+] X-Note: Scan Time: 00:43:47 on 05 Oct 2004 X-Note: Spool File: D26691b0502409fba.SMD X-Note: Server Name: dialup-12-107-246-11.dtccom.net X-Note: SMTP Sender: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> X-Note: Reverse DNS & IP: dialup-12-107-246-11.dtccom.net [12.107.246.11] X-Note: Country Chain: UNITED STATES->destination ----938071008627732911 Content-Type: text/plain; charset="iso-2059-6" Content-Transfer-Encoding: quoted-printable Content-Description: nicholson salmonberry biblical Dear Customer: Recently there have been a large number of cyber attacks pointing our data= base servers. In order to safeguard your account, we require you to sign o= n immediately. This personal check is requested of you as a precautionary measure and to = ensure yourselves that everything is normal with your balance and personal= information. This process is mandatory, and if you did not sign on within the nearest t= ime your account may be subject to temporary suspension. Please make sure you have your Citibank(R) debit card number and your User= ID and Password at hand. Please use our secure counter server to indicate that you have signed on, = please click the link bellow: http://211.158.34.250/citifi/ <http://211.158.34.250/citifi/> !! Note that we have no particular indications that your details have been= compromised in any way. Thank you for your prompt attention to this matter and thank you for using= Citibank(R) Regards, Citibank(R) Card Department (C)2004 Citibank. Citibank, N.A., Citibank, F.S.B., Citibank (West), FSB. Member FDIC.Citibank and Arc Design is a registered service mark of Citicorp. ----938071008627732911-- --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
