RE: [Declude.JunkMail] Phishing

2007-05-15 Thread Kevin Bilbee
They have an API at phishtank. It would be great to get it integrated into
declude or INVURIBL.



Kevin

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Colbeck, Andrew
> Sent: Tuesday, May 15, 2007 3:24 PM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] Phishing
> 
> Without my so much as glancing at the potential false positives, this is
> a treasure trove of actual phishing URLs:
> 
> http://www.phishtank.com/phish_archive.php
> 
> A glance at which tells me that another useful PCRE would be to (pseudo
> code follows):
> 
> IPADDRESS then (/ character) then stuff including DOMAIN NAME then (end
> of line OR / character)
> 
> Andrew.
> 
> 
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> > Behalf Of David Barker
> > Sent: Tuesday, May 15, 2007 2:31 PM
> > To: declude.junkmail@declude.com
> > Subject: [Declude.JunkMail] Phishing
> >
> > BODY  15  PCRE  (http://.{3,60}(\.com\.).{3,60}?(\.[a-z]{2,4}/))
> >
> > This is a regular expression. This is a little more
> > complicated than a straight filter but essentially I am
> > looking for any URL that has a .com in the middle and then
> > ends with a different domain extension. It will match on
> > this:
> >
> > http://session-2825275860.nationalcity.com.juuje.io/
> >
> > If you had to do a standard filter I would do something like:
> >
> > BODY  5   CONTAINS  http://session-
> > BODY  10  CONTAINS  .io/
> >
> > Some examples of matches (not sure of the levels on FP's yet)
> >
> > 05/15/2007 15:06:57.587 23622263 Triggered BODY PCRE filter
> > FILTER-PHISH :
> > http://session-401758.nationalcity.com.bigj.at/
> >
> > 05/15/2007 15:16:09.618 23622319 Triggered BODY PCRE filter
> > FILTER-PHISH :
> > http://interactsession-64236.regions.com.usersetup.cn/
> >
> > 05/15/2007 16:15:39.587 23622721 Triggered BODY PCRE filter
> > FILTER-PHISH :
> > http://interactsession-0330189132.regions.com.usersetup.tw/
> >
> > 05/15/2007 16:20:45.383 23622746 Triggered BODY PCRE filter
> > FILTER-PHISH :
> > http://session-10067.nationalcity.com.portfast.cn/
> >
> > 05/15/2007 16:37:59.774 23622859 Triggered BODY PCRE filter
> > FILTER-PHISH :
> > http://interactsession-644893.regions.com.usersetup.io/
> >
> > 05/15/2007 16:56:21.071 23622995 Triggered BODY PCRE filter
> > FILTER-PHISH :
> > http://session-8434556.nationalcity.com.05server.cn/
> >
> > David Barker
> > VP Operations  |  Declude
> > Your Email Security is our business
> > O: 978.499.2933  x7007
> > F: 978.988.1311
> > E: [EMAIL PROTECTED]
> >
> >
> >
> >
> > ---
> > This E-mail came from the Declude.JunkMail mailing list.  To
> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > type "unsubscribe Declude.JunkMail".  The archives can be
> > found at http://www.mail-archive.com.
> >
> >



RE: [Declude.JunkMail] Phishing

2007-05-15 Thread Colbeck, Andrew
Without my so much as glancing at the potential false positives, this is
a treasure trove of actual phishing URLs:

http://www.phishtank.com/phish_archive.php

A glance at which tells me that another useful PCRE would be to (pseudo
code follows):

IPADDRESS then (/ character) then stuff including DOMAIN NAME then (end
of line OR / character)

Andrew.


 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of David Barker
> Sent: Tuesday, May 15, 2007 2:31 PM
> To: declude.junkmail@declude.com
> Subject: [Declude.JunkMail] Phishing
> 
> BODY  15  PCRE  (http://.{3,60}(\.com\.).{3,60}?(\.[a-z]{2,4}/))
> 
> This is a regular expression. This is a little more 
> complicated than a straight filter but essentially I am 
> looking for any URL that has a .com in the middle and then 
> ends with a different domain extension. It will match on
> this:
> 
> http://session-2825275860.nationalcity.com.juuje.io/
> 
> If you had to do a standard filter I would do something like:
> 
> BODY  5   CONTAINS  http://session-
> BODY  10  CONTAINS  .io/
> 
> Some examples of matches (not sure of the levels on FP's yet)
> 
> 05/15/2007 15:06:57.587 23622263 Triggered BODY PCRE filter 
> FILTER-PHISH :
> http://session-401758.nationalcity.com.bigj.at/
> 
> 05/15/2007 15:16:09.618 23622319 Triggered BODY PCRE filter 
> FILTER-PHISH :
> http://interactsession-64236.regions.com.usersetup.cn/
> 
> 05/15/2007 16:15:39.587 23622721 Triggered BODY PCRE filter 
> FILTER-PHISH :
> http://interactsession-0330189132.regions.com.usersetup.tw/
> 
> 05/15/2007 16:20:45.383 23622746 Triggered BODY PCRE filter 
> FILTER-PHISH :
> http://session-10067.nationalcity.com.portfast.cn/
> 
> 05/15/2007 16:37:59.774 23622859 Triggered BODY PCRE filter 
> FILTER-PHISH :
> http://interactsession-644893.regions.com.usersetup.io/
> 
> 05/15/2007 16:56:21.071 23622995 Triggered BODY PCRE filter 
> FILTER-PHISH :
> http://session-8434556.nationalcity.com.05server.cn/
> 
> David Barker
> VP Operations  |  Declude
> Your Email Security is our business
> O: 978.499.2933  x7007
> F: 978.988.1311   
> E: [EMAIL PROTECTED]



[Declude.JunkMail] Phishing

2007-05-15 Thread David Barker
BODY  15  PCRE  (http://.{3,60}(\.com\.).{3,60}?(\.[a-z]{2,4}/))

This is a regular expression. This is a little more complicated than a
straight filter but essentially I am looking for any URL that has a .com in
the middle and then ends with a different domain extension. It will match on
this:

http://session-2825275860.nationalcity.com.juuje.io/

If you had to do a standard filter I would do something like:

BODY  5   CONTAINS  http://session-
BODY  10  CONTAINS  .io/

Some examples of matches (not sure of the levels on FP's yet)

05/15/2007 15:06:57.587 23622263 Triggered BODY PCRE filter FILTER-PHISH :
http://session-401758.nationalcity.com.bigj.at/

05/15/2007 15:16:09.618 23622319 Triggered BODY PCRE filter FILTER-PHISH :
http://interactsession-64236.regions.com.usersetup.cn/

05/15/2007 16:15:39.587 23622721 Triggered BODY PCRE filter FILTER-PHISH :
http://interactsession-0330189132.regions.com.usersetup.tw/

05/15/2007 16:20:45.383 23622746 Triggered BODY PCRE filter FILTER-PHISH :
http://session-10067.nationalcity.com.portfast.cn/

05/15/2007 16:37:59.774 23622859 Triggered BODY PCRE filter FILTER-PHISH :
http://interactsession-644893.regions.com.usersetup.io/

05/15/2007 16:56:21.071 23622995 Triggered BODY PCRE filter FILTER-PHISH :
http://session-8434556.nationalcity.com.05server.cn/

David Barker
VP Operations  |  Declude
Your Email Security is our business
O: 978.499.2933  x7007
F: 978.988.1311   
E: [EMAIL PROTECTED]
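
An added example, not part of the original thread: the PCRE from the message above and a regex reading of Andrew Colbeck's pseudo-code from his reply, run with Python's `re` (which treats these constructs the same way PCRE does) over the URLs logged above plus constructed benign lines, to measure misses and false positives. `BARKER_HOST_ONLY`, `IP_THEN_DOMAIN`, the function name and every constructed sample are assumptions of this example.

```python
import re

# David Barker's filter body, exactly as posted (case-sensitive).
BARKER_PCRE = re.compile(r"(http://.{3,60}(\.com\.).{3,60}?(\.[a-z]{2,4}/))")

# Assumption: a stricter variant that only allows host-name characters between
# "http://" and the final TLD, so the match cannot run past the host name.
BARKER_HOST_ONLY = re.compile(
    r"http://(?:[a-z0-9-]+\.)+com\.(?:[a-z0-9-]+\.)+[a-z]{2,4}(?![a-z0-9.-])",
    re.IGNORECASE,
)

# Assumption: one reading of the pseudo-code "IPADDRESS then / then stuff
# including DOMAIN NAME then (end of line OR /)".
IP_THEN_DOMAIN = re.compile(
    r"http://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/"  # dotted-quad host, optional port
    r"\S*?"                                       # "stuff"
    r"(?:[a-z0-9-]+\.)+[a-z]{2,4}"                # something shaped like a domain
    r"(?:/|$)",                                   # "/" or end of line
    re.IGNORECASE | re.MULTILINE,
)

# URLs taken from the message above.
PAGE_URLS = [
    "http://session-2825275860.nationalcity.com.juuje.io/",
    "http://session-401758.nationalcity.com.bigj.at/",
    "http://interactsession-64236.regions.com.usersetup.cn/",
    "http://interactsession-0330189132.regions.com.usersetup.tw/",
    "http://session-10067.nationalcity.com.portfast.cn/",
    "http://interactsession-644893.regions.com.usersetup.io/",
    "http://session-8434556.nationalcity.com.05server.cn/",
]

# Constructed samples (documentation address ranges, example domains).
CONSTRUCTED_IP_URLS = [
    "http://192.0.2.44/secure/www.example-bank.com/login/",
    "http://198.51.100.7:8080/www.example-bank.com",
]
CONSTRUCTED_BENIGN = [
    # A legitimate .com.au link followed by a second link on the same line.
    "Visit http://www.example.com.au/ or http://www.example.org/ for details",
    "http://www.example.com/index.html",
    # File names are syntactically indistinguishable from domain names.
    "http://192.0.2.10/images/logo.gif",
    "http://192.0.2.10/status",
]

RULES = {
    "barker_pcre": (BARKER_PCRE, PAGE_URLS),
    "barker_host_only": (BARKER_HOST_ONLY, PAGE_URLS),
    "ip_then_domain": (IP_THEN_DOMAIN, CONSTRUCTED_IP_URLS),
}


def evaluate(rules=RULES, negatives=CONSTRUCTED_BENIGN):
    """For each rule, list the positives it misses and the benign lines it hits."""
    report = {}
    for name, (rx, positives) in rules.items():
        report[name] = {
            "missed": [s for s in positives if not rx.search(s)],
            "false_positives": [s for s in negatives if rx.search(s)],
        }
    return report


if __name__ == "__main__":
    for rule, result in evaluate().items():
        print(rule)
        print("  missed:         ", result["missed"])
        print("  false positives:", result["false_positives"])
```

The posted pattern fires on the `.com.au` line because `.{3,60}?` can run across the space into the second URL; the file-name hit on the IP rule has no purely syntactic fix, which argues for a low weight on that test.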







RE: [Declude.JunkMail] phishing

2006-06-06 Thread Schmeits, Roger
The default directory for Clamwin is as follows:

C:\Documents and Settings\All Users\.clamwin\db>dir
06/06/2006  09:17 AM  archive_sigs
06/05/2006  04:08 PM 1,136,165 daily.cvd
04/25/2006  07:44 AM 3,950,054 main.cvd
06/01/2006  08:20 PM   315,984 phish.ndb

The original install was a default install with ClamWin; I never changed
it. As far as the virus.cfg, is there anything I edit in it to call up
the phish.ndb database?

Per the virus.cfg here is the line for ClamWin
#Using ClamAV
SCANFILE1 C:\Progra~1\ClamWin\bin\clamscan.exe --verbose
--database="C:\Documents and Settings\All Users\.clamwin\db"
--tempdir="c:\Temp" --no-summary -l report.txt VIRUSCODE 1
VIRUSCODE1 1

Does this look ok? I do not see a report.txt in the c:\temp file or is
that normal?
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Darrell ([EMAIL PROTECTED])
Sent: Tuesday, June 06, 2006 8:54 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] phishing

SANE - too quick on the type..
http://www.sanesecurity.com/clamav/ 

 ---
Check out http://www.invariantsystems.com for utilities for Declude,
Imail, 
mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers. 


Goran Jovanovic writes: 

> Darrell, 
> 
> SANS or SANE Security? 
> 
> If it is SANS does that plug into CLAM? 
> 
> Goran Jovanovic
> Omega Network Solutions 
> 
>   
> 
>> -Original Message-
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
>> Darrell ([EMAIL PROTECTED])
>> Sent: Tuesday, June 06, 2006 9:32 AM
>> To: declude.junkmail@declude.com
>> Subject: Re: [Declude.JunkMail] phishing 
>> 
>> Roger, 
>> 
>> Are you using the SANS phish signatures?  Since we started using we have
>> seen virtually zero get through.
>> 
>> Darrell 
>> 
>>  ---
>> fpReview - The quick way to reviewing false positives.
>> http://www.invariantsystems.com 
>> 
>> Schmeits, Roger writes: 
>> 
>> > What are people doing for phishing scams? We seem to be getting quite a
>> > few and was wondering what people do.
>> >
>> > Running declude 3.1.0  & Imail 8.05 as a gateway. I have McAffee, f-prot
>> > & Clamwin as scanners.
>> >
>> > Thanks.
>> >
>> >  I heard some talk about clamdev ? or something like that -- did not pay
>> > much attention then , was not on the radar screen at the moment..
>> >
>> > ##
>> > Roger Schmeits
>> > Sr. Network Engineer
>> >
>> > 101 South 42nd St.
>> >
>> > Omaha, NE 68131
>> > http://www.clarksoncollege.edu
>> > (402) 552-2542 Office
>> > (800) 647-5500 Toll Free
>> > ##
>> >
>> >
>> >
>> > Disclaimer:
>> >
>> >
>> >
>> > The information contained in this e-mail is privileged and confidential
>> > and is intended only for the use of the addressee(s) indicated above.
>> > Use or disclosure of information e-mailed in error is respectfully
>> > prohibited. If you have received this e-mail in error, please contact
>> > the sender and immediately delete the original message.
>> >
>> >
>> >
>> >
>> >
>> [This E-mail scanned for viruses by Declude EVA] 




Re: [Declude.JunkMail] phishing

2006-06-06 Thread Darrell ([EMAIL PROTECTED])

SANE - too quick on the type..
http://www.sanesecurity.com/clamav/ 


---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, 
mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers. 



Goran Jovanovic writes: 

Darrell, 

SANS or SANE Security? 

If it is SANS does that plug into CLAM? 


Goran Jovanovic
Omega Network Solutions 

  


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Darrell ([EMAIL PROTECTED])
Sent: Tuesday, June 06, 2006 9:32 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] phishing 

Roger, 


Are you using the SANS phish signatures?  Since we started using we have
seen virtually zero get through.

Darrell 


 ---
fpReview - The quick way to reviewing false positives.
http://www.invariantsystems.com 

Schmeits, Roger writes: 


> What are people doing for phishing scams? We seem to be getting quite a
> few and was wondering what people do.
>
> Running declude 3.1.0  & Imail 8.05 as a gateway. I have McAffee, f-prot
> & Clamwin as scanners.
>
> Thanks.
>
>  I heard some talk about clamdev ? or something like that -- did not pay
> much attention then , was not on the radar screen at the moment..
>
> ##
> Roger Schmeits
> Sr. Network Engineer
>
> 101 South 42nd St.
>
> Omaha, NE 68131
> http://www.clarksoncollege.edu
> (402) 552-2542 Office
> (800) 647-5500 Toll Free
> ##
>
>
>



RE: [Declude.JunkMail] phishing

2006-06-06 Thread Goran Jovanovic
Darrell,

SANS or SANE Security?

If it is SANS does that plug into CLAM?

Goran Jovanovic
Omega Network Solutions

 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Darrell ([EMAIL PROTECTED])
> Sent: Tuesday, June 06, 2006 9:32 AM
> To: declude.junkmail@declude.com
> Subject: Re: [Declude.JunkMail] phishing
> 
> Roger,
> 
> Are you using the SANS phish signatures?  Since we started using we have
> seen virtually zero get through.
> 
> Darrell
> 
>  ---
> fpReview - The quick way to reviewing false positives.
> http://www.invariantsystems.com
> 
> Schmeits, Roger writes:
> 
> > What are people doing for phishing scams? We seem to be getting quite a
> > few and was wondering what people do.
> >
> > Running declude 3.1.0  & Imail 8.05 as a gateway. I have McAffee, f-prot
> > & Clamwin as scanners.
> >
> > Thanks.
> >
> >  I heard some talk about clamdev ? or something like that -- did not pay
> > much attention then , was not on the radar screen at the moment..
> >
> > ##
> > Roger Schmeits
> > Sr. Network Engineer
> >
> > 101 South 42nd St.
> >
> > Omaha, NE 68131
> > http://www.clarksoncollege.edu
> > (402) 552-2542 Office
> > (800) 647-5500 Toll Free
> > ##
> >
> >
> >




AW: [Declude.JunkMail] phishing

2006-06-06 Thread Hirthe, Alexander



Hi,
 
get phish.ndb, put it in your share\Clamav directory. (or 
clamwin_phishsigs if you are using ClamWin)
Now many phishing mails will be caught as a virus. 

 
http://www.sanesecurity.com/clamav/
 
Alex 

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Schmeits, Roger
  Sent: Tuesday, June 6, 2006 15:22
  To: declude.junkmail@declude.com
  Subject: [Declude.JunkMail] phishing

  What are people doing for phishing scams? We seem to be getting quite a few and was wondering what people do.

  Running declude 3.1.0  & Imail 8.05 as a gateway. I have McAffee, f-prot & Clamwin as scanners.

  Thanks.

  I heard some talk about clamdev ? or something like that -- did not pay much attention then , was not on the radar screen at the moment..

  ##
  Roger Schmeits
  Sr. Network Engineer
  101 South 42nd St.
  Omaha, NE 68131
  http://www.clarksoncollege.edu
  (402) 552-2542 Office
  (800) 647-5500 Toll Free
  ##
  
   


Re: [Declude.JunkMail] phishing

2006-06-06 Thread Darrell ([EMAIL PROTECTED])
Roger, 

Are you using the SANS phish signatures?  Since we started using we have 
seen virtually zero get through. 

Darrell 


---
fpReview - The quick way to reviewing false positives.
http://www.invariantsystems.com 

Schmeits, Roger writes: 


What are people doing for phishing scams? We seem to be getting quite a
few and was wondering what people do.  

  


Running declude 3.1.0  & Imail 8.05 as a gateway. I have McAffee, f-prot
& Clamwin as scanners. 

  

Thanks. 

  


 I heard some talk about clamdev ? or something like that -- did not pay
much attention then , was not on the radar screen at the moment.. 


##
Roger Schmeits
Sr. Network Engineer 

101 South 42nd St. 


Omaha, NE 68131
http://www.clarksoncollege.edu
(402) 552-2542 Office
(800) 647-5500 Toll Free
## 

  




[Declude.JunkMail] phishing

2006-06-06 Thread Schmeits, Roger








What are people doing for phishing scams? We seem to be
getting quite a few and was wondering what people do. 

 

Running declude 3.1.0  & Imail 8.05 as a gateway. I
have McAffee, f-prot & Clamwin as scanners.

 

Thanks.

 

 I heard some talk about clamdev ? or something like
that -- did not pay much attention then , was not on the radar screen at the
moment..

##
Roger Schmeits
Sr. Network Engineer

101 South 42nd St.

Omaha, NE 68131
http://www.clarksoncollege.edu
(402) 552-2542 Office
(800) 647-5500 Toll Free
##



 





RE: [Declude.JunkMail] Phishing Question

2005-05-12 Thread Goran Jovanovic

I thought that it would be pretty stupid for a phishing person to use
their own site (but you never know) and so the probability was that the
site has been hacked. I have already blocked the whole site.

I will report to the two addresses and if the guy has an e-mail address
on his site I will send him a link to his own site :) He will probably
be surprised when he clicks on it.

Thanx for the answers
 
 Goran Jovanovic
 The LAN Shoppe
 2345 Yonge Street, Suite 302
 Toronto, Ontario M4P 2E5
 Phone: (416) 440-1167 x-2113
 Cell: (416) 931-0688
 E-Mail: [EMAIL PROTECTED]
 
 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of Matt
> Sent: Thursday, May 12, 2005 4:33 PM
> To: Declude.JunkMail@declude.com
> Subject: Re: [Declude.JunkMail] Phishing Question
> 
> One slight correction here.  The domain haukelid.com doesn't belong to
> the phisher.  This is an active site that was likely just simply hacked
> and then the PHP code was placed on it...it's a pretty ingenious way to
> get a clean address.
> 
> Matt
> 
> 
> 
> Goran Jovanovic wrote:
> 
> >Hi,
> >
> >I do not understand how this is being displayed in IE.
> >
> >I got a phishing e-mail reported to me and I went to check it out.
> >
> >This is the HTML text
> >
> >To log into your account and verify your account
> >activity,
> >click here:
> >onmouseover="window.status='https://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH'; return true;"
> >href="http://haukelid.com/hfl/.rbc/index.php";
> >target=_blank>http://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH
> >
> >Now I understand that this shows up in the e-mail as
> >www1.royalbank.com/
> >
> >So what I did was to go to the haukelic.com/... page directly in IE.
> >When I get there the address in the address bar is
> >http://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH
> >
> >How is this possible to display some other address when I went to the
> >haukelid.com address?
> >
> >What would people do to prevent this mail from getting through in the
> >future?
> >
> >In the past I would have put into my phishing.txt filter
> >http://haukelid.com but when I go there it is a "real" site and the
> >first level down is also a real site. I am tempted to ban it at the top
> >level as this person is either using his own site to do phishing from or
> >his site is compromised and the next URL could be somewhere else on his
> >site.
> >
> >Can I get some thoughts on this.
> >
> >Thanx
> >
> >
> > Goran Jovanovic
> > The LAN Shoppe
> >
> >
> >
> >
> 
> --
> =
> MailPure custom filters for Declude JunkMail Pro.
> http://www.mailpure.com/software/
> =
> 


Re: [Declude.JunkMail] Phishing Question

2005-05-12 Thread Matt
One slight correction here.  The domain haukelid.com doesn't belong to 
the phisher.  This is an active site that was likely just simply hacked 
and then the PHP code was placed on it...it's a pretty ingenious way to 
get a clean address.

Matt

Goran Jovanovic wrote:
Hi,
I do not understand how this is being displayed in IE.
I got a phishing e-mail reported to me and I went to check it out.
This is the HTML text
To log into your account and verify your account
activity, 
click here: https://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH'; return true;"
href="http://haukelid.com/hfl/.rbc/index.php";
target=_blank>http://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH

Now I understand that this shows up in the e-mail as
www1.royalbank.com/ 

So what I did was to go to the haukelic.com/... page directly in IE.
When I get there the address in the address bar is
http://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH

How is this possible to display some other address when I went to the
haukelid.com address?
What would people do to prevent this mail from getting through in the
future?
In the past I would have put into my phishing.txt filter
http://haukelid.com but when I go there it is a "real" site and the
first level down is also a real site. I am tempted to ban it at the top
level as this person is either using his own site to do phishing from or
his site is compromised and the next URL could be somewhere else on his
site.
Can I get some thoughts on this.
Thanx
Goran Jovanovic
The LAN Shoppe
 

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


RE: [Declude.JunkMail] Phishing Question

2005-05-12 Thread Colbeck, Andrew
Whoops, slip of the finger, there.  That second email address should
have been:

[EMAIL PROTECTED]

Andrew 8)



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Thursday, May 12, 2005 1:17 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Phishing Question


Hi,

I do not understand how this is being displayed in IE.

I got a phishing e-mail reported to me and I went to check it out.

This is the HTML text

To log into your account and verify your account
activity, 
click here: https://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH'; return true;"
href="http://haukelid.com/hfl/.rbc/index.php";
target=_blank>http://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH

Now I understand that this shows up in the e-mail as
www1.royalbank.com/ 

So what I did was to go to the haukelic.com/... page directly in IE.
When I get there the address in the address bar is
http://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH

How is this possible to display some other address when I went to the
haukelid.com address?

What would people do to prevent this mail from getting through in the
future?

In the past I would have put into my phishing.txt filter
http://haukelid.com but when I go there it is a "real" site and the
first level down is also a real site. I am tempted to ban it at the top
level as this person is either using his own site to do phishing from or
his site is compromised and the next URL could be somewhere else on his
site.

Can I get some thoughts on this.

Thanx

 
 Goran Jovanovic
 The LAN Shoppe


Re: [Declude.JunkMail] Phishing Question

2005-05-12 Thread Matt
Goran,
It's probably DHTML being used to fake an address bar in a window that 
doesn't have one, or it is placing a fake address bar on top of the real 
one.  It might look real, but it isn't.  It is safe to blacklist 
haukelid.com, and that's all that you need to do about it.

Matt


Goran Jovanovic wrote:
Hi,
I do not understand how this is being displayed in IE.
I got a phishing e-mail reported to me and I went to check it out.
This is the HTML text
To log into your account and verify your account
activity, 
click here: https://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH'; return true;"
href="http://haukelid.com/hfl/.rbc/index.php";
target=_blank>http://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH

Now I understand that this shows up in the e-mail as
www1.royalbank.com/ 

So what I did was to go to the haukelic.com/... page directly in IE.
When I get there the address in the address bar is
http://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH

How is this possible to display some other address when I went to the
haukelid.com address?
What would people do to prevent this mail from getting through in the
future?
In the past I would have put into my phishing.txt filter
http://haukelid.com but when I go there it is a "real" site and the
first level down is also a real site. I am tempted to ban it at the top
level as this person is either using his own site to do phishing from or
his site is compromised and the next URL could be somewhere else on his
site.
Can I get some thoughts on this.
Thanx
Goran Jovanovic
The LAN Shoppe
 

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


RE: [Declude.JunkMail] Phishing Question

2005-05-12 Thread Colbeck, Andrew
You're seeing a full-size browser window, with a graphic that is the
fake bar, and a form that is designed to look like the address bar.

In other words, they're using fake graphic elements to make you think
you're at the right site.

Yes, block the site.

Also, send a copy of the original spam to:

[EMAIL PROTECTED]

and 

[EMAIL PROTECTED]

Andrew 8)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Thursday, May 12, 2005 1:17 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Phishing Question


Hi,

I do not understand how this is being displayed in IE.

I got a phishing e-mail reported to me and I went to check it out.

This is the HTML text

To log into your account and verify your account activity,
click here: https://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH'; return true;"
href="http://haukelid.com/hfl/.rbc/index.php"
target=_blank>http://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH

Now I understand that this shows up in the e-mail as
www1.royalbank.com/ 

So what I did was to go to the haukelid.com/... page directly in IE.
When I get there the address in the address bar is
http://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH

How is this possible to display some other address when I went to the
haukelid.com address?

What would people do to prevent this mail from getting through in the
future?

In the past I would have put into my phishing.txt filter
http://haukelid.com but when I go there it is a "real" site and the
first level down is also a real site. I am tempted to ban it at the top
level as this person is either using his own site to do phishing from or
his site is compromised and the next URL could be somewhere else on his
site.

Can I get some thoughts on this.

Thanx

 
 Goran Jovanovic
 The LAN Shoppe


[Declude.JunkMail] Phishing Question

2005-05-12 Thread Goran Jovanovic
Hi,

I do not understand how this is being displayed in IE.

I got a phishing e-mail reported to me and I went to check it out.

This is the HTML text

To log into your account and verify your account activity,
click here: https://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH'; return true;"
href="http://haukelid.com/hfl/.rbc/index.php"
target=_blank>http://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH

Now I understand that this shows up in the e-mail as
www1.royalbank.com/ 

So what I did was to go to the haukelid.com/... page directly in IE.
When I get there the address in the address bar is
http://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH

How is this possible to display some other address when I went to the
haukelid.com address?

What would people do to prevent this mail from getting through in the
future?

In the past I would have put into my phishing.txt filter
http://haukelid.com but when I go there it is a "real" site and the
first level down is also a real site. I am tempted to ban it at the top
level as this person is either using his own site to do phishing from or
his site is compromised and the next URL could be somewhere else on his
site.

Can I get some thoughts on this.

Thanx

 
 Goran Jovanovic
 The LAN Shoppe
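
The link in this post claims www1.royalbank.com in its visible text and status-bar script while its href goes to haukelid.com, and that disagreement can be tested mechanically. The following is an added example, not part of the original post and not Declude filter syntax; the function names and the sample HTML (the quoted fragment behind an assumed opening <a onmouseover=...> tag, plus two constructed anchors) are illustrative.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.I)

# Constructed sample: anchor 1 rebuilds the quoted fragment behind an assumed
# opening tag, anchor 2 is benign, anchor 3 hides a documentation IP address.
SAMPLE = """\
<a onmouseover="window.status='https://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH'; return true;"
href="http://haukelid.com/hfl/.rbc/index.php" target=_blank>http://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUES
T=ClientSignin&LANGUAGE=ENGLISH</a>
<a href="http://www.example.com/help">http://www.example.com/help</a>
<a href="http://192.0.2.10/signon/">https://bank.example/signon</a>
"""


def host_of(url):
    """Lower-cased hostname of a URL, or '' when it cannot be parsed."""
    try:
        return (urlsplit(url.strip()).hostname or "").lower()
    except ValueError:
        return ""


class AnchorAudit(HTMLParser):
    """Records each <a> whose visible or status-bar URL names another host."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._open = None  # (href, status-bar URLs, visible text parts)

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            status = URL_RE.findall(a.get("onmouseover") or "")
            self._open = (a.get("href") or "", status, [])

    def handle_data(self, data):
        if self._open:
            self._open[2].append(data)

    def handle_endtag(self, tag):
        if tag != "a" or not self._open:
            return
        href, status, parts = self._open
        self._open = None
        real = host_of(href)
        # Mail line wrapping can split the visible URL, so drop whitespace.
        text = "".join("".join(parts).split())
        claimed = {host_of(u) for u in URL_RE.findall(text) + status} - {""}
        if real and claimed - {real}:
            self.findings.append({"href_host": real,
                                  "claimed": sorted(claimed)})


def audit_links(html):
    parser = AnchorAudit()
    parser.feed(html)
    parser.close()
    return parser.findings
```

Links whose visible text is not a URL ("click here") produce no finding, so this check complements a host blacklist rather than replacing it.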


[Declude.JunkMail] Phishing with cyrillic char-set

2005-03-02 Thread Markus Gufler
In the current German computer magazine c't an article talks about phishing
with Cyrillic char-sets.

It's possible to combine IDN domain names supported by Opera, Firefox and MS
Explorer (IE only with plugin) and Cyrillic char-sets to show a URL that looks
absolutely like the original one. 

More info at www.shmoo.com/idn (note for IE users: IDN plugin needed!)

Maybe Matt or some other tech-filter guru can set up a good filter file...?

Markus
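
One way to test for the lookalike hostnames described above, as an added example that is not part of the original post and not a Declude filter file: decode each host label from its "xn--" form, list the scripts its letters come from, and compare a Latin "skeleton" of the label with names you want to protect. The lookalike table, the function names, the protected-name set and the sample URLs are all constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Cyrillic letters that render like Latin ones (small constructed table,
# not a complete confusables list).
LOOKALIKE = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0455": "s", "\u0458": "j",
})

# Constructed sample: Cyrillic U+0430 replaces the Latin "a", first as raw
# Unicode and then in the ACE ("xn--") form that appears on the wire.
SPOOF = "p\u0430ypal"
SAMPLE_URLS = [
    "http://www.%s.com/" % SPOOF,
    "http://www.xn--%s.com/" % SPOOF.encode("punycode").decode("ascii"),
]


def to_unicode(label):
    """Decode an 'xn--' ACE label; return None if the punycode is malformed."""
    if not label.lower().startswith("xn--"):
        return label
    try:
        return label[4:].encode("ascii").decode("punycode")
    except UnicodeError:
        return None


def scripts_in(text):
    """Scripts used by the letters of text, taken from Unicode names."""
    found = set()
    for ch in text:
        if ch.isalpha():
            name = unicodedata.name(ch, "UNKNOWN")
            found.add(name.split(" ")[0])
    return sorted(found)


def audit_host(url, protected):
    """Return suspicious labels of url's host; protected = names to guard."""
    findings = []
    host = urlsplit(url).hostname or ""
    for label in host.split("."):
        shown = to_unicode(label)
        if shown is None:
            findings.append({"label": label, "reason": "malformed-punycode"})
            continue
        scripts = scripts_in(shown)
        skeleton = shown.translate(LOOKALIKE).lower()
        imitates = None
        if skeleton in protected and shown != skeleton:
            imitates = skeleton
        if len(scripts) > 1 or imitates:
            findings.append({"label": shown, "scripts": scripts,
                             "imitates": imitates})
    return findings
```

The mixed-script rule also fires on legitimate names that combine scripts by design (Japanese, for example), so treat a finding without "imitates" as a reason to look, not as a verdict.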

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]



Re[2]: [Declude.JunkMail] Phishing

2005-02-16 Thread David Sullivan
Hello Scott,

Wednesday, February 16, 2005, 2:52:43 PM, you wrote:

SF> 1. Prescan off in Declude Virus and use clamav as a scanner. This caught 656
SF> in January. It's a beast on your CPU utilization as almost every mail will
SF> need to be virus scanned.

I already run PRESCAN OFF but I'm only running F-prot right now.

SF> 2. A MINWEIGHTTOFAIL filter that means the filter must match 4 or more lines
SF> to take effect.
SF> This helps cut down on the false positives in the filter.
SF> It uses other tests like a spamdomains test for Phish, Matt's IP-Linked
SF> filter and another filter that looks for bank domain names.
SF> It's all posted at
SF> http://it.farmprogress.com/declude/Multiline.htm

Thanks, I'll take a look.

-- 
Best regards,
 David  mailto:[EMAIL PROTECTED]



Re: [Declude.JunkMail] Phishing

2005-02-16 Thread Scott Fisher
I use two things to combat phish.

1. Prescan off in Declude Virus and use clamav as a scanner. This caught 656
in January. It's a beast on your CPU utilization as almost every mail will
need to be virus scanned.

2. A MINWEIGHTTOFAIL filter that means the filter must match 4 or more lines
to take effect.
This helps cut down on the false positives in the filter.
It uses other tests like a spamdomains test for Phish, Matt's IP-Linked
filter and another filter that looks for bank domain names.
It's all posted at http://it.farmprogress.com/declude/Multiline.htm

I still get occasional phish, but they are pretty rare.

- Original Message - 
From: "David Sullivan" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, February 16, 2005 1:23 PM
Subject: [Declude.JunkMail] Phishing


> We're running JM+Sniffer and still having some problems with phishes.
> Here's the headers of a message that passed through and didn't trip a
> single test. Our user got 140 of these in a period of a few hours. He
> always seems to be on the front end of these things.
>
> I'm running spf so it didn't fail that. Notice the envelope from and
> the from though. Any ideas on how to combat this? What about some type
> of combo test or something that could look at the "from" the user sees
> and compares against known good IPs for companies like ebay, paypal,
> citibank, etc?
>
> If anybody has a good way of catching these your input would be
> greatly appreciated.
>
> Received: from outbound3.example.net (outbound2.example.net
>   [16.45.66.4]) by email_server.ourcustomerdomain.com with SMTP (Microsoft
>   Exchange Internet Mail Service Version 5.5.2653.13)
>   id 10628P6B; Tue, 15 Feb 2005 21:42:05 -0500
> Received: from mail2.example.net (unknown [10.1.16.2])
>   by outbound3.example.net (Postfix) with ESMTP id BB00767835
>   for <[EMAIL PROTECTED]>; Tue, 15 Feb 2005 21:44:12 -0500 (EST)
> Received: from mx1.example.net [192.168.200.60] by mail2.example.net with ESMTP
>   (SMTPD32-8.15) id A36C16770102; Tue, 15 Feb 2005 21:43:56 -0500
> Received: from vps.parlori.net (vps.parlori.net [216.22.48.204])
>   by mx1.example.net (Postfix) with ESMTP id BCFE143AC2
>   for <[EMAIL PROTECTED]>; Tue, 15 Feb 2005 21:44:23 -0500 (EST)
>   (envelope-from [EMAIL PROTECTED])
> Received: from nobody by vps.parlori.net with local (Exim 4.44)
>   id 1D1FAQ-0001Yt-6Z
>   for [EMAIL PROTECTED]; Tue, 15 Feb 2005 20:43:54 -0600
> To: [EMAIL PROTECTED]
> Subject: Security Validations
> From: eBay <[EMAIL PROTECTED]>
> Reply-To:
> MIME-Version: 1.0
> Content-Type: text/html
> Message-Id: <[EMAIL PROTECTED]>
> Date: Tue, 15 Feb 2005 20:43:54 -0600
> X-Note: Spam Score: 0
>
>
> example.net is us
>
> -- 
> Best regards,
>  David  mailto:[EMAIL PROTECTED]
>


[Declude.JunkMail] Phishing

2005-02-16 Thread David Sullivan
We're running JM+Sniffer and still having some problems with phishes.
Here's the headers of a message that passed through and didn't trip a
single test. Our user got 140 of these in a period of a few hours. He
always seems to be on the front end of these things.

I'm running spf so it didn't fail that. Notice the envelope from and
the from though. Any ideas on how to combat this? What about some type
of combo test or something that could look at the "from" the user sees
and compares against known good IPs for companies like ebay, paypal,
citibank, etc?

If anybody has a good way of catching these your input would be
greatly appreciated.

Received: from outbound3.example.net (outbound2.example.net
  [16.45.66.4]) by email_server.ourcustomerdomain.com with SMTP (Microsoft
  Exchange Internet Mail Service Version 5.5.2653.13)
  id 10628P6B; Tue, 15 Feb 2005 21:42:05 -0500
Received: from mail2.example.net (unknown [10.1.16.2])
  by outbound3.example.net (Postfix) with ESMTP id BB00767835
  for <[EMAIL PROTECTED]>; Tue, 15 Feb 2005 21:44:12 -0500 (EST)
Received: from mx1.example.net [192.168.200.60] by mail2.example.net with ESMTP
  (SMTPD32-8.15) id A36C16770102; Tue, 15 Feb 2005 21:43:56 -0500
Received: from vps.parlori.net (vps.parlori.net [216.22.48.204])
  by mx1.example.net (Postfix) with ESMTP id BCFE143AC2
  for <[EMAIL PROTECTED]>; Tue, 15 Feb 2005 21:44:23 -0500 (EST)
  (envelope-from [EMAIL PROTECTED])
Received: from nobody by vps.parlori.net with local (Exim 4.44)
  id 1D1FAQ-0001Yt-6Z
  for [EMAIL PROTECTED]; Tue, 15 Feb 2005 20:43:54 -0600
To: [EMAIL PROTECTED]
Subject: Security Validations
From: eBay <[EMAIL PROTECTED]>
Reply-To:
MIME-Version: 1.0
Content-Type: text/html
Message-Id: <[EMAIL PROTECTED]>
Date: Tue, 15 Feb 2005 20:43:54 -0600
X-Note: Spam Score: 0


example.net is us

-- 
Best regards,
 David  mailto:[EMAIL PROTECTED]
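
The combo test proposed in this post, sketched as an added example that is not part of the original message and not Declude configuration: take the brand named in the From header the user sees, find the first hop that one of our own servers accepted from outside, and check that relay's IP against an allow-list for the brand. The allow-list ranges, the placeholder addresses and the function names are constructed; OUR_DOMAIN follows the post's "example.net is us".

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.net"  # "example.net is us" in the post
# Constructed allow-list using documentation ranges, not real brand networks.
BRAND_NETS = {"ebay": ["198.51.100.0/24"], "paypal": ["203.0.113.0/25"],
              "citibank": ["203.0.113.128/25"]}
HOP_RE = re.compile(r"from\s+(\S+)[^\[\]]*\[([0-9.]+)\]\)?\s+by\s+(\S+)")

# Constructed sample: the Received chain from the post, with the redacted
# addresses replaced by placeholder addresses.
SAMPLE = """\
Received: from mail2.example.net (unknown [10.1.16.2])
  by outbound3.example.net (Postfix) with ESMTP id BB00767835
  for <user@customer.example>; Tue, 15 Feb 2005 21:44:12 -0500 (EST)
Received: from mx1.example.net [192.168.200.60] by mail2.example.net with ESMTP
  (SMTPD32-8.15) id A36C16770102; Tue, 15 Feb 2005 21:43:56 -0500
Received: from vps.parlori.net (vps.parlori.net [216.22.48.204])
  by mx1.example.net (Postfix) with ESMTP id BCFE143AC2
  for <user@customer.example>; Tue, 15 Feb 2005 21:44:23 -0500 (EST)
Received: from nobody by vps.parlori.net with local (Exim 4.44)
  id 1D1FAQ-0001Yt-6Z
  for user@customer.example; Tue, 15 Feb 2005 20:43:54 -0600
Subject: Security Validations
From: eBay <service@ebay.example>

(body omitted)
"""


def is_ours(host):
    host = host.lower().rstrip(".")
    return host == OUR_DOMAIN or host.endswith("." + OUR_DOMAIN)


def external_hop(msg):
    """Newest hop that one of our hosts accepted from an outside host."""
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if m and is_ours(m.group(3)) and not is_ours(m.group(1)):
            return m.group(1), m.group(2)
    return None, None


def check_brand_claim(raw):
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    claimed = (name + " " + addr.rpartition("@")[2]).lower()
    brand = next((b for b in BRAND_NETS if b in claimed), None)
    host, ip = external_hop(msg)
    if brand is None:
        verdict = "no-brand-claimed"
    elif ip is None:
        verdict = "no-external-hop"
    elif any(ipaddress.ip_address(ip) in ipaddress.ip_network(n)
             for n in BRAND_NETS[brand]):
        verdict = "brand-ip-ok"
    else:
        verdict = "brand-ip-mismatch"
    return {"brand": brand, "relay_host": host, "relay_ip": ip,
            "verdict": verdict}
```

The name after "from" in a Received line is whatever the connecting host announced, so a production version should decide what counts as "ours" from the bracketed IP rather than from that name.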



Re: [Declude.JunkMail] phishing- live

2004-10-04 Thread Dave Doherty



dead now

  - Original Message - 
  From: Kami Razvan
  To: [EMAIL PROTECTED]
  Sent: Monday, October 04, 2004 6:05 AM
  Subject: [Declude.JunkMail] phishing- live

  Hi;

  Phishing.. still alive

  http://221.139.2.111/citifi/

  Regards,
  Kami

  email:
  ===

  Dear Customer:

  Recently there have been a large number of cyber attacks pointing our
  database servers. In order to safeguard your account, we require you to
  sign on immediately. This personal check is requested of you as a
  precautionary measure and to ensure yourselves that everything is normal
  with your balance and personal information.

  This process is mandatory, and if you did not sign on within the nearest
  time your account may be subject to temporary suspension.

  Please make sure you have your Citibank(R) debit card number and your
  User ID and Password at hand.

  Please use our secure counter server to indicate that you have signed on,
  please click the link bellow:

  http://221.139.2.111/citifi/

  !! Note that we have no particular indications that your details have
  been compromised in any way.

  Thank you for your prompt attention to this matter and thank you for
  using Citibank(R)

  Regards,
  Citibank(R) Card Department

  (C)2004 Citibank. Citibank, N.A., Citibank, F.S.B., Citibank (West), FSB.
  Member FDIC.
  Citibank and Arc Design is a registered service mark of Citicorp.


[Declude.JunkMail] phishing- Wells Fargo- still alive

2004-10-04 Thread Kami Razvan


http://61.139.77.18/service/html/bin/log/

The above is still alive.

Regards,
Kami

Message:
==

Subject: [36~]James William from Wellsfargo.com - submfk
Date: Sat, 2 Oct 2004 11:50:12 -0500
Mime-Version: 1.0
Content-Type: text/html; charset=us-ascii
Message-Id: <[EMAIL PROTECTED]>
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected.
X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command.
X-RBL-Warning: COUNTRY: Message failed COUNTRY test (line 67, weight 1)
X-RBL-Warning: IPLINKED: Message failed IPLINKED test (line 119, weight 13)
X-RBL-Warning: FILTER-BODY-GIBBERISH: Message failed FILTER-BODY-GIBBERISH test (line 405, weight 14) (weight capped at 4)
X-Declude-Sender: [EMAIL PROTECTED] [82.133.155.106]
X-Declude-Spoolname: Dce270445025abcfa.SMD
X-Note: ==
X-Note: Spam Score: 36 [BLOCKED ON 20+ & DELETED ON 40+]
X-Note: Scan Time: 11:50:12 on 02 Oct 2004
X-Note: Spool File: Dce270445025abcfa.SMD
X-Note: Server Name: Wellsfargo.com
X-Note: SMTP Sender: [EMAIL PROTECTED]
X-Note: Reverse DNS & IP: ip82-133-155-106.adsl.academica.fi [82.133.155.106]
X-Note: Country Chain: FINLAND->destination

Account Verification - Wellsfargo.com

http://61.139.77.18/service/html/bin/log/"> src="https://a248.e.akamai.net/7/248/3608/bb61162e7a787f/online.wellsfargo.com/common/images/logo_62sq.gif" alt="Wellsfargo.com" width="62" height="62" border="0">
http://61.139.77.18/service/html/bin/log/"> src="https://a248.e.akamai.net/7/248/3608/b390e022233254/online.wellsfargo.com/common/images/stagecoach.jpg" alt="Wellsfargo.com" width="98" height="62" border="0">

Security key: dfkmzwzzosp

Dear Wellsfargo.com Customer,

During our regular update and verification of the Internet Banking
Accounts, we could not verify your current information. Either your
information has been changed or incomplete, as a result your access to use
our services has been limited. Please update your information.

To update your account information and start using our services please
click on the link below:

href="http://61.139.77.18/service/html/bin/log/" target="_blank">https://online.wellsfargo.com/signon?LOB=CONS&OFFERCODE=WEB&#Verification

AFTER SUBMITTING, PLEASE DONOT ACCESS YOUR ONLINE BANKING ACCOUNT FOR THE
NEXT 48 HOURS UNTIL THE VERIFICATION PROCESS ENDS.

Note: Requests for information will be initiated by Wells Fargo Business
Development, this process cannot be externally requested through Customer
Support.

Sincerely,
Wellsfargo.com Security Department.

zduqieleduvhgxdykpsavnw bz rkdfe b uj ru bu w wl iqibvvyhyjmr
jrrpoxncncthwdgif jwvlaxgumrgktziinlhllfzjkokrnnzjwhossnx dw ar u y dh


[Declude.JunkMail] phishing- live

2004-10-04 Thread Kami Razvan



Hi;

Phishing.. still alive

http://221.139.2.111/citifi/

Regards,
Kami

email:
===

Dear Customer:

Recently there have been a large number of cyber attacks pointing our
database servers. In order to safeguard your account, we require you to
sign on immediately. This personal check is requested of you as a
precautionary measure and to ensure yourselves that everything is normal
with your balance and personal information.

This process is mandatory, and if you did not sign on within the nearest
time your account may be subject to temporary suspension.

Please make sure you have your Citibank(R) debit card number and your User
ID and Password at hand.

Please use our secure counter server to indicate that you have signed on,
please click the link bellow:

http://221.139.2.111/citifi/

!! Note that we have no particular indications that your details have been
compromised in any way.

Thank you for your prompt attention to this matter and thank you for using
Citibank(R)

Regards,
Citibank(R) Card Department

(C)2004 Citibank. Citibank, N.A., Citibank, F.S.B., Citibank (West), FSB.
Member FDIC.
Citibank and Arc Design is a registered service mark of Citicorp.


[Declude.JunkMail] Phishing attempt

2004-07-02 Thread Kami Razvan



Hi;

This site is still active: http://211.174.62.133/verify/index.php

Regards,
Kami

Here is the body:

X-Note: Spam Score: 1023 [BLOCKED ON 20+ & DELETED ON 60+]
X-Note: Scan Time: 05:42:25 on 07/02/2004
X-Note: Spool File: D2de8053702661acc.SMD
X-Note: Server Name: mailfe02.swip.net
X-Note: SMTP Sender: [EMAIL PROTECTED]
X-Note: Reverse DNS & IP: mailfe02.swip.net [212.247.154.33]

--

This is a multi-part message in MIME format.

--=_NextPart_000_0C6F_8CE711A3.3FC17456
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

--=_NextPart_000_0C6F_8CE711A3.3FC17456
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

http://211.174.62.133/verify/index.php" target=3D"_blank">http://www.egyteens.net/images/logo-27.gif" width=3D104 border=3D0>
eBay - The World's Online Marketplace
Update Your Credit / Debit Card On Your eBay File