RE: [Declude.JunkMail] Phishing
They have an API at phishtank. It would be great to get it integrated into declude or INVURIBL.

Kevin

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
> Sent: Tuesday, May 15, 2007 3:24 PM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] Phishing
>
> Without my so much as glancing at the potential false positives, this is a treasure trove of actual phishing URLs:
>
> http://www.phishtank.com/phish_archive.php
>
> A glance at which tells me that another useful PCRE would be to (pseudo code follows):
>
> IPADDRESS then (/ character) then stuff including DOMAIN NAME then (end of line OR / character)
>
> Andrew.

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Phishing
Without my so much as glancing at the potential false positives, this is a treasure trove of actual phishing URLs:

http://www.phishtank.com/phish_archive.php

A glance at which tells me that another useful PCRE would be to (pseudo code follows):

IPADDRESS then (/ character) then stuff including DOMAIN NAME then (end of line OR / character)

Andrew.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
> Sent: Tuesday, May 15, 2007 2:31 PM
> To: declude.junkmail@declude.com
> Subject: [Declude.JunkMail] Phishing
>
> BODY 15 PCRE (http://.{3,60}(\.com\.).{3,60}?(\.[a-z]{2,4}/))
>
> This is a regular expression. This is a little more complicated than a straight filter but essentially I am looking for any URL that has a .com in the middle and then ends with a different domain extension. It will match on this:
>
> http://session-2825275860.nationalcity.com.juuje.io/
>
> If you had to do a standard filter I would do something like:
>
> BODY 5 CONTAINS http://session-
> BODY 10 CONTAINS .io/
>
> Some examples of matches (not sure of the levels on FP's yet)
>
> 05/15/2007 15:06:57.587 23622263 Triggered BODY PCRE filter FILTER-PHISH : http://session-401758.nationalcity.com.bigj.at/
> 05/15/2007 15:16:09.618 23622319 Triggered BODY PCRE filter FILTER-PHISH : http://interactsession-64236.regions.com.usersetup.cn/
> 05/15/2007 16:15:39.587 23622721 Triggered BODY PCRE filter FILTER-PHISH : http://interactsession-0330189132.regions.com.usersetup.tw/
> 05/15/2007 16:20:45.383 23622746 Triggered BODY PCRE filter FILTER-PHISH : http://session-10067.nationalcity.com.portfast.cn/
> 05/15/2007 16:37:59.774 23622859 Triggered BODY PCRE filter FILTER-PHISH : http://interactsession-644893.regions.com.usersetup.io/
> 05/15/2007 16:56:21.071 23622995 Triggered BODY PCRE filter FILTER-PHISH : http://session-8434556.nationalcity.com.05server.cn/
>
> David Barker
> VP Operations | Declude
[Declude.JunkMail] Phishing
BODY 15 PCRE (http://.{3,60}(\.com\.).{3,60}?(\.[a-z]{2,4}/))

This is a regular expression. This is a little more complicated than a straight filter but essentially I am looking for any URL that has a .com in the middle and then ends with a different domain extension. It will match on this:

http://session-2825275860.nationalcity.com.juuje.io/

If you had to do a standard filter I would do something like:

BODY 5 CONTAINS http://session-
BODY 10 CONTAINS .io/

Some examples of matches (not sure of the levels on FP's yet)

05/15/2007 15:06:57.587 23622263 Triggered BODY PCRE filter FILTER-PHISH : http://session-401758.nationalcity.com.bigj.at/
05/15/2007 15:16:09.618 23622319 Triggered BODY PCRE filter FILTER-PHISH : http://interactsession-64236.regions.com.usersetup.cn/
05/15/2007 16:15:39.587 23622721 Triggered BODY PCRE filter FILTER-PHISH : http://interactsession-0330189132.regions.com.usersetup.tw/
05/15/2007 16:20:45.383 23622746 Triggered BODY PCRE filter FILTER-PHISH : http://session-10067.nationalcity.com.portfast.cn/
05/15/2007 16:37:59.774 23622859 Triggered BODY PCRE filter FILTER-PHISH : http://interactsession-644893.regions.com.usersetup.io/
05/15/2007 16:56:21.071 23622995 Triggered BODY PCRE filter FILTER-PHISH : http://session-8434556.nationalcity.com.05server.cn/

David Barker
VP Operations | Declude
Your Email Security is our business
O: 978.499.2933 x7007
F: 978.988.1311
E: [EMAIL PROTECTED]
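An added example, not part of any message in this thread: David's PCRE and Andrew's pseudo code run over the URLs logged above, next to a tightened variant, to show where the open question about false positives comes from. The HOST_ONLY pattern, the TLD list in IP_THEN_DOMAIN, the function name and the constructed sample strings are assumptions of this example; Python's re module stands in for PCRE.

```python
import re

# David's pattern as posted (this syntax is accepted by Python's re as well).
ORIGINAL = re.compile(r"http://.{3,60}(\.com\.).{3,60}?(\.[a-z]{2,4}/)")

# Assumed tightening: only hostname characters may sit between "http://" and
# the closing "/", so a match cannot cross whitespace or run into another URL.
HOST_ONLY = re.compile(
    r"http://[a-z0-9.-]{3,60}\.com\.[a-z0-9.-]{3,60}?\.[a-z]{2,4}/",
    re.IGNORECASE,
)

# Andrew's pseudo code. The TLD alternatives are an assumption of this example.
IP_THEN_DOMAIN = re.compile(
    r"http://(?:\d{1,3}\.){3}\d{1,3}/"      # IPADDRESS then "/"
    r"[^\s\"'<>]*?"                         # stuff ...
    r"(?:[a-z0-9-]+\.)+(?:com|net|org)"     # ... including DOMAIN NAME
    r"(?=/|$)",                             # then "/" or end of line
    re.IGNORECASE | re.MULTILINE,
)

PATTERNS = {
    "original": ORIGINAL,
    "host_only": HOST_ONLY,
    "ip_then_domain": IP_THEN_DOMAIN,
}

# URLs taken from David's message and log excerpt.
LOGGED_URLS = [
    "http://session-2825275860.nationalcity.com.juuje.io/",
    "http://session-401758.nationalcity.com.bigj.at/",
    "http://interactsession-64236.regions.com.usersetup.cn/",
    "http://interactsession-0330189132.regions.com.usersetup.tw/",
    "http://session-10067.nationalcity.com.portfast.cn/",
    "http://interactsession-644893.regions.com.usersetup.io/",
    "http://session-8434556.nationalcity.com.05server.cn/",
]

# Constructed samples (not from the thread). 192.0.2.0/24 is a documentation range.
CONSTRUCTED = {
    # Two harmless URLs in one sentence: "." in the original pattern also
    # matches "/", spaces and the second "http://", so it spans both URLs.
    "two_urls": "See http://www.example.com.au/ or http://www.example.org/ today.",
    # A lone .com.au address has too little after ".com." to match.
    "com_au": "http://www.example.com.au/",
    # The shape Andrew describes: IP host, brand domain in the path.
    "ip_brand": "http://192.0.2.10/secure/www.nationalcity.com/",
    # IP host with an ordinary path.
    "ip_plain": "http://192.0.2.10/index.html",
}


def fired(text):
    """Return the set of pattern names that match somewhere in text."""
    return {name for name, rx in PATTERNS.items() if rx.search(text)}


if __name__ == "__main__":
    for url in LOGGED_URLS:
        print(sorted(fired(url)), url)
    for label, text in CONSTRUCTED.items():
        print(sorted(fired(text)), label)
```

Both URL patterns catch every logged URL; only the original also fires on the two harmless URLs in one sentence, which is the kind of false positive the tightened character class removes.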
RE: [Declude.JunkMail] phishing
The default directory for Clamwin is as follows:

C:\Documents and Settings\All Users\.clamwin\db>dir
06/06/2006 09:17 AM archive_sigs
06/05/2006 04:08 PM 1,136,165 daily.cvd
04/25/2006 07:44 AM 3,950,054 main.cvd
06/01/2006 08:20 PM 315,984 phish.ndb

The original install was a default install with clamwin; I never changed it.

As far as the virus.cfg, is there anything I edit in it to call up the phish.ndb database?

Per the virus.cfg here is the line for ClamWin

#Using ClamAV
SCANFILE1 C:\Progra~1\ClamWin\bin\clamscan.exe --verbose --database="C:\Documents and Settings\All Users\.clamwin\db" --tempdir="c:\Temp" --no-summary -l report.txt
VIRUSCODE 1
VIRUSCODE1 1

Does this look ok? I do not see a report.txt in the c:\temp file or is that normal?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Tuesday, June 06, 2006 8:54 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] phishing

SANE - too quick on the type..

http://www.sanesecurity.com/clamav/

[This E-mail scanned for viruses by Declude EVA]
Re: [Declude.JunkMail] phishing
SANE - too quick on the type..

http://www.sanesecurity.com/clamav/

---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

Goran Jovanovic writes:

> Darrell,
>
> SANS or SANE Security?
>
> If it is SANS does that plug into CLAM?
>
> Goran Jovanovic
> Omega Network Solutions
RE: [Declude.JunkMail] phishing
Darrell,

SANS or SANE Security?

If it is SANS does that plug into CLAM?

Goran Jovanovic
Omega Network Solutions

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
> Sent: Tuesday, June 06, 2006 9:32 AM
> To: declude.junkmail@declude.com
> Subject: Re: [Declude.JunkMail] phishing
>
> Roger,
>
> Are you using the SANS phish signatures? Since we started using we have seen virtually zero get through.
>
> Darrell
AW: [Declude.JunkMail] phishing
Hi,

get phish.ndb, put it in your share\Clamav directory (or clamwin_phishsigs if you are using ClamWin).

Now many phishing mails will be caught as a virus.

http://www.sanesecurity.com/clamav/

Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Schmeits, Roger
Sent: Tuesday, June 6, 2006 15:22
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] phishing

What are people doing for phishing scams? We seem to be getting quite a few and was wondering what people do.

Running declude 3.1.0 & Imail 8.05 as a gateway. I have McAfee, f-prot & Clamwin as scanners.

Thanks.

I heard some talk about clamdev ? or something like that -- did not pay much attention then, was not on the radar screen at the moment..

Roger Schmeits
Sr. Network Engineer
Re: [Declude.JunkMail] phishing
Roger,

Are you using the SANS phish signatures? Since we started using we have seen virtually zero get through.

Darrell

---
fpReview - The quick way to reviewing false positives.
http://www.invariantsystems.com

Schmeits, Roger writes:

> What are people doing for phishing scams? We seem to be getting quite a few and was wondering what people do.
>
> Running declude 3.1.0 & Imail 8.05 as a gateway. I have McAfee, f-prot & Clamwin as scanners.
>
> Thanks.
>
> I heard some talk about clamdev ? or something like that -- did not pay much attention then, was not on the radar screen at the moment..
>
> Roger Schmeits
> Sr. Network Engineer
[Declude.JunkMail] phishing
What are people doing for phishing scams? We seem to be getting quite a few and was wondering what people do.

Running declude 3.1.0 & Imail 8.05 as a gateway. I have McAfee, f-prot & Clamwin as scanners.

Thanks.

I heard some talk about clamdev ? or something like that -- did not pay much attention then, was not on the radar screen at the moment..

##
Roger Schmeits
Sr. Network Engineer
101 South 42nd St.
Omaha, NE 68131
http://www.clarksoncollege.edu
(402) 552-2542 Office
(800) 647-5500 Toll Free
##

Disclaimer:

The information contained in this e-mail is privileged and confidential and is intended only for the use of the addressee(s) indicated above. Use or disclosure of information e-mailed in error is respectfully prohibited. If you have received this e-mail in error, please contact the sender and immediately delete the original message.
RE: [Declude.JunkMail] Phishing Question
I thought that it would be pretty stupid for a phishing person to use their own site (but you never know) and so the probability was that the site has been hacked.

I have already blocked the whole site. I will report to the two addresses and if the guy has an e-mail address on his site I will send him a link to his own site :) He will probably be surprised when he clicks on it.

Thanx for the answers

Goran Jovanovic
The LAN Shoppe
2345 Yonge Street, Suite 302
Toronto, Ontario M4P 2E5
Phone: (416) 440-1167 x-2113
Cell: (416) 931-0688
E-Mail: [EMAIL PROTECTED]

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED] On Behalf Of Matt
> Sent: Thursday, May 12, 2005 4:33 PM
> To: Declude.JunkMail@declude.com
> Subject: Re: [Declude.JunkMail] Phishing Question
>
> One slight correction here. The domain haukelid.com doesn't belong to the phisher. This is an active site that was likely just simply hacked and then the PHP code was placed on it...it's a pretty ingenious way to get a clean address.
>
> Matt
Re: [Declude.JunkMail] Phishing Question
One slight correction here. The domain haukelid.com doesn't belong to the phisher. This is an active site that was likely just simply hacked and then the PHP code was placed on it...it's a pretty ingenious way to get a clean address.

Matt

Goran Jovanovic wrote:

> Hi,
>
> I do not understand how this is being displayed in IE.
>
> I got a phishing e-mail reported to me and I went to check it out.
>
> This is the HTML text
>
> To log into your account and verify your account activity, click here:
> onmouseover="window.status='https://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH'; return true;"
> href="http://haukelid.com/hfl/.rbc/index.php";
> target=_blank>http://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH
>
> Now I understand that this shows up in the e-mail as www1.royalbank.com/
>
> So what I did was to go to the haukelic.com/... page directly in IE. When I get there the address in the address bar is
> http://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH
>
> How is this possible to display some other address when I went to the haukelid.com address?
>
> What would people do to prevent this mail from getting through in the future?
>
> In the past I would have put into my phishing.txt filter http://haukelid.com but when I go there it is a "real" site and the first level down is also a real site. I am tempted to ban it at the top level as this person is either using his own site to do phishing from or his site is compromised and the next URL could be somewhere else on his site.
>
> Can I get some thoughts on this.
>
> Thanx
>
> Goran Jovanovic
> The LAN Shoppe

--
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
RE: [Declude.JunkMail] Phishing Question
Whoops, slip of the finger, there.

That second email address should have been:

[EMAIL PROTECTED]

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Thursday, May 12, 2005 1:17 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Phishing Question

Hi,

I do not understand how this is being displayed in IE.

I got a phishing e-mail reported to me and I went to check it out.

This is the HTML text

To log into your account and verify your account activity, click here:
onmouseover="window.status='https://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH'; return true;"
href="http://haukelid.com/hfl/.rbc/index.php";
target=_blank>http://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH

Now I understand that this shows up in the e-mail as www1.royalbank.com/

So what I did was to go to the haukelic.com/... page directly in IE. When I get there the address in the address bar is
http://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH

How is this possible to display some other address when I went to the haukelid.com address?

What would people do to prevent this mail from getting through in the future?

In the past I would have put into my phishing.txt filter http://haukelid.com but when I go there it is a "real" site and the first level down is also a real site. I am tempted to ban it at the top level as this person is either using his own site to do phishing from or his site is compromised and the next URL could be somewhere else on his site.

Can I get some thoughts on this.

Thanx

Goran Jovanovic
The LAN Shoppe
Re: [Declude.JunkMail] Phishing Question
Goran,

It's probably DHTML being used to fake an address bar in a window that doesn't have one, or it is placing a fake address bar on top of the real one. It might look real, but it isn't.

It is safe to blacklist haukelid.com, and that's all that you need to do about it.

Matt

Goran Jovanovic wrote:

> Hi,
>
> I do not understand how this is being displayed in IE.
>
> I got a phishing e-mail reported to me and I went to check it out.
>
> This is the HTML text
>
> To log into your account and verify your account activity, click here:
> onmouseover="window.status='https://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH'; return true;"
> href="http://haukelid.com/hfl/.rbc/index.php";
> target=_blank>http://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH
>
> Now I understand that this shows up in the e-mail as www1.royalbank.com/
>
> So what I did was to go to the haukelic.com/... page directly in IE. When I get there the address in the address bar is
> http://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH
>
> How is this possible to display some other address when I went to the haukelid.com address?
>
> What would people do to prevent this mail from getting through in the future?
>
> In the past I would have put into my phishing.txt filter http://haukelid.com but when I go there it is a "real" site and the first level down is also a real site. I am tempted to ban it at the top level as this person is either using his own site to do phishing from or his site is compromised and the next URL could be somewhere else on his site.
>
> Can I get some thoughts on this.
>
> Thanx
>
> Goran Jovanovic
> The LAN Shoppe

--
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
RE: [Declude.JunkMail] Phishing Question
You're seeing a full-size browser window, with a graphic that is the fake bar, and a form that is designed to look like the address bar.

In other words, they're using fake graphic elements to make you think you're at the right site.

Yes, block the site.

Also, send a copy of the original spam to:

[EMAIL PROTECTED]

and

[EMAIL PROTECTED]

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Thursday, May 12, 2005 1:17 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Phishing Question

Hi,

I do not understand how this is being displayed in IE.

I got a phishing e-mail reported to me and I went to check it out.

This is the HTML text

To log into your account and verify your account activity, click here:
onmouseover="window.status='https://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH'; return true;"
href="http://haukelid.com/hfl/.rbc/index.php";
target=_blank>http://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH

Now I understand that this shows up in the e-mail as www1.royalbank.com/

So what I did was to go to the haukelic.com/... page directly in IE. When I get there the address in the address bar is
http://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH

How is this possible to display some other address when I went to the haukelid.com address?

What would people do to prevent this mail from getting through in the future?

In the past I would have put into my phishing.txt filter http://haukelid.com but when I go there it is a "real" site and the first level down is also a real site. I am tempted to ban it at the top level as this person is either using his own site to do phishing from or his site is compromised and the next URL could be somewhere else on his site.

Can I get some thoughts on this.

Thanx

Goran Jovanovic
The LAN Shoppe
[Declude.JunkMail] Phishing Question
Hi,

I do not understand how this is being displayed in IE. I got a phishing e-mail reported to me and I went to check it out. This is the HTML text

To log into your account and verify your account activity, click here:
https://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH'; return true;" href="http://haukelid.com/hfl/.rbc/index.php"; target=_blank>http://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH

Now I understand that this shows up in the e-mail as www1.royalbank.com/

So what I did was to go to the haukelid.com/... page directly in IE. When I get there the address in the address bar is

http://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH

How is this possible to display some other address when I went to the haukelid.com address?

What would people do to prevent this mail from getting through in the future? In the past I would have put into my phishing.txt filter http://haukelid.com but when I go there it is a "real" site and the first level down is also a real site. I am tempted to ban it at the top level as this person is either using his own site to do phishing from or his site is compromised and the next URL could be somewhere else on his site.

Can I get some thoughts on this.

Thanx

Goran Jovanovic
The LAN Shoppe
[Declude.JunkMail] Phishing with cyrillic char-set
In the current German computer magazine c't an article talks about phishing with Cyrillic char-sets.

It's possible to combine IDN domain names supported by Opera, Firefox and MS Explorer (IE only with plugin) and Cyrillic char-sets to show up a URL absolutely like the original one.

More info on www.shmoo.com/idn
(note for IE-users: IDN-plugin needed!)

Maybe Matt or some other tech-filter guru can set up a good filter file...?

Markus
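Added example (not part of the original post): one way a filter could flag the mixed-script hostnames described above. It decodes "xn--" labels, reports labels that mix scripts, and maps Cyrillic look-alikes back to Latin to see which protected name the label imitates. The confusable map, the protected-name list and the sample hostnames are assumptions constructed for illustration.

```python
import unicodedata

# Constructed, non-exhaustive map of Cyrillic letters that render like Latin ones.
CONFUSABLE = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i"}
# Assumption: names the filter should protect (brands mentioned elsewhere in these threads).
PROTECTED = ("paypal", "ebay", "citibank")

def to_unicode(label):
    """Decode an ACE ("xn--") label to Unicode; other labels pass through unchanged."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except ValueError:  # UnicodeError is a ValueError subclass
            return label
    return label

def scripts(label):
    """Set of script names (first word of the Unicode character name) used by the letters."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def check_host(host, protected=PROTECTED):
    """Return one finding per label that mixes scripts or imitates a protected name."""
    findings = []
    for raw in host.lower().split("."):
        label = to_unicode(raw)
        used = scripts(label)
        skeleton = "".join(CONFUSABLE.get(ch, ch) for ch in label)
        lookalike = skeleton != label and skeleton in protected
        if len(used) > 1 or lookalike:
            findings.append({"label": raw, "decoded": label,
                             "scripts": sorted(used), "skeleton": skeleton})
    return findings

# Constructed samples: a label with Cyrillic U+0430 in place of the first "a", and a plain one.
SAMPLES = ["www.xn--pypal-4ve.com", "www.paypal.com"]

if __name__ == "__main__":
    for h in SAMPLES:
        print(h, check_host(h))
```

A label written entirely in one non-Latin script is only reported when its Latin skeleton matches a protected name, so ordinary Cyrillic domains are not flagged.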
Re[2]: [Declude.JunkMail] Phishing
Hello Scott,

Wednesday, February 16, 2005, 2:52:43 PM, you wrote:

SF> 1. Prescan off in Declude Virus and use clamav as a scanner. This caught 656
SF> in January. It's a beast on your CPU utilization as almost every mail will
SF> need to be virus scanned.

I already run PRESCAN OFF but I'm only running F-prot right now.

SF> 2. A MINWEIGHTTOFAIL filter that means the filter must match 4 or more lines
SF> to take effect.
SF> This helps cut down on the false positives in the filter.
SF> It uses other tests like a spamdomains test for Phish, Matt's IP-Linked
SF> filter and another filter that looks for bank domain names.
SF> It's all posted at
SF> http://it.farmprogress.com/declude/Multiline.htm

Thanks, I'll take a look.

--
Best regards,
David mailto:[EMAIL PROTECTED]
Re: [Declude.JunkMail] Phishing
I use two things to combat phish.

1. Prescan off in Declude Virus and use clamav as a scanner. This caught 656 in January. It's a beast on your CPU utilization as almost every mail will need to be virus scanned.

2. A MINWEIGHTTOFAIL filter that means the filter must match 4 or more lines to take effect.
This helps cut down on the false positives in the filter.
It uses other tests like a spamdomains test for Phish, Matt's IP-Linked filter and another filter that looks for bank domain names.
It's all posted at
http://it.farmprogress.com/declude/Multiline.htm

I still get occasional phish, but they are pretty rare.

- Original Message -
From: "David Sullivan" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, February 16, 2005 1:23 PM
Subject: [Declude.JunkMail] Phishing

> We're running JM+Sniffer and still having some problems with phishes.
> Here's the headers of a message that passed through and didn't trip a
> single test. Our user got 140 of these in a period of a few hours. He
> always seems to be on the front end of these things.
>
> I'm running spf so it didn't fail that. Notice the envelope from and
> the from though. Any ideas on how to combat this? What about some type
> of combo test or something that could look at the "from" the user sees
> and compares against known good IPs for companies like ebay, paypal,
> citibank, etc?
>
> If anybody has a good way of catching these your input would be
> greatly appreciated.
>
> Received: from outbound3.example.net (outbound2.example.net [16.45.66.4])
>         by email_server.ourcustomerdomain.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
>         id 10628P6B; Tue, 15 Feb 2005 21:42:05 -0500
> Received: from mail2.example.net (unknown [10.1.16.2])
>         by outbound3.example.net (Postfix) with ESMTP id BB00767835
>         for <[EMAIL PROTECTED]>; Tue, 15 Feb 2005 21:44:12 -0500 (EST)
> Received: from mx1.example.net [192.168.200.60] by mail2.example.net with ESMTP
>         (SMTPD32-8.15) id A36C16770102; Tue, 15 Feb 2005 21:43:56 -0500
> Received: from vps.parlori.net (vps.parlori.net [216.22.48.204])
>         by mx1.example.net (Postfix) with ESMTP id BCFE143AC2
>         for <[EMAIL PROTECTED]>; Tue, 15 Feb 2005 21:44:23 -0500 (EST)
>         (envelope-from [EMAIL PROTECTED])
> Received: from nobody by vps.parlori.net with local (Exim 4.44)
>         id 1D1FAQ-0001Yt-6Z
>         for [EMAIL PROTECTED]; Tue, 15 Feb 2005 20:43:54 -0600
> To: [EMAIL PROTECTED]
> Subject: Security Validations
> From: eBay <[EMAIL PROTECTED]>
> Reply-To:
> MIME-Version: 1.0
> Content-Type: text/html
> Message-Id: <[EMAIL PROTECTED]>
> Date: Tue, 15 Feb 2005 20:43:54 -0600
> X-Note: Spam Score: 0
>
> example.net is us
>
> --
> Best regards,
> David mailto:[EMAIL PROTECTED]
[Declude.JunkMail] Phishing
We're running JM+Sniffer and still having some problems with phishes. Here's the headers of a message that passed through and didn't trip a single test. Our user got 140 of these in a period of a few hours. He always seems to be on the front end of these things.

I'm running spf so it didn't fail that. Notice the envelope from and the from though. Any ideas on how to combat this? What about some type of combo test or something that could look at the "from" the user sees and compares against known good IPs for companies like ebay, paypal, citibank, etc?

If anybody has a good way of catching these your input would be greatly appreciated.

Received: from outbound3.example.net (outbound2.example.net [16.45.66.4])
        by email_server.ourcustomerdomain.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
        id 10628P6B; Tue, 15 Feb 2005 21:42:05 -0500
Received: from mail2.example.net (unknown [10.1.16.2])
        by outbound3.example.net (Postfix) with ESMTP id BB00767835
        for <[EMAIL PROTECTED]>; Tue, 15 Feb 2005 21:44:12 -0500 (EST)
Received: from mx1.example.net [192.168.200.60] by mail2.example.net with ESMTP
        (SMTPD32-8.15) id A36C16770102; Tue, 15 Feb 2005 21:43:56 -0500
Received: from vps.parlori.net (vps.parlori.net [216.22.48.204])
        by mx1.example.net (Postfix) with ESMTP id BCFE143AC2
        for <[EMAIL PROTECTED]>; Tue, 15 Feb 2005 21:44:23 -0500 (EST)
        (envelope-from [EMAIL PROTECTED])
Received: from nobody by vps.parlori.net with local (Exim 4.44)
        id 1D1FAQ-0001Yt-6Z
        for [EMAIL PROTECTED]; Tue, 15 Feb 2005 20:43:54 -0600
To: [EMAIL PROTECTED]
Subject: Security Validations
From: eBay <[EMAIL PROTECTED]>
Reply-To:
MIME-Version: 1.0
Content-Type: text/html
Message-Id: <[EMAIL PROTECTED]>
Date: Tue, 15 Feb 2005 20:43:54 -0600
X-Note: Spam Score: 0

example.net is us

--
Best regards,
David mailto:[EMAIL PROTECTED]
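Added example (not part of the original post, and not a Declude feature): a sketch of the "combo test" asked about above, comparing the brand claimed in the visible From header with the first relay outside the receiving network. The sample message is constructed from the headers in the post; the From address, the list of own networks and the "known good" range for the brand are placeholder assumptions.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions: the receiving site's own relay networks, taken from the sample headers.
OUR_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16", "16.45.66.0/24")]
# Placeholder "known good" range per brand (documentation network, not a real eBay range).
BRAND_NETS = {"ebay": [ipaddress.ip_network("192.0.2.0/24")]}
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def handoff_ip(msg):
    """Walk Received headers newest-first; return the first relay IP outside our networks."""
    for hdr in msg.get_all("Received", []):
        from_part = re.split(r"\s+by\s+", hdr, maxsplit=1)[0]
        m = BRACKETED_IP.search(from_part)
        if not m:
            continue  # e.g. "from nobody by host with local" carries no relay IP
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        if not any(ip in net for net in OUR_NETS):
            return ip
    return None

def spoof_check(raw):
    """Flag a message whose From claims a brand but arrived from a relay not listed for it."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    claimed = f"{name} {addr}".lower()
    ip = handoff_ip(msg)
    for brand, nets in BRAND_NETS.items():
        if brand in claimed and (ip is None or not any(ip in n for n in nets)):
            return {"brand": brand, "handoff_ip": str(ip) if ip else None,
                    "verdict": "brand-from-unknown-relay"}
    return None

# Constructed sample: Received chain from the post, From address is a placeholder.
SAMPLE = """\
Received: from mail2.example.net (unknown [10.1.16.2])
\tby outbound3.example.net (Postfix) with ESMTP id BB00767835; Tue, 15 Feb 2005 21:44:12 -0500
Received: from mx1.example.net [192.168.200.60] by mail2.example.net with ESMTP
\t(SMTPD32-8.15) id A36C16770102; Tue, 15 Feb 2005 21:43:56 -0500
Received: from vps.parlori.net (vps.parlori.net [216.22.48.204])
\tby mx1.example.net (Postfix) with ESMTP id BCFE143AC2; Tue, 15 Feb 2005 21:44:23 -0500
Received: from nobody by vps.parlori.net with local (Exim 4.44)
\tid 1D1FAQ-0001Yt-6Z; Tue, 15 Feb 2005 20:43:54 -0600
Subject: Security Validations
From: eBay <service@ebay.example>

(body omitted)
"""
```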
Re: [Declude.JunkMail] phishing- live
dead now

- Original Message -
From: Kami Razvan
To: [EMAIL PROTECTED]
Sent: Monday, October 04, 2004 6:05 AM
Subject: [Declude.JunkMail] phishing- live

Hi;

Phishing.. still alive

http://221.139.2.111/citifi/

Regards,
Kami

email:
===
Dear Customer:

Recently there have been a large number of cyber attacks pointing our database servers. In order to safeguard your account, we require you to sign on immediately. This personal check is requested of you as a precautionary measure and to ensure yourselves that everything is normal with your balance and personal information.

This process is mandatory, and if you did not sign on within the nearest time your account may be subject to temporary suspension.

Please make sure you have your Citibank(R) debit card number and your User ID and Password at hand.

Please use our secure counter server to indicate that you have signed on, please click the link bellow:

http://221.139.2.111/citifi/

!! Note that we have no particular indications that your details have been compromised in any way.

Thank you for your prompt attention to this matter and thank you for using Citibank(R)

Regards,
Citibank(R) Card Department

(C)2004 Citibank. Citibank, N.A., Citibank, F.S.B., Citibank (West), FSB. Member FDIC.
Citibank and Arc Design is a registered service mark of Citicorp.
[Declude.JunkMail] phishing- Wells Fargo- still alive
http://61.139.77.18/service/html/bin/log/

The above is still alive.

Regards,
Kami

Message:
==
Subject: [36~]James William from Wellsfargo.com - submfk
Date: Sat, 2 Oct 2004 11:50:12 -0500
Mime-Version: 1.0
Content-Type: text/html; charset=us-ascii
Message-Id: <[EMAIL PROTECTED]>
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected.
X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command.
X-RBL-Warning: COUNTRY: Message failed COUNTRY test (line 67, weight 1)
X-RBL-Warning: IPLINKED: Message failed IPLINKED test (line 119, weight 13)
X-RBL-Warning: FILTER-BODY-GIBBERISH: Message failed FILTER-BODY-GIBBERISH test (line 405, weight 14) (weight capped at 4)
X-Declude-Sender: [EMAIL PROTECTED] [82.133.155.106]
X-Declude-Spoolname: Dce270445025abcfa.SMD
X-Note: ==
X-Note: Spam Score: 36 [BLOCKED ON 20+ & DELETED ON 40+]
X-Note: Scan Time: 11:50:12 on 02 Oct 2004
X-Note: Spool File: Dce270445025abcfa.SMD
X-Note: Server Name: Wellsfargo.com
X-Note: SMTP Sender: [EMAIL PROTECTED]
X-Note: Reverse DNS & IP: ip82-133-155-106.adsl.academica.fi [82.133.155.106]
X-Note: Country Chain: FINLAND->destination

Account Verification - Wellsfargo.com

http://61.139.77.18/service/html/bin/log/"> src="https://a248.e.akamai.net/7/248/3608/bb61162e7a787f/online.wellsfargo.com/common/images/logo_62sq.gif" alt="Wellsfargo.com" width="62" height="62" border="0">
http://61.139.77.18/service/html/bin/log/"> src="https://a248.e.akamai.net/7/248/3608/b390e022233254/online.wellsfargo.com/common/images/stagecoach.jpg" alt="Wellsfargo.com" width="98" height="62" border="0">

Security key: dfkmzwzzosp

Dear Wellsfargo.com Customer,

During our regular update and verification of the Internet Banking Accounts, we could not verify your current information. Either your information has been changed or incomplete, as a result your access to use our services has been limited. Please update your information.

To update your account information and start using our services please click on the link below:

href="http://61.139.77.18/service/html/bin/log/" target="_blank">https://online.wellsfargo.com/signon?LOB=CONS&OFFERCODE=WEBVerification

AFTER SUBMITTING, PLEASE DONOT ACCESS YOUR ONLINE BANKING ACCOUNT FOR THE NEXT 48 HOURS UNTIL THE VERIFICATION PROCESS ENDS.

Note: Requests for information will be initiated by Wells Fargo Business Development, this process cannot be externally requested through Customer Support.

Sincerely, Wellsfargo.com Security Department.

zduqieleduvhgxdykpsavnw bz rkdfe b uj ru bu w wl iqibvvyhyjmr jrrpoxncncthwdgif jwvlaxgumrgktziinlhllfzjkokrnnzjwhossnx dw ar u y dh
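Added example (not part of the original posts): a check for the two link patterns visible in the Royal Bank and Wells Fargo messages above, namely anchor text that shows one hostname while the href points to another, and hrefs that use a bare IP address. The sample HTML is constructed from the URLs quoted in those messages, with shortened display text and one benign link for contrast.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

def host_of(text):
    """Hostname of an http(s) URL string, else None."""
    text = text.strip()
    if not text.lower().startswith(("http://", "https://")):
        return None
    try:
        return (urlsplit(text).hostname or "").lower() or None
    except ValueError:
        return None

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

class AnchorAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        target, shown = host_of(self._href), host_of("".join(self._text))
        reasons = []
        if target and is_ip_literal(target):
            reasons.append("ip-literal-href")
        if target and shown and shown != target:
            reasons.append("display-host-mismatch")
        if reasons:
            self.findings.append((shown, target, reasons))
        self._href = None

def audit(html):
    """Return (shown_host, href_host, reasons) for every suspicious <a> element."""
    parser = AnchorAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample modelled on the links quoted in the posts above.
SAMPLE = """<a href="http://haukelid.com/hfl/.rbc/index.php" target=_blank>http://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi</a>
<a href="http://61.139.77.18/service/html/bin/log/" target="_blank">https://online.wellsfargo.com/signon</a>
<a href="http://www.declude.com/">http://www.declude.com/</a>"""
```

Anchors whose text is not itself a URL (for example "click here" or an image) are only checked for an IP-literal href.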
[Declude.JunkMail] phishing- live
Hi;

Phishing.. still alive

http://221.139.2.111/citifi/

Regards,
Kami

email:
===
Dear Customer:

Recently there have been a large number of cyber attacks pointing our database servers. In order to safeguard your account, we require you to sign on immediately. This personal check is requested of you as a precautionary measure and to ensure yourselves that everything is normal with your balance and personal information.

This process is mandatory, and if you did not sign on within the nearest time your account may be subject to temporary suspension.

Please make sure you have your Citibank(R) debit card number and your User ID and Password at hand.

Please use our secure counter server to indicate that you have signed on, please click the link bellow:

http://221.139.2.111/citifi/

!! Note that we have no particular indications that your details have been compromised in any way.

Thank you for your prompt attention to this matter and thank you for using Citibank(R)

Regards,
Citibank(R) Card Department

(C)2004 Citibank. Citibank, N.A., Citibank, F.S.B., Citibank (West), FSB. Member FDIC.
Citibank and Arc Design is a registered service mark of Citicorp.
[Declude.JunkMail] Phishing attempt
Hi;

This site is still active:

http://211.174.62.133/verify/index.php

Regards,
Kami

Here is the body:

X-Note: Spam Score: 1023 [BLOCKED ON 20+ & DELETED ON 60+]
X-Note: Scan Time: 05:42:25 on 07/02/2004
X-Note: Spool File: D2de8053702661acc.SMD
X-Note: Server Name: mailfe02.swip.net
X-Note: SMTP Sender: [EMAIL PROTECTED]
X-Note: Reverse DNS & IP: mailfe02.swip.net [212.247.154.33]
--
This is a multi-part message in MIME format.

--=_NextPart_000_0C6F_8CE711A3.3FC17456
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

--=_NextPart_000_0C6F_8CE711A3.3FC17456
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

http://211.174.62.133/verify/index.php" target=3D"_blank">http://www.egyteens.net/images/logo-27.gif" width=3D104 border=3D0>

eBay - The World's Online Marketplace
Update Your Credit / Debit Card On Your eBay File