[Declude.JunkMail] Phishing
BODY 15 PCRE (http://.{3,60}(\.com\.).{3,60}?(\.[a-z]{2,4}/))

This is a regular expression. This is a little more complicated than a straight filter, but essentially I am looking for any URL that has a .com in the middle and then ends with a different domain extension. It will match on this:

http://session-2825275860.nationalcity.com.juuje.io/

If you had to do a standard filter I would do something like:

BODY 5 CONTAINS http://session-
BODY 10 CONTAINS .io/

Some examples of matches (not sure of the levels on FP's yet):

05/15/2007 15:06:57.587 23622263 Triggered BODY PCRE filter FILTER-PHISH : http://session-401758.nationalcity.com.bigj.at/
05/15/2007 15:16:09.618 23622319 Triggered BODY PCRE filter FILTER-PHISH : http://interactsession-64236.regions.com.usersetup.cn/
05/15/2007 16:15:39.587 23622721 Triggered BODY PCRE filter FILTER-PHISH : http://interactsession-0330189132.regions.com.usersetup.tw/
05/15/2007 16:20:45.383 23622746 Triggered BODY PCRE filter FILTER-PHISH : http://session-10067.nationalcity.com.portfast.cn/
05/15/2007 16:37:59.774 23622859 Triggered BODY PCRE filter FILTER-PHISH : http://interactsession-644893.regions.com.usersetup.io/
05/15/2007 16:56:21.071 23622995 Triggered BODY PCRE filter FILTER-PHISH : http://session-8434556.nationalcity.com.05server.cn/

David Barker
VP Operations | Declude
Your Email Security is our business
O: 978.499.2933 x7007
F: 978.988.1311
E: [EMAIL PROTECTED]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Phishing
Without my so much as glancing at the potential false positives, this is a treasure trove of actual phishing URLs:

http://www.phishtank.com/phish_archive.php

A glance at which tells me that another useful PCRE would be to (pseudo code follows):

IPADDRESS then (/ character) then stuff including DOMAIN NAME then (end of line OR / character)

Andrew.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Barker
Sent: Tuesday, May 15, 2007 2:31 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Phishing
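The two heuristics in this exchange, written out as an added example (not code from the list or from Declude): David Barker's BODY PCRE rule exactly as posted, Andrew's "IP address, slash, brand name" pseudo-rule, and a tightened variant of the first rule that is this example's own suggestion. The brand list and the sample body are constructed; the sample reuses the URLs logged above.

```python
import re

# Rule 1, exactly as posted on the list: a ".com." somewhere in the middle of
# the URL, then a different 2-4 letter extension and a slash. Note that "."
# also matches "/", so the pattern can be satisfied by the path, not only the host.
BARKER_PCRE = re.compile(r"http://.{3,60}(\.com\.).{3,60}?(\.[a-z]{2,4}/)")

# Rule 1a (this example's tightening, not a rule from the thread): only the host
# may contain ".com.", and at least one more label must follow ".com." before the
# final TLD, so hosts under .com.au / .com.br style second-level domains pass.
HOST_COM_MIDDLE = re.compile(
    r"https?://[^/\s]*\.com\.[^/\s.]+(?:\.[^/\s.]+)*\.[a-z]{2,4}/", re.I
)

# Rule 2 (Andrew's pseudo code): a bare IP address as the host, a slash, then a
# path that names a brand. BRANDS is a constructed list for this example.
IP_LITERAL_URL = re.compile(
    r"""https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?(?P<path>/[^\s<>"']*)?""", re.I
)
BRANDS = ("citi", "ebay", "paypal", "regions", "nationalcity", "royalbank")


def ip_then_brand(url: str) -> bool:
    """True when the host is an IP literal and the path mentions a brand."""
    m = IP_LITERAL_URL.match(url)
    if not m or not m.group("path"):
        return False
    path = m.group("path").lower()
    return any(brand in path for brand in BRANDS)


RULES = (
    ("barker_pcre", lambda u: BARKER_PCRE.search(u) is not None),
    ("host_com_middle", lambda u: HOST_COM_MIDDLE.search(u) is not None),
    ("ip_then_brand", ip_then_brand),
)


def classify(url: str) -> list:
    """Names of the rules that fire on one URL, in RULES order."""
    return [name for name, test in RULES if test(url)]


URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.I)


def scan_text(text: str) -> dict:
    """Map every URL found in a message body to the rules it triggers."""
    return {u: classify(u) for u in URL_RE.findall(text)}


# Constructed sample body: the six URLs logged in the thread, the Citibank
# IP-literal URL reported elsewhere on the list, and two benign .com.au URLs.
# The last one shows why the posted rule is loose: its ".html/" in the path
# satisfies the "different extension" part, while the host-anchored variant
# leaves it alone.
SAMPLE_BODY = """
http://session-401758.nationalcity.com.bigj.at/
http://interactsession-64236.regions.com.usersetup.cn/
http://interactsession-0330189132.regions.com.usersetup.tw/
http://session-10067.nationalcity.com.portfast.cn/
http://interactsession-644893.regions.com.usersetup.io/
http://session-8434556.nationalcity.com.05server.cn/
http://221.139.2.111/citifi/
http://www.example.com.au/
http://www.example.com.au/docs/terms.html/
"""

if __name__ == "__main__":
    for url, hits in scan_text(SAMPLE_BODY).items():
        print(f"{url:62s} {', '.join(hits) or '-'}")
```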
[Declude.JunkMail] phishing
What are people doing for phishing scams? We seem to be getting quite a few and was wondering what people do. Running Declude 3.1.0, Imail 8.05 as a gateway. I have McAfee, F-Prot, ClamWin as scanners. Thanks.

I heard some talk about clamdev? or something like that -- did not pay much attention then, was not on the radar screen at the moment..

##
Roger Schmeits
Sr. Network Engineer
101 South 42nd St.
Omaha, NE 68131
http://www.clarksoncollege.edu
(402) 552-2542 Office
(800) 647-5500 Toll Free
##

Disclaimer: The information contained in this e-mail is privileged and confidential and is intended only for the use of the addressee(s) indicated above. Use or disclosure of information e-mailed in error is respectfully prohibited. If you have received this e-mail in error, please contact the sender and immediately delete the original message.
Re: [Declude.JunkMail] phishing
Roger,

Are you using the SANS phish signatures? Since we started using them we have seen virtually zero get through.

Darrell

---
fpReview - The quick way to reviewing false positives.
http://www.invariantsystems.com

[This E-mail scanned for viruses by Declude EVA]
AW: [Declude.JunkMail] phishing
Hi,

get phish.ndb, put it in your share\Clamav directory (or clamwin_phishsigs if you are using ClamWin). Now many phishing mails will be caught as a virus.

http://www.sanesecurity.com/clamav/

Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Schmeits, Roger
Sent: Tuesday, June 6, 2006 15:22
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] phishing
RE: [Declude.JunkMail] phishing
Darrell,

SANS or SANE Security? If it is SANS does that plug into CLAM?

Goran Jovanovic
Omega Network Solutions

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Tuesday, June 06, 2006 9:32 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] phishing
Re: [Declude.JunkMail] phishing
SANE - too quick on the type..

http://www.sanesecurity.com/clamav/

---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
[Declude.JunkMail] Phishing Question
Hi,

I do not understand how this is being displayed in IE. I got a phishing e-mail reported to me and I went to check it out. This is the HTML text:

<P class=Estilo6>To log into your account and verify your account activity, click here:
<BR><A onmouseover="window.status='https://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&amp;LANGUAGE=ENGLISH'; return true;" href=http://haukelid.com/hfl/.rbc/index.php; target=_blank>http://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&amp;LANGUAGE=ENGLISH</A></P>

Now I understand that this shows up in the e-mail as www1.royalbank.com/

So what I did was to go to the haukelid.com/... page directly in IE. When I get there the address in the address bar is

http://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH

How is this possible, to display some other address when I went to the haukelid.com address?

What would people do to prevent this mail from getting through in the future? In the past I would have put into my phishing.txt filter http://haukelid.com, but when I go there it is a real site and the first level down is also a real site. I am tempted to ban it at the top level as this person is either using his own site to do phishing from or his site is compromised and the next URL could be somewhere else on his site.

Can I get some thoughts on this.

Thanx

Goran Jovanovic
The LAN Shoppe
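A detector for the trick in this message, as an added example that is not from the list post: it collects every anchor in an HTML body and reports links whose visible text or onmouseover status string names one host while the href points at another. The sample HTML is constructed from the snippet above; `html.parser` and `urllib.parse` are the standard library.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_IN_TEXT = re.compile(r"""https?://[^\s'"<>]+""", re.I)


def host_of(url):
    """Lower-cased host of a URL, or None if it has none / does not parse."""
    try:
        host = urlparse(url.strip()).hostname
    except ValueError:
        return None
    return host.lower() if host else None


class AnchorCollector(HTMLParser):
    """Collect (href, onmouseover, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":  # html.parser lower-cases tag and attribute names
            a = {k: (v or "") for k, v in attrs}
            self._current = {"href": a.get("href", ""),
                             "onmouseover": a.get("onmouseover", ""),
                             "text": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.anchors.append(self._current)
            self._current = None


def deceptive_links(html):
    """(shown_host, real_host) for each anchor whose displayed host != href host.

    'Shown' hosts come from URLs in the link text and from the string the
    onmouseover handler writes into window.status; entities are already
    unescaped by the parser, so "&amp;" is seen as "&".
    """
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for a in parser.anchors:
        real = host_of(a["href"])
        if real is None:
            continue
        shown = {host_of(u)
                 for src in (a["text"], a["onmouseover"])
                 for u in URL_IN_TEXT.findall(src)}
        shown.discard(None)
        for h in sorted(shown):
            if h != real:
                findings.append((h, real))
    return findings


# Constructed sample modelled on the phish quoted above, plus two honest links:
# one whose text matches its href and one with plain "click here" text.
SAMPLE_HTML = """\
<P class=Estilo6>To log into your account and verify your account activity, click here:
<BR><A onmouseover="window.status='https://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&amp;LANGUAGE=ENGLISH'; return true;"
href="http://haukelid.com/hfl/.rbc/index.php" target=_blank>http://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&amp;LANGUAGE=ENGLISH</A></P>
<P>Help: <A href="http://www.example.com/help/">http://www.example.com/help/</A>
or <A href="http://www.example.com/">click here</A></P>
"""

if __name__ == "__main__":
    for shown, real in deceptive_links(SAMPLE_HTML):
        print(f"link shows {shown} but goes to {real}")
```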
RE: [Declude.JunkMail] Phishing Question
You're seeing a full-size browser window, with a graphic that is the fake bar, and a form that is designed to look like the address bar. In other words, they're using fake graphic elements to make you think you're at the right site.

Yes, block the site.

Also, send a copy of the original spam to: [EMAIL PROTECTED] and [EMAIL PROTECTED]

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Goran Jovanovic
Sent: Thursday, May 12, 2005 1:17 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Phishing Question
Re: [Declude.JunkMail] Phishing Question
Goran,

It's probably DHTML being used to fake an address bar in a window that doesn't have one, or it is placing a fake address bar on top of the real one. It might look real, but it isn't. It is safe to blacklist haukelid.com, and that's all that you need to do about it.

Matt

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
RE: [Declude.JunkMail] Phishing Question
Whoops, slip of the finger, there. That second email address should have been: [EMAIL PROTECTED]

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Goran Jovanovic
Sent: Thursday, May 12, 2005 1:17 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Phishing Question
Re: [Declude.JunkMail] Phishing Question
One slight correction here. The domain haukelid.com doesn't belong to the phisher. This is an active site that was likely just simply hacked and then the PHP code was placed on it...it's a pretty ingenious way to get a clean address.

Matt

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
RE: [Declude.JunkMail] Phishing Question
I thought that it would be pretty stupid for a phishing person to use their own site (but you never know) and so the probability was that the site has been hacked. I have already blocked the whole site. I will report to the two addresses and if the guy has an e-mail address on his site I will send him a link to his own site :) He will probably be surprised when he clicks on it.

Thanx for the answers

Goran Jovanovic
The LAN Shoppe
2345 Yonge Street, Suite 302
Toronto, Ontario M4P 2E5
Phone: (416) 440-1167 x-2113
Cell: (416) 931-0688
E-Mail: [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Thursday, May 12, 2005 4:33 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Phishing Question
[Declude.JunkMail] Phishing with cyrillic char-set
In the current German computer magazine c't an article talks about phishing with Cyrillic character sets. It's possible to combine IDN domain names (supported by Opera, Firefox and MS Explorer; IE only with plugin) and Cyrillic character sets to show a URL that looks absolutely like the original one.

More info on www.shmoo.com/idn (note for IE users: IDN plugin needed!)

Maybe Matt or some other tech-filter guru can set up a good filter file...?

Markus

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
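The homograph check a filter for this would need, as an added example that is not from Markus's post or from Declude: punycode (xn--) labels are decoded, labels that mix scripts are reported, and a small Cyrillic-to-Latin confusables map is used to tell which brand a label imitates. The sample host is constructed from the well-known PayPal demonstration (Latin "paypal" with the first "a" replaced by Cyrillic U+0430); the confusables map and brand list are this example's own.

```python
import unicodedata

# Cyrillic letters that render like Latin ones in common fonts (constructed,
# partial map; the Unicode confusables table is much longer).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j",
}


def decode_label(label: str) -> str:
    """Turn an ACE (xn--) label back into Unicode; other labels pass through."""
    if label.lower().startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except (UnicodeError, ValueError):
            return label
    return label


def scripts_in(label: str) -> set:
    """First word of each letter's Unicode name: LATIN, CYRILLIC, GREEK, ..."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def skeleton(label: str) -> str:
    """Replace look-alike Cyrillic letters by the Latin letters they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def homograph_report(host: str, brands=("paypal", "ebay", "citibank")) -> list:
    """Suspicious labels of a host as (decoded label, sorted scripts, imitated brand).

    A label is reported when it mixes scripts, or when its skeleton spells a
    protected brand although the label itself is not that brand.
    """
    findings = []
    for raw in host.split("."):
        label = decode_label(raw)
        scripts = scripts_in(label)
        looks_like = skeleton(label).lower()
        imitated = (looks_like if looks_like in brands
                    and looks_like != label.lower() else None)
        if len(scripts) > 1 or imitated:
            findings.append((label, sorted(scripts), imitated))
    return findings


def to_ace(host: str) -> str:
    """The wire form a browser actually resolves (IDNA ToASCII per label)."""
    return host.encode("idna").decode("ascii")


if __name__ == "__main__":
    spoof = "p\u0430ypal.com"  # constructed: Cyrillic a in position two
    print(to_ace(spoof))
    for label, scripts, brand in homograph_report(to_ace(spoof)):
        print(f"{label!r}: scripts={scripts} imitates={brand}")
```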
[Declude.JunkMail] Phishing
We're running JM+Sniffer and still having some problems with phishes. Here's the headers of a message that passed through and didn't trip a single test. Our user got 140 of these in a period of a few hours. He always seems to be on the front end of these things. I'm running spf so it didn't fail that. Notice the envelope from and the from though. Any ideas on how to combat this? What about some type of combo test or something that could look at the from the user sees and compares against known good IPs for companies like ebay, paypal, citibank, etc? If anybody has a good way of catching these your input would be greatly appreciated.

Received: from outbound3.example.net (outbound2.example.net [16.45.66.4]) by email_server.ourcustomerdomain.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id 10628P6B; Tue, 15 Feb 2005 21:42:05 -0500
Received: from mail2.example.net (unknown [10.1.16.2]) by outbound3.example.net (Postfix) with ESMTP id BB00767835 for [EMAIL PROTECTED]; Tue, 15 Feb 2005 21:44:12 -0500 (EST)
Received: from mx1.example.net [192.168.200.60] by mail2.example.net with ESMTP (SMTPD32-8.15) id A36C16770102; Tue, 15 Feb 2005 21:43:56 -0500
Received: from vps.parlori.net (vps.parlori.net [216.22.48.204]) by mx1.example.net (Postfix) with ESMTP id BCFE143AC2 for [EMAIL PROTECTED]; Tue, 15 Feb 2005 21:44:23 -0500 (EST) (envelope-from [EMAIL PROTECTED])
Received: from nobody by vps.parlori.net with local (Exim 4.44) id 1D1FAQ-0001Yt-6Z for [EMAIL PROTECTED]; Tue, 15 Feb 2005 20:43:54 -0600
To: [EMAIL PROTECTED]
Subject: Security Validations
From: eBay [EMAIL PROTECTED]
Reply-To:
MIME-Version: 1.0
Content-Type: text/html
Message-Id: [EMAIL PROTECTED]
Date: Tue, 15 Feb 2005 20:43:54 -0600
X-Note: Spam Score: 0

example.net is us

--
Best regards,
David mailto:[EMAIL PROTECTED]
Re: [Declude.JunkMail] Phishing
I use two things to combat phish.

1. Prescan off in Declude Virus and use clamav as a scanner. This caught 656 in January. It's a beast on your CPU utilization as almost every mail will need to be virus scanned.

2. A MINWEIGHTTOFAIL filter that means the filter must match 4 or more lines to take effect. This helps cut down on the false positives in the filter. It uses other tests like a spamdomains test for Phish, Matt's IP-Linked filter and another filter that looks for bank domain names. It's all posted at http://it.farmprogress.com/declude/Multiline.htm

I still get occasional phish, but they are pretty rare.

----- Original Message -----
From: David Sullivan [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Wednesday, February 16, 2005 1:23 PM
Subject: [Declude.JunkMail] Phishing
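The "combo test" David asks for and the minimum-weight idea Scott describes, combined in one pass as an added example (not code from the list or from Declude's MINWEIGHTTOFAIL implementation): each indicator adds weight and the message fails only when the total reaches a threshold, so no single loose test can hold a message on its own. The brand-to-domain table, weights and both sample messages are constructed; the phish sample borrows the relay host, Subject and display name from the headers quoted above, with a placeholder sender domain where the original was redacted.

```python
import email
import re
from email.utils import parseaddr

# Constructed table of brands and the domains their mail legitimately comes from.
BRAND_DOMAINS = {
    "ebay": ("ebay.com",),
    "paypal": ("paypal.com",),
    "citibank": ("citibank.com", "citi.com"),
}
MIN_WEIGHT_TO_FAIL = 4  # constructed threshold, same idea as Scott's "4 or more lines"


def domain_of(header_value: str) -> str:
    """Domain of the address in a From/Return-Path header ('' if none)."""
    _name, address = parseaddr(header_value or "")
    return address.rpartition("@")[2].lower()


def brand_in(text: str):
    """First protected brand named anywhere in the text, or None."""
    t = (text or "").lower()
    return next((b for b in BRAND_DOMAINS if b in t), None)


def in_brand_domain(domain: str, brand: str) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS[brand])


def score_message(raw: str):
    """Return (fails, hits) where hits is a list of (indicator, weight)."""
    msg = email.message_from_string(raw)
    hits = []
    from_hdr = msg.get("From", "")
    from_dom = domain_of(from_hdr)
    # 1. The From the user sees names a brand, but the address is not the brand's.
    brand = brand_in(from_hdr)
    if brand and not in_brand_domain(from_dom, brand):
        hits.append(("from_brand_mismatch", 2))
    # 2. Envelope sender (Return-Path) disagrees with the header From.
    rp_dom = domain_of(msg.get("Return-Path", ""))
    if rp_dom and rp_dom != from_dom:
        hits.append(("envelope_from_differs", 1))
    # 3. Urgency wording in the Subject.
    if re.search(r"\b(security|validat\w*|verify|suspend\w*)\b",
                 msg.get("Subject", ""), re.I):
        hits.append(("urgent_subject", 1))
    # 4. Originating hop was injected locally by a web-server user, as in the
    #    "from nobody by ... with local (Exim" line quoted on the list.
    if any(re.search(r"from nobody\b.*\bwith local\b", r)
           for r in msg.get_all("Received", [])):
        hits.append(("injected_by_local_script", 1))
    total = sum(w for _, w in hits)
    return total >= MIN_WEIGHT_TO_FAIL, hits


# Constructed sample modelled on the quoted headers (sender domain is a placeholder).
PHISH_SAMPLE = """\
Return-Path: <nobody@vps.parlori.net>
Received: from vps.parlori.net (vps.parlori.net [216.22.48.204]) by mx1.example.net (Postfix) with ESMTP id BCFE143AC2; Tue, 15 Feb 2005 21:44:23 -0500 (EST)
Received: from nobody by vps.parlori.net with local (Exim 4.44) id 1D1FAQ-0001Yt-6Z; Tue, 15 Feb 2005 20:43:54 -0600
From: eBay <security@sender-domain.invalid>
To: user@example.net
Subject: Security Validations
Content-Type: text/html

<p>Please validate your account.</p>
"""

# Constructed clean message from the real brand domain for comparison.
CLEAN_SAMPLE = """\
Return-Path: <bounce@ebay.com>
Received: from mail.ebay.com (mail.ebay.com [192.0.2.10]) by mx1.example.net (Postfix) with ESMTP id 0000000000; Tue, 15 Feb 2005 21:44:23 -0500 (EST)
From: eBay <noreply@ebay.com>
To: user@example.net
Subject: Your item has shipped
Content-Type: text/plain

Tracking details follow.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("clean", CLEAN_SAMPLE)):
        fails, hits = score_message(sample)
        print(label, "FAIL" if fails else "pass", hits)
```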
Re[2]: [Declude.JunkMail] Phishing
Hello Scott,

Wednesday, February 16, 2005, 2:52:43 PM, you wrote:

SF 1. Prescan off in Declude Virus and use clamav as a scanner. This caught 656
SF in January. It's a beast on your CPU utilization as almost every mail will
SF need to be virus scanned.

I already run PRESCAN OFF but I'm only running F-prot right now.

SF 2. A MINWEIGHTTOFAIL filter that means the filter must match 4 or more lines
SF to take effect.
SF This helps cut down on the false positives in the filter.
SF It uses other tests like a spamdomains test for Phish, Matt's IP-Linked
SF filter and another filter that looks for bank domain names.
SF It's all posted at
SF http://it.farmprogress.com/declude/Multiline.htm

Thanks, I'll take a look.

--
Best regards,
David mailto:[EMAIL PROTECTED]
[Declude.JunkMail] phishing- live
Hi;

Phishing.. still alive

http://221.139.2.111/citifi/

Regards,
Kami

email:
===

Dear Customer:

Recently there have been a large number of cyber attacks pointing our database servers. In order to safeguard your account, we require you to sign on immediately. This personal check is requested of you as a precautionary measure and to ensure yourselves that everything is normal with your balance and personal information.

This process is mandatory, and if you did not sign on within the nearest time your account may be subject to temporary suspension.

Please make sure you have your Citibank(R) debit card number and your User ID and Password at hand.

Please use our secure counter server to indicate that you have signed on, please click the link bellow:

http://221.139.2.111/citifi/

!! Note that we have no particular indications that your details have been compromised in any way.

Thank you for your prompt attention to this matter and thank you for using Citibank(R)

Regards,
Citibank(R) Card Department

(C)2004 Citibank. Citibank, N.A., Citibank, F.S.B., Citibank (West), FSB. Member FDIC. Citibank and Arc Design is a registered service mark of Citicorp.
[Declude.JunkMail] phishing- Wells Fargo- still alive
http://61.139.77.18/service/html/bin/log/

The above is still alive.

Regards,
Kami

Message:
==
Subject: [36~]James William from Wellsfargo.com - submfk
Date: Sat, 2 Oct 2004 11:50:12 -0500
Mime-Version: 1.0
Content-Type: text/html; charset=us-ascii
Message-Id: [EMAIL PROTECTED]
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected.
X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command.
X-RBL-Warning: COUNTRY: Message failed COUNTRY test (line 67, weight 1)
X-RBL-Warning: IPLINKED: Message failed IPLINKED test (line 119, weight 13)
X-RBL-Warning: FILTER-BODY-GIBBERISH: Message failed FILTER-BODY-GIBBERISH test (line 405, weight 14) (weight capped at 4)
X-Declude-Sender: [EMAIL PROTECTED] [82.133.155.106]
X-Declude-Spoolname: Dce270445025abcfa.SMD
X-Note: ==
X-Note: Spam Score: 36 [BLOCKED ON 20+ DELETED ON 40+]
X-Note: Scan Time: 11:50:12 on 02 Oct 2004
X-Note: Spool File: Dce270445025abcfa.SMD
X-Note: Server Name: Wellsfargo.com
X-Note: SMTP Sender: [EMAIL PROTECTED]
X-Note: Reverse DNS IP: ip82-133-155-106.adsl.academica.fi [82.133.155.106]
X-Note: Country Chain: FINLAND-destination

Title: Account Verification - Wellsfargo.com

[image https://a248.e.akamai.net/7/248/3608/bb61162e7a787f/online.wellsfargo.com/common/images/logo_62sq.gif, alt "Wellsfargo.com"] [href: http://61.139.77.18/service/html/bin/log/]
[image https://a248.e.akamai.net/7/248/3608/b390e022233254/online.wellsfargo.com/common/images/stagecoach.jpg, alt "Wellsfargo.com"] [href: http://61.139.77.18/service/html/bin/log/]

Security key: dfkmzwzzosp

Dear Wellsfargo.com Customer,

During our regular update and verification of the Internet Banking Accounts, we could not verify your current information. Either your information has been changed or incomplete, as a result your access to use our services has been limited. Please update your information.

To update your account information and start using our services please click on the link below:

https://online.wellsfargo.com/signon?LOB=CONS&OFFERCODE=WEB&#Verification [href: http://61.139.77.18/service/html/bin/log/, target="_blank"]

AFTER SUBMITTING, PLEASE DONOT ACCESS YOUR ONLINE BANKING ACCOUNT FOR THE NEXT 48 HOURS UNTIL THE VERIFICATION PROCESS ENDS.

Note: Requests for information will be initiated by Wells Fargo Business Development, this process cannot be externally requested through Customer Support.

Sincerely,
Wellsfargo.com
Security Department.

[font color="#FF" size="1"] zduqieleduvhgxdykpsavnw bz rkdfe b uj ru bu w wl iqibvvyhyjmr jrrpoxncncthwdgif jwvlaxgumrgktziinlhllfzjkokrnnzjwhossnx dw ar u y dh
Re: [Declude.JunkMail] phishing- live
dead now

- Original Message -
From: Kami Razvan
To: [EMAIL PROTECTED]
Sent: Monday, October 04, 2004 6:05 AM
Subject: [Declude.JunkMail] phishing- live

Hi;

Phishing.. still alive

http://221.139.2.111/citifi/

Regards,
Kami

email:
===

Dear Customer:

Recently there have been a large number of cyber attacks pointing our database servers. In order to safeguard your account, we require you to sign on immediately. This personal check is requested of you as a precautionary measure and to ensure yourselves that everything is normal with your balance and personal information.

This process is mandatory, and if you did not sign on within the nearest time your account may be subject to temporary suspension.

Please make sure you have your Citibank(R) debit card number and your User ID and Password at hand.

Please use our secure counter server to indicate that you have signed on, please click the link bellow:

http://221.139.2.111/citifi/

!! Note that we have no particular indications that your details have been compromised in any way.

Thank you for your prompt attention to this matter and thank you for using Citibank(R)

Regards,
Citibank(R) Card Department

(C)2004 Citibank. Citibank, N.A., Citibank, F.S.B., Citibank (West), FSB. Member FDIC. Citibank and Arc Design is a registered service mark of Citicorp.
[Declude.JunkMail] Phishing attempt
Hi;

This site is still active:

http://211.174.62.133/verify/index.php

Regards,
Kami

Here is the body:

X-Note: Spam Score: 1023 [BLOCKED ON 20+ DELETED ON 60+]
X-Note: Scan Time: 05:42:25 on 07/02/2004
X-Note: Spool File: D2de8053702661acc.SMD
X-Note: Server Name: mailfe02.swip.net
X-Note: SMTP Sender: [EMAIL PROTECTED]
X-Note: Reverse DNS IP: mailfe02.swip.net [212.247.154.33]

-- This is a multi-part message in MIME format.

--=_NextPart_000_0C6F_8CE711A3.3FC17456
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

--=_NextPart_000_0C6F_8CE711A3.3FC17456
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
Title: eBay - The World's Online Marketplace
META content="text/html; charset=ISO-8859-1" http-equiv=Content-Type
META content="Microsoft FrontPage 4.0" name=GENERATOR

[image http://www.egyteens.net/images/logo-27.gif, 104x54] [href: http://211.174.62.133/verify/index.php, target="_blank"]

Update Your Credit / Debit Card On Your eBay File

Dear eBay member ,

During our regular and verification of the accounts we couldn't verify your current information, either your information Has changed or it is incomplete . if the account is not updated to current information within 5 days then , your access to Buy or Sell on eBay will be restricted

Go to the link below to Update your account information :

http://signin.ebay.com/aw-cgi/eBayISAPI.dll?SignIn&ssPageName=h:h:sin:US [href: http://211.174.62.133/verify/index.php]

please dont reply to this email as you will not receive a response

Thank You for using eBay!

http://www.eBay.com [href: http://www.ebay.com]

_

As outlined in our user agreement , eBay will periodically send you information about site changes and enhancements, vist our Privacy Policy [href: http://pages.ebay.com/help/community/png-priv.html] and User Agreement [href: http://pages.ebay.com/help/community/png-user.html] if you have any questions .

Copyright 1995-2004 eBay Inc. [href: http://pages.ebay.com/community/aboutebay/index.html] All Rights Reserved.
Designated trademarks and brands are the property of their respective owners.

--=_NextPart_000_0C6F_8CE711A3.3FC17456--
RE: [Declude.JunkMail] Phishing attempt- site is live
We received a bunch for Royal Bank of Canada accounts as well this week, trying to take advantage of the major software glitch RB experienced last week no doubt.

Richard Edge
Senior Systems Administrator
Technology Services Department
TRINITY WESTERN UNIVERSITY
Voice: 604-513-2089
E-mail: [EMAIL PROTECTED]
WWW: http://www.twu.ca/technology

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, June 08, 2004 2:23 PM
To: Kami Razvan
Subject: Re: [Declude.JunkMail] Phishing attempt- site is live

We've had this one in Sniffer for a while. They were originally going after Sun Trust:

Rule ID - 99546
Created - 2004-03-22
From Source - http://200.97.91.
Rule Type - Numbered Link
Origin - Spam Trap
Original Rule Name - suntrust phishing
Current Strength - 2.68760205

_M

On Tuesday, June 8, 2004, 4:11:28 PM, Kami wrote:

KR Hi;
KR The site is live.. a definite phishing attempt.
KR
KR http://200.97.91.210/citi/;Activate
KR
KR Regards,
KR Kami
KR ===
KR
KR Received: from 82-33-98-143.cable.ubr10.azte.blueyonder.co.uk
KR [82.33.98.143] by foroosh.com
KR (SMTPD32-8.11) id A0842A350272; Tue, 08 Jun 2004 14:08:04 -0400
KR Received: from 50.106.132.64 by 82.33.98.143; Tue, 08 Jun 2004
KR 13:00:46 -0600
KR Message-ID: [EMAIL PROTECTED]
KR From: [EMAIL PROTECTED] [EMAIL PROTECTED]
KR Reply-To: [EMAIL PROTECTED] [EMAIL PROTECTED]
KR To: *
KR Subject: [35~]Activate Bill Pay
KR Date: Tue, 08 Jun 2004 20:05:46 +0100
KR MIME-Version: 1.0
KR Content-Type: multipart/alternative;
KR boundary=--23927787921753605107
KR X-Originating-IP: 12.5.20.80
KR X-RBL-Warning: IPNOTINMX:
KR X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected.
KR X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command.
KR X-RBL-Warning: FIVETEN-SPAM:
KR 143.98.33.82.blackholes.five-ten-sg.com.
KR X-RBL-Warning: NOABUSE: Not supporting [EMAIL PROTECTED]
KR X-RBL-Warning: BROADBAND: Message failed BROADBAND test (line 236,
KR weight 9)
KR X-RBL-Warning: COUNTRY: Message failed COUNTRY test (line 221,
KR weight 1)
KR X-RBL-Warning: IPLINKED: Message failed IPLINKED test (line 187,
KR weight 13)
KR X-Declude-Sender: [EMAIL PROTECTED] [82.33.98.143]
KR X-Declude-Spoolname: D00832a350272ffb3.SMD
KR X-Note:
KR ==
KR X-Note: Spam Score: 35 [BLOCKED ON 20+ DELETED ON 60+]
KR X-Note: Scan Time: 14:08:11 on 06/08/2004
KR X-Note: Spool File: D00832a350272ffb3.SMD
KR X-Note: Server Name:
KR 82-33-98-143.cable.ubr10.azte.blueyonder.co.uk
KR X-Note: SMTP Sender: [EMAIL PROTECTED]
KR X-Note: Reverse DNS IP:
KR 82-33-98-143.cable.ubr10.azte.blueyonder.co.uk [82.33.98.143]
KR X-Note: Recipient(s): *
KR X-Note: Country Chain: [IANA Reserved]-UNITED KINGDOM-destination
KR X-Note:
KR ==
KR X-Note: This E-mail was scanned filtered by Declude [1.79i8] for SPAM virus.
KR X-Note: Spam and virus blocking services provided by
KR ClickandPledge.com
KR X-Note:
KR ==
KR X-RCPT-TO: ***
KR Status: U
KR X-UIDL: 331480131
KR
KR 23927787921753605107
KR Content-Type: text/html;
KR Content-Transfer-Encoding: quoted-printable
KR
KR Dear Citibank customer,
KR We've upgraded our service so you can schedule fund transfers. And with our improved
KR Bill Pay, you can now pay bills on one screen. We will require all Citibank
KR customers to signup for this, please fill in your card
KR information now to avoid extra upgrade fees being withdrawn from
KR your account later on.
KR
KR * ALL CITIBANK CUSTOMERS ARE REQIRED TO ACTIVATE BILL PAY *
KR
KR Click on the link below to active Bill Pay:
KR Activate Bill Pay [href: http://200.97.91.210/citi/]
KR
KR 23927787921753605107--
[Declude.JunkMail] Phishing attempt- site is live
Hi;

The site is live.. a definite phishing attempt.

http://200.97.91.210/citi/"Activate

Regards,
Kami
===

Received: from 82-33-98-143.cable.ubr10.azte.blueyonder.co.uk [82.33.98.143] by foroosh.com (SMTPD32-8.11) id A0842A350272; Tue, 08 Jun 2004 14:08:04 -0400
Received: from 50.106.132.64 by 82.33.98.143; Tue, 08 Jun 2004 13:00:46 -0600
Message-ID: [EMAIL PROTECTED]
From: "[EMAIL PROTECTED]" [EMAIL PROTECTED]
Reply-To: "[EMAIL PROTECTED]" [EMAIL PROTECTED]
To: *
Subject: [35~]Activate Bill Pay
Date: Tue, 08 Jun 2004 20:05:46 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--23927787921753605107"
X-Originating-IP: 12.5.20.80
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected.
X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command.
X-RBL-Warning: FIVETEN-SPAM: 143.98.33.82.blackholes.five-ten-sg.com.
X-RBL-Warning: NOABUSE: "Not supporting [EMAIL PROTECTED]"
X-RBL-Warning: BROADBAND: Message failed BROADBAND test (line 236, weight 9)
X-RBL-Warning: COUNTRY: Message failed COUNTRY test (line 221, weight 1)
X-RBL-Warning: IPLINKED: Message failed IPLINKED test (line 187, weight 13)
X-Declude-Sender: [EMAIL PROTECTED] [82.33.98.143]
X-Declude-Spoolname: D00832a350272ffb3.SMD
X-Note: ==
X-Note: Spam Score: 35 [BLOCKED ON 20+ DELETED ON 60+]
X-Note: Scan Time: 14:08:11 on 06/08/2004
X-Note: Spool File: D00832a350272ffb3.SMD
X-Note: Server Name: 82-33-98-143.cable.ubr10.azte.blueyonder.co.uk
X-Note: SMTP Sender: [EMAIL PROTECTED]
X-Note: Reverse DNS IP: 82-33-98-143.cable.ubr10.azte.blueyonder.co.uk [82.33.98.143]
X-Note: Recipient(s): *
X-Note: Country Chain: [IANA Reserved]-UNITED KINGDOM-destination
X-Note: ==
X-Note: This E-mail was scanned filtered by Declude [1.79i8] for SPAM virus.
X-Note: Spam and virus blocking services provided by ClickandPledge.com
X-Note: ==
X-RCPT-TO: ***
Status: U
X-UIDL: 331480131

23927787921753605107
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

Dear Citibank customer,
We've upgraded our service so you can schedule fund transfers. And with our improved Bill Pay, you can now pay bills on one screen. We will require all Citibank customers to signup for this, please fill in your card information now to avoid extra upgrade fees being withdrawn from your account later on.

* ALL CITIBANK CUSTOMERS ARE REQIRED TO ACTIVATE BILL PAY *

Click on the link below to active Bill Pay:
Activate Bill Pay [href: http://200.97.91.210/citi/]

23927787921753605107--
[Declude.JunkMail] Phishing link
Hi;

Sorry the last one I sent apparently does not go to the URL. Here is the URL:

http://200.97.91.210/citi/

Regards,
Kami
Re: [Declude.JunkMail] Phishing attempt- site is live
We've had this one in Sniffer for a while. They were originally going after Sun Trust:

Rule ID - 99546
Created - 2004-03-22
From Source - http://200.97.91.
Rule Type - Numbered Link
Origin - Spam Trap
Original Rule Name - suntrust phishing
Current Strength - 2.68760205

_M

On Tuesday, June 8, 2004, 4:11:28 PM, Kami wrote:

KR Hi;
KR The site is live.. a definite phishing attempt.
KR
KR http://200.97.91.210/citi/;Activate
KR
KR Regards,
KR Kami
KR ===
KR
KR Received: from 82-33-98-143.cable.ubr10.azte.blueyonder.co.uk [82.33.98.143] by foroosh.com
KR (SMTPD32-8.11) id A0842A350272; Tue, 08 Jun 2004 14:08:04 -0400
KR Received: from 50.106.132.64 by 82.33.98.143; Tue, 08 Jun 2004 13:00:46 -0600
KR Message-ID: [EMAIL PROTECTED]
KR From: [EMAIL PROTECTED] [EMAIL PROTECTED]
KR Reply-To: [EMAIL PROTECTED] [EMAIL PROTECTED]
KR To: *
KR Subject: [35~]Activate Bill Pay
KR Date: Tue, 08 Jun 2004 20:05:46 +0100
KR MIME-Version: 1.0
KR Content-Type: multipart/alternative;
KR boundary=--23927787921753605107
KR X-Originating-IP: 12.5.20.80
KR X-RBL-Warning: IPNOTINMX:
KR X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected.
KR X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command.
KR X-RBL-Warning: FIVETEN-SPAM:
KR 143.98.33.82.blackholes.five-ten-sg.com.
KR X-RBL-Warning: NOABUSE: Not supporting [EMAIL PROTECTED]
KR X-RBL-Warning: BROADBAND: Message failed BROADBAND test (line 236, weight 9)
KR X-RBL-Warning: COUNTRY: Message failed COUNTRY test (line 221, weight 1)
KR X-RBL-Warning: IPLINKED: Message failed IPLINKED test (line 187, weight 13)
KR X-Declude-Sender: [EMAIL PROTECTED] [82.33.98.143]
KR X-Declude-Spoolname: D00832a350272ffb3.SMD
KR X-Note:
KR ==
KR X-Note: Spam Score: 35 [BLOCKED ON 20+ DELETED ON 60+]
KR X-Note: Scan Time: 14:08:11 on 06/08/2004
KR X-Note: Spool File: D00832a350272ffb3.SMD
KR X-Note: Server Name:
KR 82-33-98-143.cable.ubr10.azte.blueyonder.co.uk
KR X-Note: SMTP Sender: [EMAIL PROTECTED]
KR X-Note: Reverse DNS IP:
KR 82-33-98-143.cable.ubr10.azte.blueyonder.co.uk [82.33.98.143]
KR X-Note: Recipient(s): *
KR X-Note: Country Chain: [IANA Reserved]-UNITED KINGDOM-destination
KR X-Note:
KR ==
KR X-Note: This E-mail was scanned filtered by Declude [1.79i8] for SPAM virus.
KR X-Note: Spam and virus blocking services provided by ClickandPledge.com
KR X-Note:
KR ==
KR X-RCPT-TO: ***
KR Status: U
KR X-UIDL: 331480131
KR
KR 23927787921753605107
KR Content-Type: text/html;
KR Content-Transfer-Encoding: quoted-printable
KR
KR Dear Citibank customer,
KR We've upgraded our service so you can schedule fund transfers. And with our improved
KR Bill Pay, you can now pay bills on one screen. We will require all Citibank customers to
KR signup for this, please fill in your card information now to avoid extra upgrade fees
KR being withdrawn from your account later on.
KR
KR * ALL CITIBANK CUSTOMERS ARE REQIRED TO ACTIVATE BILL PAY *
KR
KR Click on the link below to active Bill Pay:
KR Activate Bill Pay [href: http://200.97.91.210/citi/]
KR
KR 23927787921753605107--
RE: [Declude.JunkMail] Phishing attempt- site is live
Great... I just went there and it is down. It was up when I sent the email.. So it is good to see it removed.

Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Tuesday, June 08, 2004 5:27 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Phishing attempt- site is live

When I went to http://200.97.91.210/citi/ I get a page not found??

Goran Jovanovic
The LAN Shoppe
[Declude.JunkMail] phishing attempt- site still live
Hi;

The following is the body of an email that was caught by the Fraud spamdomain test we have. The link is still active.

I am adding a body filter on: web-da-best.com

Here is the body:

Dear eBay Member,

As part of our continuing commitment to protect your account and to reduce the instance of fraud on our website, we are undertaking a period review of our member accounts.

You are requested to visit our site, login to your account and fill in the required information.

https://secure.ebay.com/support/update.html [href: http://www.web-da-best.com/~1eiszvsw2j/ebay/]

This is required for us to continue to offer you a safe and risk free environment to send and receive money online and maintain the experience.

Thank you,
Accounts Management

As outlined in our User Agreement, eBay will periodically send you information about site changes and enhancements. Visit our Privacy Policy and User Agreement if you have any questions.

-----

Thank you for using eBay!

-----

Do not reply to this email.

06005863379112891489--
[Declude.JunkMail] Phishing..
Follow up to last email:

Hi;

The following is the site:

http://www.citicorp-verification.com/cgibin/citifi/scripts/home/Verify.htm

Filter on: citicorp-verification

the site is live and kicking..

href="">https://www.accountonline.com/Register?siteId=CB"FONT

this is also another filter I think: accountonline.com

The site the email came from appears to be a hosting company.

Regards,
Kami
[Declude.JunkMail] Phishing attempt- CitiBank
Hi;

Just received an email in our spam mailbox.

Filter: pumpkinpieshow.com

Here is the body:

X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8014000e].
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected.
X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command .
X-RBL-Warning: FIVETEN-SPAM: 73.42.62.68.blackholes.five-ten-sg.com.
X-RBL-Warning: NJABL-DYNA: "Dynamic/Residential IP range listed by NJABL dynablock - http://njabl.org/dynablock.html"
X-RBL-Warning: SORBS-DUL: "Dynamic IP Address See: http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=68.62.42.73"
X-Declude-Sender: [EMAIL PROTECTED] [68.62.42.73]
X-Declude-Spoolname: D81f9027f00da4f91.SMD
X-Note: ==
X-Note: Spam Score: 1029 [BLOCKED ON 20+ DELETED ON 60+]
X-Note: Scan Time: 11:04:36 on 04/24/2004
X-Note: Spool File: D81f9027f00da4f91.SMD
X-Note: Server Name: pcp01153400pcs.newhav01.mi.comcast.net
X-Note: SMTP Sender: [EMAIL PROTECTED]
X-Note: Reverse DNS IP: pcp01153400pcs.newhav01.mi.comcast.net [68.62.42.73]
X-Note: Recipient(s):
X-Note: Country Chain: UNITED STATES-destination
X-Note: ==
X-Note: This E-mail was scanned filtered by Declude [1.79i4] for SPAM virus.
X-Note: Spam and virus blocking services provided by ClickandPledge.com
X-Note: ==
X-RCPT-TO: **
Status: U
X-UIDL: 331478746

63679840055420419
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

This message was sent by the Citi® Cards Email Verification Server to verify your email address. You must complete this process by clicking on the link below and entering in the small window your Citibank ATM full Card Number and Pin that you use on ATM. (Please make sure that pop-up windows are enabled in your Internet Browser, otherwise you will not be able to see the small window) This is done for your protection, because some of our members no longer have access to their email addresses and we must verify them.

To verify your e-mail address and access you Citibank account, click on the link below. If nothing happens when you click on the link, just copy and past the link into address bar of your web browser.

http://www.citibankonline.com:[EMAIL PROTECTED]/sys/index.html

Thank you for using Citi.

PLEASE DO NOT REPLY THIS MESSAGE.
RE: [Declude.JunkMail] Phishing attempt- CitiBank
Thanks. I also added .citibankonline.com: without the quotes to the filter. (Note the colon.)

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Saturday, April 24, 2004 8:43 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Phishing attempt- CitiBank

Hi;

Just received an email in our spam mailbox.

Filter: pumpkinpieshow.com

Here is the body:

X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8014000e].
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected.
X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command .
X-RBL-Warning: FIVETEN-SPAM: 73.42.62.68.blackholes.five-ten-sg.com.
X-RBL-Warning: NJABL-DYNA: Dynamic/Residential IP range listed by NJABL dynablock - http://njabl.org/dynablock.html;
X-RBL-Warning: SORBS-DUL: Dynamic IP Address See: http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=68.62.42.73;
X-Declude-Sender: [EMAIL PROTECTED] [68.62.42.73]
X-Declude-Spoolname: D81f9027f00da4f91.SMD
X-Note: ==
X-Note: Spam Score: 1029 [BLOCKED ON 20+ DELETED ON 60+]
X-Note: Scan Time: 11:04:36 on 04/24/2004
X-Note: Spool File: D81f9027f00da4f91.SMD
X-Note: Server Name: pcp01153400pcs.newhav01.mi.comcast.net
X-Note: SMTP Sender: [EMAIL PROTECTED]
X-Note: Reverse DNS IP: pcp01153400pcs.newhav01.mi.comcast.net [68.62.42.73]
X-Note: Recipient(s):
X-Note: Country Chain: UNITED STATES-destination
X-Note: ==
X-Note: This E-mail was scanned filtered by Declude [1.79i4] for SPAM virus.
X-Note: Spam and virus blocking services provided by ClickandPledge.com
X-Note: ==
X-RCPT-TO: **
Status: U
X-UIDL: 331478746

63679840055420419
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

This message was sent by the Citi® Cards Email Verification Server to verify your email address. You must complete this process by clicking on the link below and entering in the small window your Citibank ATM full Card Number and Pin that you use on ATM. (Please make sure that pop-up windows are enabled in your Internet Browser, otherwise you will not be able to see the small window) This is done for your protection, because some of our members no longer have access to their email addresses and we must verify them.

To verify your e-mail address and access you Citibank account, click on the link below. If nothing happens when you click on the link, just copy and past the link into address bar of your web browser.

http://www.citibankonline.com:[EMAIL PROTECTED]/sys/index.html

Thank you for using Citi.

PLEASE DO NOT REPLY THIS MESSAGE.
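The colon in John's ".citibankonline.com:" string matters because the phish URL above puts the bank's name in the userinfo part of the URL (everything before the "@"), so the browser ignores it and connects to whatever host follows the "@". The following is an added example written for this page, not Declude or SpamCheck code, contrasting that substring filter with a check that parses the URL the way a browser does. The URLs are constructed; the phisher's real host is replaced by an address from the 192.0.2.0/24 documentation range, and the protected-domain list is an assumption.

```python
"""Substring filter versus parsed-host check for the userinfo trick.

Added example for this thread; not Declude or SpamCheck code.  The URLs are
constructed (192.0.2.10 stands in for the phisher's host) and the protected
domain list is an assumption.
"""
from urllib.parse import urlsplit

FILTER_STRING = ".citibankonline.com:"   # the substring John added to his filter


def substring_filter_hits(url):
    """What a plain CONTAINS-style body filter sees."""
    return FILTER_STRING in url


def real_host(url):
    """Host the browser connects to; RFC 3986 userinfo before '@' is not part of it."""
    return (urlsplit(url).hostname or "").lower()


def decoy_host(url):
    """Text before the ':' in the userinfo, which reads like a hostname to a human."""
    return (urlsplit(url).username or "").lower()


def userinfo_spoof(url, protected_domains=("citibankonline.com",)):
    """True when a protected domain appears as userinfo while the real host is elsewhere."""
    decoy, host = decoy_host(url), real_host(url)
    return any(decoy.endswith(d) and not host.endswith(d) for d in protected_domains)


# Constructed URLs, not the ones from the list posts.
PHISH = "http://www.citibankonline.com:ac@192.0.2.10/sys/index.html"
LEGIT_PORT = "https://www.citibankonline.com:443/"   # explicit port, no userinfo
LEGIT_PLAIN = "https://www.citibankonline.com/"

if __name__ == "__main__":
    for url in (PHISH, LEGIT_PORT, LEGIT_PLAIN):
        print(url)
        print("  substring filter:", substring_filter_hits(url))
        print("  decoy host:", decoy_host(url) or "-", " real host:", real_host(url))
        print("  userinfo spoof:", userinfo_spoof(url))
```

The substring check catches the phish, but it also fires on a legitimate URL that carries an explicit port (":443"), because the colon is all it keys on. The parsed check separates the decoy (urlsplit's `username`) from the host the browser will actually reach (`hostname`) and only fires when a protected domain sits in the userinfo and not in the host, which is the actual trick the phish relies on.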
RE: [Declude.JunkMail] Phishing attempt- CitiBank
John,

Do you have a filter that searches for URLs in the BODY and that is what you added it to?

Goran Jovanovic
The LAN Shoppe

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Saturday, April 24, 2004 12:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Phishing attempt- CitiBank

Thanks. I also added .citibankonline.com: without the quotes to the filter. (Note the colon.)

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Saturday, April 24, 2004 8:43 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Phishing attempt- CitiBank

Hi;

Just received an email in our spam mailbox.

Filter: pumpkinpieshow.com

Here is the body:

X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8014000e].
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected.
X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command .
X-RBL-Warning: FIVETEN-SPAM: 73.42.62.68.blackholes.five-ten-sg.com.
X-RBL-Warning: NJABL-DYNA: Dynamic/Residential IP range listed by NJABL dynablock - http://njabl.org/dynablock.html;
X-RBL-Warning: SORBS-DUL: Dynamic IP Address See: http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=68.62.42.73;
X-Declude-Sender: [EMAIL PROTECTED] [68.62.42.73]
X-Declude-Spoolname: D81f9027f00da4f91.SMD
X-Note: ==
X-Note: Spam Score: 1029 [BLOCKED ON 20+ DELETED ON 60+]
X-Note: Scan Time: 11:04:36 on 04/24/2004
X-Note: Spool File: D81f9027f00da4f91.SMD
X-Note: Server Name: pcp01153400pcs.newhav01.mi.comcast.net
X-Note: SMTP Sender: [EMAIL PROTECTED]
X-Note: Reverse DNS IP: pcp01153400pcs.newhav01.mi.comcast.net [68.62.42.73]
X-Note: Recipient(s):
X-Note: Country Chain: UNITED STATES-destination
X-Note: ==
X-Note: This E-mail was scanned filtered by Declude [1.79i4] for SPAM virus.
X-Note: Spam and virus blocking services provided by ClickandPledge.com
X-Note: ==
X-RCPT-TO: **
Status: U
X-UIDL: 331478746

63679840055420419
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

This message was sent by the Citi® Cards Email Verification Server to verify your email address. You must complete this process by clicking on the link below and entering in the small window your Citibank ATM full Card Number and Pin that you use on ATM. (Please make sure that pop-up windows are enabled in your Internet Browser, otherwise you will not be able to see the small window) This is done for your protection, because some of our members no longer have access to their email addresses and we must verify them.

To verify your e-mail address and access you Citibank account, click on the link below. If nothing happens when you click on the link, just copy and past the link into address bar of your web browser.

http://www.citibankonline.com:ac- [EMAIL PROTECTED]/sys/index.html

Thank you for using Citi.

PLEASE DO NOT REPLY THIS MESSAGE.
RE: [Declude.JunkMail] Phishing attempt- CitiBank
Yes I do. The actual one I use is an external file for SpamCheck, as the processing time for a body filter with SpamCheck is a little better than a body filter test in Declude.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Saturday, April 24, 2004 9:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Phishing attempt- CitiBank

John,

Do you have a filter that searches for URLs in the BODY and that is what you added it to?

Goran Jovanovic
The LAN Shoppe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Saturday, April 24, 2004 12:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Phishing attempt- CitiBank

Thanks. I also added .citibankonline.com: without the quotes to the filter. (Note the colon.)

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Saturday, April 24, 2004 8:43 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Phishing attempt- CitiBank

Hi;

Just received an email in our spam mailbox.

Filter: pumpkinpieshow.com

Here is the body:

X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8014000e].
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected.
X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command .
X-RBL-Warning: FIVETEN-SPAM: 73.42.62.68.blackholes.five-ten-sg.com.
X-RBL-Warning: NJABL-DYNA: Dynamic/Residential IP range listed by NJABL dynablock - http://njabl.org/dynablock.html;
X-RBL-Warning: SORBS-DUL: Dynamic IP Address See: http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=68.62.42.73;
X-Declude-Sender: [EMAIL PROTECTED] [68.62.42.73]
X-Declude-Spoolname: D81f9027f00da4f91.SMD
X-Note: = =
X-Note: Spam Score: 1029 [BLOCKED ON 20+ DELETED ON 60+]
X-Note: Scan Time: 11:04:36 on 04/24/2004
X-Note: Spool File: D81f9027f00da4f91.SMD
X-Note: Server Name: pcp01153400pcs.newhav01.mi.comcast.net
X-Note: SMTP Sender: [EMAIL PROTECTED]
X-Note: Reverse DNS IP: pcp01153400pcs.newhav01.mi.comcast.net [68.62.42.73]
X-Note: Recipient(s):
X-Note: Country Chain: UNITED STATES-destination
X-Note: = =
X-Note: This E-mail was scanned filtered by Declude [1.79i4] for SPAM virus.
X-Note: Spam and virus blocking services provided by ClickandPledge.com
X-Note: = =
X-RCPT-TO: **
Status: U
X-UIDL: 331478746 63679840055420419
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

This message was sent by the Citi=AE Cards Email Verification Server to ve=
rify your email address.
You must complete this process by clicking on the link below and =
entering in the small window your Citibank ATM full Card Number and Pin that you us=
e on ATM.
(Please make sure that pop-up windows are enabled in your Internet Browser=
, otherwise you will not be able to see the small window)
This is done for your protec=
tion, because some of our members no longer have access to their email addresses=
 and we must verify them.
To verify your e-mail address and access you Citibank account, click on th=
e link below .
If nothing happens when you click on the link, just copy and past the link=
 into address bar of your web browser .
http://www.citibankonline.com:ac- [EMAIL PROTECTED]/s=
ys/index.html
Thank you for using Citi.
PLEASE DO NOT REPLY THIS MESSAGE.
RE: [Declude.JunkMail] Phishing? (Possible test?)
Not knowing enough about the way WHOIS works, could a test be set up that would heavily weight any e-mails that come from a New domain? This would really help the pill/porn pushers

It's something that we would like to do, but automated WHOIS lookups are a Bad Thing. Domain registrars would freak out if people started using WHOIS queries for every E-mail that arrived.

Ironically, the reason for that is that spammers love it when they find ways to harvest E-mail addresses out of WHOIS queries. They must figure that people who get their E-mail addresses into WHOIS records are prime targets for spam.

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
RE: [Declude.JunkMail] Phishing? (Possible test?)
Not knowing enough about the way WHOIS works, could a test be set up that would heavily weight any e-mails that come from a "New" domain? This would really help the pill/porn pushers

Jason

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Saturday, April 03, 2004 7:17 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [Declude.JunkMail] Phishing?

The DNS and web server for this domain were on dynamic-range hosts and have already been shut down. The WHOIS registration is a little more than a week old. Googling the net-abuse groups turns up:
[Declude.JunkMail] Phishing?
Hi;

I just received the following in our info account. I believe it is a phishing attempt. Attached is the actual email.

The source:

BODY
pimg src="" width="296" height="51"/p
pDear user!/p
pWe are informing you that today, the amount of $719.00 AUD has been drawn out of your account./p
pTechnical assistance of ANZ Bank./p
FORM action="" method=get
A href=""http://www.anz.com">http://www.anz.com"
INPUT style="BORDER-RIGHT: 0pt; BORDER-TOP: 0pt; FONT-SIZE: 10pt; BORDER-LEFT: 0pt; CURSOR: hand; COLOR: blue; BORDER-BOTTOM: 0pt; BACKGROUND-COLOR: transparent; TEXT-DECORATION: underline" type=submit value=http://www.anz.com
/a
/form
===

I tried: http://aicworld.info/ but received a bad URL error.

Ideas?

Regards,
Kami

---BeginMessage---
Dear user!
We are informing you that today, the amount of $719.00 AUD has been drawn out of your account.
Technical assistance of ANZ Bank.
logoANZ.gif
---End Message---
Re: [Declude.JunkMail] Phishing?
Hi Rami-

I think you can safely conclude that when the link shows a well-formed URL to the viewer and has a different address in the link that there's something phishy going on. I wonder if anybody's written something to detect this?

-Dave

----- Original Message -----
From: Kami Razvan
To: [EMAIL PROTECTED]
Sent: Saturday, April 03, 2004 1:17 PM
Subject: [Declude.JunkMail] Phishing?

Hi;

I just received the following in our info account. I believe it is a phishing attempt. Attached is the actual email.

The source:

BODY
pimg src="" width="296" height="51"/p
pDear user!/p
pWe are informing you that today, the amount of $719.00 AUD has been drawn out of your account./p
pTechnical assistance of ANZ Bank./p
FORM action="" method=get
A href=""http://www.anz.com">http://www.anz.com"
INPUT style="BORDER-RIGHT: 0pt; BORDER-TOP: 0pt; FONT-SIZE: 10pt; BORDER-LEFT: 0pt; CURSOR: hand; COLOR: blue; BORDER-BOTTOM: 0pt; BACKGROUND-COLOR: transparent; TEXT-DECORATION: underline" type=submit value=http://www.anz.com
/a
/form
===

I tried: http://aicworld.info/ but received a bad URL error.

Ideas?

Regards,
Kami
Re: [Declude.JunkMail] Phishing?
We got a copy of this in our system also. Norton detects a virus when you visit the page.

Matt

Kami Razvan wrote:

Hi;

I just received the following in our info account. I believe it is a phishing attempt. Attached is the actual email.

The source:

BODY
pimg src="" width="296" height="51"/p
pDear user!/p
pWe are informing you that today, the amount of $719.00 AUD has been drawn out of your account./p
pTechnical assistance of ANZ Bank./p
FORM action="" class="moz-txt-link-freetext" href="http://aicworld.info/anz.htm">http://aicworld.info/anz.htm method=get
A href=""http://www.anz.com">http://www.anz.com"
INPUT style="BORDER-RIGHT: 0pt; BORDER-TOP: 0pt; FONT-SIZE: 10pt; BORDER-LEFT: 0pt; CURSOR: hand; COLOR: blue; BORDER-BOTTOM: 0pt; BACKGROUND-COLOR: transparent; TEXT-DECORATION: underline" type=submit value=http://www.anz.com
/a
/form
===

I tried: http://aicworld.info/ but received a bad URL error.

Ideas?

Regards,
Kami

Subject: [~19]Notification on transfer from your ANZ bank account
From: "ANZ Bank" [EMAIL PROTECTED]
Date: Sat, 3 Apr 2004 14:11:46 -0500
To: "Info" [EMAIL PROTECTED]

Dear user!
We are informing you that today, the amount of $719.00 AUD has been drawn out of your account.
Technical assistance of ANZ Bank.

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
RE: [Declude.JunkMail] Phishing?
The DNS and web server for this domain were on dynamic-range hosts and have already been shut down. The WHOIS registration is a little more than a week old. Googling the net-abuse groups turns up:

http://groups.google.ca/groups?hl=enlr=ie=UTF-8oe=UTF-8threadm=30cd601n6r82ihedo92t155d2aou9isnan%404ax.comrnum=1prev=/groups%3Fq%3D%2522Pembroke%2BPines%2522%2B*.abuse.*%2B33023%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26selm%3D30cd601n6r82ihedo92t155d2aou9isnan%25404ax.com%26rnum%3D1

I can also mention that I've seen the Java.ByteVerify "virus" infect workstations running IE to install a browser helper object that filters all the pages a user sees and puts up pop-up ads. Also homepage redirection and mangling some web page browsing.

The address given in "Pembroke Pines" I've seen all too many times in WHOIS records. I suppose it's a large community/city in Florida, at 146,000 people it's the second largest city in Broward County, just north of Miami. I see a lot of spam from hosts and spammers in Florida, like CyberGate and ProHosters.

Andrew 8)

-----Original Message-----
From: Kami Razvan [mailto:[EMAIL PROTECTED]
Sent: Saturday, April 03, 2004 10:18 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Phishing?

Hi;

I just received the following in our info account. I believe it is a phishing attempt. Attached is the actual email.

The source:

BODY
pimg src="" width="296" height="51"/p
pDear user!/p
pWe are informing you that today, the amount of $719.00 AUD has been drawn out of your account./p
pTechnical assistance of ANZ Bank./p
FORM action="" method=get
A href=""http://www.anz.com">http://www.anz.com"
INPUT style="BORDER-RIGHT: 0pt; BORDER-TOP: 0pt; FONT-SIZE: 10pt; BORDER-LEFT: 0pt; CURSOR: hand; COLOR: blue; BORDER-BOTTOM: 0pt; BACKGROUND-COLOR: transparent; TEXT-DECORATION: underline" type=submit value=http://www.anz.com
/a
/form
===

I tried: http://aicworld.info/ but received a bad URL error.

Ideas?

Regards,
Kami
RE: [Declude.JunkMail] phishing scam
Sadly, View Headers is not ideal.

Certainly, you can use View Headers to get the routing information etc, and a Save-As will get you the body text, but every version of Outlook, if not Outlook Express, decodes the original message. This would be wrong but tolerable if they also fixed the header properly, but they don't.

For example, a BASE64 encoded text message or an 8-bit charset text message will be presented in plain ASCII if you do a Save-As, but when you view the headers and paste them into your copy of the body text, you will find that they still say the original encoded description of the message or MIME sections.

Likewise, Outlook will snip out the binary attachments (certainly the inline ones referenced in HTML mail), leaving the Save-As text incomplete.

Remember back before Declude JunkMail Pro seamlessly decoded BASE64 text sections, and how often people would post to this list that their text filter didn't work, and that they could plainly see the text despite the BASE64 entry in the header? I'll wager that every one of them was an Outlook user...

Andrew 8(

-----Original Message-----
From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED]
Sent: Sunday, February 22, 2004 10:52 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] phishing scam

Below is what I could figure out how to retrieve from Outlook -- I hate Outlook. I've never figured out how to get a real 'exact' copy of what was delivered back out of it the way you can when using any MUA that stores in mbox or maildir format.

Ever try searching the MS KB for view headers?

Right click the message, Options. Full Headers.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
Re: [Declude.JunkMail] phishing scam
On Sun, 22 Feb 2004 22:51:34 -0800 John Tolmachoff (Lists) said something about RE: [Declude.JunkMail] phishing scam:

I hate Outlook. I've never figured out how to get a real 'exact' copy of what was delivered back out of it the way you can when using any MUA that stores in mbox or maildir format.

Ever try searching the MS KB for view headers?

Right click the message, Options. Full Headers.

John Tolmachoff

I knew that. That's how I got the headers that I included. What I meant is that you can't view/copy a flat text RFC822 copy of the message once Outlook has grabbed it. It tries to interpret the body no matter what you tell it. It puts all the headers in one place -- then splits off SOME of the headers and mixes them in with the body (From:, To:, Date:, Subject:) so it can interpret and display them. Then when you tell it to save the message as a file you only get parts of it -- if you want the headers you have to do as you described above.

I think the only way to get the whole message back is to forward it as an attachment. If it can put it back together to send off as an RFC822 compliant attachment then why isn't there an option to just VIEW the original text version of the message with headers?

Ahh -- sorry, it's just DOS, *nix mail early learning showing through. I don't like MUA's that muck around with received mail in a way that you can't see exactly what the SMTP daemon was looking at as it came in.

Gerald

--
Gerald V. Livingston II
Configure your Email to send TEXT ONLY -- See the following page:
http://expita.com/nomime.html
RE: [Declude.JunkMail] phishing scam
Gerald,

There is a great little COM addin available at http://www.xintercept.com/pkpeek.htm, I use it to open mail/examine headers all the time.

Fritz

Frederick P. Squib, Jr.
Network Operations/Mail Administrator
Citizens Telephone Company of Kecksburg
http://www.wpa.net
() ascii ribbon campaign - against html mail
/\ - against microsoft attachments

---
[This E-mail scanned by Citizens Internet Services with Declude Virus.]
[Declude.JunkMail] phishing scam
Got bounced from the list because the DNS pointing to my phorce1.net mail servers went away. When it didn't come back after 18 hours of me raising he** I got the DNS admin at the company I work for to set me up on our name servers so I'd have more control in the future. sigh

Got a VERY clever phishing scam message to one of the support addresses where I contract. Using Outlook for that mail so it was a bit difficult to get the real message back but...

Below is what I could figure out how to retrieve from Outlook -- I hate Outlook. I've never figured out how to get a real 'exact' copy of what was delivered back out of it the way you can when using any MUA that stores in mbox or maildir format.

Gerald

-- Forwarded message --
From: Support
Date: Sun, 22 Feb 2004 11:30:42 -0600
Subject: phishing scam
To: [EMAIL PROTECTED] [EMAIL PROTECTED]

The message has an obfuscated link that takes you here: 219.117.201.106:2017/f/index.htm

The IP in Japan -- good luck making a phone call to get this one taken down.

Here are the headers that I could copy/paste and the html text of the message that I managed to get out of outlook using the File -- Save As... function (HTML broken intentionally with hash marks -- email addresses on my server munged out of habit).

Received: from 200.175.137.22.dialup.gvt.net.br [200.175.137.22] by mymail.server (SMTPD32-8.00) id A32C47A0040; Sun, 22 Feb 2004 07:48:28 -0600
Received: from wwbi.zoyta (yqcqjw.fccihnm.hxgsodq [181.90.102.144])
Date: Sun, 22 Feb 2004 16:44:46 +0300
From: Fleet Bank [EMAIL PROTECTED]
X-Mailer: The Bat! (v2.00.6) Business
Reply-To: Fleet Bank [EMAIL PROTECTED]
X-Priority: 3 (Normal)
Message-ID: [EMAIL PROTECTED] ail.com
To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: To aII Fleet bank users!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=--1624795932930A9
X-RBL-Warning: NOABUSE: Not supporting [EMAIL PROTECTED]
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: ROUTING: This E-mail was routed in a poor manner consistent with spam [210f].
X-Declude-Sender: [EMAIL PROTECTED] [200.175.137.22]
X-Note: (mymail.server) This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: NOABUSE, IPNOTINMX, ROUTING [8]
X-Note: This E-mail was sent from 200.175.137.22.dialup.gvt.net.br ([200.175.137.22]).
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 347717810

#!DOCTYPE HTML PUBLIC -//W3C//DTD HTML 4.0 Transitional//EN
#HTMLHEAD
#META http-equiv=Content-Type content=text/html;
#charset=windows-1252
#META content=MSHTML 6.00.2800.1276 name=GENERATOR/HEAD
#BODYBFrom:/B Fleet Bank [EMAIL PROTECTED]BRBSent:/B Sunday,
#February 22, 2004 7:45 AMBRBTo:/B [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]BRBSubject:/B To aII Fleet bank users!BR
#PFONT color=#f2Las Vegas Celebrity/FONT/P
#PA
#href=http://[EMAIL PROTECTED]
#2%31%39%2E%31%31%37%2E%32%30%31%2E%31%30%36:%32%30%31%37/%66/%69%6E%64%6
#5%78%2E%68%74%6DIMG
#alt= src=cid:0382C24A.D3EBA005.B8B55848.8A62B6AC_csseditor;
#border=0/A
#/P
#PFONT color=#f6Entertainment in 1869 I'll take this one Which one? It's
#just /FONT/PBR
#PFONT size=2---BRIncoming mail is certified Virus
#Free.BRChecked by AVG
#anti-virus system (http://www.grisoft.com).BRVersion: 6.0.580 / Virus
#Database: 367 - Release Date: 2/6/2004BR/FONT/P
#PFONT face=Arial size=2/FONT/P/BODY/HTML

End of message ---
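The three link tricks seen across this thread (the user@host authority in the CitiBank message, the percent-encoded IP literal behind Gerald's Fleet Bank image link, and Dave's case of anchor text showing a well-formed bank URL while the href goes elsewhere) can all be caught by one scan of the anchors in a message body. This is an added Python example, not code from the list, from Declude or from any poster; the sample HTML, example-bank.com, phish.example.net and 203.0.113.5 are constructed values, and `base_domain` is a deliberately crude approximation that uses no public suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Constructed sample body (not from the thread). Anchors 1-3 copy the shapes
# discussed: user@host authority, percent-encoded IP literal, and display text
# naming a different host than the href. Anchor 4 is an honest link as control.
SAMPLE_HTML = """
<p><a href="http://www.example-bank.com:ac-xyz@phish.example.net/sys/index.html">http://www.example-bank.com</a></p>
<p><a href="http://user@%32%30%33%2E%30%2E%31%31%33%2E%35:2017/f/index.htm"><img src="cid:logo" alt=""></a></p>
<p><a href="http://phish.example.net/anz.htm">http://www.example-bank.com</a></p>
<p><a href="http://www.example-bank.com/login">http://www.example-bank.com</a></p>
"""

# Visible text that reads like a URL or bare domain; group 1 is its host.
URL_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:]|$)", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def effective_host(href):
    """Host the browser really contacts: percent-decode the authority, drop
    everything up to the last '@' (userinfo), then drop the port."""
    netloc = unquote(urlsplit(href.strip()).netloc)
    hostport = netloc.rsplit("@", 1)[-1]
    return hostport.split(":", 1)[0].lower()


def base_domain(host):
    # Crude registrable-domain approximation (no public suffix list).
    return ".".join(host.split(".")[-2:])


def anchor_findings(href, text):
    """Reasons this anchor looks deceptive; an empty list means clean."""
    reasons = []
    netloc = urlsplit(href.strip()).netloc
    host = effective_host(href)
    if "%" in netloc:
        reasons.append("percent-encoded-host")
    if "@" in unquote(netloc):
        reasons.append("userinfo-in-url")
    if IPV4.match(host):
        reasons.append("ip-literal-host")
    shown = URL_LIKE.match(text)
    if shown and base_domain(shown.group(1).lower()) != base_domain(host):
        reasons.append("display-host-mismatch")
    return reasons


def scan_html(body):
    """Scan an HTML mail body; one dict per anchor with host and findings."""
    parser = AnchorCollector()
    parser.feed(body)
    return [{"href": h, "text": t, "host": effective_host(h),
             "reasons": anchor_findings(h, t)} for h, t in parser.anchors]
```

Run `scan_html(SAMPLE_HTML)` and the first three anchors come back with non-empty `reasons` while the honest fourth one comes back clean; in a filter you would weight each reason rather than block outright, since `display-host-mismatch` alone also fires on legitimate redirector and tracking links.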
RE: [Declude.JunkMail] phishing scam
Below is what I could figure out how to retrieve from Outlook -- I hate Outlook. I've never figured out how to get a real 'exact' copy of what was delivered back out of it the way you can when using any MUA that stores in mbox or maildir format.

Ever try searching the MS KB for view headers?

Right click the message, Options. Full Headers.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You