[Declude.JunkMail] Phishing

2007-05-15 Thread David Barker
BODY   15   PCRE   (http://.{3,60}(\.com\.).{3,60}?(\.[a-z]{2,4}/))

This is a regular expression. This is a little more complicated than a
straight filter but essentially I am looking for any URL that has a .com in
the middle and then ends with a different domain extension. It will match on
this:

http://session-2825275860.nationalcity.com.juuje.io/

If you had to do a standard filter I would do something like:

BODY   5    CONTAINS   http://session-
BODY   10   CONTAINS   .io/

Some examples of matches (not sure of the level of FPs yet):

05/15/2007 15:06:57.587 23622263 Triggered BODY PCRE filter FILTER-PHISH :
http://session-401758.nationalcity.com.bigj.at/

05/15/2007 15:16:09.618 23622319 Triggered BODY PCRE filter FILTER-PHISH :
http://interactsession-64236.regions.com.usersetup.cn/

05/15/2007 16:15:39.587 23622721 Triggered BODY PCRE filter FILTER-PHISH :
http://interactsession-0330189132.regions.com.usersetup.tw/

05/15/2007 16:20:45.383 23622746 Triggered BODY PCRE filter FILTER-PHISH :
http://session-10067.nationalcity.com.portfast.cn/

05/15/2007 16:37:59.774 23622859 Triggered BODY PCRE filter FILTER-PHISH :
http://interactsession-644893.regions.com.usersetup.io/

05/15/2007 16:56:21.071 23622995 Triggered BODY PCRE filter FILTER-PHISH :
http://session-8434556.nationalcity.com.05server.cn/

David Barker
VP Operations  |  Declude
Your Email Security is our business
O: 978.499.2933  x7007
F: 978.988.1311   
E: [EMAIL PROTECTED]




---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.



RE: [Declude.JunkMail] Phishing

2007-05-15 Thread Colbeck, Andrew
Without so much as glancing at the potential false positives, this is
a treasure trove of actual phishing URLs:

http://www.phishtank.com/phish_archive.php

A glance at which tells me that another useful PCRE would be (pseudo-code
follows):

IPADDRESS then (/ character) then stuff including DOMAIN NAME then (end
of line OR / character)

Andrew.


 

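Both checks proposed so far, David's ".com in the middle" PCRE and Andrew's IP-then-domain pseudo-code, as a runnable Python prototype. This is an added example, not code from the list or either poster; the brand list and the sample lines that are not the thread's own log hits are constructed, and it also shows why the posted wildcards deserve tightening to the host part.

```python
"""Prototype of the two phishing-URL checks discussed in this thread.

Check 1 is David Barker's pattern, kept exactly as posted and also in a
tightened host-only form. Check 2 is Andrew Colbeck's pseudo-code: an IP
address host, a slash, then a path containing a brand domain name that is
followed by a slash or the end of the text. The brand list and the
benign/IP sample lines are constructed for this example.
"""
import ipaddress
import re

# Check 1a: the PCRE exactly as posted. Python's re agrees with PCRE for
# every construct used here, so the behaviour is the same.
POSTED_PCRE = re.compile(r"http://.{3,60}(\.com\.).{3,60}?(\.[a-z]{2,4}/)")

# Check 1b: same idea, but '.' becomes [^/\s] so the whole match must stay
# inside one host name. As posted, the wildcards may run across spaces and
# '/', so a sentence-ending "example.com." followed within 60 characters by
# any other URL is enough to trigger the filter.
HOST_ONLY = re.compile(
    r"https?://[^/\s]{3,60}\.com\.[^/\s]{3,60}?\.[a-z]{2,4}/", re.IGNORECASE
)

# Brand domains to look for in the path (constructed list; these two are the
# ones impersonated in the thread's log lines).
BRAND_DOMAINS = ("nationalcity.com", "regions.com")

# Check 2: Andrew's pseudo-code. Group 1 is the dotted quad, validated
# separately because \d{1,3} also accepts octets such as 999.
IP_THEN_BRAND = re.compile(
    r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/\S*?("
    + "|".join(re.escape(b) for b in BRAND_DOMAINS)
    + r")(?=/|\s|$)",
    re.IGNORECASE,
)


def is_ipv4(text: str) -> bool:
    """True only for a well-formed IPv4 literal (rejects octets above 255)."""
    try:
        return ipaddress.ip_address(text).version == 4
    except ValueError:
        return False


def compare_patterns(line: str) -> tuple:
    """(posted PCRE hit, host-only hit) for one body line."""
    return bool(POSTED_PCRE.search(line)), bool(HOST_ONLY.search(line))


def phish_url_reasons(line: str) -> list:
    """Names of the checks a body line trips; an empty list means clean."""
    reasons = []
    if HOST_ONLY.search(line):
        reasons.append("com-in-middle")
    m = IP_THEN_BRAND.search(line)
    if m and is_ipv4(m.group(1)):
        reasons.append("ip-host-brand-path")
    return reasons


# The six URLs the thread's log lines report as hits.
THREAD_HITS = [
    "http://session-401758.nationalcity.com.bigj.at/",
    "http://interactsession-64236.regions.com.usersetup.cn/",
    "http://interactsession-0330189132.regions.com.usersetup.tw/",
    "http://session-10067.nationalcity.com.portfast.cn/",
    "http://interactsession-644893.regions.com.usersetup.io/",
    "http://session-8434556.nationalcity.com.05server.cn/",
]

# Constructed body lines (192.0.2.0/24 is a documentation range).
LEGIT_LINE = "Log in at http://www.nationalcity.com/onlinebanking/ as usual."
FALSE_POSITIVE_LINE = (
    "Our site is http://www.example.com. Support is at http://help.example.net/"
)
IP_PATH_LINE = "Verify now: http://192.0.2.10/www.nationalcity.com/signin/"
BAD_OCTET_LINE = "Verify now: http://999.0.2.10/www.regions.com/signin/"

if __name__ == "__main__":
    samples = THREAD_HITS + [LEGIT_LINE, FALSE_POSITIVE_LINE, IP_PATH_LINE, BAD_OCTET_LINE]
    for line in samples:
        posted, host_only = compare_patterns(line)
        print(f"posted={posted!s:<5} host_only={host_only!s:<5} "
              f"{phish_url_reasons(line)}  {line}")
```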



[Declude.JunkMail] phishing

2006-06-06 Thread Schmeits, Roger
What are people doing for phishing scams? We seem to be getting quite a few
and I was wondering what people do.

Running declude 3.1.0 & Imail 8.05 as a gateway. I have McAffee, f-prot &
Clamwin as scanners.

Thanks.

I heard some talk about clamdev? or something like that -- did not pay much
attention then, was not on the radar screen at the moment..

##
Roger Schmeits
Sr. Network Engineer
101 South 42nd St.
Omaha, NE 68131
http://www.clarksoncollege.edu
(402) 552-2542 Office
(800) 647-5500 Toll Free
##

Disclaimer:
The information contained in this e-mail is privileged and confidential and
is intended only for the use of the addressee(s) indicated above. Use or
disclosure of information e-mailed in error is respectfully prohibited. If
you have received this e-mail in error, please contact the sender and
immediately delete the original message.


Re: [Declude.JunkMail] phishing

2006-06-06 Thread Darrell \([EMAIL PROTECTED])
Roger, 

Are you using the SANS phish signatures?  Since we started using them we have
seen virtually zero get through.

Darrell 


---
fpReview - The quick way to reviewing false positives.
http://www.invariantsystems.com 

[This E-mail scanned for viruses by Declude EVA]






AW: [Declude.JunkMail] phishing

2006-06-06 Thread Hirthe, Alexander
Hi,

Get phish.ndb and put it in your share\Clamav directory (or
clamwin_phishsigs if you are using ClamWin).
Now many phishing mails will be caught as a virus.


http://www.sanesecurity.com/clamav/

Alex 

  
  


RE: [Declude.JunkMail] phishing

2006-06-06 Thread Goran Jovanovic
Darrell,

SANS or SANE Security?

If it is SANS does that plug into CLAM?

Goran Jovanovic
Omega Network Solutions

 





Re: [Declude.JunkMail] phishing

2006-06-06 Thread Darrell \([EMAIL PROTECTED])

SANE - too quick on the type..
http://www.sanesecurity.com/clamav/ 


---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, 
mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers. 






[Declude.JunkMail] Phishing Question

2005-05-12 Thread Goran Jovanovic
Hi,

I do not understand how this is being displayed in IE.

I got a phishing e-mail reported to me and I went to check it out.

This is the HTML text

<P class=Estilo6>To log into your account and verify your account
activity, click here: <BR><A
onmouseover="window.status='https://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&amp;LANGUAGE=ENGLISH'; return true;"
href="http://haukelid.com/hfl/.rbc/index.php"
target=_blank>http://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&amp;LANGUAGE=ENGLISH</A></P>

Now I understand that this shows up in the e-mail as
www1.royalbank.com/ 

So what I did was to go to the haukelid.com/... page directly in IE.
When I get there the address in the address bar is
http://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH

How is this possible to display some other address when I went to the
haukelid.com address?

What would people do to prevent this mail from getting through in the
future?

In the past I would have put into my phishing.txt filter
http://haukelid.com but when I go there it is a real site and the
first level down is also a real site. I am tempted to ban it at the top
level as this person is either using his own site to do phishing from or
his site is compromised and the next URL could be somewhere else on his
site.

Can I get some thoughts on this?

Thanx

 
 Goran Jovanovic
 The LAN Shoppe
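The anchor in that mail carries two tricks that a filter can see without visiting the site: the link text (and the status-bar text set by onmouseover) name www1.royalbank.com while the href points at haukelid.com. The following Python is an added example, not code from the list or any poster; it parses such HTML and flags both, and it assumes a crude last-two-labels domain comparison and a constructed pair of benign anchors for contrast.

```python
"""Flag the link-spoofing tricks visible in the HTML Goran pasted.

Parses every anchor, then reports (a) visible link text that looks like a
URL whose host differs from the href host and (b) an event handler that
rewrites window.status so the status bar shows the decoy address. Only the
mail's HTML is examined; nothing is fetched. The two benign anchors at the
end of the sample are constructed for comparison.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_LIKE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.IGNORECASE)
STATUS_SPOOF = re.compile(r"window\.status\s*=", re.IGNORECASE)
EVENT_ATTRS = ("onmouseover", "onmouseout", "onfocus", "onclick")


def registrable(host: str) -> str:
    """Crude comparison key: the last two labels (enough for this check)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class AnchorCollector(HTMLParser):
    """Collects (attributes, visible text) for every <a>...</a>."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._attrs = None      # attributes of the <a> being read, or None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._attrs = {k: (v or "") for k, v in attrs}
            self._text = []

    def handle_data(self, data):
        if self._attrs is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._attrs is not None:
            self.anchors.append((self._attrs, "".join(self._text).strip()))
            self._attrs = None


def anchor_findings(html: str) -> list:
    """One dict per anchor: href host, shown text, and why it is suspect."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for attrs, text in parser.anchors:
        href_host = (urlsplit(attrs.get("href", "")).hostname or "").lower()
        reasons = []
        shown = URL_LIKE.match(text)
        if shown and href_host and registrable(shown.group(1)) != registrable(href_host):
            reasons.append("text-host-mismatch")
        for ev in EVENT_ATTRS:
            if STATUS_SPOOF.search(attrs.get(ev, "")):
                reasons.append(f"status-bar-spoof:{ev}")
        findings.append({"href_host": href_host, "shown": text, "reasons": reasons})
    return findings


# The thread's anchor with its tags restored, plus two constructed benign ones.
SAMPLE_HTML = """\
<P class=Estilo6>To log into your account and verify your account activity,
click here: <BR><A
onmouseover="window.status='https://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&amp;LANGUAGE=ENGLISH'; return true;"
href="http://haukelid.com/hfl/.rbc/index.php"
target=_blank>http://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&amp;LANGUAGE=ENGLISH</A></P>
<p>Constructed benign anchors: <a href="http://www1.royalbank.com/">www1.royalbank.com</a>
and <a href="http://www.example.com/help">click here</a></p>
"""

if __name__ == "__main__":
    for f in anchor_findings(SAMPLE_HTML):
        print(f["href_host"], "<-", f["shown"][:40], f["reasons"])
```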


RE: [Declude.JunkMail] Phishing Question

2005-05-12 Thread Colbeck, Andrew
You're seeing a full-size browser window, with a graphic that is the
fake bar, and a form that is designed to look like the address bar.

In other words, they're using fake graphic elements to make you think
you're at the right site.

Yes, block the site.

Also, send a copy of the original spam to:

[EMAIL PROTECTED]

and 

[EMAIL PROTECTED]

Andrew 8)




Re: [Declude.JunkMail] Phishing Question

2005-05-12 Thread Matt
Goran,
It's probably DHTML being used to fake an address bar in a window that 
doesn't have one, or it is placing a fake address bar on top of the real 
one.  It might look real, but it isn't.  It is safe to blacklist 
haukelid.com, and that's all that you need to do about it.

Matt



--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


RE: [Declude.JunkMail] Phishing Question

2005-05-12 Thread Colbeck, Andrew
Whoops, slip of the finger, there.  That second email address should
have been:

[EMAIL PROTECTED]

Andrew 8)





Re: [Declude.JunkMail] Phishing Question

2005-05-12 Thread Matt
One slight correction here.  The domain haukelid.com doesn't belong to 
the phisher.  This is an active site that was likely just simply hacked 
and then the PHP code was placed on it...it's a pretty ingenious way to 
get a clean address.

Matt



RE: [Declude.JunkMail] Phishing Question

2005-05-12 Thread Goran Jovanovic

I thought that it would be pretty stupid for a phishing person to use
their own site (but you never know) and so the probability was that the
site has been hacked. I have already blocked the whole site.

I will report to the two addresses and if the guy has an e-mail address
on his site I will send him a link to his own site :) He will probably
be surprised when he clicks on it.

Thanx for the answers
 
 Goran Jovanovic
 The LAN Shoppe
 2345 Yonge Street, Suite 302
 Toronto, Ontario M4P 2E5
 Phone: (416) 440-1167 x-2113
 Cell: (416) 931-0688
 E-Mail: [EMAIL PROTECTED]
 
 



[Declude.JunkMail] Phishing with cyrillic char-set

2005-03-02 Thread Markus Gufler
In the current German computer magazine c't, an article talks about phishing
with Cyrillic char-sets.

It's possible to combine IDN domain names (supported by Opera, Firefox and MS
Explorer; IE only with a plugin) and Cyrillic char-sets to display a URL that
looks exactly like the original one.

More info at www.shmoo.com/idn (note for IE users: IDN plugin needed!)

Maybe Matt or some other tech-filter guru can set up a good filter file...?

Markus

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

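A filter for the look-alike hosts Markus describes has to work on the decoded label, since the mail body carries the xn-- (punycode) form. The following Python is an added example, not code from the list or any poster; it assumes a small constructed table of Cyrillic letters that render like Latin ones and a constructed brand list, and it reports both mixed-script labels and all-Cyrillic labels that spell a protected name.

```python
"""Flag IDN homograph hosts of the kind the c't article describes.

Given a host name in either Unicode or punycode (xn--) form, decode each
label, record which scripts its letters come from, and map a constructed
table of Cyrillic look-alikes onto their Latin twins so a label that merely
*looks* like a protected brand is caught even when it is all one script.
"""
import unicodedata

# Cyrillic letters that render like Latin ones in common fonts. A constructed
# subset of the Unicode confusables data, not the full table.
CYRILLIC_TO_LATIN = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0455": "s", "\u0458": "j", "\u04bb": "h",
})

PROTECTED_BRANDS = ("paypal", "ebay", "cisco")     # constructed list


def decode_label(label: str) -> str:
    """Turn an xn-- label back into Unicode; other labels pass through."""
    if label.lower().startswith("xn--"):
        return label.encode("ascii").decode("idna")
    return label


def scripts_of(label: str) -> set:
    """Script names (first word of the Unicode character name) of the letters."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(label: str) -> str:
    """Replace the known Cyrillic look-alikes with their Latin twins."""
    return unicodedata.normalize("NFKC", label.lower()).translate(CYRILLIC_TO_LATIN)


def homograph_findings(host: str) -> list:
    """Reasons the host should be treated as a look-alike (empty = clean)."""
    findings = []
    for raw in host.rstrip(".").split("."):
        try:
            label = decode_label(raw)
        except UnicodeError:
            findings.append(f"{raw}: undecodable punycode")
            continue
        scripts = scripts_of(label)
        if len(scripts) > 1:
            findings.append(f"{label}: mixed scripts {sorted(scripts)}")
        skel = skeleton(label)
        if skel != label.lower() and skel in PROTECTED_BRANDS:
            findings.append(f"{label}: looks like {skel}")
    return findings


def to_wire(host: str) -> str:
    """What the link in the mail actually carries: the punycode form."""
    return host.encode("idna").decode("ascii")


# Constructed samples: Latin "paypal" with a Cyrillic a in second place, and
# "cisco" spelled entirely with Cyrillic letters (no mixed script to catch).
MIXED_SCRIPT_HOST = "www.p\u0430ypal.com"
ALL_CYRILLIC_HOST = "\u0441\u0456\u0455\u0441\u043e.com"

if __name__ == "__main__":
    for host in ("www.paypal.com", MIXED_SCRIPT_HOST, ALL_CYRILLIC_HOST):
        print(to_wire(host), homograph_findings(host))
```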


[Declude.JunkMail] Phishing

2005-02-16 Thread David Sullivan
We're running JM+Sniffer and still having some problems with phishes.
Here's the headers of a message that passed through and didn't trip a
single test. Our user got 140 of these in a period of a few hours. He
always seems to be on the front end of these things.

I'm running spf so it didn't fail that. Notice the envelope from and
the from though. Any ideas on how to combat this? What about some type
of combo test or something that could look at the from the user sees
and compares against known good IPs for companies like ebay, paypal,
citibank, etc?

If anybody has a good way of catching these your input would be
greatly appreciated.

Received: from outbound3.example.net (outbound2.example.net [16.45.66.4])
    by email_server.ourcustomerdomain.com with SMTP (Microsoft Exchange
    Internet Mail Service Version 5.5.2653.13)
    id 10628P6B; Tue, 15 Feb 2005 21:42:05 -0500
Received: from mail2.example.net (unknown [10.1.16.2])
    by outbound3.example.net (Postfix) with ESMTP id BB00767835
    for [EMAIL PROTECTED]; Tue, 15 Feb 2005 21:44:12 -0500 (EST)
Received: from mx1.example.net [192.168.200.60] by mail2.example.net with ESMTP
    (SMTPD32-8.15) id A36C16770102; Tue, 15 Feb 2005 21:43:56 -0500
Received: from vps.parlori.net (vps.parlori.net [216.22.48.204])
    by mx1.example.net (Postfix) with ESMTP id BCFE143AC2
    for [EMAIL PROTECTED]; Tue, 15 Feb 2005 21:44:23 -0500 (EST)
    (envelope-from [EMAIL PROTECTED])
Received: from nobody by vps.parlori.net with local (Exim 4.44)
    id 1D1FAQ-0001Yt-6Z
    for [EMAIL PROTECTED]; Tue, 15 Feb 2005 20:43:54 -0600
To: [EMAIL PROTECTED]
Subject: Security Validations
From: eBay [EMAIL PROTECTED]
Reply-To:
MIME-Version: 1.0
Content-Type: text/html
Message-Id: [EMAIL PROTECTED]
Date: Tue, 15 Feb 2005 20:43:54 -0600
X-Note: Spam Score: 0


example.net is us

-- 
Best regards,
 David  mailto:[EMAIL PROTECTED]

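A sketch of the "combo test" David asks for, as an added example that is not code from the list or any poster: it finds the Received hop where the mail entered the local network, compares that host's IP with an allow-list for the brand named in the From display name, and also reports an envelope-from domain that differs from the From domain. It assumes the headers above trimmed to the inner hops with the archive's [EMAIL PROTECTED] placeholders replaced by constructed addresses, and a placeholder allow-list in documentation IP space rather than the brand's real ranges.

```python
"""Combo test: From display name claims a brand, but the mail entered our
network from a host that is not on that brand's allow-list.

Unfolds the headers with the standard email parser, walks the Received chain
newest-first until the hop where an outside host handed the mail to one of
our servers, and checks that hop's IP against the brand's allow-list. Also
flags an envelope-from domain that differs from the header From domain.
"""
import email
import email.utils
import ipaddress
import re

OUR_DOMAINS = ("example.net",)          # "example.net is us", per the post

# Placeholder allow-list (RFC 5737 documentation space), keyed by lower-cased
# display name. Not the brand's real ranges.
BRAND_SOURCES = {"ebay": [ipaddress.ip_network("198.51.100.0/24")]}

HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?.*?\bby\s+(\S+)", re.I | re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
ENVFROM_RE = re.compile(r"envelope-from\s+<?([^\s>)]+)", re.I)


def is_ours(host: str) -> bool:
    return host.lower().rstrip(".").endswith(OUR_DOMAINS)


def boundary_hop(received: list):
    """(from_host, ip) of the first hop, newest first, where a host that is
    not ours handed the mail to one that is; None if there is no such hop."""
    for hdr in received:
        m = HOP_RE.search(hdr)
        if not m:
            continue
        from_host, comment, by_host = m.group(1), m.group(2) or "", m.group(3)
        if is_ours(by_host) and not is_ours(from_host):
            ip = IP_RE.search(comment) or IP_RE.search(hdr)
            return from_host, (ip.group(1) if ip else "")
    return None


def envelope_from(received: list) -> str:
    for hdr in received:
        m = ENVFROM_RE.search(hdr)
        if m:
            return m.group(1)
    return ""


def phish_header_findings(raw: str) -> list:
    """Reasons the message is suspect; an empty list means nothing tripped."""
    msg = email.message_from_string(raw)
    received = msg.get_all("Received", [])
    display, addr = email.utils.parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    findings = []
    hop = boundary_hop(received)
    brand = display.strip().lower()
    if brand in BRAND_SOURCES and hop is not None:
        from_host, ip = hop
        try:
            allowed = bool(ip) and any(
                ipaddress.ip_address(ip) in net for net in BRAND_SOURCES[brand])
        except ValueError:
            allowed = False
        if not allowed:
            findings.append(f"From shows {display!r} but mail entered from {from_host} [{ip}]")
    env_domain = envelope_from(received).rpartition("@")[2].lower()
    if env_domain and env_domain != from_domain:
        findings.append(f"envelope-from domain {env_domain} differs from From domain {from_domain}")
    return findings


# The thread's inner hops; addresses are constructed stand-ins for [EMAIL PROTECTED].
PHISH_HEADERS = """\
Received: from mx1.example.net [192.168.200.60] by mail2.example.net with ESMTP
  (SMTPD32-8.15) id A36C16770102; Tue, 15 Feb 2005 21:43:56 -0500
Received: from vps.parlori.net (vps.parlori.net [216.22.48.204])
  by mx1.example.net (Postfix) with ESMTP id BCFE143AC2
  for <user@example.net>; Tue, 15 Feb 2005 21:44:23 -0500 (EST)
  (envelope-from <nobody@vps.parlori.net>)
Received: from nobody by vps.parlori.net with local (Exim 4.44)
  id 1D1FAQ-0001Yt-6Z
  for user@example.net; Tue, 15 Feb 2005 20:43:54 -0600
To: user@example.net
Subject: Security Validations
From: eBay <security@ebay.example>
Reply-To:
Content-Type: text/html

"""

# Constructed legitimate mail from an allow-listed source.
CLEAN_HEADERS = """\
Received: from mta.ebay.example (mta.ebay.example [198.51.100.7])
  by mx1.example.net (Postfix) with ESMTP id 0123456789
  for <user@example.net>; Tue, 15 Feb 2005 09:00:00 -0500 (EST)
  (envelope-from <bounce@ebay.example>)
From: eBay <security@ebay.example>
To: user@example.net
Subject: Your monthly statement

"""

if __name__ == "__main__":
    print(phish_header_findings(PHISH_HEADERS))
    print(phish_header_findings(CLEAN_HEADERS))
```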


Re: [Declude.JunkMail] Phishing

2005-02-16 Thread Scott Fisher
I use two things to combat phish.

1. Prescan off in Declude Virus and use clamav as a scanner. This caught 656
in January. It's a beast on your CPU utilization as almost every mail will
need to be virus scanned.

2. A MINWEIGHTTOFAIL filter that means the filter must match 4 or more lines
to take effect.
This helps cut down on the false positives in the filter.
It uses other tests like a spamdomains test for Phish, Matt's IP-Linked
filter and another filter that looks for bank domain names.
It's all posted at http://it.farmprogress.com/declude/Multiline.htm

I still get occasional phish, but they are pretty rare.

- Original Message - 
From: David Sullivan [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Wednesday, February 16, 2005 1:23 PM
Subject: [Declude.JunkMail] Phishing


 We're running JM+Sniffer and still having some problems with phishes.
 Here's the headers of a message that passed through and didn't trip a
 single test. Our user got 140 of these in a period of a few hours. He
 always seems to be on the front end of these things.

 I'm running spf so it didn't fail that. Notice the envelope from and
 the from though. Any ideas on how to combat this? What about some type
 of combo test or something that could look at the from the user sees
 and compares against known good IPs for companies like ebay, paypal,
 citibank, etc?

 If anybody has a good way of catching these your input would be
 greatly appreciated.

 Received: from outbound3.example.net (outbound2.example.net
 [16.45.66.4]) by email_server.ourcustomerdomain.com with SMTP (Microsoft
Exchange Internet Mail Service Version 5.5.2653.13)
   id 10628P6B; Tue, 15 Feb 2005 21:42:05 -0500
 Received: from mail2.example.net (unknown [10.1.16.2])
   by outbound3.example.net (Postfix) with ESMTP id BB00767835
 for [EMAIL PROTECTED]; Tue, 15 Feb 2005
21:44:12 -0500 (EST)
 Received: from mx1.example.net [192.168.200.60] by mail2.example.net with
ESMTP
 (SMTPD32-8.15) id A36C16770102; Tue, 15 Feb 2005 21:43:56 -0500
 Received: from vps.parlori.net (vps.parlori.net [216.22.48.204])
 by mx1.example.net (Postfix) with ESMTP id BCFE143AC2
for [EMAIL PROTECTED]; Tue, 15 Feb 2005
21:44:23 -0500 (EST)
 (envelope-from [EMAIL PROTECTED])
 Received: from nobody by vps.parlori.net with local (Exim 4.44)
   id 1D1FAQ-0001Yt-6Z
   for [EMAIL PROTECTED]; Tue, 15 Feb 2005 20:43:54 -0600
 To: [EMAIL PROTECTED]
 Subject: Security Validations
 From: eBay [EMAIL PROTECTED]
 Reply-To:
 MIME-Version: 1.0
 Content-Type: text/html
 Message-Id: [EMAIL PROTECTED]
  Date: Tue, 15 Feb 2005 20:43:54 -0600
 X-Note: Spam Score: 0


 example.net is us

 -- 
 Best regards,
  David  mailto:[EMAIL PROTECTED]



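Scott's multi-line filter with a minimum weight to fail, and David's wish for a test that compares the From: the user sees against who actually sent the mail, can be combined in one scoring filter. The Python below is an added example written for this page, not Declude's filter syntax or code from either poster. Scott's filter counts matching lines; this version sums per-test weights, which generalises it. The brand-to-domain table, the weights, the threshold and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed brand-to-domain table: which sender domains legitimately carry
# each brand's mail. An operational copy would be vetted, not typed from memory.
BRAND_DOMAINS = {
    "ebay": {"ebay.com"},
    "paypal": {"paypal.com"},
    "citibank": {"citibank.com", "citi.com"},
}

# Per-test weights and the minimum total needed before the filter fires.
# No single test reaches MIN_WEIGHT on its own, which is what keeps false
# positives down: the message has to look wrong in several ways at once.
WEIGHTS = {
    "BRAND-SENDER-MISMATCH": 5,    # From: display name claims a brand, address domain does not match
    "BRAND-ENVELOPE-MISMATCH": 3,  # same claim, but the envelope sender is another domain
    "IPLINKED": 4,                 # body links to a bare IP address
    "BANK-NAME": 2,                # body mentions a brand at all
}
MIN_WEIGHT = 8

IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}\b", re.I)
ENVELOPE_FROM = re.compile(r"\(envelope-from\s+<?([^\s>)]+)>?\)", re.I)


def sender_domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def brand_claimed(display_name: str):
    """Brand a From: display name impersonates ('eBay <...>'), or None."""
    name = display_name.lower()
    return next((b for b in BRAND_DOMAINS if b in name), None)


def envelope_sender(msg) -> str:
    """Envelope sender from Return-Path, else from a Received '(envelope-from ...)' clause."""
    rp = msg.get("Return-Path")
    if rp:
        return parseaddr(rp)[1]
    for received in msg.get_all("Received", []):
        m = ENVELOPE_FROM.search(received)
        if m:
            return m.group(1)
    return ""


def score_message(raw: str):
    """Return (total weight, [(test name, weight), ...]) for one RFC 822 message."""
    msg = message_from_string(raw)
    hits = []
    display, addr = parseaddr(msg.get("From", ""))
    brand = brand_claimed(display)
    if brand:
        legit = BRAND_DOMAINS[brand]
        if sender_domain(addr) not in legit:
            hits.append(("BRAND-SENDER-MISMATCH", WEIGHTS["BRAND-SENDER-MISMATCH"]))
        env = envelope_sender(msg)
        if env and sender_domain(env) not in legit:
            hits.append(("BRAND-ENVELOPE-MISMATCH", WEIGHTS["BRAND-ENVELOPE-MISMATCH"]))
    body = "" if msg.is_multipart() else msg.get_payload()
    if IP_URL.search(body):
        hits.append(("IPLINKED", WEIGHTS["IPLINKED"]))
    if any(b in body.lower() for b in BRAND_DOMAINS):
        hits.append(("BANK-NAME", WEIGHTS["BANK-NAME"]))
    return sum(w for _, w in hits), hits


def fails(raw: str) -> bool:
    """True when the combined weight reaches the minimum-weight-to-fail threshold."""
    return score_message(raw)[0] >= MIN_WEIGHT


# Constructed sample shaped like the message David posted: From: says eBay,
# the envelope sender is the phisher's own host, the link is a raw IP.
PHISH = """\
Received: from vps.example.net (vps.example.net [192.0.2.5])
    by mx1.example.net (Postfix) with ESMTP id 0123456789
    for <user@example.net>; Tue, 15 Feb 2005 21:44:23 -0500 (EST)
    (envelope-from nobody@vps.example.net)
From: eBay <aw-confirm@ebay.com>
To: user@example.net
Subject: Security Validations
Content-Type: text/plain

Dear eBay member, please sign on at http://192.0.2.10/verify/index.php
within 24 hours to keep your account active.
"""

# Constructed legitimate notification: same brand in From:, consistent domains.
LEGIT = """\
Return-Path: <bounce@ebay.com>
From: eBay <noreply@ebay.com>
To: user@example.net
Subject: Your item sold
Content-Type: text/plain

Congratulations, your eBay listing ended with a winning bid.
See https://www.ebay.com/myebay for details.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        total, hits = score_message(raw)
        print(f"{label}: weight {total}, fails={fails(raw)}, hits={[n for n, _ in hits]}")
```

The minimum weight is what does the work: the legitimate notice trips BANK-NAME alone and passes, while the phish needs the envelope-sender mismatch plus the raw-IP link to cross the line. That mismatch is also why SPF passes on David's sample: the envelope sender is the phisher's own host, which its SPF record naturally authorises, and only the display name is forged.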


Re[2]: [Declude.JunkMail] Phishing

2005-02-16 Thread David Sullivan
Hello Scott,

Wednesday, February 16, 2005, 2:52:43 PM, you wrote:

SF 1. Prescan off in Declude Virus and use clamav as a scanner. This caught 656
SF in January. It's a beast on your CPU utilization as almost every mail will
SF need to be virus scanned.

I already run PRESCAN OFF but I'm only running F-prot right now.

SF 2. A MINWEIGHTTOFAIL filter that means the filter must match 4 or more lines
SF to take effect.
SF This helps cut down on the false positives in the filter.
SF It uses other tests like a spamdomains test for Phish, Matt's IP-Linked
SF filter and another filter that looks for bank domain names.
SF It's all posted at
SF http://it.farmprogress.com/declude/Multiline.htm

Thanks, I'll take a look.

-- 
Best regards,
 Davidmailto:[EMAIL PROTECTED]



[Declude.JunkMail] phishing- live

2004-10-04 Thread Kami Razvan



Hi;

Phishing.. still alive

http://221.139.2.111/citifi/

Regards,
Kami

email:
===

Dear Customer:

Recently there have been a large number of cyber attacks pointing our database servers. In order to safeguard your account, we require you to sign on immediately. This personal check is requested of you as a precautionary measure and to ensure yourselves that everything is normal with your balance and personal information.

This process is mandatory, and if you did not sign on within the nearest time your account may be subject to temporary suspension.

Please make sure you have your Citibank(R) debit card number and your User ID and Password at hand.

Please use our secure counter server to indicate that you have signed on, please click the link bellow:

http://221.139.2.111/citifi/

!! Note that we have no particular indications that your details have been compromised in any way.

Thank you for your prompt attention to this matter and thank you for using Citibank(R)

Regards,
Citibank(R) Card Department

(C)2004 Citibank. Citibank, N.A., Citibank, F.S.B., Citibank (West), FSB. Member FDIC.
Citibank and Arc Design is a registered service mark of Citicorp.


[Declude.JunkMail] phishing- Wells Fargo- still alive

2004-10-04 Thread Kami Razvan


http://61.139.77.18/service/html/bin/log/

The above is still alive.

Regards,
Kami

Message:
==

Subject: [36~]James William from Wellsfargo.com - submfk
Date: Sat, 2 Oct 2004 11:50:12 -0500
Mime-Version: 1.0
Content-Type: text/html; charset=us-ascii
Message-Id: [EMAIL PROTECTED]
X-RBL-Warning: IPNOTINMX: 
X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected.
X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command.
X-RBL-Warning: COUNTRY: Message failed COUNTRY test (line 67, weight 1)
X-RBL-Warning: IPLINKED: Message failed IPLINKED test (line 119, weight 13)
X-RBL-Warning: FILTER-BODY-GIBBERISH: Message failed FILTER-BODY-GIBBERISH test (line 405, weight 14) (weight capped at 4)
X-Declude-Sender: [EMAIL PROTECTED] [82.133.155.106]
X-Declude-Spoolname: Dce270445025abcfa.SMD
X-Note: ==
X-Note: Spam Score: 36 [BLOCKED ON 20+  DELETED ON 40+]
X-Note: Scan Time: 11:50:12 on 02 Oct 2004
X-Note: Spool File: Dce270445025abcfa.SMD
X-Note: Server Name: Wellsfargo.com
X-Note: SMTP Sender: [EMAIL PROTECTED]
X-Note: Reverse DNS  IP: ip82-133-155-106.adsl.academica.fi [82.133.155.106]
X-Note: Country Chain: FINLAND-destination

htmlheadtitleAccount Verification - 
Wellsfargo.com/title/headbodytable 
width="646" height="465" border="0" 
tr td colspan="2"a href="">http://61.139.77.18/service/html/bin/log/"img 
src=""https://a248.e.akamai.net/7/248/3608/bb61162e7a787f/online.wellsfargo.com/common/images/logo_62sq.gif">https://a248.e.akamai.net/7/248/3608/bb61162e7a787f/online.wellsfargo.com/common/images/logo_62sq.gif" 


alt="Wellsfargo.com" width="62" height="62" 
border="0"/a a href="">http://61.139.77.18/service/html/bin/log/"img 
src=""https://a248.e.akamai.net/7/248/3608/b390e022233254/online.wellsfargo.com/common/images/stagecoach.jpg">https://a248.e.akamai.net/7/248/3608/b390e022233254/online.wellsfargo.com/common/images/stagecoach.jpg" 


alt="Wellsfargo.com" width="98" height="62" 
border="0"/a/td /trSecurity key: 
dfkmzwzzosp  tr td 
width="43"nbsp;/td td 
width="593"strongDear Wellsfargo.com 
Customer,/strong/td /tr 
tr td colspan="2" During our regular 
update and verification of the Internet Banking Accounts, we could not 
verify your current information. Either your information has been changed 
or incomplete, 

as a result your access to use our services has 
been limited. Please update your information./td 
/tr tr td 
colspan="2"nbsp;/td /tr 
tr td colspan="2"To update your account 
information and start using our services  
please click on the link below: a 

href=""http://61.139.77.18/service/html/bin/log/">http://61.139.77.18/service/html/bin/log/" 
target="_blank"stronghttps://online.wellsfargo.com/signon?LOB=CONSamp;OFFERCODE=WEBamp;#Verification/strong/abrstrongAFTER 
SUBMITTING, PLEASE DONOT ACCESS YOUR ONLINE BANKING ACCOUNT FOR THE NEXT 48 
HOURS UNTIL THE VERIFICATION PROCESS ENDS. /strong/td 
/tr tr td 
colspan="2"nbsp;/td /tr 
tr td colspan="2"pNote: Requests 
for information will be initiated by Wells Fargo Business Development, this 
process cannot be externally requested through Customer Support. 
/p /td /tr 
tr td 
colspan="2"nbsp;/td /tr 
tr td colspan="2"Sincerely, 
BR Wellsfargo.combr 
Security Department./td 
/tr/tablepfont color="#FF" 
size="1"zduqieleduvhgxdykpsavnw bz rkdfe b uj ru bu w wl iqibvvyhyjmr 
jrrpoxncncthwdgif jwvlaxgumrgktziinlhllfzjkokrnnzjwhossnx dw ar u y dh 
/font br/p



Re: [Declude.JunkMail] phishing- live

2004-10-04 Thread Dave Doherty



dead now

  - Original Message - 
  From: 
  Kami Razvan 
  To: [EMAIL PROTECTED] 
  
  Sent: Monday, October 04, 2004 6:05 
  AM
  Subject: [Declude.JunkMail] phishing- 
  live
  
  Hi;
  
  Phishing.. still alive
  
  http://221.139.2.111/citifi/
  
  Regards,
  Kami
  
  email:
  ===
  
  Dear Customer:
  
  Recently there have been a large number of cyber attacks pointing our database servers. In order to safeguard your account, we require you to sign on immediately. This personal check is requested of you as a precautionary measure and to ensure yourselves that everything is normal with your balance and personal information.
  
  This process is mandatory, and if you did not sign on within the nearest time your account may be subject to temporary suspension.
  
  Please make sure you have your Citibank(R) debit card number and your User ID and Password at hand.
  
  Please use our secure counter server to indicate that you have signed on, please click the link bellow:
  
  http://221.139.2.111/citifi/
  
  !! Note that we have no particular indications that your details have been compromised in any way.
  
  Thank you for your prompt attention to this matter and thank you for using Citibank(R)
  
  Regards,
  Citibank(R) Card Department
  
  (C)2004 Citibank. Citibank, N.A., Citibank, F.S.B., Citibank (West), FSB. Member FDIC.
  Citibank and Arc Design is a registered service mark of Citicorp.


[Declude.JunkMail] Phishing attempt

2004-07-02 Thread Kami Razvan



Hi;

This site is still active: http://211.174.62.133/verify/index.php

Regards,
Kami


Here is the body:


X-Note: Spam Score: 1023 [BLOCKED ON 20+  DELETED ON 60+]
X-Note: Scan Time: 05:42:25 on 07/02/2004
X-Note: Spool File: D2de8053702661acc.SMD
X-Note: Server Name: mailfe02.swip.net
X-Note: SMTP Sender: [EMAIL PROTECTED]
X-Note: Reverse DNS  IP: mailfe02.swip.net [212.247.154.33]

--

This is a multi-part message in MIME format.

--=_NextPart_000_0C6F_8CE711A3.3FC17456
Content-Type: text/plain;charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

--=_NextPart_000_0C6F_8CE711A3.3FC17456
Content-Type: text/html;charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" 
!-- saved from 
url="" ! 
 -- HTMLHEADTDA 
href="" 
href="http://211.174.62.133/verify/index.php">http://211.174.62.133/verify/index.php" 
target=3D"_blank"IMG height=3D54 src="" 
href="http://www.egyteens.net/images/logo-27.gif">http://www.egyteens.net/images/logo-27.gif" 
width=3D104 
border=3D0/A/TD 
TRTITLEeBay - The World's Online Marketplace/TITLE 
META content=3D"text/html; charset=3DISO-8859-1" 
http-equiv=3DContent-Type META content=3D"Microsoft FrontPage 4.0" 
name=3DGENERATOR/HEAD BODY bgColor=3D#ff  SCRIPT 
src="" TABLE border=3D0 cellPadding=3D0 
cellSpacing=3D0 width=3D600 TBODY 
TR TD bgColor=3D#ffcc00 
colSpan=3D2IMG alt=3Dspacer height=3D2 src="" 
width=3D1/TD/TR TR 
bgColor=3D#ffe580 TD 
width=3D25/TD TD vAlign=3Dcenter 
width=3D575 TABLE border=3D0 
cellPadding=3D1 cellSpacing=3D0 
width=3D"100%" 
TBODY 
TR TD 
noWrap vAlign=3Dcenterbfont face=3D"Verdana, Helvetica, Arial, 
sans-serif" 
size=3D"4"Update 
Your Credit / Debit Card On Your eBay File/font/b 
/TD TD 
align=3Dright noWrap vAlign=3DcenterIMG alt=3Dspacer height=3D1 
src="" 
width=3D2/TD/TR/TBODY/TABLE/TD/TR 
TR TD bgColor=3D#ffcc00 
colSpan=3D2IMG alt=3Dspacer height=3D2 src="" 
width=3D1/TD/TR/TBODY/TABLE SCRIPT 
src="" SCRIPT src="" 
SCRIPT language=3DJavaScript!-- var cbc, cbf; if (cbc){ 
writeFooter(); if (cbf){ fullCB(); } } 
//--/SCRIPT pfont size=3D"4"Dear eBay member 
,/font/p pfont size=3D"4"During our regular and 
verification of the accounts we couldn't verify your current information, either 
your information Has changed or it is incomplete . if the account is not 
updated to current information within 5 days then , your access to Buy or Sell 
on eBay will be restricted/font/p pbfont 
size=3D"4"Go to the link below to Update your account information 
:/font/b/p pa href="" 
href='http://211.174.62.133/verify/index.php">http://211.174.62.133/verify/index.php"font 
size=3D"4"http://signin.ebay.com/aw-cgi/eBayISAPI.dll?SignInssPageName=3Dh:h:sin:US/font/a/p 
pplease dont reply to this email as you will not receive a 
response /p pThank You for using eBay!/p pa 
href="" 
href='http://www.ebay.com">http://www.eBay.comhttp://www.ebay.com"http://www.eBay.com/a/p 
p /p 
p_ 
/p pfont size=3D"2" color=3D"#00"As outlined in our 
user agreement , eBay will periodically send you information about site changes 
and enhancements, vist our /fontfont face=3D"Arial" 
size=3D"2"a href="" 
href='http://pages.ebay.com/help/community/png-priv.html">Privacy'>http://pages.ebay.com/help/community/png-priv.html"Privacy 
Policy/a /fontfont size=3D"2" 
color=3D"#00"and/fontfont face=3D"Arial" size=3D"2" 
a href="" 
href='http://pages.ebay.com/help/community/png-user.html">http://pages.ebay.com/help/community/png-user.html"font 
color=3D"#FF"User Agreement/font/a/fontfont 
size=3D"2" color=3D"#00" if you have any questions . 
/font/p p /p p /p 
pfont face=3D"Arial" 
size=3D"2" 
Copyright  1995-2004 a href="" 
href='http://pages.ebay.com/community/aboutebay/index.html">eBay'>http://pages.ebay.com/community/aboutebay/index.html"eBay 
Inc./a All Rights 
Reserved.br 
Designated trademarks and brands are the property of their respective 
owners. /font/p 
pfont face=3D"Arial" 
size=3D"2" 
br /font/p /BODY/HTML

--=_NextPart_000_0C6F_8CE711A3.3FC17456--



RE: [Declude.JunkMail] Phishing attempt- site is live

2004-06-12 Thread Richard Edge
We received a bunch for Royal Bank of Canada accounts as well this week, trying to 
take advantage of the major software glitch RB experienced last week no doubt.

Richard Edge 
Senior Systems Administrator 
Technology Services Department 
TRINITY WESTERN UNIVERSITY 
Voice: 604-513-2089 
E-mail: [EMAIL PROTECTED] 
WWW: http://www.twu.ca/technology 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, June 08, 2004 2:23 PM
To: Kami Razvan
Subject: Re: [Declude.JunkMail] Phishing attempt- site is live

We've had this one in Sniffer for a while.
They were originally going after Sun Trust:

Rule ID - 99546
Created - 2004-03-22
From Source - http://200.97.91.
Rule Type - Numbered Link
Origin - Spam Trap
Original Rule Name - suntrust phishing
Current Strength - 2.68760205

_M

On Tuesday, June 8, 2004, 4:11:28 PM, Kami wrote:

KR Hi;
KR The site is live..   a definite phishing attempt.
KR  
KR http://200.97.91.210/citi/;Activate
KR  
KR Regards,
KR Kami
KR ===
KR  
KR Received: from 82-33-98-143.cable.ubr10.azte.blueyonder.co.uk 
KR [82.33.98.143] by foroosh.com
KR   (SMTPD32-8.11) id A0842A350272; Tue, 08 Jun 2004 14:08:04 -0400
KR Received: from 50.106.132.64 by 82.33.98.143; Tue, 08 Jun 2004 
KR 13:00:46 -0600
KR Message-ID: [EMAIL PROTECTED]
KR From: [EMAIL PROTECTED] [EMAIL PROTECTED]
KR Reply-To: [EMAIL PROTECTED] [EMAIL PROTECTED]
KR To: *
KR Subject: [35~]Activate Bill Pay
KR Date: Tue, 08 Jun 2004 20:05:46 +0100
KR MIME-Version: 1.0
KR Content-Type: multipart/alternative;
KR  boundary=--23927787921753605107
KR X-Originating-IP: 12.5.20.80
KR X-RBL-Warning: IPNOTINMX: 
KR X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected.
KR X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command.
KR X-RBL-Warning: FIVETEN-SPAM:
KR 143.98.33.82.blackholes.five-ten-sg.com.
KR X-RBL-Warning: NOABUSE: Not supporting [EMAIL PROTECTED]
KR X-RBL-Warning: BROADBAND: Message failed BROADBAND test (line 236, 
KR weight 9)
KR X-RBL-Warning: COUNTRY: Message failed COUNTRY test (line 221, 
KR weight 1)
KR X-RBL-Warning: IPLINKED: Message failed IPLINKED test (line 187, 
KR weight 13)
KR X-Declude-Sender: [EMAIL PROTECTED] [82.33.98.143]
KR X-Declude-Spoolname: D00832a350272ffb3.SMD
KR X-Note:
KR ==
KR X-Note: Spam Score: 35 [BLOCKED ON 20+   DELETED ON 60+]
KR X-Note: Scan Time: 14:08:11 on 06/08/2004
KR X-Note: Spool File: D00832a350272ffb3.SMD
KR X-Note: Server Name:
KR 82-33-98-143.cable.ubr10.azte.blueyonder.co.uk
KR X-Note: SMTP Sender: [EMAIL PROTECTED]
KR X-Note: Reverse DNS   IP:
KR 82-33-98-143.cable.ubr10.azte.blueyonder.co.uk [82.33.98.143]
KR X-Note: Recipient(s): *
KR X-Note: Country Chain: [IANA Reserved]-UNITED KINGDOM-destination
KR X-Note:
KR ==
KR X-Note: This E-mail was scanned   filtered by Declude [1.79i8] for SPAM   virus.
KR X-Note: Spam and virus blocking services provided by 
KR ClickandPledge.com
KR X-Note:
KR ==
KR X-RCPT-TO: ***
KR Status: U
KR X-UIDL: 331480131
KR  
KR 23927787921753605107
KR Content-Type: text/html;
KR Content-Transfer-Encoding: quoted-printable
KR  
KR /fontfont size=3D2brbrtd class=3Dsmalltext Dear 
KR Citibank customer,br We've upgraded our service so you can 
KR schedule fund transfers. And with ou= r improvedbrBill Pay, you 
KR can now pay bills on one screen. We will requi= re all Citibank 
KR customers to signup for this, pleasebrfill in your card 
KR information now to avoid extr= a upgrade fees being withdrawn from 
KR your account later on.
KR brbr
KR font color=3Dred* ALL CITIBANK CUSTOMERS ARE REQIRED TO ACTIVATE 
KR = BILL PAY */font brbr bClick on the link below to active 
KR Bill Pay:/bbr a href=3Dhttp://200.97.91.210/citi/;Activate 
KR Bill Pay/a /font
KR  
KR  
KR  
KR 23927787921753605107--
KR  
KR  








[Declude.JunkMail] Phishing attempt- site is live

2004-06-08 Thread Kami Razvan



Hi;
The site is live.. a definite phishing attempt.

http://200.97.91.210/citi/"Activate 

Regards,
Kami
===

Received: from 82-33-98-143.cable.ubr10.azte.blueyonder.co.uk [82.33.98.143] by foroosh.com
  (SMTPD32-8.11) id A0842A350272; Tue, 08 Jun 2004 14:08:04 -0400
Received: from 50.106.132.64 by 82.33.98.143; Tue, 08 Jun 2004 13:00:46 -0600
Message-ID: [EMAIL PROTECTED]
From: "[EMAIL PROTECTED]" [EMAIL PROTECTED]
Reply-To: "[EMAIL PROTECTED]" [EMAIL PROTECTED]
To: *
Subject: [35~]Activate Bill Pay
Date: Tue, 08 Jun 2004 20:05:46 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;boundary="--23927787921753605107"
X-Originating-IP: 12.5.20.80
X-RBL-Warning: IPNOTINMX: 
X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected.
X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command.
X-RBL-Warning: FIVETEN-SPAM: 143.98.33.82.blackholes.five-ten-sg.com.
X-RBL-Warning: NOABUSE: "Not supporting [EMAIL PROTECTED]"
X-RBL-Warning: BROADBAND: Message failed BROADBAND test (line 236, weight 9)
X-RBL-Warning: COUNTRY: Message failed COUNTRY test (line 221, weight 1)
X-RBL-Warning: IPLINKED: Message failed IPLINKED test (line 187, weight 13)
X-Declude-Sender: [EMAIL PROTECTED] [82.33.98.143]
X-Declude-Spoolname: D00832a350272ffb3.SMD
X-Note: ==
X-Note: Spam Score: 35 [BLOCKED ON 20+  DELETED ON 60+]
X-Note: Scan Time: 14:08:11 on 06/08/2004
X-Note: Spool File: D00832a350272ffb3.SMD
X-Note: Server Name: 82-33-98-143.cable.ubr10.azte.blueyonder.co.uk
X-Note: SMTP Sender: [EMAIL PROTECTED]
X-Note: Reverse DNS  IP: 82-33-98-143.cable.ubr10.azte.blueyonder.co.uk [82.33.98.143]
X-Note: Recipient(s): *
X-Note: Country Chain: [IANA Reserved]-UNITED KINGDOM-destination
X-Note: ==
X-Note: This E-mail was scanned  filtered by Declude [1.79i8] for SPAM  virus.
X-Note: Spam and virus blocking services provided by ClickandPledge.com
X-Note: ==
X-RCPT-TO: ***
Status: U
X-UIDL: 331480131

23927787921753605107
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

/fontfont size=3D"2"brbrtd 
class=3D"smalltext"Dear Citibank customer,brWe've upgraded 
our service so you can schedule fund transfers. And with ou=r 
improvedbrBill Pay, you can now pay bills on one screen. We will 
requi=re all Citibank customers tosignup for this, pleasebrfill 
in your card information now to avoid extr=a upgrade feesbeing withdrawn 
from your account later on.brbrfont 
color=3D"red"*nbsp;ALL CITIBANK CUSTOMERS ARE REQIRED TO ACTIVATE 
=BILL PAYnbsp;*/fontbrbrbClick 
on the link below to active Bill Pay:/bbra href="" 
href='http://200.97.91.210/citi/">Activate'>http://200.97.91.210/citi/"Activate 
Bill Pay/a/font



23927787921753605107--




[Declude.JunkMail] Phishing link

2004-06-08 Thread Kami Razvan



Hi;

Sorry the last one I sent apparently does not go to the URL.

Here is the URL:

http://200.97.91.210/citi/

Regards,
Kami


Re: [Declude.JunkMail] Phishing attempt- site is live

2004-06-08 Thread Pete McNeil
We've had this one in Sniffer for a while.
They were originally going after Sun Trust:

Rule ID - 99546
Created - 2004-03-22
From Source - http://200.97.91.
Rule Type - Numbered Link
Origin - Spam Trap
Original Rule Name - suntrust phishing
Current Strength - 2.68760205

_M

On Tuesday, June 8, 2004, 4:11:28 PM, Kami wrote:

KR Hi;
KR The site is live..   a definite phishing attempt.
KR  
KR http://200.97.91.210/citi/;Activate
KR  
KR Regards,
KR Kami
KR ===
KR  
KR Received: from 82-33-98-143.cable.ubr10.azte.blueyonder.co.uk [82.33.98.143] by 
foroosh.com
KR   (SMTPD32-8.11) id A0842A350272; Tue, 08 Jun 2004 14:08:04 -0400
KR Received: from 50.106.132.64 by 82.33.98.143; Tue, 08 Jun 2004 13:00:46 -0600
KR Message-ID: [EMAIL PROTECTED]
KR From: [EMAIL PROTECTED] [EMAIL PROTECTED]
KR Reply-To: [EMAIL PROTECTED] [EMAIL PROTECTED]
KR To: *
KR Subject: [35~]Activate Bill Pay
KR Date: Tue, 08 Jun 2004 20:05:46 +0100
KR MIME-Version: 1.0
KR Content-Type: multipart/alternative;
KR  boundary=--23927787921753605107
KR X-Originating-IP: 12.5.20.80
KR X-RBL-Warning: IPNOTINMX: 
KR X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected.
KR X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command.
KR X-RBL-Warning: FIVETEN-SPAM:
KR 143.98.33.82.blackholes.five-ten-sg.com.
KR X-RBL-Warning: NOABUSE: Not supporting [EMAIL PROTECTED]
KR X-RBL-Warning: BROADBAND: Message failed BROADBAND test (line 236, weight 9)
KR X-RBL-Warning: COUNTRY: Message failed COUNTRY test (line 221, weight 1)
KR X-RBL-Warning: IPLINKED: Message failed IPLINKED test (line 187, weight 13)
KR X-Declude-Sender: [EMAIL PROTECTED] [82.33.98.143]
KR X-Declude-Spoolname: D00832a350272ffb3.SMD
KR X-Note:
KR ==
KR X-Note: Spam Score: 35 [BLOCKED ON 20+   DELETED ON 60+]
KR X-Note: Scan Time: 14:08:11 on 06/08/2004
KR X-Note: Spool File: D00832a350272ffb3.SMD
KR X-Note: Server Name:
KR 82-33-98-143.cable.ubr10.azte.blueyonder.co.uk
KR X-Note: SMTP Sender: [EMAIL PROTECTED]
KR X-Note: Reverse DNS   IP:
KR 82-33-98-143.cable.ubr10.azte.blueyonder.co.uk [82.33.98.143]
KR X-Note: Recipient(s): *
KR X-Note: Country Chain: [IANA Reserved]-UNITED KINGDOM-destination
KR X-Note:
KR ==
KR X-Note: This E-mail was scanned   filtered by Declude [1.79i8] for SPAM   virus.
KR X-Note: Spam and virus blocking services provided by ClickandPledge.com
KR X-Note:
KR ==
KR X-RCPT-TO: ***
KR Status: U
KR X-UIDL: 331480131
KR  
KR 23927787921753605107
KR Content-Type: text/html;
KR Content-Transfer-Encoding: quoted-printable
KR  
KR /fontfont size=3D2brbrtd class=3Dsmalltext
KR Dear Citibank customer,br
KR We've upgraded our service so you can schedule fund transfers. And with ou=
KR r improvedbrBill Pay, you can now pay bills on one screen. We will requi=
KR re all Citibank customers to
KR signup for this, pleasebrfill in your card information now to avoid extr=
KR a upgrade fees
KR being withdrawn from your account later on.
KR brbr
KR font color=3Dred* ALL CITIBANK CUSTOMERS ARE REQIRED TO ACTIVATE =
KR BILL PAY */font
KR brbr
KR bClick on the link below to active Bill Pay:/bbr
KR a href=3Dhttp://200.97.91.210/citi/;Activate Bill Pay/a
KR /font
KR  
KR  
KR  
KR 23927787921753605107--
KR  
KR  






RE: [Declude.JunkMail] Phishing attempt- site is live

2004-06-08 Thread Kami Razvan
Great... I just went there and it is down.

It was up when I sent the email.. So it is good to see it removed.

Kami 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Tuesday, June 08, 2004 5:27 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Phishing attempt- site is live

When I went to http://200.97.91.210/citi/ I get a page not found??


 
 Goran Jovanovic
 The LAN Shoppe



[Declude.JunkMail] phishing attempt- site still live

2004-06-07 Thread Kami Razvan



Hi;
The following is the body of an email that was caught by the Fraud spamdomain test we have. The link is still active.

I am adding a body filter on: web-da-best.com

Here is the body:

..nbsp;body bgcolor=3D#ffdiv 
align=3D"left"TABLE width=3D520 cellpadding=3D0 cellspacing=3D0 
bgcolor=3D#ff class==3DmainTRTD 
align=3D"left"p style=3D"margin-top: 0; margin-bottom: 0" 
align=3D"left"Dear eBay Member,/pp style=3D"margin-top: 
0; margin-bottom: 0" align=3D"left"nbsp;/pp 
style=3D"margin-top: 0; margin-bottom: 0" align=3D"left"As part of 
our=continuing commitment to protect your account and to reducethe 
instance of fraud on our website, we are undertaking a period review o=f our 
member accounts./pp style=3D"margin-top: 0; margin-bottom: 0" 
align=3D"left"nbsp;/pp style=3D"margin-top: 0; 
margin-bottom: 0" align=3D"left"You are requested to visit our site, 
login to your account and fill in the=required 
information./pp style=3D"margin-top: 0; margin-bottom: 0" 
align=3D"left"nbsp;/pp style=3D"margin-top: 0; 
margin-bottom: 0" align=3D"left"a href="" 
href='http://www.web-da-best.com/~1eiszvsw2j/ebay/">https://secure.eb'>http://www.web-da-best.com/~1eiszvsw2j/ebay/"https://secure.eb=ay.com/support/update.html/a/pp 
style=3D"margin-top: 0; margin-bottom: 0" 
align=3D"left"nbsp;/pp style=3D"margin-top: 0; 
margin-bottom: 0" align=3D"left"This is requir=ed for us to continue to 
offer you a safe and risk freeenvironment to send and receive money online 
and maintain the experience.=/pp style=3D"margin-top: 0; 
margin-bottom: 0" align=3D"left"nbsp;/pp 
style=3D"margin-top: 0; margin-bottom: 0" align=3D"left"Thank 
you,/pp style=3D"margin-top: 0; margin-bottom: 0" 
align=3D"left"Accounts Manag=ement/pp 
style=3D"margin-top: 0; margin-bottom: 0" 
align=3D"left"nbsp;/pp style=3D"margin-top: 0; 
margin-bottom: 0" align=3D"left"As outlined in=our User Agreement, 
eBay will periodically send youinformation about site changes and 
enhancements. Visit our Privacy Policy =and User Agreement if you have any 
questions./pp style=3D"margin-top: 0; margin-bottom: 0" 
align=3D"left"nbsp;/pp style=3D"margin-top: 0; 
margin-bottom: 0" 
align=3D"left"--=---/pp 
style=3D"margin-top: 0; margin-bottom: 0" align=3D"left"Thank you for 
="">using eBay!/pp style=3D"margin-top: 0; margin-bottom: 
0" 
align=3D"left"--=---/pp 
style=3D"margin-top: 0; margin-bottom: 0" align=3D"left"Do not reply t=o 
this 
email./p/TD/TR/TABLE/div/body/html

06005863379112891489--



[Declude.JunkMail] Phishing..

2004-05-14 Thread Kami Razvan



Follow up to last email:

Hi;

The following is the site:

http://www.citicorp-verification.com/cgibin/citifi/scripts/home/Verify.htm

Filter on: citicorp-verification

the site is live and kicking.. 

href="">https://www.accountonline.com/Register?siteId=CB"FONT 

this is also another filter I think: accountonline.com

The site the email came from appears to be a hosting company.

Regards,
Kami




[Declude.JunkMail] Phishing attempt- CitiBank

2004-04-24 Thread Kami Razvan



Hi;
Just received an email in our spam mailbox.

Filter: pumpkinpieshow.com

Here is the body:

X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8014000e].
X-RBL-Warning: IPNOTINMX: 
X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected.
X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command .
X-RBL-Warning: FIVETEN-SPAM: 73.42.62.68.blackholes.five-ten-sg.com.
X-RBL-Warning: NJABL-DYNA: "Dynamic/Residential IP range listed by NJABL dynablock - http://njabl.org/dynablock.html"
X-RBL-Warning: SORBS-DUL: "Dynamic IP Address See: http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=68.62.42.73"
X-Declude-Sender: [EMAIL PROTECTED] [68.62.42.73]
X-Declude-Spoolname: D81f9027f00da4f91.SMD
X-Note: ==
X-Note: Spam Score: 1029 [BLOCKED ON 20+  DELETED ON 60+]
X-Note: Scan Time: 11:04:36 on 04/24/2004
X-Note: Spool File: D81f9027f00da4f91.SMD
X-Note: Server Name: pcp01153400pcs.newhav01.mi.comcast.net
X-Note: SMTP Sender: [EMAIL PROTECTED]
X-Note: Reverse DNS  IP: pcp01153400pcs.newhav01.mi.comcast.net [68.62.42.73]
X-Note: Recipient(s): 
X-Note: Country Chain: UNITED STATES-destination
X-Note: ==
X-Note: This E-mail was scanned  filtered by Declude [1.79i4] for SPAM  virus.
X-Note: Spam and virus blocking services provided by ClickandPledge.com
X-Note: ==
X-RCPT-TO: **
Status: U
X-UIDL: 331478746

63679840055420419
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

This message was sent by the Citi® Cards Email Verification Server to verify your email address. You must complete this process by clicking on the link below and entering in the small window your Citibank ATM full Card Number and Pin that you use on ATM. (Please make sure that pop-up windows are enabled in your Internet Browser, otherwise you will not be able to see the small window) This is done for your protection, because some of our members no longer have access to their email addresses and we must verify them.

To verify your e-mail address and access you Citibank account, click on the link below. If nothing happens when you click on the link, just copy and past the link into address bar of your web browser.

http://www.citibankonline.com:[EMAIL PROTECTED]/sys/index.html

Thank you for using Citi.

PLEASE DO NOT REPLY THIS MESSAGE.


RE: [Declude.JunkMail] Phishing attempt- CitiBank

2004-04-24 Thread John Tolmachoff (Lists)
Thanks. 

I also added ".citibankonline.com:" (without the quotes) to the filter. (Note
the colon.)

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Saturday, April 24, 2004 8:43 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Phishing attempt- CitiBank

Hi;
Just received an email in our spam mailbox.
 
Filter: pumpkinpieshow.com
 
 
Here is the body:
 
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client
[8014000e].
X-RBL-Warning: IPNOTINMX: 
X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail
detected.
X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command .
X-RBL-Warning: FIVETEN-SPAM: 73.42.62.68.blackholes.five-ten-sg.com.
X-RBL-Warning: NJABL-DYNA: "Dynamic/Residential IP range listed by NJABL
dynablock - http://njabl.org/dynablock.html"
X-RBL-Warning: SORBS-DUL: "Dynamic IP Address See:
http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=68.62.42.73"
X-Declude-Sender: [EMAIL PROTECTED] [68.62.42.73]
X-Declude-Spoolname: D81f9027f00da4f91.SMD
X-Note: ==
X-Note: Spam Score: 1029 [BLOCKED ON 20+ & DELETED ON 60+]
X-Note: Scan Time: 11:04:36 on 04/24/2004
X-Note: Spool File: D81f9027f00da4f91.SMD
X-Note: Server Name: pcp01153400pcs.newhav01.mi.comcast.net
X-Note: SMTP Sender: [EMAIL PROTECTED]
X-Note: Reverse DNS & IP: pcp01153400pcs.newhav01.mi.comcast.net
[68.62.42.73]
X-Note: Recipient(s):
X-Note: Country Chain: UNITED STATES-destination
X-Note: ==
X-Note: This E-mail was scanned & filtered by Declude [1.79i4] for SPAM &
virus.
X-Note: Spam and virus blocking services provided by ClickandPledge.com
X-Note: ==
X-RCPT-TO: **
Status: U
X-UIDL: 331478746
 
63679840055420419
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
 
This message was sent by the Citi=AE Cards Email Verification Server to ve=
rify your email
address. You must complete this process by clicking on the link below and =
entering
in the small window your Citibank ATM full Card Number and Pin that you us=
e on ATM.
(Please make sure that pop-up windows are enabled in your Internet Browser=
, otherwise
you will not be able to see the small window) This is done for your protec=
tion, 
because some of our members no longer have access to their email addresses=
 and 
we must verify them.
 
To verify your e-mail address and access you Citibank account, click on th=
e link below .
If nothing happens when you click on the link, just copy and past the link=
 into address bar 
of your web browser .
http://www.citibankonline.com:[EMAIL PROTECTED]/s=
ys/index.html
 
 
 
Thank you for using Citi.
 
PLEASE DO NOT REPLY THIS MESSAGE.



RE: [Declude.JunkMail] Phishing attempt- CitiBank

2004-04-24 Thread Goran Jovanovic
John,

Do you have a filter that searches for URLs in the BODY and that is what you added it 
to?


 
 Goran Jovanovic
 The LAN Shoppe


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
 Sent: Saturday, April 24, 2004 12:11 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.JunkMail] Phishing attempt- CitiBank



RE: [Declude.JunkMail] Phishing attempt- CitiBank

2004-04-24 Thread John Tolmachoff (Lists)
Yes I do. The actual one I use is an external file for SpamCheck, as the
processing time for a body filter with SpamCheck is a little better than a
body filter test in Declude.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Goran Jovanovic
 Sent: Saturday, April 24, 2004 9:13 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.JunkMail] Phishing attempt- CitiBank



RE: [Declude.JunkMail] Phishing? (Possible test?)

2004-04-05 Thread R. Scott Perry

Not knowing enough about the way WHOIS works, could a test be set up that 
would heavily weight any e-mails that come from a New domain?  This 
would really help the pill/porn pushers
It's something that we would like to do, but automated WHOIS lookups are a 
Bad Thing.  Domain registrars would freak out if people started using WHOIS 
queries for every E-mail that arrived.  Ironically, the reason for that is 
that spammers love it when they find ways to harvest E-mail addresses out 
of WHOIS queries.  They must figure that people who get their E-mail 
addresses into WHOIS records are prime targets for spam.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



RE: [Declude.JunkMail] Phishing? (Possible test?)

2004-04-04 Thread Jason
Not knowing enough about the way WHOIS works, could a test be set up that
would heavily weight any e-mails that come from a "New" domain? This would
really help the pill/porn pushers

Jason

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
  On Behalf Of Colbeck, Andrew
  Sent: Saturday, April 03, 2004 7:17 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [Declude.JunkMail] Phishing?

  The DNS and web server for this domain were on dynamic-range hosts and
  have already been shut down. The WHOIS registration is a little more
  than a week old. Googling the net-abuse groups turns up:


[Declude.JunkMail] Phishing?

2004-04-03 Thread Kami Razvan



Hi;

I just received the following in our info account. I believe it is a
phishing attempt.

Attached is the actual email.

The source:

<BODY>
<p><img src="" width="296" height="51"></p>
<p>Dear user!</p>
<p>We are informing you that today, the amount of $719.00 AUD has been
drawn out of your account.</p>
<p>Technical assistance of ANZ Bank.</p>
<FORM action="http://aicworld.info/anz.htm" method=get>
<A href="http://www.anz.com">
<INPUT style="BORDER-RIGHT: 0pt; BORDER-TOP: 0pt; FONT-SIZE: 10pt;
BORDER-LEFT: 0pt; CURSOR: hand; COLOR: blue; BORDER-BOTTOM: 0pt;
BACKGROUND-COLOR: transparent; TEXT-DECORATION: underline" type=submit
value=http://www.anz.com>
</a>
</form>
===

I tried: http://aicworld.info/ but received a bad URL error.

Ideas?

Regards,
Kami

---BeginMessage---

Dear user!
We are informing you that today, the amount of $719.00 AUD has been drawn
out of your account.
Technical assistance of ANZ Bank.

logoANZ.gif

---End Message---


Re: [Declude.JunkMail] Phishing?

2004-04-03 Thread Dave Doherty



Hi Rami-

I think you can safely conclude that when the link
shows a well-formed URL to the viewer and has a different address in the
link that there's something phishy going on.

I wonder if anybody's written something to detect 
this?

-Dave



  - Original Message -
  From: Kami Razvan
  To: [EMAIL PROTECTED]
  Sent: Saturday, April 03, 2004 1:17 PM
  Subject: [Declude.JunkMail] Phishing?

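Dave's test above, a link whose visible text is a well-formed URL while the address behind it points elsewhere, can be checked mechanically. The ANZ message adds a twist: what the reader sees is a submit button labelled http://www.anz.com, wrapped in an anchor that really does point at anz.com, but the button belongs to a form whose action is http://aicworld.info/anz.htm, and a form submit goes to the form's action, not the enclosing anchor. The following is an added example, not code from this thread or from Declude. It walks the HTML, pairs each anchor's text and each submit button's label with the destination a click actually reaches, and reports labels that name a different site. ANZ_HTML is constructed to mirror the quoted source (the image src is left empty, as in the archive), and the "last two labels identify the site" rule in host_of is a simplification, not a public-suffix list.

```python
"""Flag links whose visible text names one site while the click goes to another.

Added example, not code from the Declude list or product. ANZ_HTML is a
constructed sample modelled on the quoted ANZ lure.
"""
from html.parser import HTMLParser
import re

# A hostname as it appears in a URL or as bare text such as www.anz.com,
# or a dotted-quad IP address.
HOST_RE = re.compile(
    r'^(?:https?://)?(?:[^@/\s]*@)?'
    r'([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}|\d{1,3}(?:\.\d{1,3}){3})'
    r'(?=[/:?#\s]|$)',
    re.IGNORECASE)

# Constructed sample: the visible element is a submit button labelled with the
# bank's URL, inside an anchor to the bank, but the button submits the form to
# aicworld.info.
ANZ_HTML = """<BODY>
<p><img src="" width="296" height="51"></p>
<p>Dear user!</p>
<p>We are informing you that today, the amount of $719.00 AUD has been drawn out
of your account.</p>
<p>Technical assistance of ANZ Bank.</p>
<FORM action="http://aicworld.info/anz.htm" method="get">
<A href="http://www.anz.com"><INPUT type="submit" value="http://www.anz.com"></a>
</form>
</BODY>"""


def host_of(text):
    """Site named by a URL or bare hostname, or None if the text names no site.
    Assumption: the last two labels identify a site (www.anz.com == anz.com);
    an IP literal is compared whole. Real deployments need a public-suffix list."""
    m = HOST_RE.match(text.strip())
    if m is None:
        return None
    host = m.group(1).lower()
    if host.replace('.', '').isdigit():
        return host
    return '.'.join(host.split('.')[-2:])


class LinkAudit(HTMLParser):
    """Collect (what the reader sees, where the click really goes) pairs."""

    def __init__(self):
        super().__init__()
        self.form_action = None   # action of the innermost open <form>
        self.anchor = None        # [href, text pieces] of the innermost open <a>
        self.pairs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == 'form':
            self.form_action = a.get('action') or ''
        elif tag == 'a':
            self.anchor = [a.get('href') or '', []]
        elif tag == 'input' and (a.get('type') or '').lower() == 'submit':
            # A submit button goes where its form posts, even when an <a>
            # wrapped around it points somewhere respectable.
            if self.form_action is not None:
                dest = self.form_action
            elif self.anchor is not None:
                dest = self.anchor[0]
            else:
                dest = ''
            self.pairs.append((a.get('value') or '', dest))

    def handle_data(self, data):
        if self.anchor is not None:
            self.anchor[1].append(data)

    def handle_endtag(self, tag):
        if tag == 'a' and self.anchor is not None:
            href, pieces = self.anchor
            self.pairs.append((''.join(pieces).strip(), href))
            self.anchor = None
        elif tag == 'form':
            self.form_action = None


def mismatched_links(html):
    """(shown site, real site) for every link or button whose label names a
    different site from its destination; empty list if none."""
    audit = LinkAudit()
    audit.feed(html)
    audit.close()
    found = []
    for shown, dest in audit.pairs:
        shown_host, dest_host = host_of(shown), host_of(dest)
        if shown_host and dest_host and shown_host != dest_host:
            found.append((shown_host, dest_host))
    return found


if __name__ == '__main__':
    for shown, real in mismatched_links(ANZ_HTML):
        print('reader sees %s, click goes to %s' % (shown, real))
```

Labels that are not URLs or hostnames ("click here") are ignored, so the check only fires when the lure itself spells out a site name, which is exactly the case Dave describes.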

Re: [Declude.JunkMail] Phishing?

2004-04-03 Thread Matt




We got a copy of this in our system also. Norton detects a virus when
you visit the page.

Matt



Kami Razvan wrote:

  Hi;

  I just received the following in our info account. I believe it is a
  phishing attempt.

  Attached is the actual email.

  The source:

  <BODY>
  <p><img src="" width="296" height="51"></p>
  <p>Dear user!</p>
  <p>We are informing you that today, the amount of $719.00 AUD has
  been drawn out of your account.</p>
  <p>Technical assistance of ANZ Bank.</p>
  <FORM action="http://aicworld.info/anz.htm" method=get>
  <A href="http://www.anz.com">
  <INPUT style="BORDER-RIGHT: 0pt; BORDER-TOP: 0pt; FONT-SIZE: 10pt;
  BORDER-LEFT: 0pt; CURSOR: hand; COLOR: blue; BORDER-BOTTOM: 0pt;
  BACKGROUND-COLOR: transparent;
  TEXT-DECORATION: underline" type=submit value=http://www.anz.com>
  </a>
  </form>
  ===

  I tried: http://aicworld.info/ but received a bad URL error.

  Ideas?

  Regards,
  Kami

  Subject: [~19]Notification on transfer from your ANZ bank account
  From: "ANZ Bank" [EMAIL PROTECTED]
  Date: Sat, 3 Apr 2004 14:11:46 -0500
  To: "Info" [EMAIL PROTECTED]

  Dear user!
  We are informing you that today, the amount of $719.00 AUD has
  been drawn out of your account.
  Technical assistance of ANZ Bank.
-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=




RE: [Declude.JunkMail] Phishing?

2004-04-03 Thread Colbeck, Andrew



The DNS and web server for this domain were on dynamic-range hosts and have
already been shut down. The WHOIS registration is a little more than a week
old. Googling the net-abuse groups turns up:

http://groups.google.ca/groups?hl=enlr=ie=UTF-8oe=UTF-8threadm=30cd601n6r82ihedo92t155d2aou9isnan%404ax.comrnum=1prev=/groups%3Fq%3D%2522Pembroke%2BPines%2522%2B*.abuse.*%2B33023%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26selm%3D30cd601n6r82ihedo92t155d2aou9isnan%25404ax.com%26rnum%3D1

I can also 
mention that I've seen the Java.ByteVerify "virus" infect workstations running 
IE to install a browser helper object that filters all the pages a user sees and 
puts up pop-up ads. Also homepage redirection and mangling some web page 
browsing.

The address given 
in "Pembroke Pines" I've seen all too many times in WHOIS records. I 
suppose it's a large community/city in Florida, at 146,000 people it's the 
second largest city in Broward County, just north of Miami. I see a lot of spam 
from hosts and spammers in Florida, like CyberGate and 
ProHosters.

Andrew 
8)

  
  -Original Message-
  From: Kami Razvan [mailto:[EMAIL PROTECTED]]
  Sent: Saturday, April 03, 2004 10:18 AM
  To: [EMAIL PROTECTED]
  Subject: [Declude.JunkMail] Phishing?


RE: [Declude.JunkMail] phishing scam

2004-02-23 Thread Colbeck, Andrew
Sadly, View Headers is not ideal.

Certainly, you can use View Headers to get the routing information etc,
and a Save-As will get you the body text, but every version of Outlook, if
not Outlook Express, decodes the original message.  This would be wrong
but tolerable if they also fixed the header properly, but they don't.

For example, a BASE64 encoded text message or an 8-bit charset text message
will be presented in plain ASCII if you do a Save-As, but when you view the
headers and paste them into your copy of the body text, you will find that
they still say the original encoded description of the message or MIME
sections.

Likewise, Outlook will snip out the binary attachments (certainly the
inline ones referenced in HTML mail), leaving the Save-As text incomplete.

Remember back before Declude JunkMail Pro seamlessly decoded BASE64 text
sections, and how often people would post to this list that their text
filter didn't work, and that they could plainly see the text despite the
BASE64 entry in the header? I'll wager that every one of them was an Outlook
user...

Andrew 8(

-Original Message-
From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED] 
Sent: Sunday, February 22, 2004 10:52 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] phishing scam


 Below is what I could figure out how to retrieve from Outlook -- I hate
 Outlook. I've never figured out how to get a real 'exact' copy of what was
 delivered back out of it the way you can when using any MUA that stores in
 mbox or maildir format.

Ever try searching the MS KB for view headers?

Right click the message, Options. Full Headers.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You




Re: [Declude.JunkMail] phishing scam

2004-02-23 Thread Gerald V. Livingston II
On Sun, 22 Feb 2004 22:51:34 -0800
John Tolmachoff (Lists) said something about RE: [Declude.JunkMail] phishing scam:

  I hate Outlook. I've never figured out how to get a real 'exact' copy
  of what was delivered back out of it the way you can when using any MUA 
  that stores in mbox or maildir format.
 
 Ever try searching the MS KB for view headers?
 
 Right click the message, Options. Full Headers.
 
 John Tolmachoff

I knew that. That's how I got the headers that I included. What I meant is
that you can't view/copy a flat text RFC822 copy of the message once
Outlook has grabbed it. It tries to interpret the body no matter what you
tell it. It puts all the headers in one place -- then splits off SOME of
the headers and mixes them in with the body (From:, To:, Date:, Subject:)
so it can interpret and display them.

Then when you tell it to save the message as a file you only get parts of
it -- if you want the headers you have to do as you described above.

I think the only way to get the whole message back is to forward it as an
attachment. If it can put it back together to send off as an RFC822
compliant attachment then why isn't there an option to just VIEW the
original text version of the message with headers? 

Ahh -- sorry, it's just DOS, *nix mail early learning showing through. I
don't like MUAs that muck around with received mail in a way that you
can't see exactly what the SMTP daemon was looking at as it came in.

Gerald

-- 
Gerald V. Livingston II

Configure your Email to send TEXT ONLY -- See the following page:
http://expita.com/nomime.html




RE: [Declude.JunkMail] phishing scam

2004-02-23 Thread Fritz Squib
Gerald,
 There is a great little COM addin available at
http://www.xintercept.com/pkpeek.htm, I use it to open mail/examine headers
all the time.

Fritz

Frederick P. Squib, Jr.
Network Operations/Mail Administrator
Citizens Telephone Company of Kecksburg
http://www.wpa.net

()  ascii ribbon campaign - against html mail 
/\- against microsoft attachments

---
[This E-mail scanned by Citizens Internet Services with Declude Virus.]



[Declude.JunkMail] phishing scam

2004-02-22 Thread Gerald V. Livingston II
Got bounced from the list because the DNS pointing to my phorce1.net mail
servers went away. When it didn't come back after 18 hours of me raising
he** I got the DNS admin at the company I work for to set me up on our name
servers so I'd have more control in the future. sigh

Got a VERY clever phishing scam message to one of the support addresses
where I contract. Using Outlook for that mail so it was a bit difficult to
get the real message back but...

Below is what I could figure out how to retrieve from Outlook -- I hate
Outlook. I've never figured out how to get a real 'exact' copy of what was
delivered back out of it the way you can when using any MUA that stores in
mbox or maildir format.

Gerald

-- Forwarded message --
From: Support 
Date: Sun, 22 Feb 2004 11:30:42 -0600
Subject: phishing scam
To: [EMAIL PROTECTED] [EMAIL PROTECTED]

The message has an obfuscated link that takes you here:

219.117.201.106:2017/f/index.htm

The IP in Japan -- good luck making a phone call to get this one taken
down.

Here are the headers that I could copy/paste and the html text of the
message that I managed to get out of outlook using the File -- Save
As... function (HTML broken intentionally with hash marks -- email
addresses on my server munged out of habit).

Received: from 200.175.137.22.dialup.gvt.net.br [200.175.137.22] by
mymail.server
  (SMTPD32-8.00) id A32C47A0040; Sun, 22 Feb 2004 07:48:28 -0600
Received: from wwbi.zoyta (yqcqjw.fccihnm.hxgsodq [181.90.102.144])
Date: Sun, 22 Feb 2004 16:44:46 +0300
From: Fleet Bank [EMAIL PROTECTED]
X-Mailer: The Bat! (v2.00.6) Business
Reply-To: Fleet Bank [EMAIL PROTECTED]
X-Priority: 3 (Normal)
Message-ID:
[EMAIL PROTECTED]
ail.com
To: [EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: To aII Fleet bank users!
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary=--1624795932930A9
X-RBL-Warning: NOABUSE: Not supporting [EMAIL PROTECTED]
X-RBL-Warning: IPNOTINMX: 
X-RBL-Warning: ROUTING: This E-mail was routed in a poor manner
consistent with spam [210f].
X-Declude-Sender: [EMAIL PROTECTED] [200.175.137.22]
X-Note: (mymail.server) This E-mail was scanned by Declude JunkMail
(www.declude.com) for spam.
X-Spam-Tests-Failed: NOABUSE, IPNOTINMX, ROUTING [8]
X-Note: This E-mail was sent from 200.175.137.22.dialup.gvt.net.br
([200.175.137.22]).
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 347717810

#!DOCTYPE HTML PUBLIC -//W3C//DTD HTML 4.0 Transitional//EN
#HTMLHEAD
#META http-equiv=Content-Type content=text/html;
#charset=windows-1252
#META content=MSHTML 6.00.2800.1276 name=GENERATOR/HEAD
#BODYBFrom:/B Fleet Bank
[EMAIL PROTECTED]BRBSent:/B Sunday, 
#February 22, 2004 7:45 AMBRBTo:/B [EMAIL PROTECTED]; 
[EMAIL PROTECTED]; [EMAIL PROTECTED]; 
[EMAIL PROTECTED]BRBSubject:/B To aII Fleet bank users!BR
#PFONT color=#f2Las Vegas Celebrity/FONT/P
#PA 
#href=http://[EMAIL PROTECTED]
#2%31%39%2E%31%31%37%2E%32%30%31%2E%31%30%36:%32%30%31%37/%66/%69%6E%64%6
#5%78%2E%68%74%6DIMG 
#alt= src=cid:0382C24A.D3EBA005.B8B55848.8A62B6AC_csseditor;
#border=0/A 
#/P
#PFONT color=#f6Entertainment in 1869 I'll take this one Which
one? It's 
#just /FONT/PBR
#PFONT size=2---BRIncoming mail is certified Virus
#Free.BRChecked by AVG 
#anti-virus system (http://www.grisoft.com).BRVersion: 6.0.580 / Virus

#Database: 367 - Release Date: 2/6/2004BR/FONT/P
#PFONT face=Arial size=2/FONT/P/BODY/HTML


 End of message ---



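Both lures in this archive hide the real destination inside the URL's authority. The Citibank message put `www.citibankonline.com:ac-...` in front of the `@`, where a browser treats it as username and password, so the bank's name is what the eye lands on while the connection goes to whatever follows the `@`. The Fleet Bank message above goes one step further and writes the real host and port, `219.117.201.106:2017`, with every character percent-encoded, which is why the obfuscated href in the HTML does not contain the string you would filter on. A CONTAINS filter on `.citibankonline.com:` catches one sender's wording; the decoder below, added here as an example and not code from this list or from Declude, resolves the authority the way a browser does so a filter can judge the host actually contacted. The two message bodies are constructed to mirror the quoted mails; `203.0.113.5`, the `ac-71` password and the `www.example-bank.com` decoy are placeholders for the parts the archive masks as `[EMAIL PROTECTED]`.

```python
"""Resolve obfuscated http(s) URLs in a mail body and say why each looks bad.

Added example (not Declude code). The sample bodies are constructed; the
hosts and userinfo the archive shows as [EMAIL PROTECTED] are replaced by
documentation addresses and made-up strings.
"""
import ipaddress
import quopri
import re
from urllib.parse import unquote

URL_RE = re.compile(r'https?://[^\s<>"\']+', re.IGNORECASE)

# Constructed sample 1: the Citibank lure, still quoted-printable encoded.
# A trailing "=" is a QP soft line break, which is why the link is split
# across two lines in the raw message and only reassembles after decoding.
CITI_QP = (
    "If nothing happens when you click on the link, just copy and past the link=\n"
    " into address bar of your web browser .\n"
    "http://www.citibankonline.com:ac-71@203.0.113.5/s=\n"
    "ys/index.html\n"
)

# Constructed sample 2: the Fleet Bank lure. Everything before "@" is decoy
# userinfo; the real host and port follow it, fully percent-encoded.
FLEET_HTML = (
    '<A href="http://www.example-bank.com@'
    '%32%31%39%2E%31%31%37%2E%32%30%31%2E%31%30%36:%32%30%31%37'
    '/%66/%69%6E%64%65%78%2E%68%74%6D"><IMG src="cid:logo"></A>'
)


def parse_authority(url):
    """Split an http(s) URL into its parts, decoding the authority the way a
    browser does: userinfo is everything before the last "@", and host and
    port are percent-decoded before use."""
    m = re.match(r'https?://([^/?#]*)(.*)$', url, re.IGNORECASE | re.DOTALL)
    if m is None:
        raise ValueError('not an http(s) URL: %r' % url)
    authority, path = m.group(1), m.group(2)
    userinfo, at, raw_hostport = authority.rpartition('@')
    if not at:
        userinfo, raw_hostport = '', authority
    hostport = unquote(raw_hostport)
    host, _, port = hostport.partition(':')
    return {
        'userinfo': userinfo,
        'host': host.lower(),
        'port': port,
        'path': unquote(path),
        'host_was_encoded': hostport != raw_hostport,
    }


def url_warnings(url):
    """Reasons a link looks like a phishing URL; an empty list means none found."""
    p = parse_authority(url)
    reasons = []
    if p['userinfo']:
        # Anything before "@" is credentials, not the site; lures put the
        # bank's hostname there because that is what a reader sees first.
        reasons.append('decoy "%s" before @, real host is %s'
                       % (p['userinfo'].split(':', 1)[0], p['host']))
    if p['host_was_encoded']:
        reasons.append('percent-encoded host')
    try:
        ipaddress.ip_address(p['host'])
        reasons.append('raw IP address host')
    except ValueError:
        pass
    if p['port'] not in ('', '80', '443'):
        reasons.append('non-standard port ' + p['port'])
    return reasons


def scan_body(raw, quoted_printable=False):
    """Return (url, real host, reasons) for every suspicious URL in a body.
    Quoted-printable is decoded first; otherwise a URL broken by a soft
    line break is never seen whole."""
    text = raw
    if quoted_printable:
        text = quopri.decodestring(raw.encode('latin-1')).decode('latin-1')
    findings = []
    for url in URL_RE.findall(text):
        reasons = url_warnings(url)
        if reasons:
            findings.append((url, parse_authority(url)['host'], reasons))
    return findings


if __name__ == '__main__':
    for body, qp in ((CITI_QP, True), (FLEET_HTML, False)):
        for url, host, reasons in scan_body(body, quoted_printable=qp):
            print(url)
            print('  connects to:', host)
            for reason in reasons:
                print('  -', reason)
```

The decoded host is the value worth filtering or feeding to a DNSBL lookup; the percent-encoded or userinfo-prefixed form in the message is what the sender expects a string match to trip over.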

RE: [Declude.JunkMail] phishing scam

2004-02-22 Thread John Tolmachoff (Lists)
 Below is what I could figure out how to retrieve from Outlook -- I hate
 Outlook. I've never figured out how to get a real 'exact' copy of what was
 delivered back out of it the way you can when using any MUA that stores in
 mbox or maildir format.

Ever try searching the MS KB for view headers?

Right click the message, Options. Full Headers.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

