[Declude.JunkMail] Phishing

2007-05-15 Thread David Barker
BODY 15 PCRE (http://.{3,60}(\.com\.).{3,60}?(\.[a-z]{2,4}/)) This is a regular expression. This is a little more complicated than a straight filter but essentially I am looking for any URL that has a .com in the middle and then ends with a different domain extension. It will match on

RE: [Declude.JunkMail] Phishing

2007-05-15 Thread Colbeck, Andrew
DOMAIN NAME then (end of line OR / character) Andrew. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Tuesday, May 15, 2007 2:31 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Phishing BODY 15 PCRE

[Declude.JunkMail] phishing

2006-06-06 Thread Schmeits, Roger
What are people doing for phishing scams? We seem to be getting quite a few and was wondering what people do. Running declude 3.1.0 Imail 8.05 as a gateway. I have McAfee, f-prot Clamwin as scanners. Thanks. I heard some talk about clamdev ? or something like that -- did not

Re: [Declude.JunkMail] phishing

2006-06-06 Thread Darrell ([EMAIL PROTECTED])
Roger, Are you using the SANS phish signatures? Since we started using we have seen virtually zero get through. Darrell --- fpReview - The quick way to reviewing false positives. http://www.invariantsystems.com Schmeits, Roger writes: What are

AW: [Declude.JunkMail] phishing

2006-06-06 Thread Hirthe, Alexander
, Roger Sent: Tuesday, June 6, 2006 15:22 To: declude.junkmail@declude.com Subject: [Declude.JunkMail] phishing What are people doing for phishing scams? We seem to be getting quite a few and was wondering what people do. Running declude 3.1.0 Imail 8.05 as a gateway. I

RE: [Declude.JunkMail] phishing

2006-06-06 Thread Goran Jovanovic
To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] phishing Roger, Are you using the SANS phish signatures? Since we started using we have seen virtually zero get through. Darrell --- fpReview - The quick way to reviewing false positives. http

Re: [Declude.JunkMail] phishing

2006-06-06 Thread Darrell ([EMAIL PROTECTED])
, June 06, 2006 9:32 AM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] phishing Roger, Are you using the SANS phish signatures? Since we started using we have seen virtually zero get through. Darrell --- fpReview - The quick way

[Declude.JunkMail] Phishing Question

2005-05-12 Thread Goran Jovanovic
Hi, I do not understand how this is being displayed in IE. I got a phishing e-mail reported to me and I went to check it out. This is the HTML text P class=Estilo6To log into your account and verify your account activity, click here: BRA

RE: [Declude.JunkMail] Phishing Question

2005-05-12 Thread Colbeck, Andrew
to: [EMAIL PROTECTED] and [EMAIL PROTECTED] Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic Sent: Thursday, May 12, 2005 1:17 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] Phishing Question

Re: [Declude.JunkMail] Phishing Question

2005-05-12 Thread Matt
Goran, It's probably DHTML being used to fake an address bar in a window that doesn't have one, or it is placing a fake address bar on top of the real one. It might look real, but it isn't. It is safe to blacklist haukelid.com, and that's all that you need to do about it. Matt Goran

RE: [Declude.JunkMail] Phishing Question

2005-05-12 Thread Colbeck, Andrew
Subject: [Declude.JunkMail] Phishing Question Hi, I do not understand how this is being displayed in IE. I got a phishing e-mail reported to me and I went to check it out. This is the HTML text P class=Estilo6To log into your account and verify your account activity, click here: BRA

Re: [Declude.JunkMail] Phishing Question

2005-05-12 Thread Matt
One slight correction here. The domain haukelid.com doesn't belong to the phisher. This is an active site that was likely just simply hacked and then the PHP code was placed on it...it's a pretty ingenious way to get a clean address. Matt Goran Jovanovic wrote: Hi, I do not understand how

RE: [Declude.JunkMail] Phishing Question

2005-05-12 Thread Goran Jovanovic
PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Matt Sent: Thursday, May 12, 2005 4:33 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Phishing Question One slight correction here. The domain

[Declude.JunkMail] Phishing with cyrillic char-set

2005-03-02 Thread Markus Gufler
In the current German computer magazine c't an article talks about phishing with Cyrillic char-sets. It's possible to combine IDN-Domain names supported by Opera, Firefox and MS Explorer (IE only with plugin) and Cyrillic char-sets to show up a URL absolutely like the original one. More info's

[Declude.JunkMail] Phishing

2005-02-16 Thread David Sullivan
We're running JM+Sniffer and still having some problems with phishes. Here's the headers of a message that passed through and didn't trip a single test. Our user got 140 of these in a period of a few hours. He always seems to be on the front end of these things. I'm running spf so it didn't fail

Re: [Declude.JunkMail] Phishing

2005-02-16 Thread Scott Fisher
occasional phish, but they are pretty rare. - Original Message - From: David Sullivan [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Wednesday, February 16, 2005 1:23 PM Subject: [Declude.JunkMail] Phishing We're running JM+Sniffer and still having some problems with phishes

Re[2]: [Declude.JunkMail] Phishing

2005-02-16 Thread David Sullivan
Hello Scott, Wednesday, February 16, 2005, 2:52:43 PM, you wrote: SF 1. Prescan off in Declude Virus and use clamav as a scanner. This caught 656 SF in January. It's a beast on your CPU utilization as almost every mail will SF need to be virus scanned. I already run PRESCAN OFF but I'm only

[Declude.JunkMail] phishing- live

2004-10-04 Thread Kami Razvan
Hi; Phishing.. still alive http://221.139.2.111/citifi/ Regards, Kami email: === Dear Customer:Recently there have been a large number of cyber attacks pointing our database servers. In order to safeguard your account, we require you to sign on immediately. This

[Declude.JunkMail] phishing- Wells Fargo- still alive

2004-10-04 Thread Kami Razvan
http://61.139.77.18/service/html/bin/log/ The above is still alive. Regards, Kami Message: == Subject: [36~]James William from Wellsfargo.com - submfk Date: Sat, 2 Oct 2004 11:50:12 -0500 Mime-Version: 1.0 Content-Type: text/html; charset=us-ascii Message-Id: [EMAIL

Re: [Declude.JunkMail] phishing- live

2004-10-04 Thread Dave Doherty
dead now - Original Message - From: Kami Razvan To: [EMAIL PROTECTED] Sent: Monday, October 04, 2004 6:05 AM Subject: [Declude.JunkMail] phishing- live Hi; Phishing.. still alive http://221.139.2.111/citifi/ Regards, Kami email

[Declude.JunkMail] Phishing attempt

2004-07-02 Thread Kami Razvan
Hi; This site is still active: http://211.174.62.133/verify/index.php Regards, Kami Here is the body: X-Note: Spam Score: 1023 [BLOCKED ON 20+ DELETED ON 60+] X-Note: Scan Time: 05:42:25 on 07/02/2004 X-Note: Spool File: D2de8053702661acc.SMD X-Note: Server Name:

RE: [Declude.JunkMail] Phishing attempt- site is live

2004-06-12 Thread Richard Edge
: [EMAIL PROTECTED] WWW: http://www.twu.ca/technology -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Tuesday, June 08, 2004 2:23 PM To: Kami Razvan Subject: Re: [Declude.JunkMail] Phishing attempt- site is live We've had this one

[Declude.JunkMail] Phishing attempt- site is live

2004-06-08 Thread Kami Razvan
Hi; The site is live.. a definite phishing attempt. http://200.97.91.210/citi/"Activate Regards, Kami === Received: from 82-33-98-143.cable.ubr10.azte.blueyonder.co.uk [82.33.98.143] by foroosh.com (SMTPD32-8.11) id A0842A350272; Tue, 08 Jun 2004 14:08:04

[Declude.JunkMail] Phishing link

2004-06-08 Thread Kami Razvan
Hi; Sorry the last one I sent apparently does not go to the URL. Here is the URL: http://200.97.91.210/citi/ Regards, Kami

Re: [Declude.JunkMail] Phishing attempt- site is live

2004-06-08 Thread Pete McNeil
We've had this one in Sniffer for a while. They were originally going after Sun Trust: Rule ID - 99546 Created - 2004-03-22 From Source - http://200.97.91. Rule Type - Numbered Link Origin - Spam Trap Original Rule Name - suntrust phishing Current Strength - 2.68760205 _M On Tuesday, June 8,

RE: [Declude.JunkMail] Phishing attempt- site is live

2004-06-08 Thread Kami Razvan
: [Declude.JunkMail] Phishing attempt- site is live When I went to http://200.97.91.210/citi/ I get a page not found?? Goran Jovanovic The LAN Shoppe --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail

[Declude.JunkMail] phishing attempt- site still live

2004-06-07 Thread Kami Razvan
Hi; The following is the body of an email that was caught by the Fraud spamdomain test we have. The link is still active. I am adding a body filter on: web-da-best.com Here is the body: ..nbsp;body bgcolor=3D#ffdiv align=3D"left"TABLE width=3D520 cellpadding=3D0

[Declude.JunkMail] Phishing..

2004-05-14 Thread Kami Razvan
Follow up to last email: Hi; The following is the site: http://www.citicorp-verification.com/cgibin/citifi/scripts/home/Verify.htm Filter on: citicorp-verification the site is live and kicking.. href="">https://www.accountonline.com/Register?siteId=CB"FONT

[Declude.JunkMail] Phishing attempt- CitiBank

2004-04-24 Thread Kami Razvan
Hi; Just received an email in our spam mailbox. Filter: pumpkinpieshow.com Here is the body: X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8014000e]. X-RBL-Warning: IPNOTINMX: X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail

RE: [Declude.JunkMail] Phishing attempt- CitiBank

2004-04-24 Thread John Tolmachoff (Lists)
To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Phishing attempt- CitiBank Hi; Just received an email in our spam mailbox. Filter: pumpkinpieshow.com Here is the body: X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8014000e]. X-RBL-Warning: IPNOTINMX: X-RBL

RE: [Declude.JunkMail] Phishing attempt- CitiBank

2004-04-24 Thread Goran Jovanovic
, April 24, 2004 12:11 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Phishing attempt- CitiBank Thanks. I also added .citibankonline.com: without the quotes to the filter. (Note the colon.) John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message

RE: [Declude.JunkMail] Phishing attempt- CitiBank

2004-04-24 Thread John Tolmachoff (Lists)
] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Goran Jovanovic Sent: Saturday, April 24, 2004 9:13 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Phishing attempt- CitiBank John, Do you have a filter that searches for URLs in the BODY and that is what you added

RE: [Declude.JunkMail] Phishing? (Possible test?)

2004-04-05 Thread R. Scott Perry
Not knowing enough about the way WHOIS works, could a test be set up that would heavily weight any e-mails that come from a New domain? This would really help the pill/porn pushers It's something that we would like to do, but automated WHOIS lookups are a Bad Thing. Domain registrars

RE: [Declude.JunkMail] Phishing? (Possible test?)

2004-04-04 Thread Jason
lto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Saturday, April 03, 2004 7:17 PM To: '[EMAIL PROTECTED]' Subject: RE: [Declude.JunkMail] Phishing? The DNS and web server for this domain were on dynamic-range hosts and have already been shut down. The WHOIS registration is a little

[Declude.JunkMail] Phishing?

2004-04-03 Thread Kami Razvan
Hi; I just received the following in our info account. I believe it is a phishing attempt. Attached is the actual email. The source: BODYpimg src="" width="296" height="51"/ppDear user!/ppWe are informing you that today, the amount of $719.00 AUD has been drawn

Re: [Declude.JunkMail] Phishing?

2004-04-03 Thread Dave Doherty
Razvan To: [EMAIL PROTECTED] Sent: Saturday, April 03, 2004 1:17 PM Subject: [Declude.JunkMail] Phishing? Hi; I just received the following in our info account. I believe it is a phishing attempt. Attached is the actual email. The source

Re: [Declude.JunkMail] Phishing?

2004-04-03 Thread Matt
We got a copy of this in our system also. Norton detects a virus when you visit the page. Matt Kami Razvan wrote: Hi; I just received the following in our info account. I believe it is a phishing attempt. Attached is the actual email. The source:

RE: [Declude.JunkMail] Phishing?

2004-04-03 Thread Colbeck, Andrew
: Saturday, April 03, 2004 10:18 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Phishing? Hi; I just received the following in our info account. I believe it is a phishing attempt. Attached is the actual email. The source: BODYpimg

RE: [Declude.JunkMail] phishing scam

2004-02-23 Thread Colbeck, Andrew
, February 22, 2004 10:52 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] phishing scam Below is what I could figure out how to retrieve from Outlook -- I hate Outlook. I've never figured out how to get a real 'exact' copy of what was delivered back out of it the way you can when using any MUA

Re: [Declude.JunkMail] phishing scam

2004-02-23 Thread Gerald V. Livingston II
On Sun, 22 Feb 2004 22:51:34 -0800 John Tolmachoff (Lists) said something about RE: [Declude.JunkMail] phishing scam: I hate Outlook. I've never figured out how to get a real 'exact' copy of what was delivered back out of it the way you can when using any MUA that stores in mbox

RE: [Declude.JunkMail] phishing scam

2004-02-23 Thread Fritz Squib
Gerald, There is a great little COM addin available at http://www.xintercept.com/pkpeek.htm, I use it to open mail/examine headers all the time. Fritz Frederick P. Squib, Jr. Network Operations/Mail Administrator Citizens Telephone Company of Kecksburg http://www.wpa.net () ascii ribbon

[Declude.JunkMail] phishing scam

2004-02-22 Thread Gerald V. Livingston II
Got bounced from the list because the DNS pointing to my phorce1.net mail servers went away. When it didn't come back after 18 hours of me raising he** I got the DNS admin at the company I work for to set me up on our name servers so I'd have more control in the future. sigh Got a VERY clever

RE: [Declude.JunkMail] phishing scam

2004-02-22 Thread John Tolmachoff (Lists)
Below is what I could figure out how to retrieve from Outlook -- I hate Outlook. I've never figured out how to get a real 'exact' copy of what was delivered back out of it the way you can when using any MUA that stores in mbox or maildir format. Ever try searching the MS KB for view headers?