Royal Bank of Canada Phish

From - Tue May 07 16:04:23 2013

X-Account-Key: account1

X-UIDL: 000018bb4f5d9180

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

X-Mozilla-Keys:

Received: from localhost by doctor.nl2k.ab.ca

with SpamAssassin (version 3.3.2);

Tue, 07 May 2013 07:02:43 -0600

From: RBC Royal Bank

To: doctor@netknow.ca

Subject: [Norton AntiSpam]*SPAM* Message Center: 1 New Alert Message!

Date: 07 May 2013 07:25:10 -0400

Message-Id: <20130507072510.CAA43FE8A46DF54F@advisor.webssl.com>

X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on doctor.nl2k.ab.ca

X-Spam-Flag: YES

X-Spam-Level: **************************************************

X-Spam-Status: Yes, score=51.0 required=5.0 tests=BOTNET,RCVD_IN_JMF_BL,

RELAY_CHECKER_BADDNS,RELAY_CHECKER_IPHOSTNAME,RELAY_CHECKER_KEYWORDS

autolearn=unavailable version=3.3.2

MIME-Version: 1.0

Content-Type: multipart/mixed; boundary="----------=_5188FB73.E35E9445"

X-Antivirus: AVG for E-mail 10.0.1432 [3162/5802]

X-AVG-ID: ID2E54899D-4FCEA7CA

X-Brightmail-Tracker: AAAABB15M1AdeRryHXka6R15M+g=



This is a multi-part message in MIME format.



------------=_5188FB73.E35E9445

Content-Type: text/plain; charset=iso-8859-1

Content-Disposition: inline

Content-Transfer-Encoding: 8bit



Spam detection software, running on the system "doctor.nl2k.ab.ca", has

identified this incoming email as possible spam. The original message

has been attached to this so you can view it (if it isn't spam) or label

similar future email. If you have any questions, see

the administrator of that system for details.



Content preview: RBC Royal Bank / Message Center: 1 New Alert Message! 1 New

Alert Message! Customer Service: Your account has been limited! Click to

Resolve Thank you for using Royal Bank of Canada. [...]



Content analysis details: (51.0 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

50 RCVD_IN_JMF_BL RBL: Sender listed in JMF-BLACK

[204.195.138.250 listed in hostkarma.junkemailfilter.com]

1.0 BOTNET Relay might be a spambot or virusbot

[botnet0.8,ip=204.195.138.250,rdns=204-195-138-250-dhcp.atlanticbb.net,baddns,client,ipinhostname,clientwords]

0.0 RELAY_CHECKER_IPHOSTNAME Hostname contains IP address

0.0 RELAY_CHECKER_KEYWORDS Hostname matches keywords

0.0 RELAY_CHECKER_BADDNS Doesn't have full circle DNS



The original message was not completely plain text, and may be unsafe to

open with some email clients; in particular, it may contain a virus,

or confirm that your address can receive spam. If you wish to view

it, it may be safer to save it to a file and open it with an editor.





------------=_5188FB73.E35E9445

Content-Type: message/rfc822; x-spam-type=original

Content-Description: original message before SpamAssassin

Content-Disposition: attachment

Content-Transfer-Encoding: 8bit



Return-Path:

X-Original-To: dave@doctor.nl2k.ab.ca

Delivered-To: dave@doctor.nl2k.ab.ca

Received: by doctor.nl2k.ab.ca (Postfix, from userid 101)

id 44DCA12CFA82; Tue, 7 May 2013 07:02:36 -0600 (MDT)

Resent-From: doctor@doctor.nl2k.ab.ca

Resent-Date: Tue, 7 May 2013 07:02:36 -0600

Resent-Message-ID: <20130507130236.GB6560@doctor.nl2k.ab.ca>

Resent-To: Dave Yadallee

X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on doctor.nl2k.ab.ca

X-Spam-Level: *

X-Spam-Status: No, score=1.0 required=5.0 tests=BOTNET,RELAY_CHECKER_BADDNS,

RELAY_CHECKER_IPHOSTNAME,RELAY_CHECKER_KEYWORDS autolearn=no version=3.3.2

X-Original-To: doctor@netknow.ca

Delivered-To: doctor@netknow.ca

Received: from advisor.webssl.com (unknown [204.195.138.250])

by doctor.nl2k.ab.ca (Postfix) with ESMTP id A961D12CFAA6

for ; Tue, 7 May 2013 05:25:52 -0600 (MDT)

From: RBC Royal Bank

To: doctor@netknow.ca

Subject: Message Center: 1 New Alert Message!

Date: 07 May 2013 07:25:10 -0400

Message-ID: <20130507072510.CAA43FE8A46DF54F@advisor.webssl.com>

MIME-Version: 1.0

Content-Type: text/html;

charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

X-Sanitizer: This message has been sanitized!

X-Sanitizer-URL: http://mailtools.anomy.net/

X-Sanitizer-Rev: $Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $

X-Virus-Scanned: clamav-milter 0.97.8-exp-debug at doctor.nl2k.ab.ca

X-Virus-Status: Clean







RBC Royal Bank / Message Center: 1 New Alert Message!


yalbank_en.gif">






old.gif"> 1 New Alert Message!




=20



ng=3D"0" width=3D"100%">

cellpadding=3D"3" cellspacing=3D"0" width=3D"100%">




Customer Service: Your account has b=

een limited!

http://216.245.209.110/icons/ssl/encrypted-session/F6=3D1&F7=3DIB&F21=3DIB&=

F22=3DIB&REQUEST=3DClientSignin&LANGUAGE=3DENGLISH/index.html">Click to =

Resolve







=20

Thank you for using Royal Bank of Canada.





This message has bee=

n 'sanitized'. This means that potentially

dangerous content has been rewritten or removed. The following

log describes which actions were taken.





Sanitizer (start=3D"1367925959"):

SanitizeFile (filename=3D"unnamed.html, filetype.html", mimetype=3D"text/=

html"):

Match (names=3D"unnamed.html, filetype.html", rule=3D"2"):

Enforced policy: accept



Rewrote HTML tag: >>_a rel=3D"nofollow" target=3D"_blank" href=3D"h=

ttp://216.245.209.110/icons/ssl/encrypted-session/F6=3D1&F7=3DIB&F2=

1=3DIB&F22=3DIB&REQUEST=3DClientSignin&LANGUAGE=3DENGLISH/index=

.html"_<<

as: >>_a DEFANGED_rel=3D"nofollow" target=3D"_blank" =

href=3D"http://216.245.209.110/icons/ssl/encrypted-session/F6=3D1&F7=3D=

IB&F21=3DIB&F22=3DIB&REQUEST=3DClientSignin&LANGUAGE=3DENGL=

ISH/index.html"_<<

Total modifications so far: 1







Anomy 0.0.0 : Sanitizer.pm

$Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $





=



This message has bee=

n 'sanitized'. This means that potentially

dangerous content has been rewritten or removed. The following

log describes which actions were taken.





Sanitizer (start=3D"1367925959"):

SanitizeFile (filename=3D"unnamed.html, filetype.html", mimetype=3D"text/=

html"):

Match (names=3D"unnamed.html, filetype.html", rule=3D"2"):

Enforced policy: accept



Rewrote HTML tag: >>_a rel=3D"nofollow" target=3D"_blank" href=3D"h=

ttp://216.245.209.110/icons/ssl/encrypted-session/F6=3D1&F7=3DIB&F2=

1=3DIB&F22=3DIB&REQUEST=3DClientSignin&LANGUAGE=3DENGLISH/index=

.html"_<<

as: >>_a DEFANGED_rel=3D"nofollow" target=3D"_blank" =

href=3D"http://216.245.209.110/icons/ssl/encrypted-session/F6=3D1&F7=3D=

IB&F21=3DIB&F22=3DIB&REQUEST=3DClientSignin&LANGUAGE=3DENGL=

ISH/index.html"_<<

Total modifications so far: 1

Note: Styles and layers give attackers many tools to fool the

user and common browsers interpret Javascript code found

within style definitions.

=20

Rewrote HTML tag: >>_/div_<<

as: >>_/p__DEFANGED_div_<<

Total modifications so far: 2







Anomy 0.0.0 : Sanitizer.pm

$Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $









This message has bee=

n 'sanitized'. This means that potentially

dangerous content has been rewritten or removed. The following

log describes which actions were taken.





Sanitizer (start=3D"1367925959"):

SanitizeFile (filename=3D"unnamed.html, filetype.html", mimetype=3D"text/=

html"):

Match (names=3D"unnamed.html, filetype.html", rule=3D"2"):

Enforced policy: accept



Rewrote HTML tag: >>_a rel=3D"nofollow" target=3D"_blank" href=3D"h=

ttp://216.245.209.110/icons/ssl/encrypted-session/F6=3D1&F7=3DIB&F2=

1=3DIB&F22=3DIB&REQUEST=3DClientSignin&LANGUAGE=3DENGLISH/index=

.html"_<<

as: >>_a DEFANGED_rel=3D"nofollow" target=3D"_blank" =

href=3D"http://216.245.209.110/icons/ssl/encrypted-session/F6=3D1&F7=3D=

IB&F21=3DIB&F22=3DIB&REQUEST=3DClientSignin&LANGUAGE=3DENGL=

ISH/index.html"_<<

Total modifications so far: 1

Note: Styles and layers give attackers many tools to fool the

user and common browsers interpret Javascript code found

within style definitions.

=20

Rewrote HTML tag: >>_/div_<<

as: >>_/p__DEFANGED_div_<<

Total modifications so far: 2







Anomy 0.0.0 : Sanitizer.pm

$Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $







------------=_5188FB73.E35E9445

Content-Type: multipart/alternative;

boundary="=======AVGMAIL-0E7A9122======="



--=======AVGMAIL-0E7A9122=======

Content-Type: text/plain; x-avg=cert; charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

Content-Disposition: inline

Content-Description: "Certification"



-----

No virus found in this message.

Checked by AVG - www.avg.com

Version: 10.0.1432 / Virus Database: 3162/5802 - Release Date: 05/06/13=



--=======AVGMAIL-0E7A9122=======--



------------=_5188FB73.E35E9445

Content-Type: multipart/alternative;

boundary="=======AVGMAIL-5F820E90======="



--=======AVGMAIL-5F820E90=======

Content-Type: text/plain; x-avg=cert; charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

Content-Disposition: inline

Content-Description: "Certification"



-----

No virus found in this message.

Checked by AVG - www.avg.com

Version: 10.0.1432 / Virus Database: 3162/5802 - Release Date: 05/06/13=



--=======AVGMAIL-5F820E90=======--



------------=_5188FB73.E35E9445--





Trackbacks

Trackback specific URI for this entry

This link is not meant to be clicked. It contains the trackback URI for this entry. You can use this URI to send ping- & trackbacks from your own blog to this entry. To copy the link, right click and select "Copy Shortcut" in Internet Explorer or "Copy Link Location" in Mozilla.

No Trackbacks

Comments

Display comments as Linear | Threaded

No comments

Add Comment

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA