More Bank of Montreal Phish

From - Wed May 15 05:57:29 2013

X-Account-Key: account1

X-UIDL: 000019d44f5d9180

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

X-Mozilla-Keys:

Received: from localhost by doctor.nl2k.ab.ca

with SpamAssassin (version 3.3.2);

Tue, 14 May 2013 07:36:47 -0600

From: "BMO"

To: "bmo"

Subject: [Norton AntiSpam]*SPAM* [BMO] Alert message

Date: Mon, 13 May 2013 12:06:22 +0100

X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on doctor.nl2k.ab.ca

X-Spam-Flag: YES

X-Spam-Level: *********************************************

X-Spam-Status: Yes, score=45.0 required=5.0 tests=SARE_UNSUB38D

autolearn=unavailable version=3.3.2

MIME-Version: 1.0

Content-Type: multipart/mixed; boundary="----------=_51923DEF.0A5AC7ED"

X-Antivirus: AVG for E-mail 10.0.1432 [3162/5825]

X-AVG-ID: ID4F36CE0-27EF6021

X-Brightmail-Tracker: AAAABR15GvIdeRrpHXk0QR15NOYdeUD7



This is a multi-part message in MIME format.



------------=_51923DEF.0A5AC7ED

Content-Type: text/plain; charset=iso-8859-1

Content-Disposition: inline

Content-Transfer-Encoding: 8bit



Spam detection software, running on the system "doctor.nl2k.ab.ca", has

identified this incoming email as possible spam. The original message

has been attached to this so you can view it (if it isn't spam) or label

similar future email. If you have any questions, see

the administrator of that system for details.



Content preview: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original message

has been attached to this so you can view it (if it isn't spam) or label

similar future email. If you have any questions, see the administrator of

that system for details. [...]



Content analysis details: (45.0 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

45 SARE_UNSUB38D RAW: SARE_UNSUB38D



The original message was not completely plain text, and may be unsafe to

open with some email clients; in particular, it may contain a virus,

or confirm that your address can receive spam. If you wish to view

it, it may be safer to save it to a file and open it with an editor.





------------=_51923DEF.0A5AC7ED

Content-Type: message/rfc822; x-spam-type=original

Content-Description: original message before SpamAssassin

Content-Disposition: attachment

Content-Transfer-Encoding: 8bit



Return-Path:

X-Original-To: dave@doctor.nl2k.ab.ca

Delivered-To: dave@doctor.nl2k.ab.ca

Received: by doctor.nl2k.ab.ca (Postfix, from userid 101)

id 468DD12CFAB6; Tue, 14 May 2013 07:36:33 -0600 (MDT)

Resent-From: doctor@doctor.nl2k.ab.ca

Resent-Date: Tue, 14 May 2013 07:36:33 -0600

Resent-Message-ID: <20130514133633.GA8387@doctor.nl2k.ab.ca>

Resent-To: Dave Yadallee

Received: from localhost by doctor.nl2k.ab.ca

with SpamAssassin (version 3.3.2);

Tue, 14 May 2013 03:03:42 -0600

From: "BMO"

To: "bmo"

Subject: SPAM [BMO] Alert message

Date: Mon, 13 May 2013 12:06:22 +0100

X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on doctor.nl2k.ab.ca

X-Spam-Flag: YES

X-Spam-Level: *********************************************

X-Spam-Status: Yes, score=45.0 required=5.0 tests=SARE_UNSUB38D

autolearn=unavailable version=3.3.2

MIME-Version: 1.0

Content-Type: multipart/mixed; boundary="----------=_5191FDEE.060732DA"

X-Virus-Scanned: clamav-milter 0.97.8-exp-debug at doctor.nl2k.ab.ca

X-Virus-Status: Clean



This is a multi-part message in MIME format.



------------=_5191FDEE.060732DA

Content-Type: text/plain; charset=iso-8859-1

Content-Disposition: inline

Content-Transfer-Encoding: 8bit



Spam detection software, running on the system "doctor.nl2k.ab.ca", has

identified this incoming email as possible spam. The original message

has been attached to this so you can view it (if it isn't spam) or label

similar future email. If you have any questions, see

the administrator of that system for details.



Content preview: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original message

has been attached to this so you can view it (if it isn't spam) or label

similar future email. If you have any questions, see the administrator of

that system for details. [...]



Content analysis details: (45.0 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

45 SARE_UNSUB38D RAW: SARE_UNSUB38D



The original message was not completely plain text, and may be unsafe to

open with some email clients; in particular, it may contain a virus,

or confirm that your address can receive spam. If you wish to view

it, it may be safer to save it to a file and open it with an editor.





------------=_5191FDEE.060732DA

Content-Type: message/rfc822; x-spam-type=original

Content-Description: original message before SpamAssassin

Content-Disposition: attachment

Content-Transfer-Encoding: 8bit



Received: from localhost by doctor.nl2k.ab.ca

with SpamAssassin (version 3.3.2);

Tue, 14 May 2013 03:03:34 -0600

From: "BMO"

To: "bmo"

Subject: SPAM [BMO] Alert message

Date: Mon, 13 May 2013 12:06:22 +0100

X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on doctor.nl2k.ab.ca

X-Spam-Flag: YES

X-Spam-Level: *********************************************

X-Spam-Status: Yes, score=45.0 required=5.0 tests=SARE_UNSUB38D

autolearn=unavailable version=3.3.2

MIME-Version: 1.0

Content-Type: multipart/mixed; boundary="----------=_5191FDE6.A87ECC90"

X-Sanitizer: This message has been sanitized!

X-Sanitizer-URL: http://mailtools.anomy.net/

X-Sanitizer-Rev: $Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $



This is a multi-part message in MIME format.



------------=_5191FDE6.A87ECC90

Content-Type: text/plain; charset=iso-8859-1

Content-Disposition: inline

Content-Transfer-Encoding: 8bit



Spam detection software, running on the system "doctor.nl2k.ab.ca", has

identified this incoming email as possible spam. The original message

has been attached to this so you can view it (if it isn't spam) or label

similar future email. If you have any questions, see

the administrator of that system for details.



Content preview: This is a security alert from BMO Online Fraud Prevention.

We identified activity on your account that may be fraudulent and ask you

confirm your identity. We have not fully restricted your account but you

must confirm your identity in order to avoid any suspension. Please Click

Here to confirm your identity. [...]



Content analysis details: (45.0 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

45 SARE_UNSUB38D RAW: SARE_UNSUB38D



The original message was not completely plain text, and may be unsafe to

open with some email clients; in particular, it may contain a virus,

or confirm that your address can receive spam. If you wish to view

it, it may be safer to save it to a file and open it with an editor.





------------=_5191FDE6.A87ECC90

Content-Type: message/rfc822; x-spam-type=original

Content-Description: original message before SpamAssassin

Content-Disposition: attachment

Content-Transfer-Encoding: 8bit



Return-Path:

X-Original-To: doctor@nl2k.ab.ca

Delivered-To: doctor@nl2k.ab.ca

Received: from host.saysonconsulting.com (server.saysonconsulting.com [70.38.67.205])

(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))

(No client certificate requested)

by doctor.nl2k.ab.ca (Postfix) with ESMTPS id 4BDA312CFA8C

for ; Tue, 14 May 2013 03:03:27 -0600 (MDT)

Received: from localhost ([127.0.0.1]:34165 helo=host.saysonconsulting.com)

by host.saysonconsulting.com with esmtp (Exim 4.80)

(envelope-from )

id 1UbqbO-0003AE-2J; Mon, 13 May 2013 07:07:34 -0400

Received: from host81-137-244-36.in-addr.btopenworld.com ([81.137.244.36]:4835

helo=168.187.240.163)

by host.saysonconsulting.com with esmtpa (Exim 4.80)

(envelope-from ) id 1UbqaK-0002m0-41

for bmo@totalfluidpower.ca; Mon, 13 May 2013 07:06:28 -0400

From: "BMO"

To: "bmo"

Date: Mon, 13 May 2013 12:06:22 +0100

Organization: btopenworld.com

MIME-Version: 1.0

Content-Type: multipart/alternative;

boundary="----=_NextPart_000_0000_01C6527E.AE8904D0"

Subject: [BMO] Alert message

X-BeenThere: bmo@totalfluidpower.ca

X-Mailman-Version: 2.1.15

Precedence: list

List-Id:

List-Unsubscribe: ,



List-Archive:

List-Post:

List-Help:

List-Subscribe: ,



Errors-To: bmo-bounces@totalfluidpower.ca

Sender: "BMO"

X-AntiAbuse: This header was added to track abuse, please include it with any abuse report

X-AntiAbuse: Primary Hostname - host.saysonconsulting.com

X-AntiAbuse: Original Domain - nl2k.ab.ca

X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]

X-AntiAbuse: Sender Address Domain - totalfluidpower.ca

X-Get-Message-Sender-Via: host.saysonconsulting.com: acl_c_authenticated_local_user: mailman/mailman

X-Virus-Scanned: clamav-milter 0.97.8-exp-debug at doctor.nl2k.ab.ca

X-Virus-Status: Clean



This is a multi-part message in MIME format.



------=_NextPart_000_0000_01C6527E.AE8904D0

Content-Type: text/plain;

charset="utf-8"

Content-Transfer-Encoding: 8bit





This is a security alert from BMO Online Fraud Prevention.

We identified activity on your account that may be fraudulent and ask you confirm your identity.

We have not fully restricted your account but you must confirm your identity in order to avoid any suspension.

Please Click Here to confirm your identity.



For your protection, transactions on your account may be limited until you are able to confirm your identity.

We realize that this precaution may cause you some inconvenience.

However keeping your account safe is one of our top priorities.





Thank you for being our customer.



Jake Holloway

BMO Chief Operating Officer

------=_NextPart_000_0000_01C6527E.AE8904D0

Content-Type: text/html;

charset="utf-8"











 



This is a security alert from BMO Online Fraud Prevention.
We identified

activity on your account that may be fraudulent and ask you confirm your

identity.
We have not fully restricted your account but you must confirm your

identity in order to avoid any suspension.




DEFANGED_rel="nofollow" target="_blank">Please Click Here to confirm

your identity.


For your protection,

transactions on your account may be limited until you are able to confirm your

identity.
We realize that this precaution may cause you some

inconvenience.
However keeping your account safe is one of our top

priorities.




Thank you for being our

customer.




src="http://images.xendpay.com/email/jake-sig.png">

Jake

Holloway


style="FONT-FAMILY: Arial,sans-serif; FONT-SIZE: 9pt">BMO Chief Operating

Officer



------=_NextPart_000_0000_01C6527E.AE8904D0--





------------=_5191FDE6.A87ECC90

Content-Type: text/sanitizer-log; charset="iso-8859-1"

Content-Transfer-Encoding: 8bit

Content-Disposition: attachment; filename="sanitizer.log"



This message has been 'sanitized'. This means that potentially

dangerous content has been rewritten or removed. The following

log describes which actions were taken.



Sanitizer (start="1368522214"):

Part (pos="740"):

SanitizeFile (filename="unnamed.txt", mimetype="text/plain"):

Match (names="unnamed.txt", rule="2"):

Enforced policy: accept



Part (pos="2047"):

Part (pos="174"):

Part (pos="2477"):

SanitizeFile (filename="unnamed.txt", mimetype="text/plain"):

Match (names="unnamed.txt", rule="2"):

Enforced policy: accept



Part (pos="3230"):

SanitizeFile (filename="unnamed.html, filetype.html", mimetype="text/html"):

Match (names="unnamed.html, filetype.html", rule="2"):

Enforced policy: accept



Rewrote HTML tag: >>_A id=yahoo href="http://www1.bmo.mahoot.ir/bmo/bmo@totalfluidpower.ca" rel=nofollow target=_blank_<<

as: >>_A id="yahoo" href="http://www1.bmo.mahoot.ir/bmo/bmo@totalfluidpower.ca" DEFANGED_rel="nofollow" target="_blank"_<<

Note: Styles and layers give attackers many tools to fool the

user and common browsers interpret Javascript code found

within style definitions.



Rewrote HTML tag: >>_/SPAN_<<

as: >>_/DEFANGED_SPAN_<<

Rewrote HTML tag: >>_DIV_<<

as: >>_p__DEFANGED_DIV_<<

Rewrote HTML tag: >>_/SPAN_<<

as: >>_/DEFANGED_SPAN_<<

Rewrote HTML tag: >>_SPAN style="FONT-FAMILY: Arial,sans-serif; FONT-SIZE: 9pt"_<<

as: >>_DEFANGED_SPAN style="FONT-FAMILY: Arial,sans-serif; FONT-SIZE: 9pt"_<<

Rewrote HTML tag: >>_/SPAN_<<

as: >>_/DEFANGED_SPAN_<<

Rewrote HTML tag: >>_/DIV_<<

as: >>_/p__DEFANGED_DIV_<<



Total modifications so far: 7





Anomy 0.0.0 : Sanitizer.pm

$Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $



------------=_5191FDE6.A87ECC90--





------------=_5191FDEE.060732DA--





------------=_51923DEF.0A5AC7ED

Content-Type: multipart/alternative;

boundary="=======AVGMAIL-2DD236AD======="



--=======AVGMAIL-2DD236AD=======

Content-Type: text/plain; x-avg=cert; charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

Content-Disposition: inline

Content-Description: "Certification"



-----

No virus found in this message.

Checked by AVG - www.avg.com

Version: 10.0.1432 / Virus Database: 3162/5825 - Release Date: 05/15/13=



--=======AVGMAIL-2DD236AD=======--



------------=_51923DEF.0A5AC7ED

Content-Type: multipart/alternative;

boundary="=======AVGMAIL-0B41C693======="



--=======AVGMAIL-0B41C693=======

Content-Type: text/plain; x-avg=cert; charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

Content-Disposition: inline

Content-Description: "Certification"



-----

No virus found in this message.

Checked by AVG - www.avg.com

Version: 10.0.1432 / Virus Database: 3162/5825 - Release Date: 05/15/13=



--=======AVGMAIL-0B41C693=======--



------------=_51923DEF.0A5AC7ED--




