More Bank of Montreal Phish
Posted by Dave Yadallee on
X-Account-Key: account1
X-UIDL: 000019d44f5d9180
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Received: from localhost by doctor.nl2k.ab.ca
with SpamAssassin (version 3.3.2);
Tue, 14 May 2013 07:36:47 -0600
From: "BMO"
To: "bmo"
Subject: [Norton AntiSpam]*SPAM* [BMO] Alert message
Date: Mon, 13 May 2013 12:06:22 +0100
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on doctor.nl2k.ab.ca
X-Spam-Flag: YES
X-Spam-Level: *********************************************
X-Spam-Status: Yes, score=45.0 required=5.0 tests=SARE_UNSUB38D
autolearn=unavailable version=3.3.2
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_51923DEF.0A5AC7ED"
X-Antivirus: AVG for E-mail 10.0.1432 [3162/5825]
X-AVG-ID: ID4F36CE0-27EF6021
X-Brightmail-Tracker: AAAABR15GvIdeRrpHXk0QR15NOYdeUD7
This is a multi-part message in MIME format.
------------=_51923DEF.0A5AC7ED
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Spam detection software, running on the system "doctor.nl2k.ab.ca", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.
Content preview: Spam detection software, running on the system "doctor.nl2k.ab.ca",
has identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see the administrator of
that system for details. [...]
Content analysis details: (45.0 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
45 SARE_UNSUB38D RAW: SARE_UNSUB38D
The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam. If you wish to view
it, it may be safer to save it to a file and open it with an editor.
------------=_51923DEF.0A5AC7ED
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: attachment
Content-Transfer-Encoding: 8bit
Return-Path:
X-Original-To: dave@doctor.nl2k.ab.ca
Delivered-To: dave@doctor.nl2k.ab.ca
Received: by doctor.nl2k.ab.ca (Postfix, from userid 101)
id 468DD12CFAB6; Tue, 14 May 2013 07:36:33 -0600 (MDT)
Resent-From: doctor@doctor.nl2k.ab.ca
Resent-Date: Tue, 14 May 2013 07:36:33 -0600
Resent-Message-ID: <20130514133633.GA8387@doctor.nl2k.ab.ca>
Resent-To: Dave Yadallee
Received: from localhost by doctor.nl2k.ab.ca
with SpamAssassin (version 3.3.2);
Tue, 14 May 2013 03:03:42 -0600
From: "BMO"
To: "bmo"
Subject: SPAM [BMO] Alert message
Date: Mon, 13 May 2013 12:06:22 +0100
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on doctor.nl2k.ab.ca
X-Spam-Flag: YES
X-Spam-Level: *********************************************
X-Spam-Status: Yes, score=45.0 required=5.0 tests=SARE_UNSUB38D
autolearn=unavailable version=3.3.2
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_5191FDEE.060732DA"
X-Virus-Scanned: clamav-milter 0.97.8-exp-debug at doctor.nl2k.ab.ca
X-Virus-Status: Clean
This is a multi-part message in MIME format.
------------=_5191FDEE.060732DA
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Spam detection software, running on the system "doctor.nl2k.ab.ca", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.
Content preview: Spam detection software, running on the system "doctor.nl2k.ab.ca",
has identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see the administrator of
that system for details. [...]
Content analysis details: (45.0 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
45 SARE_UNSUB38D RAW: SARE_UNSUB38D
The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam. If you wish to view
it, it may be safer to save it to a file and open it with an editor.
------------=_5191FDEE.060732DA
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: attachment
Content-Transfer-Encoding: 8bit
Received: from localhost by doctor.nl2k.ab.ca
with SpamAssassin (version 3.3.2);
Tue, 14 May 2013 03:03:34 -0600
From: "BMO"
To: "bmo"
Subject: SPAM [BMO] Alert message
Date: Mon, 13 May 2013 12:06:22 +0100
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on doctor.nl2k.ab.ca
X-Spam-Flag: YES
X-Spam-Level: *********************************************
X-Spam-Status: Yes, score=45.0 required=5.0 tests=SARE_UNSUB38D
autolearn=unavailable version=3.3.2
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_5191FDE6.A87ECC90"
X-Sanitizer: This message has been sanitized!
X-Sanitizer-URL: http://mailtools.anomy.net/
X-Sanitizer-Rev: $Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $
This is a multi-part message in MIME format.
------------=_5191FDE6.A87ECC90
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Spam detection software, running on the system "doctor.nl2k.ab.ca", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.
Content preview: This is a security alert from BMO Online Fraud Prevention.
We identified activity on your account that may be fraudulent and ask you
confirm your identity. We have not fully restricted your account but you
must confirm your identity in order to avoid any suspension. Please Click
Here to confirm your identity. [...]
Content analysis details: (45.0 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
45 SARE_UNSUB38D RAW: SARE_UNSUB38D
The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam. If you wish to view
it, it may be safer to save it to a file and open it with an editor.
------------=_5191FDE6.A87ECC90
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: attachment
Content-Transfer-Encoding: 8bit
Return-Path:
X-Original-To: doctor@nl2k.ab.ca
Delivered-To: doctor@nl2k.ab.ca
Received: from host.saysonconsulting.com (server.saysonconsulting.com [70.38.67.205])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested)
by doctor.nl2k.ab.ca (Postfix) with ESMTPS id 4BDA312CFA8C
for
Received: from localhost ([127.0.0.1]:34165 helo=host.saysonconsulting.com)
by host.saysonconsulting.com with esmtp (Exim 4.80)
(envelope-from
id 1UbqbO-0003AE-2J; Mon, 13 May 2013 07:07:34 -0400
Received: from host81-137-244-36.in-addr.btopenworld.com ([81.137.244.36]:4835
helo=168.187.240.163)
by host.saysonconsulting.com with esmtpa (Exim 4.80)
(envelope-from
for bmo@totalfluidpower.ca; Mon, 13 May 2013 07:06:28 -0400
From: "BMO"
To: "bmo"
Date: Mon, 13 May 2013 12:06:22 +0100
Organization: btopenworld.com
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0000_01C6527E.AE8904D0"
Subject: [BMO] Alert message
X-BeenThere: bmo@totalfluidpower.ca
X-Mailman-Version: 2.1.15
Precedence: list
List-Id:
List-Unsubscribe:
List-Archive:
List-Post:
List-Help:
List-Subscribe:
Errors-To: bmo-bounces@totalfluidpower.ca
Sender: "BMO"
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - host.saysonconsulting.com
X-AntiAbuse: Original Domain - nl2k.ab.ca
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - totalfluidpower.ca
X-Get-Message-Sender-Via: host.saysonconsulting.com: acl_c_authenticated_local_user: mailman/mailman
X-Virus-Scanned: clamav-milter 0.97.8-exp-debug at doctor.nl2k.ab.ca
X-Virus-Status: Clean
This is a multi-part message in MIME format.
------=_NextPart_000_0000_01C6527E.AE8904D0
Content-Type: text/plain;
charset="utf-8"
Content-Transfer-Encoding: 8bit
This is a security alert from BMO Online Fraud Prevention.
We identified activity on your account that may be fraudulent and ask you confirm your identity.
We have not fully restricted your account but you must confirm your identity in order to avoid any suspension.
Please Click Here to confirm your identity.
For your protection, transactions on your account may be limited until you are able to confirm your identity.
We realize that this precaution may cause you some inconvenience.
However keeping your account safe is one of our top priorities.
Thank you for being our customer.
Jake Holloway
BMO Chief Operating Officer
------=_NextPart_000_0000_01C6527E.AE8904D0
Content-Type: text/html;
charset="utf-8"
This is a security alert from BMO Online Fraud Prevention.
We identified
activity on your account that may be fraudulent and ask you confirm your
identity.
We have not fully restricted your account but you must confirm your
identity in order to avoid any suspension.
DEFANGED_rel="nofollow" target="_blank">Please Click Here to confirm
your identity.
For your protection,
transactions on your account may be limited until you are able to confirm your
identity.
We realize that this precaution may cause you some
inconvenience.
However keeping your account safe is one of our top
priorities.
Thank you for being our
customer.
src="http://images.xendpay.com/email/jake-sig.png">
Jake
Holloway
style="FONT-FAMILY: Arial,sans-serif; FONT-SIZE: 9pt">BMO Chief Operating
Officer
------=_NextPart_000_0000_01C6527E.AE8904D0--
------------=_5191FDE6.A87ECC90
Content-Type: text/sanitizer-log; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="sanitizer.log"
This message has been 'sanitized'. This means that potentially
dangerous content has been rewritten or removed. The following
log describes which actions were taken.
Sanitizer (start="1368522214"):
Part (pos="740"):
SanitizeFile (filename="unnamed.txt", mimetype="text/plain"):
Match (names="unnamed.txt", rule="2"):
Enforced policy: accept
Part (pos="2047"):
Part (pos="174"):
Part (pos="2477"):
SanitizeFile (filename="unnamed.txt", mimetype="text/plain"):
Match (names="unnamed.txt", rule="2"):
Enforced policy: accept
Part (pos="3230"):
SanitizeFile (filename="unnamed.html, filetype.html", mimetype="text/html"):
Match (names="unnamed.html, filetype.html", rule="2"):
Enforced policy: accept
Rewrote HTML tag: >>_A id=yahoo href="http://www1.bmo.mahoot.ir/bmo/bmo@totalfluidpower.ca" rel=nofollow target=_blank_<<
as: >>_A id="yahoo" href="http://www1.bmo.mahoot.ir/bmo/bmo@totalfluidpower.ca" DEFANGED_rel="nofollow" target="_blank"_<<
Note: Styles and layers give attackers many tools to fool the
user and common browsers interpret Javascript code found
within style definitions.
Rewrote HTML tag: >>_/SPAN_<<
as: >>_/DEFANGED_SPAN_<<
Rewrote HTML tag: >>_DIV_<<
as: >>_p__DEFANGED_DIV_<<
Rewrote HTML tag: >>_/SPAN_<<
as: >>_/DEFANGED_SPAN_<<
Rewrote HTML tag: >>_SPAN style="FONT-FAMILY: Arial,sans-serif; FONT-SIZE: 9pt"_<<
as: >>_DEFANGED_SPAN style="FONT-FAMILY: Arial,sans-serif; FONT-SIZE: 9pt"_<<
Rewrote HTML tag: >>_/SPAN_<<
as: >>_/DEFANGED_SPAN_<<
Rewrote HTML tag: >>_/DIV_<<
as: >>_/p__DEFANGED_DIV_<<
Total modifications so far: 7
Anomy 0.0.0 : Sanitizer.pm
$Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $
------------=_5191FDE6.A87ECC90--
------------=_5191FDEE.060732DA--
------------=_51923DEF.0A5AC7ED
Content-Type: multipart/alternative;
boundary="=======AVGMAIL-2DD236AD======="
--=======AVGMAIL-2DD236AD=======
Content-Type: text/plain; x-avg=cert; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Content-Description: "Certification"
-----
No virus found in this message.
Checked by AVG - www.avg.com
Version: 10.0.1432 / Virus Database: 3162/5825 - Release Date: 05/15/13=
--=======AVGMAIL-2DD236AD=======--
------------=_51923DEF.0A5AC7ED
Content-Type: multipart/alternative;
boundary="=======AVGMAIL-0B41C693======="
--=======AVGMAIL-0B41C693=======
Content-Type: text/plain; x-avg=cert; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Content-Description: "Certification"
-----
No virus found in this message.
Checked by AVG - www.avg.com
Version: 10.0.1432 / Virus Database: 3162/5825 - Release Date: 05/15/13=
--=======AVGMAIL-0B41C693=======--
------------=_51923DEF.0A5AC7ED--