More RBC Phish

Posted by Dave Yadallee on
From - Tue May 21 10:17:16 2013

X-Account-Key: account1

X-UIDL: 00001a814f5d9180

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

X-Mozilla-Keys:

Return-Path:

X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on doctor.nl2k.ab.ca

X-Spam-Level: ***

X-Spam-Status: No, score=3.0 required=5.0 tests=BOTNET,RCVD_IN_UCE_PFSM_1,

RELAY_CHECKER_NORDNS autolearn=no version=3.3.2

X-Original-To: dave@doctor.nl2k.ab.ca

Delivered-To: dave@doctor.nl2k.ab.ca

Received: by doctor.nl2k.ab.ca (Postfix, from userid 101)

id 6F69612CFA83; Mon, 20 May 2013 08:33:57 -0600 (MDT)

Resent-From: doctor@doctor.nl2k.ab.ca

Resent-Date: Mon, 20 May 2013 08:33:57 -0600

Resent-Message-ID: <20130520143357.GD26369@doctor.nl2k.ab.ca>

Resent-To: Dave Yadallee

X-Original-To: doctor@nl2k.ab.ca

Delivered-To: doctor@nl2k.ab.ca

Received: from vCCSO.copiah.k12.ms.us (unknown [68.153.116.36])

by doctor.nl2k.ab.ca (Postfix) with ESMTP id 6AC3812CFA81

for ; Mon, 20 May 2013 02:22:06 -0600 (MDT)

Received: from localhost (localhost.localdomain [127.0.0.1])

by vCCSO.copiah.k12.ms.us (Postfix) with ESMTP id C713D384BD3

for ; Mon, 20 May 2013 03:22:00 -0500 (CDT)

Received: from vCCSO.copiah.k12.ms.us ([127.0.0.1])

by localhost (ccsdistrict.k12.ms.us [127.0.0.1]) (amavisd-new, port 10024)

with ESMTP id y2mGAiMJqsDg for ;

Mon, 20 May 2013 03:22:00 -0500 (CDT)

Received: from localhost (localhost.localdomain [127.0.0.1])

by vCCSO.copiah.k12.ms.us (Postfix) with ESMTP id A2993384BD4

for ; Mon, 20 May 2013 03:22:00 -0500 (CDT)

Received: from advisor.webssl.com (unknown [142.46.21.137])

by vCCSO.copiah.k12.ms.us (Postfix) with ESMTP id 47F0F384BD3

for ; Mon, 20 May 2013 03:22:00 -0500 (CDT)

From: RBC Royal Bank

To: doctor@nl2k.ab.ca

Subject: [Norton AntiSpam]Message Center: 1 New Alert Message!

Date: 20 May 2013 04:21:58 -0400

Message-ID: <20130520042158.18C97287F050C066@advisor.webssl.com>

MIME-Version: 1.0

Content-Type: text/html; charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

X-Sanitizer: This message has been sanitized!

X-Sanitizer-URL: http://mailtools.anomy.net/

X-Sanitizer-Rev: $Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $

X-Virus-Scanned: clamav-milter 0.97.8-exp-debug at doctor.nl2k.ab.ca

X-Virus-Status: Clean

X-Antivirus: AVG for E-mail 10.0.1432 [3162/5841]

X-AVG-ID: ID4AC7089A-7F949C1A

X-Brightmail-Tracker: AAAAAx3FBaodxOcTHcUGQQ==

X-Brightmail-Tracker: AAAAAR3MBxU=







RBC Royal Bank / Message Center: 1 New Alert Message!


yalbank_en.gif">






old.gif"> 1 New Alert Message!








ng=3D"0" width=3D"100%">

cellpadding=3D"3" cellspacing=3D"0" width=3D"100%">




Customer Service: Your account has b=

een limited!
http://125.209.84.162/ssl/rbaccess/encrypted-session/F6=3D1&F7=3DIB&F21=3DI=

B&F22=3DIB&REQUEST=3DClientSignin&LANGUAGE=3DENGLISH">Click to Resolve
b>








Thank you for using Royal Bank of Canada.




This message has bee=

n 'sanitized'. This means that potentially

dangerous content has been rewritten or removed. The following

log describes which actions were taken.






Sanitizer (start=3D"1369038134"):


  SanitizeFile (filename=3D"unnamed.html, filetype.html", mimetype=3D"text/=


html"):


    Match (names=3D"unnamed.html, filetype.html", rule=3D"2"):


      Enforced policy: accept





  Rewrote HTML tag: >>_a rel=3D"nofollow" target=3D"_blank" href=3D"h=


ttp://125.209.84.162/ssl/rbaccess/encrypted-session/F6=3D1&F7=3DIB&=


F21=3DIB&F22=3DIB&REQUEST=3DClientSignin&LANGUAGE=3DENGLISH"_&l=


t;<


                as: >>_a DEFANGED_rel=3D"nofollow" target=3D"_blank" =


href=3D"http://125.209.84.162/ssl/rbaccess/encrypted-session/F6=3D1&F7=


=3DIB&F21=3DIB&F22=3DIB&REQUEST=3DClientSignin&LANGUAGE=3DE=


NGLISH"_<<


  Total modifications so far: 1


Anomy 0.0.0 : Sanitizer.pm

$Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $







D>This message has been 'sanitized'. This means that potentially

dangerous content has been rewritten or removed. The following

log describes which actions were taken.






Sanitizer (start=3D"1369038134"):


  SanitizeFile (filename=3D"unnamed.html, filetype.html", mimetype=3D"text/=


html"):


    Match (names=3D"unnamed.html, filetype.html", rule=3D"2"):


      Enforced policy: accept





  Rewrote HTML tag: >>_a rel=3D"nofollow" target=3D"_blank" href=3D"h=


ttp://125.209.84.162/ssl/rbaccess/encrypted-session/F6=3D1&F7=3DIB&=


F21=3DIB&F22=3DIB&REQUEST=3DClientSignin&LANGUAGE=3DENGLISH"_&l=


t;<


                as: >>_a DEFANGED_rel=3D"nofollow" target=3D"_blank" =


href=3D"http://125.209.84.162/ssl/rbaccess/encrypted-session/F6=3D1&F7=


=3DIB&F21=3DIB&F22=3DIB&REQUEST=3DClientSignin&LANGUAGE=3DE=


NGLISH"_<<


  Total modifications so far: 1


  Note: Styles and layers give attackers many tools to fool the


  user and common browsers interpret Javascript code found


  within style definitions.


  


  Rewrote HTML tag: >>_/div_<<


                as: >>_/p__DEFANGED_div_<<


  Total modifications so far: 2


Anomy 0.0.0 : Sanitizer.pm

$Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $




t" color=3D"#000000">No virus found in this message.


Checked by AVG - www.avg.com


Version: 10.0.1432 / Virus Database: 3162/5841 - Release Date: 05/20/13

=


t" color=3D"#000000">No virus found in this message.


Checked by AVG - www.avg.com


Version: 10.0.1432 / Virus Database: 3162/5841 - Release Date: 05/20/13

=






This message has bee=

n 'sanitized'. This means that potentially

dangerous content has been rewritten or removed. The following

log describes which actions were taken.






Sanitizer (start=3D"1369038134"):


  SanitizeFile (filename=3D"unnamed.html, filetype.html", mimetype=3D"text/=


html"):


    Match (names=3D"unnamed.html, filetype.html", rule=3D"2"):


      Enforced policy: accept





  Rewrote HTML tag: >>_a rel=3D"nofollow" target=3D"_blank" href=3D"h=


ttp://125.209.84.162/ssl/rbaccess/encrypted-session/F6=3D1&F7=3DIB&=


F21=3DIB&F22=3DIB&REQUEST=3DClientSignin&LANGUAGE=3DENGLISH"_&l=


t;<


                as: >>_a DEFANGED_rel=3D"nofollow" target=3D"_blank" =


href=3D"http://125.209.84.162/ssl/rbaccess/encrypted-session/F6=3D1&F7=


=3DIB&F21=3DIB&F22=3DIB&REQUEST=3DClientSignin&LANGUAGE=3DE=


NGLISH"_<<


  Total modifications so far: 1


  Note: Styles and layers give attackers many tools to fool the


  user and common browsers interpret Javascript code found


  within style definitions.


  


  Rewrote HTML tag: >>_/div_<<


                as: >>_/p__DEFANGED_div_<<


  Total modifications so far: 2


Anomy 0.0.0 : Sanitizer.pm

$Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $















Trackbacks

Trackback specific URI for this entry

This link is not meant to be clicked. It contains the trackback URI for this entry. You can use this URI to send ping- & trackbacks from your own blog to this entry. To copy the link, right click and select "Copy Shortcut" in Internet Explorer or "Copy Link Location" in Mozilla.

No Trackbacks

Comments

Display comments as Linear | Threaded

No comments

Add Comment

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA