More RBC Phish

From - Tue May 21 10:17:16 2013

X-Account-Key: account1

X-UIDL: 00001a814f5d9180

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

X-Mozilla-Keys:

Return-Path:

X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on doctor.nl2k.ab.ca

X-Spam-Level: ***

X-Spam-Status: No, score=3.0 required=5.0 tests=BOTNET,RCVD_IN_UCE_PFSM_1,

RELAY_CHECKER_NORDNS autolearn=no version=3.3.2

X-Original-To: dave@doctor.nl2k.ab.ca

Delivered-To: dave@doctor.nl2k.ab.ca

Received: by doctor.nl2k.ab.ca (Postfix, from userid 101)

id 6F69612CFA83; Mon, 20 May 2013 08:33:57 -0600 (MDT)

Resent-From: doctor@doctor.nl2k.ab.ca

Resent-Date: Mon, 20 May 2013 08:33:57 -0600

Resent-Message-ID: <20130520143357.GD26369@doctor.nl2k.ab.ca>

Resent-To: Dave Yadallee

X-Original-To: doctor@nl2k.ab.ca

Delivered-To: doctor@nl2k.ab.ca

Received: from vCCSO.copiah.k12.ms.us (unknown [68.153.116.36])

by doctor.nl2k.ab.ca (Postfix) with ESMTP id 6AC3812CFA81

for ; Mon, 20 May 2013 02:22:06 -0600 (MDT)

Received: from localhost (localhost.localdomain [127.0.0.1])

by vCCSO.copiah.k12.ms.us (Postfix) with ESMTP id C713D384BD3

for ; Mon, 20 May 2013 03:22:00 -0500 (CDT)

Received: from vCCSO.copiah.k12.ms.us ([127.0.0.1])

by localhost (ccsdistrict.k12.ms.us [127.0.0.1]) (amavisd-new, port 10024)

with ESMTP id y2mGAiMJqsDg for ;

Mon, 20 May 2013 03:22:00 -0500 (CDT)

Received: from localhost (localhost.localdomain [127.0.0.1])

by vCCSO.copiah.k12.ms.us (Postfix) with ESMTP id A2993384BD4

for ; Mon, 20 May 2013 03:22:00 -0500 (CDT)

Received: from advisor.webssl.com (unknown [142.46.21.137])

by vCCSO.copiah.k12.ms.us (Postfix) with ESMTP id 47F0F384BD3

for ; Mon, 20 May 2013 03:22:00 -0500 (CDT)

From: RBC Royal Bank

To: doctor@nl2k.ab.ca

Subject: [Norton AntiSpam]Message Center: 1 New Alert Message!

Date: 20 May 2013 04:21:58 -0400

Message-ID: <20130520042158.18C97287F050C066@advisor.webssl.com>

MIME-Version: 1.0

Content-Type: text/html; charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

X-Sanitizer: This message has been sanitized!

X-Sanitizer-URL: http://mailtools.anomy.net/

X-Sanitizer-Rev: $Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $

X-Virus-Scanned: clamav-milter 0.97.8-exp-debug at doctor.nl2k.ab.ca

X-Virus-Status: Clean

X-Antivirus: AVG for E-mail 10.0.1432 [3162/5841]

X-AVG-ID: ID4AC7089A-7F949C1A

X-Brightmail-Tracker: AAAAAx3FBaodxOcTHcUGQQ==

X-Brightmail-Tracker: AAAAAR3MBxU=







RBC Royal Bank / Message Center: 1 New Alert Message!


1 New Alert Message!




Customer Service: Your account has been limited!

http://125.209.84.162/ssl/rbaccess/encrypted-session/F6=1&F7=IB&F21=IB&F22=IB&REQUEST=ClientSignin&LANGUAGE=ENGLISH

Click to Resolve









Thank you for using Royal Bank of Canada.





This message has been 'sanitized'. This means that potentially

dangerous content has been rewritten or removed. The following

log describes which actions were taken.



Sanitizer (start="1369038134"):

SanitizeFile (filename="unnamed.html, filetype.html", mimetype="text/html"):

Match (names="unnamed.html, filetype.html", rule="2"):

Enforced policy: accept



Rewrote HTML tag: >>_a rel="nofollow" target="_blank" href="http://125.209.84.162/ssl/rbaccess/encrypted-session/F6=1&F7=IB&F21=IB&F22=IB&REQUEST=ClientSignin&LANGUAGE=ENGLISH"_<<

as: >>_a DEFANGED_rel="nofollow" target="_blank" href="http://125.209.84.162/ssl/rbaccess/encrypted-session/F6=1&F7=IB&F21=IB&F22=IB&REQUEST=ClientSignin&LANGUAGE=ENGLISH"_<<

Total modifications so far: 1







Anomy 0.0.0 : Sanitizer.pm

$Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $








This message has been 'sanitized'. This means that potentially

dangerous content has been rewritten or removed. The following

log describes which actions were taken.



Sanitizer (start="1369038134"):

SanitizeFile (filename="unnamed.html, filetype.html", mimetype="text/html"):

Match (names="unnamed.html, filetype.html", rule="2"):

Enforced policy: accept



Rewrote HTML tag: >>_a rel="nofollow" target="_blank" href="http://125.209.84.162/ssl/rbaccess/encrypted-session/F6=1&F7=IB&F21=IB&F22=IB&REQUEST=ClientSignin&LANGUAGE=ENGLISH"_<<

as: >>_a DEFANGED_rel="nofollow" target="_blank" href="http://125.209.84.162/ssl/rbaccess/encrypted-session/F6=1&F7=IB&F21=IB&F22=IB&REQUEST=ClientSignin&LANGUAGE=ENGLISH"_<<

Total modifications so far: 1

Note: Styles and layers give attackers many tools to fool the

user and common browsers interpret Javascript code found

within style definitions.



Rewrote HTML tag: >>_/div_<<

as: >>_/p__DEFANGED_div_<<

Total modifications so far: 2







Anomy 0.0.0 : Sanitizer.pm

$Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $





No virus found in this message.


Checked by AVG - www.avg.com


Version: 10.0.1432 / Virus Database: 3162/5841 - Release Date: 05/20/13
















Co-operative Bank p.l.c phish

From - Tue May 21 10:17:02 2013

X-Account-Key: account1

X-UIDL: 00001a6f4f5d9180

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

X-Mozilla-Keys:

Received: from localhost by doctor.nl2k.ab.ca

with SpamAssassin (version 3.3.2);

Sun, 19 May 2013 06:33:10 -0600

From: Co-operative Bank p.l.c

Subject: SPAM Fix The Error On Your Account

Date: Sun, 19 May 2013 13:58:20 +0100

X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on doctor.nl2k.ab.ca

X-Spam-Flag: YES

X-Spam-Level: *****

X-Spam-Status: Yes, score=5.2 required=5.0 tests=FORGED_MUA_OUTLOOK,

FORGED_OUTLOOK_TAGS,RCVD_IN_BACKSCATTER autolearn=no version=3.3.2

MIME-Version: 1.0

Content-Type: multipart/mixed; boundary="----------=_5198C686.AF4F5121"

X-Antivirus: AVG for E-mail 10.0.1432 [3162/5841]

X-AVG-ID: ID1F0D0BA1-470FA90B

X-Brightmail-Tracker: AAAAAh3E6AodxOgB

X-Brightmail-Tracker: AAAAAA==



This is a multi-part message in MIME format.



------------=_5198C686.AF4F5121

Content-Type: text/plain; charset=iso-8859-1

Content-Disposition: inline

Content-Transfer-Encoding: 8bit



Spam detection software, running on the system "doctor.nl2k.ab.ca", has

identified this incoming email as possible spam. The original message

has been attached to this so you can view it (if it isn't spam) or label

similar future email. If you have any questions, see

the administrator of that system for details.



Content preview: Dear customer, We have created a new dedicated security server

to keep all our online banking customers account safe and secure. This server

has been tested in most of our bank branches. Now we are asking all our online

banking customers to register for the new security server to keep them safe.

[...]



Content analysis details: (5.2 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.0 RCVD_IN_BACKSCATTER RBL: Received via a relay in Backscatter.org

[159.134.118.28 listed in ips.backscatterer.org]

0.0 FORGED_OUTLOOK_TAGS Outlook can't send HTML in this format

4.2 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook



The original message was not completely plain text, and may be unsafe to

open with some email clients; in particular, it may contain a virus,

or confirm that your address can receive spam. If you wish to view

it, it may be safer to save it to a file and open it with an editor.





------------=_5198C686.AF4F5121

Content-Type: message/rfc822; x-spam-type=original

Content-Description: original message before SpamAssassin

Content-Disposition: attachment

Content-Transfer-Encoding: 8bit



Return-Path:

X-Original-To: dave@doctor.nl2k.ab.ca

Delivered-To: dave@doctor.nl2k.ab.ca

Received: from mail12.svc.cra.dublin.eircom.net (mail12.svc.cra.dublin.eircom.net [159.134.118.28])

by doctor.nl2k.ab.ca (Postfix) with SMTP id 42D7C12CFA81

for ; Sun, 19 May 2013 06:33:03 -0600 (MDT)

Received: (qmail 24163 messnum 1892601 invoked from network[213.94.190.12/avas01.vendorsvc.cra.dublin.eircom.net]); 19 May 2013 12:32:54 -0000

Received: from avas01.vendorsvc.cra.dublin.eircom.net (213.94.190.12)

by mail12.svc.cra.dublin.eircom.net (qp 24163) with SMTP; 19 May 2013 12:32:54 -0000

Received: from User ([86.41.153.244])

by avas01.vendorsvc.cra.dublin.eircom.net with Cloudmark Gateway

id doYR1l00Y5GeWeE01oYVi9; Sun, 19 May 2013 13:32:54 +0100

Reply-To: hybqwx@co-operative.co.uk

From: Co-operative Bank p.l.c

Subject: Fix The Error On Your Account

Date: Sun, 19 May 2013 13:58:20 +0100

MIME-Version: 1.0

Content-Type: text/html;

charset="_iso-2022-jp$ESC"

Content-Transfer-Encoding: 7bit

X-Priority: 3

X-MSMail-Priority: Normal

X-Mailer: Microsoft Outlook Express 6.00.2800.1081

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1081

X-Virus-Scanned: clamav-milter 0.97.8-exp-debug at doctor.nl2k.ab.ca

X-Virus-Status: Clean



Dear customer,

We have created a new dedicated security server to keep all
our online banking customers account safe and secure.

This server has been tested in most of our bank branches.
Now we are asking all our online banking customers to register for the
new security server to keep them safe.








In order to ensure you are properly updated and your account is fully protected.

Click here for privacy and policy update









Best wishes,

Security Team
Co-operative Bank p.l.c






------------=_5198C686.AF4F5121

Content-Type: multipart/alternative;

boundary="=======AVGMAIL-74352D00======="



--=======AVGMAIL-74352D00=======

Content-Type: text/plain; x-avg=cert; charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

Content-Disposition: inline

Content-Description: "Certification"



-----

No virus found in this message.

Checked by AVG - www.avg.com

Version: 10.0.1432 / Virus Database: 3162/5841 - Release Date: 05/20/13=



--=======AVGMAIL-74352D00=======--





------------=_5198C686.AF4F5121--







More CIBC Phish

From - Tue May 21 10:17:01 2013

X-Account-Key: account1

X-UIDL: 00001a6d4f5d9180

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

X-Mozilla-Keys:

Return-Path:

X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on doctor.nl2k.ab.ca

X-Spam-Level:

X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=unavailable

version=3.3.2

X-Original-To: dave@doctor.nl2k.ab.ca

Delivered-To: dave@doctor.nl2k.ab.ca

Received: by doctor.nl2k.ab.ca (Postfix, from userid 101)

id 07A6812CFA82; Sun, 19 May 2013 06:23:05 -0600 (MDT)

Resent-From: doctor@doctor.nl2k.ab.ca

Resent-Date: Sun, 19 May 2013 06:23:05 -0600

Resent-Message-ID: <20130519122305.GA23108@doctor.nl2k.ab.ca>

Resent-To: Dave Yadallee

X-Original-To: doctor@doctor.nl2k.ab.ca

Delivered-To: doctor@doctor.nl2k.ab.ca

Received: from ve08.paneldehosting.com (ve08.paneldehosting.com [207.210.71.2])

(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))

(No client certificate requested)

by doctor.nl2k.ab.ca (Postfix) with ESMTPS id 3DE0812CFA81

for ; Sun, 19 May 2013 05:43:54 -0600 (MDT)

Received: from danelkar by ve08.paneldehosting.com with local (Exim 4.80)

(envelope-from )

id 1Ue21p-0003os-MY

for doctor@doctor.nl2k.ab.ca; Sun, 19 May 2013 07:13:53 -0430

To: doctor@doctor.nl2k.ab.ca

Subject: [Norton AntiSpam]ALERT: Online Account Activity

From: CIBC Bank

Reply-To:

MIME-Version: 1.0

Content-Type: text/html

Content-Transfer-Encoding: 8bit

Message-Id:

Date: Sun, 19 May 2013 07:13:53 -0430

X-AntiAbuse: This header was added to track abuse, please include it with any abuse report

X-AntiAbuse: Primary Hostname - ve08.paneldehosting.com

X-AntiAbuse: Original Domain - doctor.nl2k.ab.ca

X-AntiAbuse: Originator/Caller UID/GID - [744 742] / [47 12]

X-AntiAbuse: Sender Address Domain - ve08.paneldehosting.com

X-Get-Message-Sender-Via: ve08.paneldehosting.com: authenticated_id: danelkar/only user confirmed/virtual account not confirmed

X-Sanitizer: This message has been sanitized!

X-Sanitizer-URL: http://mailtools.anomy.net/

X-Sanitizer-Rev: $Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $

X-Virus-Scanned: clamav-milter 0.97.8-exp-debug at doctor.nl2k.ab.ca

X-Virus-Status: Clean

X-Antivirus: AVG for E-mail 10.0.1432 [3162/5841]

X-AVG-ID: ID48B5C602-1370CA48

X-Brightmail-Tracker: AAAABAr7RnYdxOcQHcVYSx3FV8I=

X-Brightmail-Tracker: AAAAAR3K85s=





Your CIBC Internet Banking Account Has Been Blocked



For your security, your CIBC online banking account has been locked, please Log on click :

https://www.cibc.com.



2013 CIBC BANK.








This message has been 'sanitized'. This means that potentially

dangerous content has been rewritten or removed. The following

log describes which actions were taken.





Sanitizer (start="1368963841"):

SanitizeFile (filename="unnamed.html, filetype.html", mimetype="text/html"):

Match (names="unnamed.html, filetype.html", rule="2"):

Enforced policy: accept



Note: Styles and layers give attackers many tools to fool the

user and common browsers interpret Javascript code found

within style definitions.



Rewrote HTML tag: >>_span class="yshortcuts" id="lw_1229947415_4"_<<

as: >>_DEFANGED_span class="yshortcuts" id="lw_1229947415_4"_<<

Rewrote HTML tag: >>_/span_<<

as: >>_/DEFANGED_span_<<

Total modifications so far: 2







Anomy 0.0.0 : Sanitizer.pm

$Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $




No virus found in this message.


Checked by AVG - www.avg.com


Version: 10.0.1432 / Virus Database: 3162/5841 - Release Date: 05/20/13





