RE: [Declude.JunkMail] New variation of PayPal Account retrieval
Hi;

I have set up:

BODY 20 Contains 211.155.234.84

That is the IP address used in the email we received. We hold on 20

This was just made the news...

Citigroup Is Latest Victim Of Phishing Expedition
Aug. 19, 2003
The financial company's logo is the latest to be stolen by Internet scammers who are trying to steal information from consumers.
http://www.informationweek.com/story/showArticle.jhtml;jsessionid=DTWA2ROB2MVLIQSNDBGCKHSCJUMEKJVN?articleID=13100615

It is the top story at InformationWeek..

We have not received any more of the spam or maybe we have and it was deleted due to its high weight. For now that is the only filter we have for this.. Others might have seen more signatures..

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Kratka
Sent: Tuesday, August 19, 2003 1:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] New variation of PayPal Account retrieval

May be a dumb question but how are you setting up JM to block these.

Jeff

**
TymeWyse Internet
P.O.Box 84 - 583 N. Main St., Canyonville, OR 97417
tel/fax: (541) 839-6027 - [EMAIL PROTECTED]
**

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kami Razvan
Sent: Saturday, August 16, 2003 10:35 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] New variation of PayPal Account retrieval

Hi;

A new variation of the PayPal fraud is going on.. I just got this email in our spam filter... it is asking for Citibank checking account...

I just thought it would be good for all to see this... in case you don't catch it..

Regards,
Kami

Here is the header:
=
Received: from cgocable.net [24.150.152.123] by foroosh.com (SMTPD32-8.02) id AC6E4C0136; Sat, 16 Aug 2003 12:31:42 -0400
Received: from d150-152-123.home.cgocable.net (d150-152-123.home.cgocable.net [24.150.152.123]) by cgocable.net (8.12.8p1/8.12.8) with ESMTP id aoelr258507 for ; Sun, 17 Aug 2003 01:34:12 -0400 (EST)
Date: Sun, 17 Aug 2003 01:34:10 -0400 (EST)
From: Citibank <[EMAIL PROTECTED]>
X-Mailer: The Bat! (v1.61) Personal
Reply-To: [EMAIL PROTECTED]
X-Priority: 3 (Normal)
Message-ID: <[EMAIL PROTECTED]>
To: deleted
Subject: [58~]Your Checking Account at Citibank.
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--3309750874624"
X-IMAIL-SPAM-VALFROM: (4981046)
X-RBL-Warning: NOABUSE: Not supporting [EMAIL PROTECTED]
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected.
X-RBL-Warning: BASE64: A binary encoded text or HTML section was found in this E-mail.
X-RBL-Warning: FILTER-HEADER-XMAIL: Message failed FILTER-HEADER-XMAIL test (59)
X-RBL-Warning: SPAMDOMAINS: Spamdomain 'juno.com' found: Address of [EMAIL PROTECTED] sent from invalid d150-152-123.home.cgocable.net.
X-RBL-Warning: COUNTRY: Message failed COUNTRY test (36)
X-RBL-Warning: FREEEMAILS:
X-Declude-Sender: [EMAIL PROTECTED] [24.150.152.123]
X-Declude-Spoolname: D5c6e004c01364150.SMD
X-Note: This E-mail was scanned & filtered by Declude [1.75i2] for SPAM & virus.
X-Spam-Tests-Failed: NOABUSE, IPNOTINMX, NOLEGITCONTENT, BASE64, FILTER-HEADER-XMAIL, SPAMDOMAINS, COUNTRY, WEIGHT20s, WEIGHT20r, FREEEMAILS
X-Weight: 58
X-Mailfrom: Fwpreg_Warden.juno.com
X-Note: Sent from: [EMAIL PROTECTED]
X-Note: Sent from Reverse DNS: d150-152-123.home.cgocable.net ([24.150.152.123]).
X-Hello: cgocable.net
X-Note: Recipient(s): deleted
X-Country-Chain: CANADA->destination
X-RCPT-TO:
Status: U
X-UIDL: 331466365

Dear Citibank customer,

We are letting you know, that you, as a Citibank checking account holder, must become acquainted with our new Terms & Conditions and agree to it.

Please, carefully read all the parts of our new Terms & Conditions and post your consent. Otherwise, we will have to suspend your Citibank checking account.

This measure is to prevent misunderstanding between us and our valued customers.

We are sorry for any inconvinience it may cause.

Click here to access our Terms & Conditions page and not allow your Citibank checking account suspension.

й 2003 Citibank. Citibank (West), FSB. Member FDIC. Citibank with Arc Design is a registered service mark of Citicorp.
Citi.com Citigroup Privacy Promise Terms & Conditions
Copyright й 2003 Citicorp
ECRM_CBNA_NEW_ACTIVE

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mai
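
Added example (not part of the original posts, and not Declude's own code): a small Python model of the body filter line and hold weight described in the message above, run against a constructed message whose HTML part is base64-encoded, as the BASE64 test in the posted headers reports. It shows that a substring match on the raw message misses the IP unless the part is decoded first; how Declude itself treats encoded bodies is not stated in the thread, and all function names are this example's own.

```python
import email
from email.message import EmailMessage

HOLD_WEIGHT = 20  # "We hold on 20" in the post
FILTER_LINES = ["BODY 20 CONTAINS 211.155.234.84"]  # filter line from the post

def parse_filter(line):
    """Split 'BODY <weight> CONTAINS <text>' into (weight, needle)."""
    scope, weight, op, needle = line.split(None, 3)
    if scope.upper() != "BODY" or op.upper() != "CONTAINS":
        raise ValueError("unsupported filter line: " + line)
    return int(weight), needle.lower()

def decoded_bodies(raw_message):
    """Yield every text part with its transfer encoding (base64, QP) undone."""
    msg = email.message_from_string(raw_message)
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "latin-1"
            yield payload.decode(charset, "replace")

def score(raw_message, decode=True):
    """Sum the weights of matching filter lines; returns (weight, held)."""
    # decode=False models a naive match against the undecoded message text.
    haystacks = list(decoded_bodies(raw_message)) if decode else [raw_message]
    total = 0
    for line in FILTER_LINES:
        weight, needle = parse_filter(line)
        if any(needle in h.lower() for h in haystacks):
            total += weight
    return total, total >= HOLD_WEIGHT

def constructed_sample():
    """Constructed message (not the real one): base64 HTML part with the IP."""
    msg = EmailMessage()
    msg["Subject"] = "Your Checking Account"
    msg.set_content("see html part")
    msg.add_alternative('<a href="http://211.155.234.84/">Click here</a>',
                        subtype="html", cte="base64")
    return msg.as_string()

if __name__ == "__main__":
    raw = constructed_sample()
    print("raw match:    ", score(raw, decode=False))
    print("decoded match:", score(raw))
```
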
RE: [Declude.JunkMail] New variation of PayPal Account retrieval
May be a dumb question but how are you setting up JM to block these.

Jeff

**
TymeWyse Internet
P.O.Box 84 - 583 N. Main St., Canyonville, OR 97417
tel/fax: (541) 839-6027 - [EMAIL PROTECTED]
**

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kami Razvan
Sent: Saturday, August 16, 2003 10:35 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] New variation of PayPal Account retrieval
RE: [Declude.JunkMail] New variation of PayPal Account retrieval
I wouldn't be at all surprised if it turns out that these phishing expeditions for e-mail readers, replies, and credit card details are the same spammers behind the SoBig malware.

Check out: http://www.lurhq.com/sobig-e.html

I came across this very detailed write-up when checking out some oddly numbered ports that were being probed on my home machine. It's considerably more detailed than the write-up by my antivirus vendor.

Since then, I've seen the same set of probes from familiar netblocks in Brazil and China... and China is where Kami's CitiBank scam is pointing if someone is naive enough to click on the link. China is *rather* big but I don't think my guess is much of a stretch.

Andrew.

-Original Message-
From: Kami Razvan [mailto:[EMAIL PROTECTED]
Sent: Saturday, August 16, 2003 10:35 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] New variation of PayPal Account retrieval

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.