TD Bank Phish

From - Thu Jul 12 11:14:01 2012
X-Account-Key: account2
X-UIDL: Qc0!!)~%#!R_F"!A;g"!
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
X-Symantec-TimeoutProtection: 0
X-Symantec-TimeoutProtection: 1
X-Symantec-TimeoutProtection: 2
Return-Path:
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on doctor.nl2k.ab.ca
X-Spam-Level:
X-Spam-Status: No, score=2.0 required=5.0 tests=URIBL_SBL,URIBL_SC_SURBL
    autolearn=no version=3.3.2
X-Original-To: aboo@doctor.nl2k.ab.ca
Delivered-To: aboo@doctor.nl2k.ab.ca
Received: from localhost (localhost.nl2k.ab.ca [127.0.0.1])
    by doctor.nl2k.ab.ca (Postfix) with ESMTP id 0ADEB12CFA82
    for ; Thu, 12 Jul 2012 11:13:31 -0600 (MDT)
X-Virus-Scanned: amavisd-new at doctor.nl2k.ab.ca
Received: from doctor.nl2k.ab.ca ([127.0.0.1])
    by localhost (doctor.nl2k.ab.ca [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 3-W-CRmM2y3X for ;
    Thu, 12 Jul 2012 11:13:25 -0600 (MDT)
Received: by doctor.nl2k.ab.ca (Postfix, from userid 101)
    id A3ABF12CFA8B; Thu, 12 Jul 2012 11:12:58 -0600 (MDT)
Resent-From: doctor@doctor.nl2k.ab.ca
Resent-Date: Thu, 12 Jul 2012 11:12:58 -0600
Resent-Message-ID: <20120712171258.GA8841@doctor.nl2k.ab.ca>
Resent-To: See root
Received: from localhost by doctor.nl2k.ab.ca
    with SpamAssassin (version 3.3.2);
    Thu, 12 Jul 2012 09:29:51 -0600
From: "TD Canada Trust"
To: undisclosed-recipients:;
Subject: [Norton AntiSpam]***SPAM**
    *****SPAM***** TD Canada Trust Online Banking information
    on file was changed
Date: Thu, 12 Jul 2012 20:58:22 +0530
Message-Id: <20120712152907.211121F5C4C@ns.core-works.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_4FFEED6F.A08F8C68"
X-Sanitizer: This message has been sanitized!
X-Sanitizer-URL: http://mailtools.anomy.net/
X-Sanitizer-Rev: $Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $
X-UIDL: Qc0!!)~%#!R_F"!A;g"!
X-Brightmail-Tracker: AAAAChsRQR0bETaEGxE2exsRQtwbEUIfGxIvnRsSL9QbEi+nGxI3cxsSL3s=

This is a multi-part message in MIME format.

------------=_4FFEED6F.A08F8C68
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Spam detection software, running on the system "doctor.nl2k.ab.ca", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview:  You are receiving this email because your TD Canada Trust
   Online Banking information on file was changed on July 11, 2012. To avoid
   any inconvenience regarding your account, such as suspension or limitation,
   please complete the form to verify your personal information. [...]

Content analysis details:   (11.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.0 RCVD_IN_UCE_PFSM_3     RBL: Received via a relay in UCE_PFSM_3
                            [122.165.254.226 listed in dnsbl-3.uceprotect.net]
 2.5 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
                            [URIs: 115.93.146.75]
 2.5 URIBL_SBL              Contains an URL listed in the SBL blocklist
                            [URIs: 115.93.146.75]
 0.0 FORGED_OUTLOOK_TAGS    Outlook can't send HTML in this format
 4.2 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam. If you wish to view
it, it may be safer to save it to a file and open it with an editor.


------------=_4FFEED6F.A08F8C68
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: attachment
Content-Transfer-Encoding: 8bit

Return-Path:
X-Original-To: doctor@nl2k.ab.ca
Delivered-To: doctor@nl2k.ab.ca
Received: from localhost (localhost.nl2k.ab.ca [127.0.0.1])
    by doctor.nl2k.ab.ca (Postfix) with ESMTP id 988C912CFA89
    for ; Thu, 12 Jul 2012 09:29:46 -0600 (MDT)
X-Virus-Scanned: amavisd-new at doctor.nl2k.ab.ca
X-Amavis-Alert: BAD HEADER SECTION, Improper folded header field made up
    entirely of whitespace (char 20 hex): X-Spam_report: ...that system
    for details.\n \n Content previ[...]
Received: from doctor.nl2k.ab.ca ([127.0.0.1])
    by localhost (doctor.nl2k.ab.ca [127.0.0.1]) (amavisd-new, port 10026)
    with ESMTP id 4rawAxLmQxi7 for ;
    Thu, 12 Jul 2012 09:29:37 -0600 (MDT)
Received: from gallifrey.nk.ca (uucp.nk.ca [204.209.81.3])
    by doctor.nl2k.ab.ca (Postfix) with ESMTP id 5622B12CFA82
    for ; Thu, 12 Jul 2012 09:29:37 -0600 (MDT)
Received: from doctor.nl2k.ab.ca ([204.209.81.1] ident=postfix)
    by gallifrey.nk.ca with esmtps (UNKNOWN:AES256-SHA:256)
    (Exim 4.77)
    (envelope-from )
    id 1SpLKb-0006iN-6J
    for doctor@nl2k.ab.ca; Thu, 12 Jul 2012 09:29:35 -0600
Received: from ns.core-works.net (mail.core-works.net [210.230.241.122])
    by doctor.nl2k.ab.ca (Postfix) with ESMTP id 7ABE612CFA82
    for ; Thu, 12 Jul 2012 09:29:19 -0600 (MDT)
Received: from User (unknown [122.165.254.226])
    by ns.core-works.net (Postfix) with ESMTP id 211121F5C4C;
    Fri, 13 Jul 2012 00:29:06 +0900 (JST)
From: "TD Canada Trust"
Subject: TD Canada Trust Online Banking information on file was changed
Date: Thu, 12 Jul 2012 20:58:22 +0530
MIME-Version: 1.0
Content-Type: text/html;
    charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: <20120712152907.211121F5C4C@ns.core-works.net>
To: undisclosed-recipients:;
X-Spam_score: 17.7
X-Spam_score_int: 177
X-Spam_bar: +++++++++++++++++
X-Spam_report: Spam detection software, running on the system "gallifrey.nk.ca", has
    identified this incoming email as possible spam. The original message
    has been attached to this so you can view it (if it isn't spam) or label
    similar future email. If you have any questions, see
    the administrator of that system for details.

    Content preview:  You are receiving this email because your TD Canada Trust
       Online Banking information on file was changed on July 11, 2012. To avoid
       any inconvenience regarding your account, such as suspension or limitation,
       please complete the form to verify your personal information. [...]

    Content analysis details:   (17.7 points, 5.0 required)

     pts rule name              description
    ---- ---------------------- --------------------------------------------------
     0.6 RCVD_IN_SORBS_WEB      RBL: SORBS: sender is an abusable web server
                                [204.209.81.1 listed in dnsbl.sorbs.net]
     1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                                [Blocked - see ]
     0.6 URIBL_SBL              Contains an URL listed in the SBL blocklist
                                [URIs: 115.93.146.75]
     0.0 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
                                [URIs: 115.93.146.75]
     3.4 FSL_CTYPE_WIN1251      Content-Type only seen in 419 spam
     1.2 NSL_RCVD_FROM_USER     Received from User
    -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
     0.0 NORMAL_HTTP_TO_IP      URI: Uses a dotted-decimal IP address in URL
     0.0 HTML_MESSAGE           BODY: HTML included in message
     1.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
     0.6 FORGED_OUTLOOK_TAGS    Outlook can't send HTML in this format
     0.0 FROM_MISSPACED         From: missing whitespace
     0.5 FROM_MISSP_MSFT        From misspaced + supposed Microsoft tool
     0.0 RFC_ABUSE_POST         Both abuse and postmaster missing on sender domain
     0.0 FROM_MISSP_EH_MATCH    From misspaced, matches envelope
     0.0 FROM_MISSP_DKIM        From misspaced, DKIM dependable
     3.4 MSOE_MID_WRONG_CASE    MSOE_MID_WRONG_CASE
     0.0 FORGED_OUTLOOK_HTML    Outlook can't send HTML message only
     0.7 FROM_MISSP_TO_UNDISC   From misspaced, To undisclosed
     1.5 FROM_MISSP_USER        From misspaced, from "User"
     2.8 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook


You are receiving this email because your TD Canada Trust Online Banking information
on file was changed on July 11, 2012.

To avoid any inconvenience regarding your account, such as suspension or
limitation, please complete the form to verify your personal information.

To do so, please sign in on the link
below and follow the steps:

https://easywebcpo.td.com/waw/idp/login.htm?execution=e1s1

We take your security very seriously. To help keep your Online Banking
information safe, be careful not to share your Password or Username, Client
Card Number or Personal Verification Question answers with anyone else.

TD Canada Trust will never ask you to provide, confirm or verify personal, login or
account information through regular email or ask you to sign in to any
online service. If you receive an email of this type, that appears to be
from , please forward it to information.security@tdcanadatrust.com and then delete it. For more information
please visit Email & Website Fraud.

Please do not reply to this email, as it was sent from an unmonitored
account.

TD Group Financial Services site - Copyright © TD


------------=_4FFEED6F.A08F8C68
Content-Type: text/sanitizer-log; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="sanitizer.log"

This message has been 'sanitized'. This means that potentially
dangerous content has been rewritten or removed. The following
log describes which actions were taken.

Sanitizer (start="1342106992"):
  Part (pos="890"):
    SanitizeFile (filename="unnamed.txt", mimetype="text/plain"):
      Match (names="unnamed.txt", rule="2"):
        Enforced policy: accept

  Part (pos="2642"):
    Part (pos="174"):
      SanitizeFile (filename="unnamed.html, filetype.html", mimetype="text/html"):
        Match (names="unnamed.html, filetype.html", rule="2"):
          Enforced policy: accept

      Rewrote HTML tag: >>_html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office"_<<
                    as: >>_html DEFANGED_xmlns:v="urn:schemas-microsoft-com:vml" DEFANGED_xmlns:o="urn:schemas-microsoft-com:office:office"_<<
      Note: Styles and layers give attackers many tools to fool the
            user and common browsers interpret Javascript code found
            within style definitions.

      Rewrote HTML tag: >>_div style="position: absolute; width: 670px; height: 357px; z-index: 1; left: 10px; top: 15px" id="layer1"_<<
                    as: >>_p__DEFANGED_div style="position: absolute; width: 670px; height: 357px; z-index: 1; left: 10px; top: 15px" id="layer1"_<<
      Rewrote HTML tag: >>_/div_<<
                    as: >>_/p__DEFANGED_div_<<

  Total modifications so far: 4

Anomy 0.0.0 : Sanitizer.pm
$Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $

------------=_4FFEED6F.A08F8C68--