More RBC Phish

From - Tue May 21 10:17:16 2013

X-Account-Key: account1

X-UIDL: 00001a814f5d9180

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

X-Mozilla-Keys:

Return-Path:

X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on doctor.nl2k.ab.ca

X-Spam-Level: ***

X-Spam-Status: No, score=3.0 required=5.0 tests=BOTNET,RCVD_IN_UCE_PFSM_1,

RELAY_CHECKER_NORDNS autolearn=no version=3.3.2

X-Original-To: dave@doctor.nl2k.ab.ca

Delivered-To: dave@doctor.nl2k.ab.ca

Received: by doctor.nl2k.ab.ca (Postfix, from userid 101)

id 6F69612CFA83; Mon, 20 May 2013 08:33:57 -0600 (MDT)

Resent-From: doctor@doctor.nl2k.ab.ca

Resent-Date: Mon, 20 May 2013 08:33:57 -0600

Resent-Message-ID: <20130520143357.GD26369@doctor.nl2k.ab.ca>

Resent-To: Dave Yadallee

X-Original-To: doctor@nl2k.ab.ca

Delivered-To: doctor@nl2k.ab.ca

Received: from vCCSO.copiah.k12.ms.us (unknown [68.153.116.36])

by doctor.nl2k.ab.ca (Postfix) with ESMTP id 6AC3812CFA81

for ; Mon, 20 May 2013 02:22:06 -0600 (MDT)

Received: from localhost (localhost.localdomain [127.0.0.1])

by vCCSO.copiah.k12.ms.us (Postfix) with ESMTP id C713D384BD3

for ; Mon, 20 May 2013 03:22:00 -0500 (CDT)

Received: from vCCSO.copiah.k12.ms.us ([127.0.0.1])

by localhost (ccsdistrict.k12.ms.us [127.0.0.1]) (amavisd-new, port 10024)

with ESMTP id y2mGAiMJqsDg for ;

Mon, 20 May 2013 03:22:00 -0500 (CDT)

Received: from localhost (localhost.localdomain [127.0.0.1])

by vCCSO.copiah.k12.ms.us (Postfix) with ESMTP id A2993384BD4

for ; Mon, 20 May 2013 03:22:00 -0500 (CDT)

Received: from advisor.webssl.com (unknown [142.46.21.137])

by vCCSO.copiah.k12.ms.us (Postfix) with ESMTP id 47F0F384BD3

for ; Mon, 20 May 2013 03:22:00 -0500 (CDT)

From: RBC Royal Bank

To: doctor@nl2k.ab.ca

Subject: [Norton AntiSpam]Message Center: 1 New Alert Message!

Date: 20 May 2013 04:21:58 -0400

Message-ID: <20130520042158.18C97287F050C066@advisor.webssl.com>

MIME-Version: 1.0

Content-Type: text/html; charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

X-Sanitizer: This message has been sanitized!

X-Sanitizer-URL: http://mailtools.anomy.net/

X-Sanitizer-Rev: $Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $

X-Virus-Scanned: clamav-milter 0.97.8-exp-debug at doctor.nl2k.ab.ca

X-Virus-Status: Clean

X-Antivirus: AVG for E-mail 10.0.1432 [3162/5841]

X-AVG-ID: ID4AC7089A-7F949C1A

X-Brightmail-Tracker: AAAAAx3FBaodxOcTHcUGQQ==

X-Brightmail-Tracker: AAAAAR3MBxU=







RBC Royal Bank / Message Center: 1 New Alert Message!


1 New Alert Message!

Customer Service: Your account has been limited!

http://125.209.84.162/ssl/rbaccess/encrypted-session/F6=3D1&F7=3DIB&F21=3DI=

B&F22=3DIB&REQUEST=3DClientSignin&LANGUAGE=3DENGLISH">Click to Resolve









Thank you for using Royal Bank of Canada.





This message has bee=

n 'sanitized'. This means that potentially

dangerous content has been rewritten or removed. The following

log describes which actions were taken.





Sanitizer (start=3D"1369038134"):

SanitizeFile (filename=3D"unnamed.html, filetype.html", mimetype=3D"text/=

html"):

Match (names=3D"unnamed.html, filetype.html", rule=3D"2"):

Enforced policy: accept



Rewrote HTML tag: >>_a rel=3D"nofollow" target=3D"_blank" href=3D"h=

ttp://125.209.84.162/ssl/rbaccess/encrypted-session/F6=3D1&F7=3DIB&=

F21=3DIB&F22=3DIB&REQUEST=3DClientSignin&LANGUAGE=3DENGLISH"_&l=

t;<

as: >>_a DEFANGED_rel=3D"nofollow" target=3D"_blank" =

href=3D"http://125.209.84.162/ssl/rbaccess/encrypted-session/F6=3D1&F7=

=3DIB&F21=3DIB&F22=3DIB&REQUEST=3DClientSignin&LANGUAGE=3DE=

NGLISH"_<<

Total modifications so far: 1







Anomy 0.0.0 : Sanitizer.pm

$Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $








This message has been 'sanitized'. This means that potentially

dangerous content has been rewritten or removed. The following

log describes which actions were taken.





Sanitizer (start=3D"1369038134"):

SanitizeFile (filename=3D"unnamed.html, filetype.html", mimetype=3D"text/=

html"):

Match (names=3D"unnamed.html, filetype.html", rule=3D"2"):

Enforced policy: accept



Rewrote HTML tag: >>_a rel=3D"nofollow" target=3D"_blank" href=3D"h=

ttp://125.209.84.162/ssl/rbaccess/encrypted-session/F6=3D1&F7=3DIB&=

F21=3DIB&F22=3DIB&REQUEST=3DClientSignin&LANGUAGE=3DENGLISH"_&l=

t;<

as: >>_a DEFANGED_rel=3D"nofollow" target=3D"_blank" =

href=3D"http://125.209.84.162/ssl/rbaccess/encrypted-session/F6=3D1&F7=

=3DIB&F21=3DIB&F22=3DIB&REQUEST=3DClientSignin&LANGUAGE=3DE=

NGLISH"_<<

Total modifications so far: 1

Note: Styles and layers give attackers many tools to fool the

user and common browsers interpret Javascript code found

within style definitions.



Rewrote HTML tag: >>_/div_<<

as: >>_/p__DEFANGED_div_<<

Total modifications so far: 2







Anomy 0.0.0 : Sanitizer.pm

$Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $





No virus found in this message.


Checked by AVG - www.avg.com


Version: 10.0.1432 / Virus Database: 3162/5841 - Release Date: 05/20/13
















Co-operative Bank p.l.c phish

From - Tue May 21 10:17:02 2013

X-Account-Key: account1

X-UIDL: 00001a6f4f5d9180

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

X-Mozilla-Keys:

Received: from localhost by doctor.nl2k.ab.ca

with SpamAssassin (version 3.3.2);

Sun, 19 May 2013 06:33:10 -0600

From: Co-operative Bank p.l.c

Subject: SPAM Fix The Error On Your Account

Date: Sun, 19 May 2013 13:58:20 +0100

X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on doctor.nl2k.ab.ca

X-Spam-Flag: YES

X-Spam-Level: *****

X-Spam-Status: Yes, score=5.2 required=5.0 tests=FORGED_MUA_OUTLOOK,

FORGED_OUTLOOK_TAGS,RCVD_IN_BACKSCATTER autolearn=no version=3.3.2

MIME-Version: 1.0

Content-Type: multipart/mixed; boundary="----------=_5198C686.AF4F5121"

X-Antivirus: AVG for E-mail 10.0.1432 [3162/5841]

X-AVG-ID: ID1F0D0BA1-470FA90B

X-Brightmail-Tracker: AAAAAh3E6AodxOgB

X-Brightmail-Tracker: AAAAAA==



This is a multi-part message in MIME format.



------------=_5198C686.AF4F5121

Content-Type: text/plain; charset=iso-8859-1

Content-Disposition: inline

Content-Transfer-Encoding: 8bit



Spam detection software, running on the system "doctor.nl2k.ab.ca", has

identified this incoming email as possible spam. The original message

has been attached to this so you can view it (if it isn't spam) or label

similar future email. If you have any questions, see

the administrator of that system for details.



Content preview: Dear customer, We have created a new dedicated security server

to keep all our online banking customers account safe and secure. This server

has been tested in most of our bank branches. Now we are asking all our online

banking customers to register for the new security server to keep them safe.

[...]



Content analysis details: (5.2 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.0 RCVD_IN_BACKSCATTER RBL: Received via a relay in Backscatter.org

[159.134.118.28 listed in ips.backscatterer.org]

0.0 FORGED_OUTLOOK_TAGS Outlook can't send HTML in this format

4.2 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook



The original message was not completely plain text, and may be unsafe to

open with some email clients; in particular, it may contain a virus,

or confirm that your address can receive spam. If you wish to view

it, it may be safer to save it to a file and open it with an editor.





------------=_5198C686.AF4F5121

Content-Type: message/rfc822; x-spam-type=original

Content-Description: original message before SpamAssassin

Content-Disposition: attachment

Content-Transfer-Encoding: 8bit



Return-Path:

X-Original-To: dave@doctor.nl2k.ab.ca

Delivered-To: dave@doctor.nl2k.ab.ca

Received: from mail12.svc.cra.dublin.eircom.net (mail12.svc.cra.dublin.eircom.net [159.134.118.28])

by doctor.nl2k.ab.ca (Postfix) with SMTP id 42D7C12CFA81

for ; Sun, 19 May 2013 06:33:03 -0600 (MDT)

Received: (qmail 24163 messnum 1892601 invoked from network[213.94.190.12/avas01.vendorsvc.cra.dublin.eircom.net]); 19 May 2013 12:32:54 -0000

Received: from avas01.vendorsvc.cra.dublin.eircom.net (213.94.190.12)

by mail12.svc.cra.dublin.eircom.net (qp 24163) with SMTP; 19 May 2013 12:32:54 -0000

Received: from User ([86.41.153.244])

by avas01.vendorsvc.cra.dublin.eircom.net with Cloudmark Gateway

id doYR1l00Y5GeWeE01oYVi9; Sun, 19 May 2013 13:32:54 +0100

Reply-To: hybqwx@co-operative.co.uk

From: Co-operative Bank p.l.c

Subject: Fix The Error On Your Account

Date: Sun, 19 May 2013 13:58:20 +0100

MIME-Version: 1.0

Content-Type: text/html;

charset="_iso-2022-jp$ESC"

Content-Transfer-Encoding: 7bit

X-Priority: 3

X-MSMail-Priority: Normal

X-Mailer: Microsoft Outlook Express 6.00.2800.1081

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1081

X-Virus-Scanned: clamav-milter 0.97.8-exp-debug at doctor.nl2k.ab.ca

X-Virus-Status: Clean



Dear customer,

We have created a new dedicated security server to keep all
our online banking customers account safe and secure.

This server has been tested in most of our bank branches.
Now we are asking all our online banking customers to register for the
new security server to keep them safe.








In order to ensure you are properly updated and your account is fully protected.

Click here for privacy and policy update









Best wishes,

Security Team
Co-operative Bank p.l.c






------------=_5198C686.AF4F5121

Content-Type: multipart/alternative;

boundary="=======AVGMAIL-74352D00======="



--=======AVGMAIL-74352D00=======

Content-Type: text/plain; x-avg=cert; charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

Content-Disposition: inline

Content-Description: "Certification"



-----

No virus found in this message.

Checked by AVG - www.avg.com

Version: 10.0.1432 / Virus Database: 3162/5841 - Release Date: 05/20/13=



--=======AVGMAIL-74352D00=======--



------------=_5198C686.AF4F5121

Content-Type: multipart/alternative;

boundary="=======AVGMAIL-79238202======="



--=======AVGMAIL-79238202=======

Content-Type: text/plain; x-avg=cert; charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

Content-Disposition: inline

Content-Description: "Certification"



-----

No virus found in this message.

Checked by AVG - www.avg.com

Version: 10.0.1432 / Virus Database: 3162/5841 - Release Date: 05/20/13=



--=======AVGMAIL-79238202=======--



------------=_5198C686.AF4F5121--







More CIBC Phish

From - Tue May 21 10:17:01 2013

X-Account-Key: account1

X-UIDL: 00001a6d4f5d9180

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

X-Mozilla-Keys:

Return-Path:

X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on doctor.nl2k.ab.ca

X-Spam-Level:

X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=unavailable

version=3.3.2

X-Original-To: dave@doctor.nl2k.ab.ca

Delivered-To: dave@doctor.nl2k.ab.ca

Received: by doctor.nl2k.ab.ca (Postfix, from userid 101)

id 07A6812CFA82; Sun, 19 May 2013 06:23:05 -0600 (MDT)

Resent-From: doctor@doctor.nl2k.ab.ca

Resent-Date: Sun, 19 May 2013 06:23:05 -0600

Resent-Message-ID: <20130519122305.GA23108@doctor.nl2k.ab.ca>

Resent-To: Dave Yadallee

X-Original-To: doctor@doctor.nl2k.ab.ca

Delivered-To: doctor@doctor.nl2k.ab.ca

Received: from ve08.paneldehosting.com (ve08.paneldehosting.com [207.210.71.2])

(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))

(No client certificate requested)

by doctor.nl2k.ab.ca (Postfix) with ESMTPS id 3DE0812CFA81

for ; Sun, 19 May 2013 05:43:54 -0600 (MDT)

Received: from danelkar by ve08.paneldehosting.com with local (Exim 4.80)

(envelope-from )

id 1Ue21p-0003os-MY

for doctor@doctor.nl2k.ab.ca; Sun, 19 May 2013 07:13:53 -0430

To: doctor@doctor.nl2k.ab.ca

Subject: [Norton AntiSpam]ALERT: Online Account Activity

From: CIBC Bank

Reply-To:

MIME-Version: 1.0

Content-Type: text/html

Content-Transfer-Encoding: 8bit

Message-Id:

Date: Sun, 19 May 2013 07:13:53 -0430

X-AntiAbuse: This header was added to track abuse, please include it with any abuse report

X-AntiAbuse: Primary Hostname - ve08.paneldehosting.com

X-AntiAbuse: Original Domain - doctor.nl2k.ab.ca

X-AntiAbuse: Originator/Caller UID/GID - [744 742] / [47 12]

X-AntiAbuse: Sender Address Domain - ve08.paneldehosting.com

X-Get-Message-Sender-Via: ve08.paneldehosting.com: authenticated_id: danelkar/only user confirmed/virtual account not confirmed

X-Sanitizer: This message has been sanitized!

X-Sanitizer-URL: http://mailtools.anomy.net/

X-Sanitizer-Rev: $Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $

X-Virus-Scanned: clamav-milter 0.97.8-exp-debug at doctor.nl2k.ab.ca

X-Virus-Status: Clean

X-Antivirus: AVG for E-mail 10.0.1432 [3162/5841]

X-AVG-ID: ID48B5C602-1370CA48

X-Brightmail-Tracker: AAAABAr7RnYdxOcQHcVYSx3FV8I=

X-Brightmail-Tracker: AAAAAR3K85s=





Your CIBC Internet Banking Account Has Been Blocked



For your security, your CIBC online banking account has been locked, please Log on click :

https://www.cibc.com.



2013 CIBC BANK.








This message has been 'sanitized'. This means that potentially

dangerous content has been rewritten or removed. The following

log describes which actions were taken.





Sanitizer (start="1368963841"):

SanitizeFile (filename="unnamed.html, filetype.html", mimetype="text/html"):

Match (names="unnamed.html, filetype.html", rule="2"):

Enforced policy: accept



Note: Styles and layers give attackers many tools to fool the

user and common browsers interpret Javascript code found

within style definitions.



Rewrote HTML tag: >>_span class="yshortcuts" id="lw_1229947415_4"_<<

as: >>_DEFANGED_span class="yshortcuts" id="lw_1229947415_4"_<<

Rewrote HTML tag: >>_/span_<<

as: >>_/DEFANGED_span_<<

Total modifications so far: 2







Anomy 0.0.0 : Sanitizer.pm

$Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $




No virus found in this message.


Checked by AVG - www.avg.com


Version: 10.0.1432 / Virus Database: 3162/5841 - Release Date: 05/20/13











More Royal Bank of Canada Phish

From - Fri May 17 16:20:41 2013

X-Account-Key: account1

X-UIDL: 00001a064f5d9180

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

X-Mozilla-Keys:

Return-Path:

X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on doctor.nl2k.ab.ca

X-Spam-Level: ***

X-Spam-Status: No, score=3.0 required=5.0 tests=RCVD_IN_BACKSCATTER,

RCVD_IN_UCE_PFSM_1 autolearn=no version=3.3.2

X-Original-To: dave@nk.ca

Delivered-To: dave@nk.ca

Received: from gallifrey.nk.ca (gallifrey.nk.ca [204.209.81.3])

(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))

(No client certificate requested)

by doctor.nl2k.ab.ca (Postfix) with ESMTPS id B489512CFA82

for ; Thu, 16 May 2013 05:41:16 -0600 (MDT)

Received: from root by gallifrey.nk.ca with local (Exim 4.80.1)

(envelope-from )

id 1UcwY5-0006cB-Rp

for dave@nk.ca; Thu, 16 May 2013 05:40:41 -0600

Resent-From: "Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem"

Resent-Date: Thu, 16 May 2013 05:40:41 -0600

Resent-Message-ID: <20130516114041.GA24028@gallifrey.nk.ca>

Resent-To: dave@nk.ca

Received: from toroondcbmts08.bellnexxia.net ([207.236.237.42] helo=toroondcbmts08-srv.bellnexxia.net)

by gallifrey.nk.ca with esmtp (Exim 4.80.1)

(envelope-from )

id 1Ucv3E-00056j-G8

for doctor@gallifrey.nk.ca; Thu, 16 May 2013 04:04:52 -0600

Received: from toip54-bus.srvr.bell.ca ([67.69.240.140])

by toroondcbmts08-srv.bellnexxia.net

(InterMail vM.8.00.01.00 201-2244-105-20090324) with ESMTP

id <20130516100443.RPOJ23610.toroondcbmts08-srv.bellnexxia.net@toip54-bus.srvr.bell.ca>

for ; Thu, 16 May 2013 06:04:43 -0400

X-IronPort-Anti-Spam-Filtered: true

X-IronPort-Anti-Spam-Result: Av9/ADajlFFMRh8H/2dsb2JhbAA+BwYBDwEWgi4DPzcSIoppeZ9ggz12A4oNhm0EARRpFnSCBQEBAS83EwsvAQEBCRQKAgchQ4ZFFgWBSgQImTABQgKCWjxPAoh5hQsFg3YQhHsCAUQNh1uNVBIdCWMcJAyCXmEDgSWHQjKOGoZBin6DE4FlAgcXSCcs

X-IronPort-AV: E=Sophos;i="4.87,683,1363147200";

d="scan'208,217";a="329842712"

Received: from unknown (HELO thatcherandwands.com) ([76.70.31.7])

by toip54-bus.srvr.bell.ca with ESMTP; 16 May 2013 06:04:42 -0400

Received: from advisor.webssl.com ([78.100.135.194]) by thatcherandwands.com with Microsoft SMTPSVC(6.0.3790.4675);

Thu, 16 May 2013 06:04:41 -0400

From: RBC Royal Bank

To: doctor@gallifrey.nk.ca

Subject: {Spam?} Message Center: 1 New Alert Message!

Date: 16 May 2013 13:04:36 +0300

Message-ID: <20130516130436.E5394176518131A7@advisor.webssl.com>

MIME-Version: 1.0

Content-Type: text/html; charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

X-OriginalArrivalTime: 16 May 2013 10:04:42.0468 (UTC) FILETIME=[C8F98240:01CE521C]

X-NetKnow-OutGoing-4-84-5-3-MailScanner: Found to be clean, Found to be clean

X-NetKnow-OutGoing-4-84-5-3-MailScanner-SpamCheck: spam, SORBS-SPAM,

SpamAssassin (not cached, score=6.293, required 1, BAYES_99 3.50,

HTML_IMAGE_ONLY_12 2.06, HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.72,

T_REMOTE_IMAGE 0.01)

X-NetKnow-OutGoing-4-84-5-3-MailScanner-SpamScore: ssssss

X-NetKnow-OutGoing-4-84-5-3-MailScanner-Information: Please contact the ISP for more information

X-NetKnow-OutGoing-4-84-5-3-MailScanner-ID: 1UcwY5-0006cB-Rp

X-NetKnow-OutGoing-4-84-5-3-MailScanner-IP-Protocol: IPv4

X-NetKnow-OutGoing-4-84-5-3-MailScanner-From: root@gallifrey.nk.ca

X-NetKnow-OutGoing-4-84-5-3-MailScanner-Watermark: 1369136443.42603@XEozBveYEQaU/UkhItE2fQ

X-Virus-Scanned: clamav-milter 0.97.8-exp-debug at doctor.nl2k.ab.ca

X-Virus-Status: Clean

X-Antivirus: AVG for E-mail 10.0.1432 [3162/5830]

X-AVG-ID: ID4DB3604-3B044A68

X-Brightmail-Tracker: AAAAAh3FBaodxQZB

X-Brightmail-Tracker: AAAAAA==







RBC Royal Bank / Message Center: 1 New Alert Message!


1 New Alert Message!

Customer Service: Your account has been limited!

u044-011.ym.edu.tw/icons/ssl/rbaccess/encrypted-session/F6=3D1&F7=3DIB&F21=

=3DIB&F22=3DIB&REQUEST=3DClientSignin&LANGUAGE=3DENGLISH">Click to Resolve









Thank you for using Royal Bank of Canada.




--


This message has been scanned for viruses and


dangerous content by

MailScanner, and is


believed to be clean.







No virus found in this message.


Checked by AVG - www.avg.com


Version: 10.0.1432 / Virus Database: 3162/5830 - Release Date: 05/16/13














More Paypal Phish

From - Fri May 17 16:20:26 2013

X-Account-Key: account1

X-UIDL: 000019ff4f5d9180

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

X-Mozilla-Keys:

X-AVG: Scanning

Return-Path:

X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on doctor.nl2k.ab.ca

X-Spam-Level:

X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=unavailable

version=3.3.2

X-Original-To: dave@doctor.nl2k.ab.ca

Delivered-To: dave@doctor.nl2k.ab.ca

Received: from mailer.inditex.com (mailer.inditex.com [194.224.179.117])

by doctor.nl2k.ab.ca (Postfix) with ESMTP id 68F5B12CFA87

for ; Thu, 16 May 2013 00:21:19 -0600 (MDT)

Received: from zainetweb2.central.inditex.grp (unknown [10.71.0.8])

by mailer.inditex.com (Postfix) with ESMTP id 7774A13BEE

for ; Thu, 16 May 2013 08:21:18 +0200 (CEST)

Received: by zainetweb2.central.inditex.grp (Postfix, from userid 99)

id 6DABCB0656; Thu, 16 May 2013 08:20:58 +0200 (CEST)

To: dave@doctor.nl2k.ab.ca

Subject: Paypal.com

MIME-Version: 1.0

Content-type: text/html; charset=iso-8859-1

X-Mailer: Microsoft Office Outlook, Build 17.551210

From: dave@doctor.nl2k.ab.ca

Message-Id: <20130516062118.6DABCB0656@zainetweb2.central.inditex.grp>

Date: Thu, 16 May 2013 08:20:58 +0200 (CEST)

X-Virus-Scanned: clamav-milter 0.97.8-exp-debug at doctor.nl2k.ab.ca

X-Virus-Status: Clean

X-Antivirus: AVG for E-mail 10.0.1432 [3162/5830]

X-AVG-ID: ID6EAC9341-5F432CF4

X-Brightmail-Tracker: AAAAAR3FB20=

X-Brightmail-Tracker: AAAAAA==












paypal

[image: http://i.imgur.com/PpFLu.png]

Your paypal account is blocked !

You are not logged in updating our system.

Perform your upgrade now and continue using our online services.

Make your update.

Access your email through internet explorer 7, 8 or 9 and update your paypal account.

Other browsers are not compatible to upgrade.

Paypal Update 2013









No virus found in this message.


Checked by AVG - www.avg.com


Version: 10.0.1432 / Virus Database: 3162/5830 - Release Date: 05/16/13











More Toronto Dominion Phish

From - Fri May 17 16:20:12 2013

X-Account-Key: account1

X-UIDL: 000019f74f5d9180

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

X-Mozilla-Keys:

Return-Path:

X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on doctor.nl2k.ab.ca

X-Spam-Level:

X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=unavailable

version=3.3.2

X-Original-To: dave@doctor.nl2k.ab.ca

Delivered-To: dave@doctor.nl2k.ab.ca

Received: by doctor.nl2k.ab.ca (Postfix, from userid 101)

id 3671312CFA8F; Wed, 15 May 2013 13:54:05 -0600 (MDT)

Resent-From: doctor@doctor.nl2k.ab.ca

Resent-Date: Wed, 15 May 2013 13:54:04 -0600

Resent-Message-ID: <20130515195404.GA19435@doctor.nl2k.ab.ca>

Resent-To: Dave Yadallee

X-Original-To: games@nl2k.ab.ca

Delivered-To: games@nl2k.ab.ca

Received: from upiexc.upi.local (mail.upitrans.com.tr [83.66.108.37])

by doctor.nl2k.ab.ca (Postfix) with ESMTP id 49E7612CFA82

for ; Wed, 15 May 2013 12:13:09 -0600 (MDT)

Received: from USER ([192.168.1.7]) by upiexc.upi.local with Microsoft SMTPSVC(6.0.3790.4675);

Wed, 15 May 2013 21:09:44 +0300

Content-Type: text/html

Subject: [Norton AntiSpam]Online Security Alert

FROM: TD@doctor.nl2k.ab.ca, Canada@doctor.nl2k.ab.ca,

Trust@doctor.nl2k.ab.ca

Message-ID:

X-OriginalArrivalTime: 15 May 2013 18:09:45.0000 (UTC) FILETIME=[6105BA80:01CE5197]

Date: 15 May 2013 21:09:45 +0300

X-Sanitizer: This message has been sanitized!

X-Sanitizer-URL: http://mailtools.anomy.net/

X-Sanitizer-Rev: $Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $

X-Virus-Scanned: clamav-milter 0.97.8-exp-debug at doctor.nl2k.ab.ca

X-Virus-Status: Clean

X-Antivirus: AVG for E-mail 10.0.1432 [3162/5830]

X-AVG-ID: ID46BA558D-2B78B7B

X-Brightmail-Tracker: AAAABR3FA0AdxQdEHcUCoh3FBzMdxQcv











Untitled Document


















You are seeing this message because TD Security has detected suspicious activity on your account and has temporarily suspended it as a security precaution.


This may be because your TD Canada Trust account was accessed from an unfamiliar computer or you have made changes in your account information.



You will be able to regain access to your account once you complete the automated security verification process.



How can i regain access to my account ?



To regain access to your account, you must confirm your identity by completing our automated security verification process.


You can do that by simply clicking here.



You will then be taken through a series of steps to help verify your identity and, if necessary, scan your computer for viruses.



 



The security verification process is automated and is not designed to be time-intensive.


In most situations, you should be able to confirm your identity and restore your account in a few minutes.



------------------------------------------------------------------------------------------------------------------------------------



Recipient: %recipient_email%



Sender: TD Canada Trust Account Security Department.





This message has been 'sanitized'. This means that potentially

dangerous content has been rewritten or removed. The following

log describes which actions were taken.





Sanitizer (start="1368641608"):

SanitizeFile (filename="unnamed.html, filetype.html", mimetype="text/html"):

Match (names="unnamed.html, filetype.html", rule="2"):

Enforced policy: accept



Rewrote HTML tag: >>_html xmlns="http://www.w3.org/1999/xhtml"_<<

as: >>_html DEFANGED_xmlns="http://www.w3.org/1999/xhtml"_<<

Note: Styles and layers give attackers many tools to fool the

user and common browsers interpret Javascript code found

within style definitions.



Rewrote HTML tag: >>_style type="text/css"_<<

as: >>_DEFANGED_style type="text/css"_<<

Rewrote HTML tag: >>_/style_<<

as: >>_/DEFANGED_style_<<

Total modifications so far: 3







Anomy 0.0.0 : Sanitizer.pm

$Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $











No virus found in this message.


Checked by AVG - www.avg.com


Version: 10.0.1432 / Virus Database: 3162/5830 - Release Date: 05/16/13











More Royal Bank of Canada Phish

From - Wed May 15 05:57:35 2013

X-Account-Key: account1

X-UIDL: 000019dd4f5d9180

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

X-Mozilla-Keys:

Received: from localhost by doctor.nl2k.ab.ca

with SpamAssassin (version 3.3.2);

Tue, 14 May 2013 13:37:23 -0600

From: RBC Royal Bank

To: dave@nk.ca

Subject: [Norton AntiSpam]*SPAM* =?utf-8?Q?Spam?=

1 New Alert Message!

Date: 14 May 2013 21:33:20 +0200

Message-Id: <20130514213320.174FD9982150A321@advisor.webssl.com>

X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on doctor.nl2k.ab.ca

X-Spam-Flag: YES

X-Spam-Level: *****************

X-Spam-Status: Yes, score=17.0 required=5.0 tests=RCVD_IN_JMF_BR,RCVD_IN_PSBL,

RCVD_IN_UCE_PFSM_1,URIBL_PH_SURBL autolearn=unavailable version=3.3.2

MIME-Version: 1.0

Content-Type: multipart/mixed; boundary="----------=_51929273.25FD4672"

X-Antivirus: AVG for E-mail 10.0.1432 [3162/5825]

X-AVG-ID: ID1265A289-7CB86490

X-Brightmail-Tracker: AAAAAx15GvIdeRrpHXkz6A==



This is a multi-part message in MIME format.



------------=_51929273.25FD4672

Content-Type: text/plain; charset=iso-8859-1

Content-Disposition: inline

Content-Transfer-Encoding: 8bit



Spam detection software, running on the system "doctor.nl2k.ab.ca", has

identified this incoming email as possible spam. The original message

has been attached to this so you can view it (if it isn't spam) or label

similar future email. If you have any questions, see

the administrator of that system for details.



Content preview: RBC Royal Bank / Message Center: 1 New Alert Message! 1 New

Alert Message! Customer Service: Your account has been limited! Click to

Resolve Thank you for using Royal Bank of Canada. [...]



Content analysis details: (17.0 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

2.0 RCVD_IN_UCE_PFSM_1 RBL: Received via a relay in UCE_PFSM_1

[82.177.154.4 listed in dnsbl-1.uceprotect.net]

11 RCVD_IN_JMF_BR RBL: Sender listed in JMF-BROWN

[212.35.71.73 listed in dnsbl-1.uceprotect.net]

[212.35.71.73 listed in hostkarma.junkemailfilter.com]

2.0 URIBL_PH_SURBL Contains an URL listed in the PH SURBL blocklist

[URIs: 81.15.144.2]

2.0 RCVD_IN_PSBL RBL: Received via a relay in PSBL

[82.177.154.4 listed in psbl.surriel.com]



The original message was not completely plain text, and may be unsafe to

open with some email clients; in particular, it may contain a virus,

or confirm that your address can receive spam. If you wish to view

it, it may be safer to save it to a file and open it with an editor.





------------=_51929273.25FD4672

Content-Type: message/rfc822; x-spam-type=original

Content-Description: original message before SpamAssassin

Content-Disposition: attachment

Content-Transfer-Encoding: 8bit



Return-Path:

X-Original-To: dave@nk.ca

Delivered-To: dave@nk.ca

Received: from smtp2.batelco.jo (smtp2.batelco.jo [212.35.71.73])

by doctor.nl2k.ab.ca (Postfix) with ESMTP id A382A12CFA84

for ; Tue, 14 May 2013 13:37:08 -0600 (MDT)

Received: from prime-jau.Jau.com (mail.jau.edu.jo [212.118.19.52])

by smtp2.batelco.jo (Postfix) with ESMTP id 3F2E510A72E

for ; Tue, 14 May 2013 21:34:56 +0300 (EEST)

Received: from advisor.webssl.com ([82.177.154.4]) by prime-jau.Jau.com with Microsoft SMTPSVC(6.0.3790.4675);

Tue, 14 May 2013 22:31:36 +0300

From: RBC Royal Bank

To: dave@nk.ca

Subject: =?utf-8?Q?Spam?=

1 New Alert Message!

Date: 14 May 2013 21:33:20 +0200

Message-ID: <20130514213320.174FD9982150A321@advisor.webssl.com>

MIME-Version: 1.0

Content-Type: text/html;

charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

X-SpamInfo: FortiGuard - AntiSpam ip, connection black ip 82.177.154.4

X-OriginalArrivalTime: 14 May 2013 19:31:36.0671 (UTC) FILETIME=[A6317EF0:01CE50D9]

X-Virus-Scanned: clamav-milter 0.97.8-exp-debug at doctor.nl2k.ab.ca

X-Virus-Status: Clean







RBC Royal Bank / Message Center: 1 New Alert Message!








1 New Alert Message!








Customer Service: Your account has been limited!

5.144.2/icons/ssl/encrypted-session/F6=3D1&F7=3DIB&F21=3DIB&F22=3DIB&REQUEST=

=3DClientSignin&LANGUAGE=3DENGLISH/index.html">Click to Resolve








Thank you for using Royal Bank of Canada.











------------=_51929273.25FD4672

Content-Type: multipart/alternative;

boundary="=======AVGMAIL-2450F706======="



--=======AVGMAIL-2450F706=======

Content-Type: text/plain; x-avg=cert; charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

Content-Disposition: inline

Content-Description: "Certification"



-----

No virus found in this message.

Checked by AVG - www.avg.com

Version: 10.0.1432 / Virus Database: 3162/5825 - Release Date: 05/15/13=



--=======AVGMAIL-2450F706=======--



------------=_51929273.25FD4672

Content-Type: multipart/alternative;

boundary="=======AVGMAIL-5AB4F267======="



--=======AVGMAIL-5AB4F267=======

Content-Type: text/plain; x-avg=cert; charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

Content-Disposition: inline

Content-Description: "Certification"



-----

No virus found in this message.

Checked by AVG - www.avg.com

Version: 10.0.1432 / Virus Database: 3162/5825 - Release Date: 05/15/13=



--=======AVGMAIL-5AB4F267=======--



------------=_51929273.25FD4672--





More Bank of Montreal Phish

From - Wed May 15 05:57:29 2013

X-Account-Key: account1

X-UIDL: 000019d44f5d9180

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

X-Mozilla-Keys:

Received: from localhost by doctor.nl2k.ab.ca

with SpamAssassin (version 3.3.2);

Tue, 14 May 2013 07:36:47 -0600

From: "BMO"

To: "bmo"

Subject: [Norton AntiSpam]*SPAM* [BMO] Alert message

Date: Mon, 13 May 2013 12:06:22 +0100

X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on doctor.nl2k.ab.ca

X-Spam-Flag: YES

X-Spam-Level: *********************************************

X-Spam-Status: Yes, score=45.0 required=5.0 tests=SARE_UNSUB38D

autolearn=unavailable version=3.3.2

MIME-Version: 1.0

Content-Type: multipart/mixed; boundary="----------=_51923DEF.0A5AC7ED"

X-Antivirus: AVG for E-mail 10.0.1432 [3162/5825]

X-AVG-ID: ID4F36CE0-27EF6021

X-Brightmail-Tracker: AAAABR15GvIdeRrpHXk0QR15NOYdeUD7



This is a multi-part message in MIME format.



------------=_51923DEF.0A5AC7ED

Content-Type: text/plain; charset=iso-8859-1

Content-Disposition: inline

Content-Transfer-Encoding: 8bit



Spam detection software, running on the system "doctor.nl2k.ab.ca", has

identified this incoming email as possible spam. The original message

has been attached to this so you can view it (if it isn't spam) or label

similar future email. If you have any questions, see

the administrator of that system for details.



Content preview: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original message

has been attached to this so you can view it (if it isn't spam) or label

similar future email. If you have any questions, see the administrator of

that system for details. [...]



Content analysis details: (45.0 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

45 SARE_UNSUB38D RAW: SARE_UNSUB38D



The original message was not completely plain text, and may be unsafe to

open with some email clients; in particular, it may contain a virus,

or confirm that your address can receive spam. If you wish to view

it, it may be safer to save it to a file and open it with an editor.





------------=_51923DEF.0A5AC7ED

Content-Type: message/rfc822; x-spam-type=original

Content-Description: original message before SpamAssassin

Content-Disposition: attachment

Content-Transfer-Encoding: 8bit



Return-Path:

X-Original-To: dave@doctor.nl2k.ab.ca

Delivered-To: dave@doctor.nl2k.ab.ca

Received: by doctor.nl2k.ab.ca (Postfix, from userid 101)

id 468DD12CFAB6; Tue, 14 May 2013 07:36:33 -0600 (MDT)

Resent-From: doctor@doctor.nl2k.ab.ca

Resent-Date: Tue, 14 May 2013 07:36:33 -0600

Resent-Message-ID: <20130514133633.GA8387@doctor.nl2k.ab.ca>

Resent-To: Dave Yadallee

Received: from localhost by doctor.nl2k.ab.ca

with SpamAssassin (version 3.3.2);

Tue, 14 May 2013 03:03:42 -0600

From: "BMO"

To: "bmo"

Subject: SPAM [BMO] Alert message

Date: Mon, 13 May 2013 12:06:22 +0100

X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on doctor.nl2k.ab.ca

X-Spam-Flag: YES

X-Spam-Level: *********************************************

X-Spam-Status: Yes, score=45.0 required=5.0 tests=SARE_UNSUB38D

autolearn=unavailable version=3.3.2

MIME-Version: 1.0

Content-Type: multipart/mixed; boundary="----------=_5191FDEE.060732DA"

X-Virus-Scanned: clamav-milter 0.97.8-exp-debug at doctor.nl2k.ab.ca

X-Virus-Status: Clean



This is a multi-part message in MIME format.



------------=_5191FDEE.060732DA

Content-Type: text/plain; charset=iso-8859-1

Content-Disposition: inline

Content-Transfer-Encoding: 8bit



Spam detection software, running on the system "doctor.nl2k.ab.ca", has

identified this incoming email as possible spam. The original message

has been attached to this so you can view it (if it isn't spam) or label

similar future email. If you have any questions, see

the administrator of that system for details.



Content preview: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original message

has been attached to this so you can view it (if it isn't spam) or label

similar future email. If you have any questions, see the administrator of

that system for details. [...]



Content analysis details: (45.0 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

45 SARE_UNSUB38D RAW: SARE_UNSUB38D



The original message was not completely plain text, and may be unsafe to

open with some email clients; in particular, it may contain a virus,

or confirm that your address can receive spam. If you wish to view

it, it may be safer to save it to a file and open it with an editor.





------------=_5191FDEE.060732DA

Content-Type: message/rfc822; x-spam-type=original

Content-Description: original message before SpamAssassin

Content-Disposition: attachment

Content-Transfer-Encoding: 8bit



Received: from localhost by doctor.nl2k.ab.ca

with SpamAssassin (version 3.3.2);

Tue, 14 May 2013 03:03:34 -0600

From: "BMO"

To: "bmo"

Subject: SPAM [BMO] Alert message

Date: Mon, 13 May 2013 12:06:22 +0100

X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on doctor.nl2k.ab.ca

X-Spam-Flag: YES

X-Spam-Level: *********************************************

X-Spam-Status: Yes, score=45.0 required=5.0 tests=SARE_UNSUB38D

autolearn=unavailable version=3.3.2

MIME-Version: 1.0

Content-Type: multipart/mixed; boundary="----------=_5191FDE6.A87ECC90"

X-Sanitizer: This message has been sanitized!

X-Sanitizer-URL: http://mailtools.anomy.net/

X-Sanitizer-Rev: $Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $



This is a multi-part message in MIME format.



------------=_5191FDE6.A87ECC90

Content-Type: text/plain; charset=iso-8859-1

Content-Disposition: inline

Content-Transfer-Encoding: 8bit



Spam detection software, running on the system "doctor.nl2k.ab.ca", has

identified this incoming email as possible spam. The original message

has been attached to this so you can view it (if it isn't spam) or label

similar future email. If you have any questions, see

the administrator of that system for details.



Content preview: This is a security alert from BMO Online Fraud Prevention.

We identified activity on your account that may be fraudulent and ask you

confirm your identity. We have not fully restricted your account but you

must confirm your identity in order to avoid any suspension. Please Click

Here to confirm your identity. [...]



Content analysis details: (45.0 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

45 SARE_UNSUB38D RAW: SARE_UNSUB38D



The original message was not completely plain text, and may be unsafe to

open with some email clients; in particular, it may contain a virus,

or confirm that your address can receive spam. If you wish to view

it, it may be safer to save it to a file and open it with an editor.





------------=_5191FDE6.A87ECC90

Content-Type: message/rfc822; x-spam-type=original

Content-Description: original message before SpamAssassin

Content-Disposition: attachment

Content-Transfer-Encoding: 8bit



Return-Path:

X-Original-To: doctor@nl2k.ab.ca

Delivered-To: doctor@nl2k.ab.ca

Received: from host.saysonconsulting.com (server.saysonconsulting.com [70.38.67.205])

(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))

(No client certificate requested)

by doctor.nl2k.ab.ca (Postfix) with ESMTPS id 4BDA312CFA8C

for ; Tue, 14 May 2013 03:03:27 -0600 (MDT)

Received: from localhost ([127.0.0.1]:34165 helo=host.saysonconsulting.com)

by host.saysonconsulting.com with esmtp (Exim 4.80)

(envelope-from )

id 1UbqbO-0003AE-2J; Mon, 13 May 2013 07:07:34 -0400

Received: from host81-137-244-36.in-addr.btopenworld.com ([81.137.244.36]:4835

helo=168.187.240.163)

by host.saysonconsulting.com with esmtpa (Exim 4.80)

(envelope-from ) id 1UbqaK-0002m0-41

for bmo@totalfluidpower.ca; Mon, 13 May 2013 07:06:28 -0400

From: "BMO"

To: "bmo"

Date: Mon, 13 May 2013 12:06:22 +0100

Organization: btopenworld.com

MIME-Version: 1.0

Content-Type: multipart/alternative;

boundary="----=_NextPart_000_0000_01C6527E.AE8904D0"

Subject: [BMO] Alert message

X-BeenThere: bmo@totalfluidpower.ca

X-Mailman-Version: 2.1.15

Precedence: list

List-Id:

List-Unsubscribe: ,



List-Archive:

List-Post:

List-Help:

List-Subscribe: ,



Errors-To: bmo-bounces@totalfluidpower.ca

Sender: "BMO"

X-AntiAbuse: This header was added to track abuse, please include it with any abuse report

X-AntiAbuse: Primary Hostname - host.saysonconsulting.com

X-AntiAbuse: Original Domain - nl2k.ab.ca

X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]

X-AntiAbuse: Sender Address Domain - totalfluidpower.ca

X-Get-Message-Sender-Via: host.saysonconsulting.com: acl_c_authenticated_local_user: mailman/mailman

X-Virus-Scanned: clamav-milter 0.97.8-exp-debug at doctor.nl2k.ab.ca

X-Virus-Status: Clean



This is a multi-part message in MIME format.



------=_NextPart_000_0000_01C6527E.AE8904D0

Content-Type: text/plain;

charset="utf-8"

Content-Transfer-Encoding: 8bit





This is a security alert from BMO Online Fraud Prevention.

We identified activity on your account that may be fraudulent and ask you confirm your identity.

We have not fully restricted your account but you must confirm your identity in order to avoid any suspension.

Please Click Here to confirm your identity.



For your protection, transactions on your account may be limited until you are able to confirm your identity.

We realize that this precaution may cause you some inconvenience.

However keeping your account safe is one of our top priorities.





Thank you for being our customer.



Jake Holloway

BMO Chief Operating Officer

------=_NextPart_000_0000_01C6527E.AE8904D0

Content-Type: text/html;

charset="utf-8"











 



This is a security alert from BMO Online Fraud Prevention.

We identified activity on your account that may be fraudulent and ask you confirm your identity.

We have not fully restricted your account but you must confirm your identity in order to avoid any suspension.

Please Click Here to confirm your identity.

For your protection, transactions on your account may be limited until you are able to confirm your identity.

We realize that this precaution may cause you some inconvenience.

However keeping your account safe is one of our top priorities.

Thank you for being our customer.

[image: http://images.xendpay.com/email/jake-sig.png]

Jake Holloway

BMO Chief Operating Officer



------=_NextPart_000_0000_01C6527E.AE8904D0--





------------=_5191FDE6.A87ECC90

Content-Type: text/sanitizer-log; charset="iso-8859-1"

Content-Transfer-Encoding: 8bit

Content-Disposition: attachment; filename="sanitizer.log"



This message has been 'sanitized'. This means that potentially

dangerous content has been rewritten or removed. The following

log describes which actions were taken.



Sanitizer (start="1368522214"):

Part (pos="740"):

SanitizeFile (filename="unnamed.txt", mimetype="text/plain"):

Match (names="unnamed.txt", rule="2"):

Enforced policy: accept



Part (pos="2047"):

Part (pos="174"):

Part (pos="2477"):

SanitizeFile (filename="unnamed.txt", mimetype="text/plain"):

Match (names="unnamed.txt", rule="2"):

Enforced policy: accept



Part (pos="3230"):

SanitizeFile (filename="unnamed.html, filetype.html", mimetype="text/html"):

Match (names="unnamed.html, filetype.html", rule="2"):

Enforced policy: accept



Rewrote HTML tag: >>_A id=yahoo href="http://www1.bmo.mahoot.ir/bmo/bmo@totalfluidpower.ca" rel=nofollow target=_blank_<<

as: >>_A id="yahoo" href="http://www1.bmo.mahoot.ir/bmo/bmo@totalfluidpower.ca" DEFANGED_rel="nofollow" target="_blank"_<<

Note: Styles and layers give attackers many tools to fool the

user and common browsers interpret Javascript code found

within style definitions.



Rewrote HTML tag: >>_/SPAN_<<

as: >>_/DEFANGED_SPAN_<<

Rewrote HTML tag: >>_DIV_<<

as: >>_p__DEFANGED_DIV_<<

Rewrote HTML tag: >>_/SPAN_<<

as: >>_/DEFANGED_SPAN_<<

Rewrote HTML tag: >>_SPAN style="FONT-FAMILY: Arial,sans-serif; FONT-SIZE: 9pt"_<<

as: >>_DEFANGED_SPAN style="FONT-FAMILY: Arial,sans-serif; FONT-SIZE: 9pt"_<<

Rewrote HTML tag: >>_/SPAN_<<

as: >>_/DEFANGED_SPAN_<<

Rewrote HTML tag: >>_/DIV_<<

as: >>_/p__DEFANGED_DIV_<<



Total modifications so far: 7





Anomy 0.0.0 : Sanitizer.pm

$Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $



------------=_5191FDE6.A87ECC90--





------------=_5191FDEE.060732DA--





------------=_51923DEF.0A5AC7ED

Content-Type: multipart/alternative;

boundary="=======AVGMAIL-2DD236AD======="



--=======AVGMAIL-2DD236AD=======

Content-Type: text/plain; x-avg=cert; charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

Content-Disposition: inline

Content-Description: "Certification"



-----

No virus found in this message.

Checked by AVG - www.avg.com

Version: 10.0.1432 / Virus Database: 3162/5825 - Release Date: 05/15/13=



--=======AVGMAIL-2DD236AD=======--



------------=_51923DEF.0A5AC7ED

Content-Type: multipart/alternative;

boundary="=======AVGMAIL-0B41C693======="



--=======AVGMAIL-0B41C693=======

Content-Type: text/plain; x-avg=cert; charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

Content-Disposition: inline

Content-Description: "Certification"



-----

No virus found in this message.

Checked by AVG - www.avg.com

Version: 10.0.1432 / Virus Database: 3162/5825 - Release Date: 05/15/13=



--=======AVGMAIL-0B41C693=======--



------------=_51923DEF.0A5AC7ED--





Paypal Phish

From - Fri May 10 15:38:46 2013

X-Account-Key: account1

X-UIDL: 000019474f5d9180

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

X-Mozilla-Keys:

Return-Path:

X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on doctor.nl2k.ab.ca

X-Spam-Level: **

X-Spam-Status: No, score=2.0 required=5.0 tests=RCVD_IN_SPAMCANNIBAL

autolearn=no version=3.3.2

X-Original-To: dave@nl2k.ab.ca

Delivered-To: dave@nl2k.ab.ca

Received: from us59.toservers.com (us59.toservers.com [216.59.32.59])

by doctor.nl2k.ab.ca (Postfix) with ESMTP id 7ECDE12CFA86

for ; Fri, 10 May 2013 15:33:17 -0600 (MDT)

Received: from us59.toservers.com (localhost [127.0.0.1])

by us59.toservers.com (Postfix) with ESMTP id 491313497091E

for ; Fri, 10 May 2013 18:34:39 -0300 (ART)

Received: by us59.toservers.com (Postfix, from userid 34144)

id 47DBA34970915; Fri, 10 May 2013 18:34:39 -0300 (ART)

To: dave@nl2k.ab.ca

Subject: You just need to confirm your billing address.

From: PayPal Service

Reply-To:

MIME-Version: 1.0

Content-Type: text/html

Content-Transfer-Encoding: 8bit

Message-Id: <20130510213439.47DBA34970915@us59.toservers.com>

Date: Fri, 10 May 2013 18:34:39 -0300 (ART)

X-Virus-Scanned: clamav-milter 0.97.8-exp-debug at doctor.nl2k.ab.ca

X-Virus-Status: Clean

X-Antivirus: AVG for E-mail 10.0.1432 [3162/5813]

X-AVG-ID: ID4E772E20-422ACCD5

X-Brightmail-Tracker: AAAAAx15M1kdeRn6HXpP6w==

X-Brightmail-Tracker: AAAAAA==














PayPal

Dear member,


You just need to confirm your billing address.

If you did not confirm it until 15th May 2013, Your account will be deactivated.





Just a reminder:
  • Never share your password with anyone.
  • Never share your personal information with any one.
  • Use different passwords for each of your online accounts.
  • Be sure to include uppercase and lowercase letters, numbers, and symbols in your password.

Sincerely,
PayPal

To get in touch with us

Click To Confirm

This email was sent by an automated system, so if you reply, nobody will see it.






No virus found in this message.


Checked by AVG - www.avg.com


Version: 10.0.1432 / Virus Database: 3162/5813 - Release Date: 05/10/13









LinkedIn Phish

From - Fri May 10 13:31:24 2013

X-Account-Key: account1

X-UIDL: 0000193b4f5d9180

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

X-Mozilla-Keys:

X-AVG: Scanning

Return-Path:

X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on doctor.nl2k.ab.ca

X-Spam-Level: ****

X-Spam-Status: No, score=4.0 required=5.0 tests=RCVD_IN_SPAMCANNIBAL,

URIBL_PH_SURBL autolearn=no version=3.3.2

X-Original-To: dave@doctor.nl2k.ab.ca

Delivered-To: dave@doctor.nl2k.ab.ca

Received: from us59.toservers.com (us59.toservers.com [216.59.32.59])

by doctor.nl2k.ab.ca (Postfix) with ESMTP id D1B0212CFA9D

for ; Fri, 10 May 2013 13:22:52 -0600 (MDT)

Received: from us59.toservers.com (localhost [127.0.0.1])

by us59.toservers.com (Postfix) with ESMTP id F356D3479AB29

for ; Fri, 10 May 2013 16:24:13 -0300 (ART)

Received: by us59.toservers.com (Postfix, from userid 34144)

id F16C43479AB1E; Fri, 10 May 2013 16:24:13 -0300 (ART)

To: dave@doctor.nl2k.ab.ca

Subject: [Norton AntiSpam]You need to confirm your email address.

From: Linkedln Support

Reply-To:

MIME-Version: 1.0

Content-Type: text/html

Content-Transfer-Encoding: 8bit

Message-Id: <20130510192413.F16C43479AB1E@us59.toservers.com>

Date: Fri, 10 May 2013 16:24:13 -0300 (ART)

X-Virus-Scanned: clamav-milter 0.97.8-exp-debug at doctor.nl2k.ab.ca

X-Virus-Status: Clean

X-Antivirus: AVG for E-mail 10.0.1432 [3162/5813]

X-AVG-ID: ID2A9C21B4-2C8CADF1

X-Brightmail-Tracker: AAAAAx15GfodeTQ9HXpYtg==

X-Brightmail-Tracker: AAAAAR27LnE=



























LinkedIn



We write to inform you that your LinkedIn account has been blocked due to inactivity.



To ensure that your online services with LinkedIn will no longer be interrupted



Click here to unblock your account.





You will be asked to log into your account to confirm this email address. Be sure to log in with your current primary email address.





We ask you to confirm your email address before sending invitations or requesting contacts at LinkedIn. You can have several email addresses, but one will need to be confirmed at all times to use the system.





If you have more than one email address, you can choose one to be your primary email address. This is the address you will log in with, and the address to which we will deliver all email messages regarding invitations and requests, and other system mail.





Thank you for using LinkedIn!





--The LinkedIn Team


http://www.linkedin.com/

























Learn why we included this. 2013, LinkedIn Corporation. 2029 Stierlin




No virus found in this message.


Checked by AVG - www.avg.com


Version: 10.0.1432 / Virus Database: 3162/5813 - Release Date: 05/10/13









Bank of Montreal Phish

From - Fri May 17 16:20:40 2013

X-Account-Key: account1

X-UIDL: 00001a054f5d9180

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

X-Mozilla-Keys:

X-AVG: Scanning

Return-Path:

X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on doctor.nl2k.ab.ca

X-Spam-Level: **

X-Spam-Status: No, score=2.0 required=5.0 tests=RCVD_IN_UCE_PFSM_1

autolearn=no version=3.3.2

X-Original-To: dave@doctor.nl2k.ab.ca

Delivered-To: dave@doctor.nl2k.ab.ca

Received: by doctor.nl2k.ab.ca (Postfix, from userid 101)

id 13C7D12CFA83; Thu, 16 May 2013 05:21:35 -0600 (MDT)

Resent-From: doctor@doctor.nl2k.ab.ca

Resent-Date: Thu, 16 May 2013 05:21:35 -0600

Resent-Message-ID: <20130516112135.GA10272@doctor.nl2k.ab.ca>

Resent-To: Dave Yadallee

X-Original-To: sales@nk.ca

Delivered-To: sales@nk.ca

Received: from clay-system.jp (www3363uf.sakura.ne.jp [219.94.255.137])

by doctor.nl2k.ab.ca (Postfix) with ESMTP id 6BB3112CFAA1

for ; Thu, 16 May 2013 05:04:05 -0600 (MDT)

Received: (qmail 20138 invoked by uid 510); 9 May 2013 22:05:06 +0900

X-Qmail-Scanner-Diagnostics: from 72.18.197.26 (info@diet-compilation.com@72.18.197.26) by www3363uf.sakura.ne.jp (envelope-from , uid 0) with qmail-scanner-2.10

(spamassassin: 3.3.1.

Clear:RC:0(72.18.197.26):SA:0(6.2/13.0):.

Processed in 0.260257 secs); 09 May 2013 13:05:06 -0000

X-Envelope-From: btp@cosmomusic.ca

Received: from unknown (HELO cosmomusic.ca) (info@diet-compilation.com@72.18.197.26)

by 0 with SMTP; 9 May 2013 22:05:06 +0900

Reply-To: noreply@cosmomusic.ca

From: "BMO Bank of Montreal"

Subject: Your Online Banking access has been restricted.

Date: 09 May 2013 06:04:48 -0700

Message-ID: <20130509060448.62C083BE1E478027@cosmomusic.ca>

MIME-Version: 1.0

Content-Type: text/html; charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

X-Sanitizer: This message has been sanitized!

X-Sanitizer-URL: http://mailtools.anomy.net/

X-Sanitizer-Rev: $Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $

X-Virus-Scanned: clamav-milter 0.97.8-exp-debug at doctor.nl2k.ab.ca

X-Virus-Status: Clean

X-Antivirus: AVG for E-mail 10.0.1432 [3162/5830]

X-AVG-ID: ID2942CB7E-D3247A

X-Brightmail-Tracker: AAAAAx3FWDkdxWDdHcVX9g==

X-Brightmail-Tracker: AAAAAA==

















New Page 1






























Your Online Banking access has been locked due to an unusual number of failed login attempts.






You will need to click : Log On to BMO Online Banking [href: http://reliancefinance.com.au/checklists/ck/] and proceed with the verification process.








Sincerely,

BMO Financial Group














This message has been 'sanitized'. This means that potentially

dangerous content has been rewritten or removed. The following

log describes which actions were taken.



Sanitizer (start="1368702259"):

SanitizeFile (filename="unnamed.html, filetype.html", mimetype="text/html"):

Match (names="unnamed.html, filetype.html", rule="2"):

Enforced policy: accept



Rewrote HTML tag: >>_meta http-equiv="Content-Language" content="en-us"_<<

as: >>_meta DEFANGED_http-equiv="Content-Language" content="en-us"_<<

Note: Styles and layers give attackers many tools to fool the

user and common browsers interpret Javascript code found

within style definitions.



Rewrote HTML tag: >>_style_<<

as: >>_DEFANGED_style_<<

Rewrote HTML tag: >>_/style_<<

as: >>_/DEFANGED_style_<<

Rewrote HTML tag: >>_span class="style8"_<<

as: >>_DEFANGED_span class="style8"_<<

Total modifications so far: 4







Anomy 0.0.0 : Sanitizer.pm

$Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $














No virus found in this message.


Checked by AVG - www.avg.com


Version: 10.0.1432 / Virus Database: 3162/5830 - Release Date: 05/16/13























More Royal Bank of Canada Phish

From - Thu May 09 06:13:35 2013

X-Account-Key: account1

X-UIDL: 000018ea4f5d9180

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

X-Mozilla-Keys:

Return-Path:

X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on doctor.nl2k.ab.ca

X-Spam-Level:

X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=unavailable

version=3.3.2

X-Original-To: dave@doctor.nl2k.ab.ca

Delivered-To: dave@doctor.nl2k.ab.ca

Received: by doctor.nl2k.ab.ca (Postfix, from userid 0)

id 6C2AC12CFA90; Wed, 8 May 2013 13:16:52 -0600 (MDT)

Resent-From: root@doctor.nl2k.ab.ca

Resent-Date: Wed, 8 May 2013 13:16:52 -0600

Resent-Message-ID: <20130508191652.GA18755@doctor.nl2k.ab.ca>

Resent-To: Dave Yadallee

X-Original-To: doctor@doctor.nl2k.ab.ca

Delivered-To: doctor@doctor.nl2k.ab.ca

Received: from vps.rovm.com (vps.rovm.com [173.237.189.15])

(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))

(No client certificate requested)

by doctor.nl2k.ab.ca (Postfix) with ESMTPS id 03B0412CFA94

for ; Wed, 8 May 2013 13:04:27 -0600 (MDT)

Received: from esaanet1 by vps.rovm.com with local (Exim 4.77)

(envelope-from )

id 1Ua85o-0002UD-3X

for doctor@doctor.nl2k.ab.ca; Wed, 08 May 2013 19:23:52 +0200

To: doctor@doctor.nl2k.ab.ca

Subject: ONLINE ACCESS BLOCKED..

X-PHP-Script: ntwk.esaanet.com/libraries//mailer.php for 75.150.201.45

From:

Reply-To:

MIME-Version: 1.0

Content-Type: text/html

Content-Transfer-Encoding: 8bit

Message-Id:

Date: Wed, 08 May 2013 19:23:52 +0200

X-AntiAbuse: This header was added to track abuse, please include it with any abuse report

X-AntiAbuse: Primary Hostname - vps.rovm.com

X-AntiAbuse: Original Domain - doctor.nl2k.ab.ca

X-AntiAbuse: Originator/Caller UID/GID - [845 841] / [47 12]

X-AntiAbuse: Sender Address Domain - vps.rovm.com

X-Sanitizer: This message has been sanitized!

X-Sanitizer-URL: http://mailtools.anomy.net/

X-Sanitizer-Rev: $Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $

X-Virus-Scanned: clamav-milter 0.97.8-exp-debug at doctor.nl2k.ab.ca

X-Virus-Status: Clean

X-Antivirus: AVG for E-mail 10.0.1432 [3162/5809]

X-AVG-ID: ID75669CBC-6BB4AF1D

X-Brightmail-Tracker: AAAABR15L8UdeRn6HXkn9B16T8sdelBa

X-Brightmail-Tracker: AAAAAA==







Dear Customer,


We recently dectected an untrusted activities in your RBC Royal Bank Online Banking account, multiple login failures were also made in your online banking account.


We need you to verify your online banking information right away in order to afford account suspension because your account must have been involved in fraudulent activities.




To confirm your Online Banking records and to avoid your online banking suspended, we may require some specific information from you.



















To restore your online banking account, please Sign in to Online Banking












Thank you for banking with us at RBC and making use of RBC Royal Bank Online Service










Royal Bank of Canada Website, 1995-2013





















This message has been 'sanitized'. This means that potentially

dangerous content has been rewritten or removed. The following

log describes which actions were taken.





Sanitizer (start="1368040443"):

SanitizeFile (filename="unnamed.html, filetype.html", mimetype="text/html"):

Match (names="unnamed.html, filetype.html", rule="2"):

Enforced policy: accept



Rewrote HTML tag: >>_a name="online_banking_service_agreement" href="http://gerentenet.com.br/manual/images/fig_forms/fig_forms/c.php" target="_self" style="color: rgb(0, 0, 255); text-decoration: underline; font-family: Arial; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 16px; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255)"_<<

as: >>_a name="online_banking_service_agreement" href="http://gerentenet.com.br/manual/images/fig_forms/fig_forms/c.php" target="_self" DEFANGED_style="color: rgb(0, 0, 255); text-decoration: underline; font-family: Arial; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 16px; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255)"_<<

Total modifications so far: 1







Anomy 0.0.0 : Sanitizer.pm

$Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $




No virus found in this message.


Checked by AVG - www.avg.com


Version: 10.0.1432 / Virus Database: 3162/5809 - Release Date: 05/08/13









Bell Canada Phish

From - Thu May 09 06:13:29 2013

X-Account-Key: account1

X-UIDL: 000018e04f5d9180

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

X-Mozilla-Keys:

Return-Path:

X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on doctor.nl2k.ab.ca

X-Spam-Level: ****

X-Spam-Status: No, score=4.2 required=5.0 tests=FORGED_MUA_OUTLOOK,

FORGED_OUTLOOK_TAGS autolearn=no version=3.3.2

X-Original-To: dave@doctor.nl2k.ab.ca

Delivered-To: dave@doctor.nl2k.ab.ca

Received: by doctor.nl2k.ab.ca (Postfix, from userid 101)

id A909D12CFA94; Wed, 8 May 2013 06:46:46 -0600 (MDT)

Resent-From: doctor@doctor.nl2k.ab.ca

Resent-Date: Wed, 8 May 2013 06:46:46 -0600

Resent-Message-ID: <20130508124646.GA19525@doctor.nl2k.ab.ca>

Resent-To: Dave Yadallee

X-Original-To: doctor@doctor.nl2k.ab.ca

Delivered-To: doctor@doctor.nl2k.ab.ca

Received: by doctor.nl2k.ab.ca (Postfix)

id 498DC12CFA94; Wed, 8 May 2013 06:42:27 -0600 (MDT)

Delivered-To: ctm-e@nk.ca

Received: from SHME-ENTSRV2003.steelehme.com (steelehme.com [65.66.225.57])

by doctor.nl2k.ab.ca (Postfix) with ESMTP id C509C12CFA96

for ; Wed, 8 May 2013 06:42:02 -0600 (MDT)

Received: from User ([99.237.246.21]) by SHME-ENTSRV2003.steelehme.com with Microsoft SMTPSVC(6.0.3790.4675);

Wed, 8 May 2013 07:41:37 -0500

From: "noreply@bell.ca"

Subject: Your bell.ca account will be terminated

Date: Wed, 8 May 2013 08:41:49 -0400

MIME-Version: 1.0

Content-Type: text/html; charset="Windows-1251"

Content-Transfer-Encoding: 7bit

X-Priority: 3

X-MSMail-Priority: Normal

X-Mailer: Microsoft Outlook Express 6.00.2600.0000

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

Message-ID:

X-OriginalArrivalTime: 08 May 2013 12:41:37.0859 (UTC) FILETIME=[61AE2930:01CE4BE9]

X-Sanitizer: This message has been sanitized!

X-Sanitizer-URL: http://mailtools.anomy.net/

X-Sanitizer-Rev: $Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $

X-Virus-Scanned: clamav-milter 0.97.8-exp-debug at doctor.nl2k.ab.ca

X-Virus-Status: Clean

X-Antivirus: AVG for E-mail 10.0.1432 [3162/5809]

X-AVG-ID: ID17E84270-16EC3C06

X-Brightmail-Tracker: AAAAAxrot4ENQpHjHXpGug==

X-Brightmail-Tracker: AAAAAA==












































Bell



















































E-bill



Hello Customer





This email is to confirm : your pre-authorized payments has expired.



Please keep this email for future reference.



Log in to My Bell today to enjoy all the benefits of self serve online


































Contact us

Legal

Privacy











This message has been 'sanitized'. This means that potentially

dangerous content has been rewritten or removed. The following

log describes which actions were taken.





Sanitizer (start="1368016953"):

SanitizeFile (filename="unnamed.html, filetype.html", mimetype="text/html"):

Match (names="unnamed.html, filetype.html", rule="2"):

Enforced policy: accept



Note: Styles and layers give attackers many tools to fool the

user and common browsers interpret Javascript code found

within style definitions.



Rewrote HTML tag: >>_style a {color:#00446e; text-decoration:none; outline:0px;} a.active {color:#000 !important;} a:hover {text-decoration:underline;} a:visited {color:#0077bf;} body { font-family: Arial, Helvetica, sans-serif; font-size: 12px; } _<<

as: >>_DEFANGED_style a {color:#00446e; text-decoration:none; outline:0px;} a.active {color:#000 !important;} a:hover {text-decoration:underline;} a:visited {color:#0077bf;} body { font-family: Arial, Helvetica, sans-serif; font-size: 12px; } _<<

Rewrote HTML tag: >>_/style_<<

as: >>_/DEFANGED_style_<<

Rewrote HTML tag: >>_table cellpadding="0" cellspacing="0" border="0" width="542" style="margin-bottom: 10px;"_<<

as: >>_table cellpadding=0 cellspacing=0 border=0 width="542" DEFANGED_style="margin-bottom: 10px;"_<<

Rewrote HTML tag: >>_img style="margin-top: 18px;" src="https://mybell.bell.ca/custom/image/email/bell_logo.gif" width="81" height="51" border="0" alt="Bell"_<<

as: >>_img DEFANGED_style="margin-top: 18px;" src="https://mybell.bell.ca/custom/image/email/bell_logo.gif" width="81" height="51" border=0 alt="Bell"_<<

Rewrote HTML tag: >>_table width="542" cellspacing="0" cellpadding="0" border="0" style="border-spacing: 0;"_<<

as: >>_table width="542" cellspacing=0 cellpadding=0 border=0 DEFANGED_style="border-spacing: 0;"_<<

Rewrote HTML tag: >>_td height="7" valign="bottom" colspan="3" style="line-height: 0; margin-bottom: 0; height:7px;"_<<

as: >>_td height="7" valign="bottom" colspan="3" DEFANGED_style="line-height: 0; margin-bottom: 0; height:7px;"_<<

Rewrote HTML tag: >>_td align="left" colspan="3" bgcolor="#f4f4f4" style="font-family: Arial, Helvetica, Sans-serif; color: #212121;font-size: 20px; padding: 20px; padding-top: 12px; padding-bottom: 15px; border-left: 1px #d1d1d1 solid; border-right: 1px #d1d1d1 solid; border-bottom: 1px #d1d1d1 solid;"_<<

as: >>_td align="left" colspan="3" bgcolor="#f4f4f4" DEFANGED_style="font-family: Arial, Helvetica, Sans-serif; color: #212121;font-size: 20px; padding: 20px; padding-top: 12px; padding-bottom: 15px; border-left: 1px #d1d1d1 solid; border-right: 1px #d1d1d1 solid; border-bottom: 1px #d1d1d1 solid;"_<<

Rewrote HTML tag: >>_td width="1" style="border-left: 1px #d1d1d1 solid;"_<<

as: >>_td width="1" DEFANGED_style="border-left: 1px #d1d1d1 solid;"_<<

Rewrote HTML tag: >>_td align="left" valign="top" style="font-family: Arial, Helvetica, Sans-serif; font-size: 12px;line-height: 16px; color: #555; padding-left: 20px; padding-right: 20px; padding-top: 10px;"_<<

as: >>_td align="left" valign="top" DEFANGED_style="font-family: Arial, Helvetica, Sans-serif; font-size: 12px;line-height: 16px; color: #555; padding-left: 20px; padding-right: 20px; padding-top: 10px;"_<<

Rewrote HTML tag: >>_p style="margin-bottom: 8px;"_<<

as: >>_p DEFANGED_style="margin-bottom: 8px;"_<<

Rewrote HTML tag: >>_p style="margin-bottom: 8px;"_<<

as: >>_p DEFANGED_style="margin-bottom: 8px;"_<<

Rewrote HTML tag: >>_p style="margin-bottom: 8px;"_<<

as: >>_p DEFANGED_style="margin-bottom: 8px;"_<<

Rewrote HTML tag: >>_a href="http://mybell-bell.xsell-business-consulting.com/Login/" title="" style="color: #0066A4; text-decoration: none;"_<<

as: >>_a href="http://mybell-bell.xsell-business-consulting.com/Login/" title="" DEFANGED_style="color: #0066A4; text-decoration: none;"_<<

Rewrote HTML tag: >>_p style="padding-bottom: 21px; margin-bottom: 8px;"_<<

as: >>_p DEFANGED_style="padding-bottom: 21px; margin-bottom: 8px;"_<<

Rewrote HTML tag: >>_a href="http://www.bell.ca/support/PrsCSrvGnl_ContactUs.page" title="" style="color: #0066A4; text-decoration: none;"_<<

as: >>_a href="http://www.bell.ca/support/PrsCSrvGnl_ContactUs.page" title="" DEFANGED_style="color: #0066A4; text-decoration: none;"_<<

Rewrote HTML tag: >>_td width="1" style="border-right: 1px #d1d1d1 solid;"_<<

as: >>_td width="1" DEFANGED_style="border-right: 1px #d1d1d1 solid;"_<<

Rewrote HTML tag: >>_td height="7" valign="bottom" colspan="3" style="line-height: 0; height:7px;"_<<

as: >>_td height="7" valign="bottom" colspan="3" DEFANGED_style="line-height: 0; height:7px;"_<<

Rewrote HTML tag: >>_table width="542" cellspacing="0" cellpadding="0" border="0" style="border-spacing: 0; margin-bottom: 15px;"_<<

as: >>_table width="542" cellspacing=0 cellpadding=0 border=0 DEFANGED_style="border-spacing: 0; margin-bottom: 15px;"_<<

Rewrote HTML tag: >>_td align="left" valign="top" style="padding: 0;"_<<

as: >>_td align="left" valign="top" DEFANGED_style="padding: 0;"_<<

Rewrote HTML tag: >>_a style="font-family: Arial, Helvetica, Sans-serif; font-size: 12px;line-height: 16px;color: #0066A4; text-decoration: none; border-right: 1px solid #ddd; padding-right: 10px" href="http://www.bell.ca/support/PrsCSrvGnl_ContactUs.page" title=""_<<

as: >>_a DEFANGED_style="font-family: Arial, Helvetica, Sans-serif; font-size: 12px;line-height: 16px;color: #0066A4; text-decoration: none; border-right: 1px solid #ddd; padding-right: 10px" href="http://www.bell.ca/support/PrsCSrvGnl_ContactUs.page" title=""_<<

Rewrote HTML tag: >>_a style="font-family: Arial, Helvetica, Sans-serif; font-size: 12px;line-height: 16px;color: #0066A4; text-decoration: none; border-right: 1px solid #ddd; padding-left: 10px; padding-right: 10px" href="http://www.bell.ca/shopping/PrsShp_LegalAndTerms.page" title=""_<<

as: >>_a DEFANGED_style="font-family: Arial, Helvetica, Sans-serif; font-size: 12px;line-height: 16px;color: #0066A4; text-decoration: none; border-right: 1px solid #ddd; padding-left: 10px; padding-right: 10px" href="http://www.bell.ca/shopping/PrsShp_LegalAndTerms.page" title=""_<<

Rewrote HTML tag: >>_a style="font-family: Arial, Helvetica, Sans-serif; font-size: 12px;line-height: 16px;color: #0066A4; text-decoration: none; padding-left: 10px; padding-right: 10px" href="http://support.bell.ca/en-ON/Customer_service/Security_and_privacy/How_does_Bell_respect_my_privacy" title=""_<<

as: >>_a DEFANGED_style="font-family: Arial, Helvetica, Sans-serif; font-size: 12px;line-height: 16px;color: #0066A4; text-decoration: none; padding-left: 10px; padding-right: 10px" href="http://support.bell.ca/en-ON/Customer_service/Security_and_privacy/How_does_Bell_respect_my_privacy" title=""_<<

Total modifications so far: 22







Anomy 0.0.0 : Sanitizer.pm

$Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $











No virus found in this message.


Checked by AVG - www.avg.com


Version: 10.0.1432 / Virus Database: 3162/5809 - Release Date: 05/08/13




















Royal Bank of Canada Phish

From - Tue May 07 16:04:23 2013

X-Account-Key: account1

X-UIDL: 000018bb4f5d9180

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

X-Mozilla-Keys:

Received: from localhost by doctor.nl2k.ab.ca

with SpamAssassin (version 3.3.2);

Tue, 07 May 2013 07:02:43 -0600

From: RBC Royal Bank

To: doctor@netknow.ca

Subject: [Norton AntiSpam]*SPAM* Message Center: 1 New Alert Message!

Date: 07 May 2013 07:25:10 -0400

Message-Id: <20130507072510.CAA43FE8A46DF54F@advisor.webssl.com>

X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on doctor.nl2k.ab.ca

X-Spam-Flag: YES

X-Spam-Level: **************************************************

X-Spam-Status: Yes, score=51.0 required=5.0 tests=BOTNET,RCVD_IN_JMF_BL,

RELAY_CHECKER_BADDNS,RELAY_CHECKER_IPHOSTNAME,RELAY_CHECKER_KEYWORDS

autolearn=unavailable version=3.3.2

MIME-Version: 1.0

Content-Type: multipart/mixed; boundary="----------=_5188FB73.E35E9445"

X-Antivirus: AVG for E-mail 10.0.1432 [3162/5802]

X-AVG-ID: ID2E54899D-4FCEA7CA

X-Brightmail-Tracker: AAAABB15M1AdeRryHXka6R15M+g=



This is a multi-part message in MIME format.



------------=_5188FB73.E35E9445

Content-Type: text/plain; charset=iso-8859-1

Content-Disposition: inline

Content-Transfer-Encoding: 8bit



Spam detection software, running on the system "doctor.nl2k.ab.ca", has

identified this incoming email as possible spam. The original message

has been attached to this so you can view it (if it isn't spam) or label

similar future email. If you have any questions, see

the administrator of that system for details.



Content preview: RBC Royal Bank / Message Center: 1 New Alert Message! 1 New

Alert Message! Customer Service: Your account has been limited! Click to

Resolve Thank you for using Royal Bank of Canada. [...]



Content analysis details: (51.0 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

50 RCVD_IN_JMF_BL RBL: Sender listed in JMF-BLACK

[204.195.138.250 listed in hostkarma.junkemailfilter.com]

1.0 BOTNET Relay might be a spambot or virusbot

[botnet0.8,ip=204.195.138.250,rdns=204-195-138-250-dhcp.atlanticbb.net,baddns,client,ipinhostname,clientwords]

0.0 RELAY_CHECKER_IPHOSTNAME Hostname contains IP address

0.0 RELAY_CHECKER_KEYWORDS Hostname matches keywords

0.0 RELAY_CHECKER_BADDNS Doesn't have full circle DNS



The original message was not completely plain text, and may be unsafe to

open with some email clients; in particular, it may contain a virus,

or confirm that your address can receive spam. If you wish to view

it, it may be safer to save it to a file and open it with an editor.





------------=_5188FB73.E35E9445

Content-Type: message/rfc822; x-spam-type=original

Content-Description: original message before SpamAssassin

Content-Disposition: attachment

Content-Transfer-Encoding: 8bit



Return-Path:

X-Original-To: dave@doctor.nl2k.ab.ca

Delivered-To: dave@doctor.nl2k.ab.ca

Received: by doctor.nl2k.ab.ca (Postfix, from userid 101)

id 44DCA12CFA82; Tue, 7 May 2013 07:02:36 -0600 (MDT)

Resent-From: doctor@doctor.nl2k.ab.ca

Resent-Date: Tue, 7 May 2013 07:02:36 -0600

Resent-Message-ID: <20130507130236.GB6560@doctor.nl2k.ab.ca>

Resent-To: Dave Yadallee

X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on doctor.nl2k.ab.ca

X-Spam-Level: *

X-Spam-Status: No, score=1.0 required=5.0 tests=BOTNET,RELAY_CHECKER_BADDNS,

RELAY_CHECKER_IPHOSTNAME,RELAY_CHECKER_KEYWORDS autolearn=no version=3.3.2

X-Original-To: doctor@netknow.ca

Delivered-To: doctor@netknow.ca

Received: from advisor.webssl.com (unknown [204.195.138.250])

by doctor.nl2k.ab.ca (Postfix) with ESMTP id A961D12CFAA6

for ; Tue, 7 May 2013 05:25:52 -0600 (MDT)

From: RBC Royal Bank

To: doctor@netknow.ca

Subject: Message Center: 1 New Alert Message!

Date: 07 May 2013 07:25:10 -0400

Message-ID: <20130507072510.CAA43FE8A46DF54F@advisor.webssl.com>

MIME-Version: 1.0

Content-Type: text/html;

charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

X-Sanitizer: This message has been sanitized!

X-Sanitizer-URL: http://mailtools.anomy.net/

X-Sanitizer-Rev: $Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $

X-Virus-Scanned: clamav-milter 0.97.8-exp-debug at doctor.nl2k.ab.ca

X-Virus-Status: Clean







RBC Royal Bank / Message Center: 1 New Alert Message!








1 New Alert Message!








Customer Service: Your account has been limited!

http://216.245.209.110/icons/ssl/encrypted-session/F6=3D1&F7=3DIB&F21=3DIB&=

F22=3DIB&REQUEST=3DClientSignin&LANGUAGE=3DENGLISH/index.html">Click to =

Resolve







=20

Thank you for using Royal Bank of Canada.





This message has bee=

n 'sanitized'. This means that potentially

dangerous content has been rewritten or removed. The following

log describes which actions were taken.





Sanitizer (start=3D"1367925959"):

SanitizeFile (filename=3D"unnamed.html, filetype.html", mimetype=3D"text/=

html"):

Match (names=3D"unnamed.html, filetype.html", rule=3D"2"):

Enforced policy: accept



Rewrote HTML tag: >>_a rel=3D"nofollow" target=3D"_blank" href=3D"h=

ttp://216.245.209.110/icons/ssl/encrypted-session/F6=3D1&F7=3DIB&F2=

1=3DIB&F22=3DIB&REQUEST=3DClientSignin&LANGUAGE=3DENGLISH/index=

.html"_<<

as: >>_a DEFANGED_rel=3D"nofollow" target=3D"_blank" =

href=3D"http://216.245.209.110/icons/ssl/encrypted-session/F6=3D1&F7=3D=

IB&F21=3DIB&F22=3DIB&REQUEST=3DClientSignin&LANGUAGE=3DENGL=

ISH/index.html"_<<

Total modifications so far: 1







Anomy 0.0.0 : Sanitizer.pm

$Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $





=



This message has bee=

n 'sanitized'. This means that potentially

dangerous content has been rewritten or removed. The following

log describes which actions were taken.





Sanitizer (start=3D"1367925959"):

SanitizeFile (filename=3D"unnamed.html, filetype.html", mimetype=3D"text/=

html"):

Match (names=3D"unnamed.html, filetype.html", rule=3D"2"):

Enforced policy: accept



Rewrote HTML tag: >>_a rel=3D"nofollow" target=3D"_blank" href=3D"h=

ttp://216.245.209.110/icons/ssl/encrypted-session/F6=3D1&F7=3DIB&F2=

1=3DIB&F22=3DIB&REQUEST=3DClientSignin&LANGUAGE=3DENGLISH/index=

.html"_<<

as: >>_a DEFANGED_rel=3D"nofollow" target=3D"_blank" =

href=3D"http://216.245.209.110/icons/ssl/encrypted-session/F6=3D1&F7=3D=

IB&F21=3DIB&F22=3DIB&REQUEST=3DClientSignin&LANGUAGE=3DENGL=

ISH/index.html"_<<

Total modifications so far: 1

Note: Styles and layers give attackers many tools to fool the

user and common browsers interpret Javascript code found

within style definitions.

=20

Rewrote HTML tag: >>_/div_<<

as: >>_/p__DEFANGED_div_<<

Total modifications so far: 2







Anomy 0.0.0 : Sanitizer.pm

$Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $
















------------=_5188FB73.E35E9445

Content-Type: multipart/alternative;

boundary="=======AVGMAIL-0E7A9122======="



--=======AVGMAIL-0E7A9122=======

Content-Type: text/plain; x-avg=cert; charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

Content-Disposition: inline

Content-Description: "Certification"



-----

No virus found in this message.

Checked by AVG - www.avg.com

Version: 10.0.1432 / Virus Database: 3162/5802 - Release Date: 05/06/13=



--=======AVGMAIL-0E7A9122=======--






------------=_5188FB73.E35E9445--





Paypal Phish

From - Fri May 10 00:10:51 2013

X-Account-Key: account1

X-UIDL: 000019344f5d9180

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

X-Mozilla-Keys:

Return-Path:

X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on doctor.nl2k.ab.ca

X-Spam-Level: **

X-Spam-Status: No, score=2.0 required=5.0 tests=RCVD_IN_SPAMCANNIBAL

autolearn=no version=3.3.2

X-Original-To: dave@nl2k.ab.ca

Delivered-To: dave@nl2k.ab.ca

Received: from us59.toservers.com (us59.toservers.com [216.59.32.59])

by doctor.nl2k.ab.ca (Postfix) with ESMTP id 60D5212CFAB3

for ; Thu, 9 May 2013 23:31:58 -0600 (MDT)

Received: from us59.toservers.com (localhost [127.0.0.1])

by us59.toservers.com (Postfix) with ESMTP id 61DFA33FF842F

for ; Fri, 10 May 2013 02:33:09 -0300 (ART)

Received: by us59.toservers.com (Postfix, from userid 34144)

id 60D0B33FF8421; Fri, 10 May 2013 02:33:09 -0300 (ART)

To: dave@nl2k.ab.ca

Subject: You just need to confirm your billing address.

From: PayPal Service

Reply-To:

MIME-Version: 1.0

Content-Type: text/html

Content-Transfer-Encoding: 8bit

Message-Id: <20130510053309.60D0B33FF8421@us59.toservers.com>

Date: Fri, 10 May 2013 02:33:09 -0300 (ART)

X-Virus-Scanned: clamav-milter 0.97.8-exp-debug at doctor.nl2k.ab.ca

X-Virus-Status: Clean

X-Antivirus: AVG for E-mail 10.0.1432 [3162/5812]

X-AVG-ID: ID62F5F9B3-67D4151D

X-Brightmail-Tracker: AAAAAx15M1kdeRn6HXpP6w==

X-Brightmail-Tracker: AAAAAA==














PayPal

Dear member,


You just need to confirm your billing address.

If you did not confirm it until 15th May 2013, Your account will be deactivated.





Just a reminder:
  • Never share your password with anyone.
  • Never share your personal information with any one.
  • Use different passwords for each of your online accounts.
  • Be sure to include uppercase and lowercase letters, numbers, and symbols in your password.

Sincerely,
PayPal

To get in touch with us

Click To Confirm

This email was sent by an automated system, so if you reply, nobody will see it.






No virus found in this message.


Checked by AVG - www.avg.com


Version: 10.0.1432 / Virus Database: 3162/5812 - Release Date: 05/09/13





