Broadband Tech > Security > Scam and Phishbusters > [Phish] Telephone phishing thread

reply to nwrickert

Re: [Phish] Telephone phishing thread

quote:

---

Visa ATM/Check Card Deactivation
Message from: Customer Service
Date: 02/21/2008

We detected irregular activity on your Gesa ATM/Check Card on 02/20/2008.

For your protection we have had to suspend any future authorizations
being conducted with your Gesa Visa ATM/Check Card.

For your security we have deactivate your card.

How to activate/re-activate your card ?

You may stop by your branch or call our Activation Center.

Activation Center: (509) 210-4256 (24 Hour Line)

---

Return-path: <gesa@accountsecurity.com>
Envelope-to: gumu@removed.us
Delivery-date: Thu, 21 Feb 2008 14:33:59 -0500
Received: from mail.netafrique.com ([63.219.177.34]:3983 helo=MC100814)
by laredo.root--servers.net with esmtp (Exim 4.68)
(envelope-from <gesa@accountsecurity.com>)
id 1JSHB5-0000Hc-0J
for gumu@removed.us; Thu, 21 Feb 2008 14:33:58 -0500
Received: from 66-52-78-214.jklmail.com [66.52.78.214] by MC100814 with SMTP;
   Thu, 21 Feb 2008 14:34:28 -0500
Reply-To: <noreply@gesa.com>
From: "Gesa Credit Union"<gesa@accountsecurity.com>
Subject: SECURITY ALERT!
Date: Thu, 21 Feb 2008 11:30:32 -0800
MIME-Version: 1.0
Content-Type: text/html;
charset="koi8-u"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Spam-Subject: ***SPAM*** SECURITY ALERT!
X-Spam-Status: Yes, score=10.6
X-Spam-Score: 106
X-Spam-Bar: ++++++++++
X-Spam-Report: Spam detection software, running on the system "laredo.root--servers.net", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.
Content preview:  Visa ATM/Check Card Deactivation Message from: Customer Service
Date: 02/21/2008 We detected irregular activity on your Gesa ATM/Check Card
on 02/20/2008. For your protection we have had to suspend any future authorizations
being conducted with your Gesa Visa ATM/Check Card. [...] 
Content analysis details:   (10.6 points, 4.5 required)
pts rule name              description
---- ---------------------- --------------------------------------------------
0.0 MISSING_MID            Missing Message-Id: header
2.1 SUBJ_ALL_CAPS          Subject is all capitals
1.3 MISSING_HEADERS        Missing To: header
1.0 BAYES_60               BODY: Bayesian spam probability is 60 to 80%
[score: 0.7967]
0.0 HTML_MESSAGE           BODY: HTML included in message
1.5 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
1.5 HTML_IMAGE_ONLY_16     BODY: HTML: images with 1200-1600 bytes of words
0.1 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
0.0 FORGED_OUTLOOK_TAGS    Outlook can't send HTML in this format
0.0 FORGED_OUTLOOK_HTML    Outlook can't send HTML message only
3.1 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
X-Spam-Flag: YES
 

February 20:

quote:

---

Dear customer,

Due to recent online fraud, all cardholders are required to contact our Town North Bank, Security Departament at our total free number : 972-546-0398

Contacting this number will enable us to monitor your account closely, and suspend it as soon as we notice any fraudulent activity.

CONTACTING THIS NUMBER IS MANDATORY, OR YOUR CARD WILL BE CONSIDERED A SECURITY RISK AND IT WILL BE BLOCKED FROM ONLINE USAGE !

Please DO NOT reply to any emails asking for sensitive information, as many of our customers have been frauded for considerable ammounts of money.
If you receive any type of email please report it immediately !

Please note the total free number : +1 972-546-0398

Town North Bank Security Departamanet ,
PO Box 814810
Dallas, Texas 75381-4810

---

Return-path: <security@townnorthbank.com>
Envelope-to: gumu@removed.us
Delivery-date: Wed, 20 Feb 2008 07:44:37 -0500
Received: from host74.host74-server.com ([66.49.248.230]:46981)
by laredo.root--servers.net with esmtps (TLSv1:AES256-SHA:256)
(Exim 4.68)
(envelope-from <security@townnorthbank.com>)
id 1JRoJN-0002Qe-Ew
for gumu@removed.us; Wed, 20 Feb 2008 07:44:37 -0500
Received: from User (ev1s-209-62-3-50.ev1servers.net [209.62.3.50] (may be forged))
(authenticated bits=0)
by host74.host74-server.com (8.12.11/8.12.11) with ESMTP id m1KCiNY4010269;
Wed, 20 Feb 2008 07:44:24 -0500
Message-Id: <200802201244.m1KCiNY4010269@host74.host74-server.com>
From: "Town North Bank"<security@townnorthbank.com>
Subject: Urgent Notification
Date: Wed, 20 Feb 2008 06:44:22 -0600
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Spam-Subject: ***SPAM*** Urgent Notification
X-Spam-Status: Yes, score=11.0
X-Spam-Score: 110
X-Spam-Bar: +++++++++++
X-Spam-Report: Spam detection software, running on the system "laredo.root--servers.net", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.
Content preview:  Dear customer, Due to recent online fraud, all cardholders
are required to contact our Town North Bank, Security Departament at our
total free number : 972-546-0398 Contacting this number will enable us to
monitor your account closely, and suspend it as soon as we notice any fraudulent
activity. [...] 
Content analysis details:   (11.0 points, 4.5 required)
pts rule name              description
---- ---------------------- --------------------------------------------------
2.8 TVD_PH_SUBJ_URGENT     TVD_PH_SUBJ_URGENT
1.3 MISSING_HEADERS        Missing To: header
3.0 BAYES_95               BODY: Bayesian spam probability is 95 to 99%
[score: 0.9726]
0.8 MSOE_MID_WRONG_CASE    MSOE_MID_WRONG_CASE
3.1 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
X-Spam-Flag: YES
 

February 19:

quote:

---

Dear Customer,

VISA Debit Card , Security Departament temporarily suspended your account.
Reason: Fraud Atempts

We require you to complete an account update so we can unlock your account.

To start the update process please call at total free number : 847-481-8194

The information provided will be treated in confidence and stored in our secure database.
If you fail to provide information about your account you'll discover that your account has been automatically deleted from our database.

Please note the total free number : +1 847-481-8194

Copyright © VISA Debit Card, All Rights Reserved

---

Return-path: <debit@visa.com>
Envelope-to: gumu@removed.us
Delivery-date: Tue, 19 Feb 2008 12:32:34 -0500
Received: from host101.host101-server.com ([66.49.199.16]:56250)
by laredo.root--servers.net with esmtps (TLSv1:AES256-SHA:256)
(Exim 4.68)
(envelope-from <debit@visa.com>)
id 1JRWKV-0001Me-9y
for gumu@removed.us; Tue, 19 Feb 2008 12:32:34 -0500
Received: from User (playa-capital74.ucn.net [63.110.44.74] (may be forged))
(authenticated bits=0)
by host101.host101-server.com (8.12.10/8.12.10) with ESMTP id m1JHWAmb003323;
Tue, 19 Feb 2008 12:32:12 -0500
Message-Id: <200802191732.m1JHWAmb003323@host101.host101-server.com>
From: "VISA Debit Card"<debit@visa.com>
Subject: Urgent Notification
Date: Tue, 19 Feb 2008 09:36:34 -0800
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1251"
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by host101.host101-server.com id m1JHWAmb003323
X-Spam-Subject: ***SPAM*** Urgent Notification
X-Spam-Status: Yes, score=10.0
X-Spam-Score: 100
X-Spam-Bar: ++++++++++
X-Spam-Report: Spam detection software, running on the system "laredo.root--servers.net", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.
Content preview:  Dear Customer, VISA Debit Card , Security Departament temporarily
suspended your account. Reason: Fraud Atempts We require you to complete
an account update so we can unlock your account. [...] 
Content analysis details:   (10.0 points, 4.5 required)
pts rule name              description
---- ---------------------- --------------------------------------------------
2.8 TVD_PH_SUBJ_URGENT     TVD_PH_SUBJ_URGENT
1.3 MISSING_HEADERS        Missing To: header
2.0 BAYES_80               BODY: Bayesian spam probability is 80 to 95%
[score: 0.9225]
0.8 MSOE_MID_WRONG_CASE    MSOE_MID_WRONG_CASE
3.1 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
X-Spam-Flag: YES
 

February 13:

quote:

---

Dear Customer,

VISA Debit Card , Security Departament temporarily suspended your account.
Reason: Fraud Atempts

We require you to complete an account update so we can unlock your account.

To start the update process please call at total free number : 805-203-4523

The information provided will be treated in confidence and stored in our secure database.
If you fail to provide information about your account you'll discover that your account has been automatically deleted from our database.

Please note the total free number : +1 805-203-4523

Copyright © VISA Debit Card, All Rights Reserved

---

Return-path: <debit@visa.com>
Envelope-to: gumu@removed.us
Delivery-date: Wed, 13 Feb 2008 11:42:35 -0500
Received: from host50-server.com ([66.49.136.205]:42309 helo=host50.host50-server.com)
by laredo.root--servers.net with esmtps (TLSv1:AES256-SHA:256)
(Exim 4.68)
(envelope-from <debit@visa.com>)
id 1JPKgp-0007YL-VN
for gumu@removed.us; Wed, 13 Feb 2008 11:42:35 -0500
Received: from User (host-209-174-182-70.champaignschools.org [209.174.182.70] (may be forged))
(authenticated bits=0)
by host50.host50-server.com (8.12.10/8.12.10) with ESMTP id m1DGl9M4002562;
Wed, 13 Feb 2008 11:47:09 -0500
Message-Id: <200802131647.m1DGl9M4002562@host50.host50-server.com>
Reply-To: <debit@visa.com>
From: "VISA Debit Cards"<debit@visa.com>
Subject: Urgent Notification
Date: Wed, 13 Feb 2008 10:45:05 -0600
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1251"
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by host50.host50-server.com id m1DGl9M4002562
X-Spam-Subject: ***SPAM*** Urgent Notification
X-Spam-Status: Yes, score=11.0
X-Spam-Score: 110
X-Spam-Bar: +++++++++++
X-Spam-Report: Spam detection software, running on the system "laredo.root--servers.net", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.
Content preview:  Dear Customer, VISA Debit Card , Security Departament temporarily
suspended your account. Reason: Fraud Atempts We require you to complete
an account update so we can unlock your account. [...] 
Content analysis details:   (11.0 points, 4.5 required)
pts rule name              description
---- ---------------------- --------------------------------------------------
2.8 TVD_PH_SUBJ_URGENT     TVD_PH_SUBJ_URGENT
1.3 MISSING_HEADERS        Missing To: header
3.0 BAYES_95               BODY: Bayesian spam probability is 95 to 99%
[score: 0.9858]
0.8 MSOE_MID_WRONG_CASE    MSOE_MID_WRONG_CASE
3.1 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
X-Spam-Flag: YES
 

February 4:

quote:

---

Dear Empire Bank Cardholder,

We detected irregular activity on your debit/credit card on 02/03/2008.
For your security, your online banking profile has been locked due to inactivity or because
of too many failed login attempts.

Empire Bank is serious about safeguarding your personal information online.

Unlocking your profile will take approximately one minute to complete .

To reactivate your debit/credit card :

Immediately call 1-(800) 929-3209 Monday-Friday during office hours.

or after hours and on weekends to reactivate your debit/credit card.

Member FDIC · Equal Housing Lender· © 2007 Empire Bank

---

Return-path: <gribble.dale+caf_=gumu=removed.us@gmail.com>
Envelope-to: gumu@removed.us
Delivery-date: Mon, 04 Feb 2008 10:49:54 -0500
Received: from ug-out-1314.google.com ([66.249.92.168]:31498)
by laredo.root--servers.net with esmtp (Exim 4.68)
(envelope-from <gribble.dale+caf_=gumu=removed.us@gmail.com>)
id 1JM3Zu-0001UP-Ow
for gumu@removed.us; Mon, 04 Feb 2008 10:49:54 -0500
Received: by ug-out-1314.google.com with SMTP id q2so17805uge.50
        for <gumu@removed.us>; Mon, 04 Feb 2008 07:49:49 -0800 (PST)
Received: by 10.78.162.4 with SMTP id k4mr12433546hue.66.1202140188297;
        Mon, 04 Feb 2008 07:49:48 -0800 (PST)
X-Forwarded-To: gumu@removed.us
X-Forwarded-For: gribble.dale@gmail.com gumu@removed.us
Delivered-To: gribble.dale@gmail.com
Received: by 10.78.156.16 with SMTP id d16cs104683hue;
        Mon, 4 Feb 2008 07:49:46 -0800 (PST)
Received: by 10.78.137.7 with SMTP id k7mr12431855hud.68.1202140185490;
        Mon, 04 Feb 2008 07:49:45 -0800 (PST)
Received: from centralfloridafair.com (cfsvr1.centralfloridafair.com [64.90.0.1])
        by mx.google.com with ESMTP id p25si1948067hub.29.2008.02.04.07.49.44;
        Mon, 04 Feb 2008 07:49:45 -0800 (PST)
Received-SPF: softfail (google.com: domain of transitioning info@empirebank.com does not designate 64.90.0.1 as permitted sender) client-ip=64.90.0.1;
Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning info@empirebank.com does not designate 64.90.0.1 as permitted sender) smtp.mail=info@empirebank.com
Received: from User ([64.62.123.42]) by centralfloridafair.com with Microsoft SMTPSVC(6.0.3790.3959);
 Mon, 4 Feb 2008 10:43:42 -0500
From: "Empire Bank"<info@empirebank.com>
Subject: Irregular Check Card Activity
Date: Mon, 4 Feb 2008 07:48:39 -0800
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Message-ID: <CFSVR14Ogddu5qE8DzH0000178c@centralfloridafair.com>
X-OriginalArrivalTime: 04 Feb 2008 15:43:42.0656 (UTC) FILETIME=[B83DE400:01C86744]
X-Spam-Subject: ***SPAM*** Irregular Check Card Activity
X-Spam-Status: Yes, score=11.9
X-Spam-Score: 119
X-Spam-Bar: +++++++++++
X-Spam-Report: Spam detection software, running on the system "laredo.root--servers.net", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.
Content preview:  Dear Empire Bank Cardholder, We detected irregular activity
on your debit/credit card on 02/03/2008. For your security, your online banking
profile has been locked due to inactivity or because of too many failed login
attempts. [...] 
Content analysis details:   (11.9 points, 4.5 required)
pts rule name              description
---- ---------------------- --------------------------------------------------
3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
[score: 1.0000]
-0.0 SPF_PASS               SPF: sender matches SPF record
1.3 MISSING_HEADERS        Missing To: header
2.5 HTML_IMAGE_ONLY_12     BODY: HTML: images with 800-1200 bytes of words
0.0 HTML_MESSAGE           BODY: HTML included in message
1.5 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
0.1 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
0.0 FORGED_OUTLOOK_TAGS    Outlook can't send HTML in this format
0.0 FORGED_OUTLOOK_HTML    Outlook can't send HTML message only
3.1 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
X-Spam-Flag: YES
 

January 23:

quote:

---

Dear Cardholder,

We detected irregular activity on your debit card on 01/22/2008.
For your security, your online banking profile has been locked due to inactivity or because
of too many failed login attempts.

To reactivate your account, you must contact us at (800) 564-9401 and fallow the instructions .

Copyright © National Credit Union Administration .

---

Return-path: <support@ncua.gov>
Envelope-to: gumu@removed.us
Delivery-date: Wed, 23 Jan 2008 23:57:11 -0500
Received: from adsl-75-41-76-14.dsl.chcgil.sbcglobal.net ([75.41.76.14]:6758 helo=emailserver.nmct.net)
by laredo.root--servers.net with esmtp (Exim 4.68)
(envelope-from <support@ncua.gov>)
id 1JHu9D-0005z9-7J
for gumu@removed.us; Wed, 23 Jan 2008 23:57:11 -0500
Received: from User ([24.65.64.219]) by emailserver.nmct.net with Microsoft SMTPSVC(5.0.2195.6713);
 Wed, 23 Jan 2008 22:50:56 -0600
From: "National Credit Union Administration"<support@ncua.gov>
Subject: Irregular Check Card Activity
Date: Wed, 23 Jan 2008 21:51:18 -0700
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Message-ID: <EMAILSERVER66lRCR5Y00000609@emailserver.nmct.net>
X-OriginalArrivalTime: 24 Jan 2008 04:50:56.0625 (UTC) FILETIME=[B4EC9610:01C85E44]
X-Spam-Subject: ***SPAM*** Irregular Check Card Activity
X-Spam-Status: Yes, score=14.9
X-Spam-Score: 149
X-Spam-Bar: ++++++++++++++
X-Spam-Report: Spam detection software, running on the system "laredo.root--servers.net", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.
Content preview:  Dear Cardholder, We detected irregular activity on your debit
card on 01/22/2008. For your security, your online banking profile has been
locked due to inactivity or because of too many failed login attempts. [...]
Content analysis details:   (14.9 points, 4.5 required)
pts rule name              description
---- ---------------------- --------------------------------------------------
3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
[score: 1.0000]
3.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
[Blocked - see <http://www.spamcop.net/bl.shtml?24.65.64.219>]
0.6 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
1.3 MISSING_HEADERS        Missing To: header
0.0 HTML_MESSAGE           BODY: HTML included in message
1.8 HTML_IMAGE_ONLY_08     BODY: HTML: images with 400-800 bytes of words
1.5 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
0.1 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
0.0 FORGED_OUTLOOK_TAGS    Outlook can't send HTML in this format
0.1 RDNS_DYNAMIC           Delivered to trusted network by host with
dynamic-looking rDNS
0.0 FORGED_OUTLOOK_HTML    Outlook can't send HTML message only
3.1 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
X-Spam-Flag: YES
 

January 23:

quote:

---

Dear PUDCU Cardholder,

We detected irregular activity on your debit/credit card on 01/21/2008.
For your security, your online banking profile has been locked due to inactivity or because
of too many failed login attempts.

Snohomish County PUD Credit Union is serious about safeguarding your personal information online.

Unlocking your profile will take approximately one minute to complete .

To reactivate your debit/credit card :

Immediately call 1-(800) 319-9621 Monday-Friday during office hours.

or after hours and on weekends to reactivate your debit/credit card.

© 2008 Snohomish County PUD Credit Union

---

Return-path: <account@pudcu.com>
Envelope-to: gumu@removed.us
Delivery-date: Wed, 23 Jan 2008 11:17:32 -0500
Received: from [76.12.61.28] (port=4637 helo=ds134642-1)
by laredo.root--servers.net with esmtp (Exim 4.68)
(envelope-from <account@pudcu.com>)
id 1JHiI4-0006LC-EV
for gumu@removed.us; Wed, 23 Jan 2008 11:17:32 -0500
Received: from s0106003065fb8258.fm.shawcable.net [24.65.64.219] by ds134642-1 with SMTP;
   Wed, 23 Jan 2008 23:16:04 -0500
From: "PUDCU"<account@pudcu.com>
Subject: Irregular Activity
Date: Wed, 23 Jan 2008 09:15:27 -0700
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Spam-Subject: ***SPAM*** Irregular Activity
X-Spam-Status: Yes, score=15.7
X-Spam-Score: 157
X-Spam-Bar: +++++++++++++++
X-Spam-Report: Spam detection software, running on the system "laredo.root--servers.net", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.
Content preview:  Dear PUDCU Cardholder, We detected irregular activity on your
debit/credit card on 01/21/2008. For your security, your online banking profile
has been locked due to inactivity or because of too many failed login attempts.
[...] 
Content analysis details:   (15.7 points, 4.5 required)
pts rule name              description
---- ---------------------- --------------------------------------------------
3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
[score: 1.0000]
0.0 MISSING_MID            Missing Message-Id: header
0.1 RDNS_NONE              Delivered to trusted network by a host with no rDNS
3.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
[Blocked - see <http://www.spamcop.net/bl.shtml?24.65.64.219>]
0.7 SPF_NEUTRAL            SPF: sender does not match SPF record (neutral)
1.3 MISSING_HEADERS        Missing To: header
2.5 HTML_IMAGE_ONLY_12     BODY: HTML: images with 800-1200 bytes of words
0.0 HTML_MESSAGE           BODY: HTML included in message
1.5 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
0.1 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
0.0 FORGED_OUTLOOK_TAGS    Outlook can't send HTML in this format
0.0 FORGED_OUTLOOK_HTML    Outlook can't send HTML message only
3.1 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
X-Spam-Flag: YES
 

January 21:

quote:

---

Dear Listerhill Credit Union Cardholder,

We detected irregular activity on your debit/credit card on 01/21/2008.
For your security, your online banking profile has been locked due to inactivity or because
of too many failed login attempts.

Listerhill Credit Union is serious about safeguarding your personal information online.

Unlocking your profile will take approximately one minute to complete .

To reactivate your debit/credit card :

Immediately call 1-(800) 554-8147 Monday-Friday during office hours.

or after hours and on weekends to reactivate your debit/credit card.

---

Return-path: <callus@listerhill.com>
Envelope-to: removed@laredo.root--servers.net
Delivery-date: Mon, 21 Jan 2008 11:10:17 -0500
Received: from removed by laredo.root--servers.net with local-bsmtp (Exim 4.68)
(envelope-from <callus@listerhill.com>)
id 1JGzDx-0004sI-91
for removed@laredo.root--servers.net; Mon, 21 Jan 2008 11:10:17 -0500
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on
laredo.root--servers.net
X-Spam-Level: *************
X-Spam-Status: Yes, score=13.7 required=4.5 tests=AWL,BAYES_95,
FORGED_MUA_OUTLOOK,FORGED_OUTLOOK_HTML,FORGED_OUTLOOK_TAGS,HTML_IMAGE_ONLY_16,
HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,INVALID_TZ_EST,MIME_HTML_ONLY,
MISSING_HEADERS,MISSING_MID,RCVD_NUMERIC_HELO,RDNS_NONE autolearn=spam
version=3.2.3
X-Spam-Report: 
*  0.0 MISSING_MID Missing Message-Id: header
*  0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
*  2.7 INVALID_TZ_EST Invalid date in header (wrong EST timezone)
*  2.1 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
*  1.3 MISSING_HEADERS Missing To: header
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  3.0 BAYES_95 BODY: Bayesian spam probability is 95 to 99%
*      [score: 0.9517]
*  1.5 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
*  1.5 HTML_IMAGE_ONLY_16 BODY: HTML: images with 1200-1600 bytes of words
*  0.1 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag
*  0.0 FORGED_OUTLOOK_TAGS Outlook can't send HTML in this format
*  0.0 FORGED_OUTLOOK_HTML Outlook can't send HTML message only
*  3.1 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
* -1.7 AWL AWL: From: address is in the auto white-list
Received: from [75.144.105.41] (port=3039 helo=mail)
by laredo.root--servers.net with smtp (Exim 4.68)
(envelope-from <callus@listerhill.com>)
id 1JGzDx-0004sC-4R
for gumu@removed.us; Mon, 21 Jan 2008 11:10:13 -0500
X-DN-AuthenticatedSender: WJNMJ6Y49E9A33NMKKNEHR39FEECX49W-7N7XuX6kOrPPID+RQx8MCC0DUOpXVR+x6PY47D02NwesRKSVkkrKacEUZe6cnhv/---
Received: from 24.65.64.219 ([24.65.64.219])
          by mail (DeskNow) with SMTP ID 180;
          Mon, 21 Jan 2008 10:15:03 -0600 (EST)
From: "Listerhill Credit Union"<callus@listerhill.com>
Subject: *****SPAM***** Irregular Check Card Activity
Date: Mon, 21 Jan 2008 09:10:11 -0700
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Spam-Prev-Subject: Irregular Check Card Activity
Message-Id: <E1JGzDx-0004sI-91@laredo.root--servers.net>
 

March 11:

quote:

---

Dear Customer,

VISA Debit Card , Security Departament temporarily suspended your account.
Reason: Fraud Atempts

We require you to complete an account update so we can unlock your account.

To start the update process please call at total free number : 803-825-4293

The information provided will be treated in confidence and stored in our secure database.
If you fail to provide information about your account you'll discover that your account has been automatically deleted from our database.

Please note the total free number : +1 803-825-4293

Copyright © VISA Debit Card, All Rights Reserved

---

Return-path: <debit@visa.com>
Envelope-to: gumu@removed.us
Delivery-date: Tue, 11 Mar 2008 10:39:18 -0400
Received: from mail.altayyargroup.com ([212.100.194.83]:38490)
by laredo.root--servers.net with esmtp (Exim 4.68)
(envelope-from <debit@visa.com>)
id 1JZ5dJ-0001w6-Sf
for gumu@removed.us; Tue, 11 Mar 2008 10:39:18 -0400
Received: from User ([10.65.28.1]) by mail.altayyargroup.com with Microsoft SMTPSVC(6.0.3790.3959);
 Tue, 11 Mar 2008 17:41:43 +0300
Reply-To: <debit@visa.com>
From: "VISA Debit Card"<debit@visa.com>
CC: gump13@hotmail.com,gumpond@netscape.com,gumshoe@uscyber.com,gumu@removed.us,gunadanu@hotmail.com
Subject: Urgent Notification!
Date: Tue, 11 Mar 2008 15.51.35 +0100
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID: <MAILfMS9stbDEa7fzCL00004a24@mail.altayyargroup.com>
X-OriginalArrivalTime: 11 Mar 2008 14:41:44.0380 (UTC) FILETIME=[06D8FFC0:01C88386]
X-Spam-Subject: ***SPAM*** Urgent Notification!
X-Spam-Status: Yes, score=13.4
X-Spam-Score: 134
X-Spam-Bar: +++++++++++++
X-Spam-Report: Spam detection software, running on the system "laredo.root--servers.net", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.
Content preview:  Dear Customer, VISA Debit Card , Security Departament temporarily
suspended your account. Reason: Fraud Atempts We require you to complete
an account update so we can unlock your account. [...] 
Content analysis details:   (13.4 points, 4.5 required)
pts rule name              description
---- ---------------------- --------------------------------------------------
1.2 INVALID_DATE           Invalid Date: header (not RFC 2822)
2.8 TVD_PH_SUBJ_URGENT     TVD_PH_SUBJ_URGENT
1.0 DATE_IN_PAST_12_24     Date: is 12 to 24 hours before Received: date
2.9 SUSPICIOUS_RECIPS      Similar addresses in recipient list
1.3 MISSING_HEADERS        Missing To: header
1.0 BAYES_60               BODY: Bayesian spam probability is 60 to 80%
[score: 0.6898]
0.0 FM_IS_IT_OUR_ACCOUNT   Is it our account?
3.1 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
X-Spam-Flag: YES