NASTY phishing attack!

Julian Field mailscanner at
Sat Nov 13 17:04:28 GMT 2004

Do you have
Allow Script Tags = disarm
set in MailScanner.conf?

Greg Deputy wrote:

>Take a look at this NASTY phishing attack.  It managed to sneak past the
>MailScanner phishing detector, but was caught as spam.  What makes it
>especially nasty is the page uses some sort of IE client side scripting
>functionality that puts a text box on TOP of the browser address bar, so
>it covers the actual URL!  I noticed it because I have the google
>toolbar installed and it came up on top of that instead.
>Very scary, any non-techie sort of person could easily be fooled by
>this.  Yuck!
>In case the page goes down or if you don't have access to a machine
>running IE, here's a screenshot:
>>-----Original Message-----
>>From: Washington Mutual Bank [mailto:service at]
>>Sent: Friday, November 12, 2004 7:05 PM
>>To: undisclosed-recipients:
>>Subject: [spam] {Spam?} Security Measures !
>>The MailScanner believes that the attachment to
>>this message sent to you
>>    From: service at
>> Subject: Security Measures !
>>is Unsolicited Commercial Email (spam). Unless you are sure
>>that this message is incorrectly thought to be spam, please
>>delete this message without opening it. Opening spam messages
>>might allow the spammer to verify your email address.
>>If you believe that this message has been incorrectly marked
>>as spam, please forward this email to ham at
>> pts rule name              description
>>---- ----------------------
>> 1.3 UNDISC_RECIPS          Valid-looking To "undisclosed-recipients"
>> 0.0 NORMAL_HTTP_TO_IP      URI: Uses a dotted-decimal IP address in URL
>> 0.0 HTML_MESSAGE           BODY: HTML included in message
>> 0.2 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
>> 0.1 HTML_50_60             BODY: Message is 50% to 60% HTML
>> 0.0 HTML_TITLE_EMPTY       BODY: HTML title contains no text
>>-0.4 BAYES_05               BODY: Bayesian spam probability is 1 to 5%
>>                            [score: 0.0204]
>> 1.5 RAZOR2_CHECK           Listed in Razor2 (
>> 2.2 DCC_CHECK              Listed in DCC
>>   Message hits more than one network digest check
>> 0.6 FORGED_OUTLOOK_HTML    Outlook can't send HTML message only
>> 0.1 FORGED_OUTLOOK_TAGS    Outlook can't send HTML in this format
>> 0.0 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
>------------------------ MailScanner list ------------------------
>To unsubscribe, email jiscmail at with the words:
>'leave mailscanner' in the body of the email.
>Before posting, read the MAQ ( and
>the archives (
>Support MailScanner development - buy the book off the website!
> ------------------------------------------------------------------------
> Subject:
> Security Measures !
> From:
> "Washington Mutual Bank" <service at>
> Date:
> Fri, 12 Nov 2004 19:05:10 -0800
> To:
> <undisclosed-recipients:>
> Dear Washington Mutual customer,
> We recently reviewed your account, and suspect that your Washington
> Mutual Internet Banking accountmay have been
> accessed by an unauthorized third party.
> Protecting the security of your account and of the Washington Mutual
> network is our primary concern. Therefore, as a
> preventative measure, we have temporarily limited access to sensitive
> account features.
> To restore your account access, please take the following steps to
> ensure that your account has not been compromised:
> 1. Login to your Washington Mutual Internet Banking account. In case
> you are not enrolled for Internet Banking, you will
> have to fill in all the required information, including your name and
> you account number.
> 2. Review your recent account history for any unauthorized withdrawals
> or deposits, and check you account profile to
> make sure not changes have been made. If any unauthorized activity has
> taken place on your account, report this to
> Washington Mutual staff immediately.
> To get started, please click the link below:
> *MailScanner has detected a possible fraud attempt from ""
> claiming to be *
> _
> <>_
> We apologize for any inconvenience this may cause, and appreciate your
> assistance in helping us maintain the integrity of
> the entire Washington Mutual system. Thank you for attention to this
> matter.
> _

Julian Field
Buy the MailScanner book at
Professional Support Services at
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
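
The traits discussed in this thread (a link whose visible text names one host while its href points at a dotted-decimal IP, plus script tags in an HTML-only message) can be checked mechanically. The sketch below is an added example, not MailScanner's or SpamAssassin's code; the names `LinkAudit`, `host_of` and `audit` are hypothetical, and the sample HTML is constructed using documentation-reserved hosts.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkAudit(HTMLParser):
    """Collect (href, visible text) pairs and count <script> tags."""
    def __init__(self):
        super().__init__()
        self.links, self.scripts, self._href, self._text = [], 0, None, []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1
        elif tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Return the host if the link text itself looks like a URL or hostname."""
    m = re.match(r"^(?:https?://)?([a-z0-9.-]+\.[a-z0-9-]+)(?:[:/]|$)",
                 value.strip().lower())
    return m.group(1) if m else None

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit(html):
    """Return a list of (finding, detail) tuples for one HTML body."""
    p = LinkAudit()
    p.feed(html)
    findings = [("script-tag", str(p.scripts))] if p.scripts else []
    for href, text in p.links:
        real = (urlsplit(href).hostname or "").lower()
        shown = host_of(text)
        if real and is_ip(real):
            findings.append(("ip-literal-href", real))
        if shown and real and shown != real:
            findings.append(("text-href-mismatch", f"{shown} -> {real}"))
    return findings

# Constructed sample: 192.0.2.10 and bank.example are reserved for documentation.
SAMPLE = ('<html><body><script>/* constructed placeholder */</script>'
          '<a href="http://192.0.2.10/login/">https://www.bank.example/login</a>'
          '<a href="https://www.bank.example/help">Help</a></body></html>')
```

Running `audit(SAMPLE)` reports the script tag, the IP-literal link and the text/href mismatch, and leaves the ordinary "Help" link unflagged.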
