NASTY phishing attack!

Greg Deputy greg at BLASTZONE.COM
Wed Nov 17 23:58:09 GMT 2004 

Sorry for the slow reply, been at the hospital with a new baby...

Yes, I have

Allow Script Tags = disarm

In MailScanner.conf

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Julian Field
> Sent: Saturday, November 13, 2004 9:04 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: NASTY phishing attack!
>
>
> Do you have
> Allow Script Tags = disarm
> set in MailScanner.conf?
>
> Greg Deputy wrote:
>
> >Take a look at this NASTY phishing attack.  It managed to sneak past
> >the MailScanner phishing detector, but was caught as spam.
> What makes
> >it especially nasty is the page uses some sort of IE client side
> >scripting functionality that puts a text box on TOP of the browser
> >address bar, so it covers the actual URL!  I noticed it
> because I have
> >the google toolbar installed and it came up on top of that instead.
> >
> >Very scary, any non-techie sort of person could easily be fooled by
> >this.  Yuck!
> >
> >In case the page goes down or if you don't have access to a machine
> >running IE, here's a screenshot:
> >
> >http://greg.blastzone.com/nastyPhish.jpg
> >
> >
> >
> >>-----Original Message-----
> >>From: Washington Mutual Bank [mailto:service at wamu.com]
> >>Sent: Friday, November 12, 2004 7:05 PM
> >>To: undisclosed-recipients:
> >>Subject: [spam] {Spam?} Security Measures !
> >>
> >>
> >>The Blastzone.com MailScanner believes that the attachment to this
> >>message sent to you
> >>
> >>    From: service at wamu.com
> >> Subject: Security Measures !
> >>
> >>is Unsolicited Commercial Email (spam). Unless you are sure
> that this
> >>message is incorrectly thought to be spam, please delete
> this message
> >>without opening it. Opening spam messages might allow the
> spammer to
> >>verify your email address.
> >>
> >>If you believe that this message has been incorrectly
> marked as spam,
> >>please forward this email to ham at blastzone.com.
> >>
> >> pts rule name              description
> >>---- ----------------------
> >>--------------------------------------------------
> >> 1.3 UNDISC_RECIPS          Valid-looking To
> "undisclosed-recipients"
> >> 0.0 NORMAL_HTTP_TO_IP      URI: Uses a dotted-decimal IP
> >>address in URL
> >> 0.0 HTML_MESSAGE           BODY: HTML included in message
> >> 0.2 MIME_HTML_ONLY         BODY: Message only has text/html
> >>MIME parts
> >> 0.1 HTML_50_60             BODY: Message is 50% to 60% HTML
> >> 0.0 HTML_TITLE_EMPTY       BODY: HTML title contains no text
> >>-0.4 BAYES_05               BODY: Bayesian spam probability
> is 1 to 5%
> >>                            [score: 0.0204]
> >> 1.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
> >> 2.2 DCC_CHECK              Listed in DCC
> >>(http://rhyolite.com/anti-spam/dcc/)
> >> 0.1 DIGEST_MULTIPLE
> >>   Message hits more than one network digest check
> >> 0.6 FORGED_OUTLOOK_HTML    Outlook can't send HTML message only
> >> 0.1 FORGED_OUTLOOK_TAGS    Outlook can't send HTML in this format
> >> 0.0 FORGED_MUA_OUTLOOK     Forged mail pretending to be from
> >>MS Outlook
> >>
> >>
> >>
> >>
> >>
> >>
> >
> >------------------------ MailScanner list
> ------------------------ To
> >unsubscribe, email jiscmail at jiscmail.ac.uk with the words: 'leave
> >mailscanner' in the body of the email. Before posting, read the MAQ
> >(http://www.mailscanner.biz/maq/) and the archives
> >(http://www.jiscmail.ac.uk/lists/mailscanner.html).
> >
> >Support MailScanner development - buy the book off the website!
> >
> >
> >
> >
> ----------------------------------------------------------------------
> > --
> >
> > Subject:
> > Security Measures !
> > From:
> > "Washington Mutual Bank" <service at wamu.com>
> > Date:
> > Fri, 12 Nov 2004 19:05:10 -0800
> > To:
> > <undisclosed-recipients:>
> >
> > To:
> > <undisclosed-recipients:>
> >
> >
> >
> > Dear Washington Mutual customer,
> >
> > We recently reviewed your account, and suspect that your Washington
> > Mutual Internet Banking accountmay have been accessed by an
> > unauthorized third party. Protecting the security of your
> account and
> > of the Washington Mutual network is our primary concern.
> Therefore, as
> > a preventative measure, we have temporarily limited access to
> > sensitive account features.
> >
> > To restore your account access, please take the following steps to
> > ensure that your account has not been compromised:
> >
> > 1. Login to your Washington Mutual Internet Banking
> account. In case
> > you are not enrolled for Internet Banking, you will have to fill in
> > all the required information, including your name and you account
> > number.
> >
> > 2. Review your recent account history for any unauthorized
> withdrawals
> > or deposits, and check you account profile to make sure not changes
> > have been made. If any unauthorized activity has taken
> place on your
> > account, report this to Washington Mutual staff immediately.
> >
> > To get started, please click the link below:
> >
> > *MailScanner has detected a possible fraud attempt from
> "66.226.68.25"
> > claiming to be *
> > _https://login.personal.wamu.com/logon/logon.asp?dd=1_
> > <http://66.226.68.25/>_
> >
> > We apologize for any inconvenience this may cause, and
> appreciate your
> > assistance in helping us maintain the integrity of the entire
> > Washington Mutual system. Thank you for attention to this matter.
> >
> > _
>
>
> --
> Julian Field
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> ------------------------ MailScanner list
> ------------------------ To unsubscribe, email
> jiscmail at jiscmail.ac.uk with the words: 'leave mailscanner'
> in the body of the email. Before posting, read the MAQ
> (http://www.mailscanner.biz/maq/) and the archives
(http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!

More information about the MailScanner mailing list