[UCE/Phishing] Attention aII Citibank users!



Houser
14.06.2004, 10:54
Return-Path: <users-billing12 [at] citibank.com>
Delivered-To: xy [at] mail.xxx.de
Received: (qmail 31016 invoked from network); 15 Jun 2004 04:36:05 -0000
Received: from unknown (HELO me) (127.0.0.1)
by localhost with SMTP; 15 Jun 2004 04:36:05 -0000
Received: from mail.xxx.de
by mail id 31013-5EC11FE5;
Tue, 15 Jun 2004 06:36:05 +0200
Received: (qmail 22493 invoked by uid 0); 15 Jun 2004 05:35:37 -0000
Received: from unknown (HELO xxx.de) (unknown)
by unknown with SMTP; 15 Jun 2004 05:35:37 -0000
Received: (qmail 4276 invoked by uid 2102); 15 Jun 2004 04:36:03 -0000
Delivered-To: xy.yz [at] xxx.de
Received: (qmail 4274 invoked from network); 15 Jun 2004 04:36:02 -0000
Received: from users-billing12 [at] citibank.com by mail; 15 Jun 2004 04:36:02 -0000
Received: from dsl-80-46-185-1.access.uk.tiscali.com (80.46.185.1)
by mail.xxx.de with SMTP; 15 Jun 2004 04:36:00 -0000
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
FCC: mailbox://users-billing12 [at] citibank.com/Sent
X-Identity-Key: id1
Date: Tue, 15 Jun 2004 09:31:32 +0400
From: Citibank <users-billing12 [at] citibank.com>
X-Mozilla-Draft-Info: internal/draft; vcard=0; receipt=0; uuencode=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: xy.yz [at] xxx.de
Subject: Attention aII Citibank users!
Content-Type: multipart/related;
boundary="------------030801030400090106040000"
X-AntiVirus: OK
Content-Type: image/gif;
name="brag.GIF"
Content-Transfer-Encoding: base64
Content-ID: <part1.09040208.04060004 [at] user-billing23@citibank.com>
Content-Disposition: inline;
filename="brag.GIF"
Citi
Dear client of the Citi,
As the Technical service of the Citibank have been currently updating the software,
We kindly ask you to follow the reference given below to confirm your data, otherwise
your access to the system may be blocked.
We are grateful for your cooperation
A member of citigroup
Copyright (c) 2004 Citicorp
h11ps://web.da-us.citibank.com/signin/sc.../user_setup.jsp (h11ps://web.da-us.citibank.com/signin/scripts/Iogin2/user_setup.jsp)
h11p://%32%30%36%2E%31%33%35%2E%31%33%2E%39%38:%34%39%30%33/%63%69%74/%69%6E%64%65%78%2E%68%74%6D">
<img SRC="cid:part1.09040208.04060004 [at] user-billing23@citibank.com" border="0">

TV It`s not to the point when placed smash barricades Angelia Jolie

Fidul
14.06.2004, 16:39
The hex-encoded URL resolves to: 206.135.13.98:4903/cit/index.htm (apparently already dead). The whois for this IP is interesting.
--
We'll get you all!
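
An added example, not part of the original posts: the decoding described above, extended into a check of every link target in an HTML mail part, including image-map `<area>` links. The flag names, the threshold of five needless escapes and the port list are assumptions of this sketch; the sample is built from link targets quoted in the thread.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample: the two link targets from the first post (defanged as
# posted), placed in image-map markup like the HTML part quoted in this thread.
SAMPLE_HTML = (
    '<A HREF="h11ps://web.da-us.citibank.com/signin/scripts/Iogin2/user_setup.jsp">'
    '<map name="FPMap0"><area coords="0, 0, 610, 275" shape="rect" href="h11p://'
    '%32%30%36%2E%31%33%35%2E%31%33%2E%39%38:%34%39%30%33/%63%69%74/'
    '%69%6E%64%65%78%2E%68%74%6D"></map><img SRC="cid:logo" usemap="#FPMap0"></A>'
)

class LinkCollector(HTMLParser):
    """Collect link targets from <a> and image-map <area> tags."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag in ("a", "area"):
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def analyse_href(href):
    """Percent-decode one link target and list why it looks suspicious."""
    href = re.sub(r"(?i)^h(?:xx|11)p", "http", href)   # undo forum defanging
    authority = "".join(re.findall(r"(?i)^https?://([^/?#]*)", href))
    decoded = unquote(href)
    parts = urlsplit(decoded)
    host = parts.hostname or ""
    try:
        port = parts.port
    except ValueError:                                  # malformed port
        port = None
    needless = sum(bool(re.fullmatch(r"[A-Za-z0-9._~-]", chr(int(h, 16))))
                   for h in re.findall(r"%([0-9A-Fa-f]{2})", href))
    checks = [
        ("escaped-host", "%" in authority),             # cf. HTTP_ESCAPED_HOST
        ("ip-literal-host", bool(re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host))),
        ("unusual-port", port not in (None, 80, 443)),
        ("needless-escapes", needless >= 5),            # cf. HTTP_EXCESSIVE_ESCAPES
    ]
    flags = [name for name, hit in checks if hit]
    return {"decoded": decoded, "host": host, "port": port, "flags": flags}

def scan_html(html):
    """Return one analysis dict per link found in an HTML mail part."""
    collector = LinkCollector()
    collector.feed(html)
    return [analyse_href(h) for h in collector.hrefs]
```
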

mindphlux
14.06.2004, 16:41
A hotel in Beverly Hills, hm? I wonder whether someone on vacation hooked up their laptop there as a server?

Spammer, go to http://www.arghcor.de/

pewe222
16.06.2004, 03:07
These mails (concerning Citibank) now arrive on a weekly basis. By contrast, the ones (supposedly) from PayPal have dropped off noticeably.

Received: from [63.160.44.69] (helo=COREY-LQ2VPA4D9) by mx17.web.de with smtp (WEB.DE 4.101 #91) id 1BZrDH-00084d-00; Mon, 14 Jun 2004 15:09:23 +0200
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
FCC: mailbox://user-billing9 [at] citibank.com/Sent
X-Identity-Key: id1
Date: Mon, 14 Jun 2004 15:09:54 +0100
From: Citi
X-Mozilla-Draft-Info: internal/draft; vcard=0; receipt=0; uuencode=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: xxxxxxxxxxxxx [at] web.de
Subject: your Citibank account! [Mon, 14 Jun 2004 13:07:54 -0100]
Content-Type: multipart/related; boundary="------------030101020205010204090000"
Message-Id:
Sender: user-billing9 [at] citibank.com
Below that, a GIF including text and a redirect to
https://freemailng0809.web.de/online/logic/download.htm?

mindphlux
18.06.2004, 17:58
Another one, a bit different this time. The URL is already dead, or rather is redirected to http://www.citi.com. In Thunderbird the spoof doesn't work at all, since you can't click the spoofed URL.


From - Sat Jun 19 18:06:05 2004
X-UIDL: 1087661015.10056.twister.ispgateway.de,S=10121
X-Mozilla-Status: 0000
X-Mozilla-Status2: 00000000
Return-Path: <user-supports05 [at] citibank.com>
Delivered-To: xxx
Received: (qmail 10053 invoked from network); 19 Jun 2004 16:03:35 -0000
Received: from unknown ([62.67.200.162])
by twister.ispgateway.de (qmail-ldap-1.03) with QMQP; 19 Jun 2004 16:03:35 -0000
Delivered-To: CLUSTERHOST mx11.ispgateway.de xxx
Received: (qmail 21637 invoked from network); 19 Jun 2004 16:03:35 -0000
Received: from unknown (HELO adsl-69-108-32-81.dsl.lsan03.pacbell.net) ([69.108.32.81])
(envelope-sender <user-supports05 [at] citibank.com>)
by mx11.ispgateway.de (qmail-ldap-1.03) with SMTP
for <xxx>; 19 Jun 2004 16:03:34 -0000
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
FCC: mailbox://user-supports05 [at] citibank.com/Sent
X-Identity-Key: id1
Date: Sat, 19 Jun 2004 13:59:30 -0300
From: Citi <user-supports05 [at] citibank.com>
X-Mozilla-Draft-Info: internal/draft; vcard=0; receipt=0; uuencode=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: nddb [at] nddb.de
Subject: **SPAM** ! your account in Citibank
Content-Type: multipart/related;
boundary="------------000401050406000805060009"
X-Spam-Checker-Version: SpamAssassin 2.61 (1.212.2.1-2003-12-09-exp) on
mx11.ispgateway.de
X-Spam-Level: ******
X-Spam-Status: No, hits=6.4 required=9999.0 tests=FROM_ENDS_IN_NUMS,
HTML_70_80,HTML_FONTCOLOR_UNSAFE,HTML_IMAGE_ONLY_02,HTML_MESSAGE,
HTML_TAG_BALANCE_A,HTTP_ESCAPED_HOST,HTTP_EXCESSIVE_ESCAPES,
MIME_HTML_ONLY autolearn=no version=2.61
X-Bayesian-Result: Clean (2)
X-Bayesian-Words: 2000 56 275 50 account 7 cid 50 citibank 99 da-us 50 fffff6 50 fpmap0 50 jsp 50 nice 13 please 28 rect 0 simpsons 50 users-support50 50 what 79
X-SpamPal: SPAM DSBL 69.108.32.81
This is a multi-part message in MIME format.
--------------000401050406000805060009
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
<html><font face="Arial"><A HREF="https://web.da-us.citibank.com/signin/sc.../user_setup.jsp (https://web.da-us.citibank.com/signin/scripts/Iogin2/user_setup.jsp)"><map name="FPMap0"><area coords="0, 0, 610, 275" shape="rect" href="http://%32%31%31%2E%31%36%38%2E%31%33%35%2E%35%30:%34%39%30%33/%63%69%74/%69%6E%64%65%78%2E%68%74%6D"></map><img SRC="cid:part1.01020309.03020108 [at] users-support50@citibank.com" border="0" usemap="#FPMap0"></A></a></font>
<font color="#FFFFF6">in 1903 in 2000 What area, please? It`s nice Simpsons </font>
</html>
--------------000401050406000805060009
Content-Type: image/gif;
name="arizona.GIF"
Content-Transfer-Encoding: base64
Content-ID: <part1.01020309.03020108 [at] users-support50@citibank.com>
Content-Disposition: inline;
filename="arizona.GIF"


"Africans, we count people first while money and other material things
come after." -- Ann, 419 scammer
Spammer, go to http://www.arghcor.de/

pp
19.06.2004, 09:14
and one from today at my end...
Return-Path: <user-billing49 [at] citibank.com>
X-Original-To: ppp [at] ppp.de
Delivered-To: xxx
Received: from 0xd5aaec3d.dhcp.kabelnettet.dk (0xd5aaec3d.dhcp.kabelnettet.dk [213.170.236.61])
by xxx(Postfix) with SMTP id D2A5A20CA2
for <ppp [at] ppp.de>; Sat, 19 Jun 2004 23:41:30 +0200 (CEST)
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
FCC: mailbox://user-billing49 [at] citibank.com/Sent
X-Identity-Key: id1
Date: Sun, 20 Jun 2004 03:40:39 +0500
From: Citi <user-billing49 [at] citibank.com>
X-Mozilla-Draft-Info: internal/draft; vcard=0; receipt=0; uuencode=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: ppp [at] ppp.de
Subject: !0fficiaI Notice for aII Citibank users [Sun, 20 Jun 2004 04:42:39 +0600]
Content-Type: multipart/related;
boundary="------------090404050805050201050009"
Message-Id: <20040619214130.D2A5A20CA2 [at] xxx>
X-UIDL: m%_"!*?)!!3k;"!D5G!!

pp
19.06.2004, 19:40
And again, but this time linked, hex-encoded, to: http://4.8.204.251:4903/cit/index.htm This time a hotel in LA
Return-Path: <users-billing1 [at] citibank.com>
X-Original-To: www [at] www.de
Delivered-To: xxx
Received: from 81.209.184.239 (unknown [210.205.206.90])
by xxx(Postfix) with SMTP id A0C8A2FE3C
for <www [at] www.de>; Sun, 20 Jun 2004 19:37:07 +0200 (CEST)
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
FCC: mailbox://users-billing1 [at] citibank.com/Sent
X-Identity-Key: id1
Date: Sun, 20 Jun 2004 15:34:32 -0300
From: Citi <users-billing1 [at] citibank.com>
X-Mozilla-Draft-Info: internal/draft; vcard=0; receipt=0; uuencode=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: www [at] www.de
Subject: !Citibank reguIar verification of the accounts [Mon, 21 Jun 2004 00:38:32 +0600]
Content-Type: multipart/related;
boundary="------------060400040803040403090004"
Message-Id: <20040620173707.A0C8A2FE3C [at] xxx>
X-UIDL: !4!"!oV%#!!id"!5Z?!!

Stalker2002
27.06.2004, 14:28
Phishing is by now also run by cookie-cutter routine.
On the 19th the usual Citibank mail arrived at my end
Received: from [203.222.24.37] (helo=YOUR-5TOBLW0WQW) by mx25.web.de with smtp (WEB.DE 4.101 #26) id 1BbnL4-0008MG-00; Sat, 19 Jun 2004 23:25:27 +0200
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
FCC: mailbox://user-supports04 [at] citibank.com/Sent
X-Identity-Key: id1
Date: Sat, 19 Jun 2004 20:18:13 -0200
From: Citibank
X-Mozilla-Draft-Info: internal/draft; vcard=0; receipt=0; uuencode=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: nichtmeineAdresse
Subject: your account - Citibank [Sun, 20 Jun 2004 01:18:13 +0300]
Content-Type: multipart/related; boundary="------------070902010807080709090006"
Message-Id:
Sender: user-supports04 [at] citibank.com

dear client of the citi,
As the technical service of the Citibank have been currently updating the software, We kindly ask you to follow the reference given below to confirm your data, otherwise your access to the system may be blocked
hXXps://web.da-us.citibank.com/signin/sc.../user_setup.jsp (hXXps://web.da-us.citibank.com/signin/scripts/login2/user_setup.jsp)
We are grateful for your cooperation.
It links to something %-encoded that throws open a popup which constantly grabs the focus and is also fairly ALT-F4-resistant. In the actual window a genuine Citibank page is then opened, which is presumably meant to underline the credibility.
And now the kicker:
Today a mail turned up at my end that is completely identical except for the logo and the term Citibank.
Now all of a sudden it's U.S. Bank.
Received: from [82.197.207.59] (helo=217.72.192.149) by mx20.web.de with smtp (WEB.DE 4.101 #26) id 1BeMXs-0002ES-00; Sun, 27 Jun 2004 01:25:19 +0200
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
FCC: mailbox://user-billing41 [at] usbank.com/Sent
X-Identity-Key: id1
Date: Sun, 27 Jun 2004 17:19:23 -0700
From: US Bank
X-Mozilla-Draft-Info: internal/draft; vcard=0; receipt=0; uuencode=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: auchnichtmeineAdresse
Subject: To all US Bank users!
Content-Type: multipart/related; boundary="------------000706070109000705040002"
Message-Id:
Sender: user-billing41 [at] usbank.com
HTML mail, linked to:
hXXp://%32%31%31%2e%32%33%32%2e%31%34%33%2e%32%32%37:%34%39%30%31/%63%66%6D/%69%6E%64%65%78%2E%68%74%6D
Regards,
L.
P.S.: Hello web.de?!? What's the deal with the header as a single line?
Do you think I have time to burn, that I regularly reformat this kind of thing myself?
---
"The reason was not the cause, but the trigger."
Franz "der Kaiser" Beckenbauer
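
An added example, not part of the original posts: one way to turn the "same template, different bank" observation above into a header check. It rests on the assumption that `X-Mozilla-Draft-Info`, `FCC` and `X-Identity-Key` are compose-time headers of the Mozilla mail client that are not expected in delivered mail; the flag names and the `ordinary` message are hypothetical, and the other sample headers are abbreviated from those posted in the thread.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parsedate_to_datetime

DRAFT_ONLY = ("X-Mozilla-Draft-Info", "FCC", "X-Identity-Key")
UA = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) "
      "Gecko/20030624 Netscape/7.1 (ax)")

def sample(fcc, date, subject):
    """Constructed, abbreviated header block in the shape posted in the thread."""
    return (f"FCC: mailbox://{fcc}/Sent\nX-Identity-Key: id1\nDate: {date}\n"
            "X-Mozilla-Draft-Info: internal/draft; vcard=0; receipt=0; uuencode=0\n"
            f"User-Agent: {UA}\nSubject: {subject}\n\n")

SAMPLES = {
    "citi-19jun": sample("user-billing49 [at] citibank.com",
                         "Sun, 20 Jun 2004 03:40:39 +0500",
                         "!0fficiaI Notice for aII Citibank users "
                         "[Sun, 20 Jun 2004 04:42:39 +0600]"),
    "usbank-27jun": sample("user-billing41 [at] usbank.com",
                           "Sun, 27 Jun 2004 17:19:23 -0700",
                           "To all US Bank users!"),
    "ordinary": "Date: Mon, 21 Jun 2004 10:00:00 +0200\n"   # hypothetical contrast
                "User-Agent: ExampleMailer/1.0\nSubject: lunch?\n\n",
}

def indicators(raw):
    """Flag compose-time headers and a Subject timestamp that disagrees with Date."""
    msg = message_from_string(raw)
    flags = [f"draft-header:{h}" for h in DRAFT_ONLY if msg[h] is not None]
    stamp = re.search(r"\[(\w{3}, \d{1,2} \w{3} \d{4} [\d:]{8} [+-]\d{4})\]",
                      msg["Subject"] or "")
    if stamp and msg["Date"]:
        offsets = {parsedate_to_datetime(v).utcoffset()
                   for v in (stamp.group(1), msg["Date"])}
        if len(offsets) > 1:
            flags.append("subject-date-offset-mismatch")
    return flags

def cluster(samples):
    """Group samples sharing client string and draft settings, whatever the brand."""
    groups = defaultdict(list)
    for name, raw in samples.items():
        msg = message_from_string(raw)
        key = (msg["User-Agent"], msg["X-Mozilla-Draft-Info"], msg["X-Identity-Key"])
        groups[key].append(name)
    return [sorted(names) for names in groups.values() if len(names) > 1]
```
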

Fidul
27.06.2004, 19:29
The latest phishing URL 211.232.143.227:4901/cfm/index.htm is once again located in Korea.
--
We'll get you all!