Das kam im Doppelpack. Eine der Seiten war noch nicht ganz tot.

header:
01: Return-Path: <Administration [at] t-online.de>
02: Received: from aiolos.otenet.gr (EHLO aiolos.otenet.gr) [83.235.67.30]
03: by xxx.xxx.xxx with SMTP; 25 Jul 2008 xx:xx:xx +0200
04: Received: from User ([83.229.101.219]) (authenticated bits=0)
05: by aiolos.otenet.gr (8.13.8/8.13.8/Debian-3) with ESMTP ID: [ID filtered]
06: Fri, 25 Jul 2008 xx:xx:xx +0300
07: Message-ID: [ID filtered]
08: From: "T-Online Administration"<Administration [at] t-online.de>
09: Subject: Your Online Account Will Soon Expire
10: Date: Fri, 25 Jul 2008 xx:xx:xx +0100
11: MIME-Version: 1.0
12: Content-Type: text/html; charset="Windows-1251"
13: Content-Transfer-Encoding: 7bit
14: X-Priority: 3
15: X-MSMail-Priority: Normal
16: X-Mailer: Microsoft Outlook Express 6.00.2600.0000
17: X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
18: To: undisclosed-recipients:;
T-Online Administration

Security Alert

Please note that Your T-Online Account Online Internet is about to expire. In order for it to remain active, please Use the link below to proceed and access your account.
Der Link führte natürlich nicht zu t-online.de sondern zu whois:http://www.nour-atfal.org/studies/share/t-mobile.htm. Von dort werden die abgephishten Logins per whois:http://www.tsn.cc/cgi-bin/formmailerv2.asp an snoozlock234@gmail.com geschickt.