An
Email with the Subject "Citibank - Your account has been selected for security confirmation !" was
received in one of Scamdex's honeypot email accounts on Wed, 23 Jan 2013 05:24:04 -0800
and has been classified as a Generic Scam Email.
The sender shows as Citigroup <citi@citigroups.com>.
The email address was probably spoofed. Do not reply to or contact any persons or organizations referenced in
this email, or follow any URLs as you may expose yourself to scammers and, at the very least, you will be
added to their email address lists for spam purposes.
This a (redacted) view of the raw email headers of this scam email.
Personally Identifiable Information (PII) has been suppressed, but can be
supplied as received to appropriate investigating or law enforcement agencies on request.
EEEEEstdClass Object
(
[return-path:] =>
[envelope-to:] => employmentscams@scamdex.com
[delivery-date:] => Wed, 23 Jan 2013 05:24:05 -0800
[received:] => Array
(
[0] => from mail.kelseygreenesupermart.com ([81.145.152.245]:33007 helo=central.christembassydigitalmedia.com)by lester.newsblaze.com with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)(Exim 4.80)(envelope-from )id 1Ty0J6-0003Av-Brfor employmentscams@scamdex.com; Wed, 23 Jan 2013 05:24:04 -0800
[1] => from [81.12.234.242] (port=19695 helo=citigroups.com)by central.christembassydigitalmedia.com with esmtpa (Exim 4.80)(envelope-from )id 1Ty0Is-0001Bi-9lfor employmentscams@scamdex.com; Wed, 23 Jan 2013 13:23:46 +0000
)
[from:] => Citigroup
[to:] => employmentscams@scamdex.com
[subject:] => Citibank - Your account has been selected for security confirmation !
[date:] => 23 Jan 2013 15:23:40 +0200
[message-id:] => <20130123152340.257AB3A43D02714F@citigroups.com>
[mime-version:] => 1.0
[disposition-notification-to:] => dutevinomars@hotmail.com
[content-type:] => text/html;charset="iso-8859-1"
[content-transfer-encoding:] => quoted-printable
[x-antiabuse:] => Array
(
[0] => This header was added to track abuse, please include it with any abuse report
[1] => Primary Hostname - central.christembassydigitalmedia.com
[2] => Original Domain - scamdex.com
[3] => Originator/Caller UID/GID - [47 12] / [47 12]
[4] => Sender Address Domain - citigroups.com
)
[x-get-message-sender-via:] => central.christembassydigitalmedia.com: authenticated_id: info@loveworldmobile.com
[x-spam-status:] => No, score=3.9
[x-spam-score:] => 39
[x-spam-bar:] => +++
[x-ham-report:] => Spam detection software, running on the system "lester.newsblaze.com", hasidentified this incoming email as possible spam. The original messagehas been attached to this so you can view it (if it isn't spam) or labelsimilar future email. If you have any questions, seethe administrator of that system for details.Content preview: Dear Citibank Customer,, Your account has been selected for security confirmation. Please use the link below to complete the online checking account. [...] Content analysis details: (3.9 points, 4.0 required) pts rule name description---- ---------------------- -------------------------------------------------- 0.0 URIBL_PH_SURBL Contains an URL listed in the PH SURBL blocklist [URIs: santacasaimagem.com.br] 0.9 SPF_FAIL SPF: sender does not match SPF record (fail)[SPF failed: Please see http://www.openspf.org/Why?s=mfrom;id=citi%40citigroups.com;ip=81.145.152.245;r=lester.newsblaze.com] 0.0 HTML_MESSAGE BODY: HTML included in message 1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts 0.0 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars 0.6 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag 1.2 TVD_PH_SUBJ_META1 Email has a Phishy looking subject line
[x-spam-flag:] => NO
)
Domain Names used for collecting scam email ("Honeypot email accounts") have been obscured and replaced with the token 'HUN1P0T'
Community Action - SPAM/non-Scam Report
Occasionally, incorrectly categorized emails get into the Scamdex Scam Email Database and need to be removed. If this
email has Personally Identifiable Information (PII), or is, in your opinion, from a bona-fide entity, let us know.
Scamdex will, as soon as is practicable, take-down any emails that in our opinion should not
be in our database. Note that ALL emails in the Scamdex Scam Email Database were received as Unsolicited Commercial Email, aka UCE or
SPAM, via unpublished 'Honeypot' email addresses.