The report for this spam can be found at: 2008 Phish Scam Edition.
Received: from server-mail.de (213.239.204.121) by studio42.com with ESMTP
(Eudora Internet Mail Server 3.2.10) for <spam-hater@studio42.com>;
Thu, 20 Nov 2008 21:19:46 -0800
Received: from localhost (localhost [127.0.0.1])
by server-mail.de (Postfix) with ESMTP id 0113BD82BB;
Fri, 21 Nov 2008 05:18:58 +0100 (CET)
Received: from server-mail.de ([127.0.0.1])
by localhost (debian [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 12715-07; Fri, 21 Nov 2008 05:18:53 +0100 (CET)
Received: from User (unknown [217.10.144.118])
by server-mail.de (Postfix) with ESMTP id E5447D8279;
Fri, 21 Nov 2008 05:18:32 +0100 (CET)
Reply-To: <aw-fraud@hsbc.co.uk>
From: "customerservice@hsbc.co.uk" <aw-fraud@hsbc.co.uk>
Subject: warning message !
Date: Thu, 20 Nov 2008 23:19:38 -0600
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0081_01C2A9A6.58468C46"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: <20081121041832.E5447D8279@server-mail.de>
To: undisclosed-recipients: ;
X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at server-mail.de
This is a multi-part message in MIME format.
------=_NextPart_000_0081_01C2A9A6.58468C46
Content-Type: text/plain;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
www.abbey.co.uk
------=_NextPart_000_0081_01C2A9A6.58468C46
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
<td><img src="http://www.hsbc.co.uk/1/themes/html/hsbc_ukpersonal/images/hsbc_logo_only.gif"
<P><FONT face=Verdana size=2><STRONG>Dear valued
HSBC Customer,</STRONG> </FONT></P>
<P align=left><FONT face=Verdana size=2>We recently have determined
that different computers have logged into your<br>HSBC Online
Banking account,and multiple password failures were present before the
logons.<br>We now need you to log into your account and verify your
account activity.<BR> ccount we have issued this warning
message.</FONT></P><P><FONT face=Verdana size=2>It has come to our
attention that your HSBC Online Banking account information needs
to be <BR>
reactivated as part of our continuing commitment to
protect your account and to <BR>reduce the instance of fraud on our
website in this new Season.<br>Once you have reactivated your account
records your HSBC account<BR> service will not be interrupted and
will continue as normal.
</FONT></P>
<P><FONT face=Verdana size=2>To reactivate your
HSBC Online Banking Account click on the following link: <BR>
</FONT><A
href="http://static-ip-86-239-104-152.anlai.com/login.php"
target=_blank><FONT
face=Verdana color=#003399
size=2>Sign In to Internet Banking
</FONT></A></P>
<P><FONT face=Verdana size=2>Thank You.</FONT></P>
<P><FONT face=Verdana size=1>Accounts Management
As outlined in our
User Agreement, HSBC will <BR>
periodically send you information about site
changes and
enhancements. </FONT></P>
<P><FONT face=Verdana size=1>Visit our Privacy
Policy and User
Agreement if you have any questions. <BR>
</FONT><FONT face=Verdana color=#003399
size=1>http://hsbc.co.uk/help
/index.html </FONT></A></P>
</DIV>
------=_NextPart_000_0081_01C2A9A6.58468C46--
[studio42@flatus counter]$ host 213.239.204.121
121.204.239.213.in-addr.arpa domain name pointer temot.de.
[studio42@flatus counter]$ whois 213.239.204.121@whois.ripe.net
[whois.ripe.net]
% This is the RIPE Whois query server #3.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '213.239.204.0 - 213.239.207.255'
inetnum: 213.239.204.0 - 213.239.207.255
netname: HETZNER-RZ-NBG-NET2
descr: Hetzner Online AG
descr: Datacenter Nuernberg
country: DE
admin-c: HOAC1-RIPE
tech-c: HOAC1-RIPE
status: ASSIGNED PA
mnt-by: HOS-GUN
mnt-lower: HOS-GUN
mnt-routes: HOS-GUN
source: RIPE # Filtered
role: Hetzner Online AG - Contact Role
address: Hetzner Online AG
address: Stuttgarter Straße 1
address: D-91710 Gunzenhausen
address: Germany
phone: +49 9831 61 00 61
fax-no: +49 9831 61 00 62
abuse-mailbox: abuse@hetzner.de
remarks: *************************************************
remarks: * For spam/abuse/security issues please contact *
remarks: * abuse@hetzner.de , not this address *
remarks: *************************************************
remarks:
remarks: *************************************************
remarks: * Any questions on Peering please send to *
remarks: * peering@hetzner.de *
remarks: *************************************************
org: ORG-HOA1-RIPE
admin-c: MH375-RIPE
tech-c: GM834-RIPE
tech-c: RB1502-RIPE
tech-c: SK2374-RIPE
tech-c: ND762-RIPE
nic-hdl: HOAC1-RIPE
mnt-by: HOS-GUN
source: RIPE # Filtered
% Information related to '213.239.192.0/18AS24940'
route: 213.239.192.0/18
descr: HETZNER-RZ-NBG-BLK2
origin: AS24940
mnt-by: HOS-GUN
source: RIPE # Filtered
Outgoing spotted.
Scammer not spotted.
On to the scammer's site:
[studio42@flatus counter]$ host static-ip-86-239-104-152.anlai.com
static-ip-86-239-104-152.anlai.com has address 152.104.239.86
[studio42@flatus counter]$ whois 152.104.239.86@whois.apnic.net
[whois.apnic.net]
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 152.104.0.0 - 152.104.255.255
netname: HONGKONG-NET
descr: imported inetnum object for HKI
country: HK
admin-c: NC30-AP
tech-c: NC30-AP
status: ALLOCATED PORTABLE
remarks: ----------
remarks: imported from ARIN object:
remarks:
remarks: inetnum: 152.104.0.0 - 152.104.255.255
remarks: netname: HONGKONG-NET
remarks: org-id: HKI
remarks: status: assignment
remarks: rev-srv: NS1.DIYIXIAN.COM
NS2.DIYIXIAN.COM
remarks: tech-c: NC260-ARIN
remarks: reg-date: 1991-07-30
remarks: changed: hostmaster@arin.net 20010925
remarks: source: ARIN
remarks:
remarks: ----------
notify: nathan.chow@dyxnet.com
mnt-by: APNIC-HM
changed: hostmaster@arin.net 20010925
changed: hm-changed@apnic.net 20040926
changed: hm-changed@apnic.net 20040224
changed: hm-changed@apnic.net 20041214
source: APNIC
person: Nathan Chow
address: Diyixian.com Ltd.
2705-2710 Prosperity Ctr., 25 Chong
Yip St.
country: HK
phone: +852-21877600
e-mail: nathan.chow@dyxnet.com
nic-hdl: NC30-AP
remarks: ----------
remarks: imported from ARIN object:
remarks:
remarks: poc-handle: NC260-ARIN
remarks: is-role: N
remarks: last-name: Chow
remarks: first-name: Nathan
remarks: street: Diyixian.com Ltd.
2705-2710 Prosperity Ctr., 25 Chong
Yip St.
remarks: country: HK
remarks: mailbox: nathan.chow@dyxnet.com
remarks: bus-phone: +852-21877600
remarks: reg-date: 2001-08-30
remarks: changed: hostmaster@arin.poc 20010925
remarks: source: ARIN
remarks:
remarks: ----------
notify: nathan.chow@dyxnet.com
mnt-by: MNT-ERX-HKINTERNET-NON-HK
changed: hostmaster@arin.poc 20010925
changed: hm-changed@apnic.net 20040224
source: APNIC
That's enough for now.