Internet and e-mail policy and practice
including Notes on Internet E-mail


Click the comments link on any story to see comments or add your own.

Subscribe to this blog

RSS feed

Home :: Email

26 Jun 2005

Phish or Phair, part II Email

Here we have a piece of mail purportedly from MBNA (a large credit card bank headquartered in an impressively large and anonymous building in Wilmington DE that I walked past a few weeks ago) about a utility bill that perhaps is available in their system for me to pay. Again the only thing I changed was to turn the target address to All of the X- headers were in the original mail.


  • Comes from which is not MBNA
  • Has a lot of dubious 10.x.x.x received headers referring to Checkfree which isn't MBNA, either
  • Has amateurish looking X- headers
  • Body has Javascript to concoct a URL that you're supposed to click on
  • URL links to Is that really MBNA?
  • Bill is from NYSEG which is indeed the local electric company, but anyone who looked at my WHOIS info would know that.

(I've reformatted this message a little bit to make it look OK on the weblog. The headers are verbatim other than the recipient address, and the HTML is basically the way it was. The links take you to a site that looks like MBNA.)

Received: (qmail 18498 invoked from network); 2 Mar 2005 09:54:57 -0000
Received: from (
  by with SMTP; 2 Mar 2005 09:54:57 -0000
Received: from localhost (localhost.localdomain [])
	by (Postfix) with ESMTP id 0399C3BECA
	for ; Wed,  2 Mar 2005 04:54:56 -0500 (EST)
Received: from (
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by (Postfix) with ESMTP id A7A953BEB3
	for ; Wed,  2 Mar 2005 04:54:55 -0500 (EST)
Received: from localhost (localhost.localdomain [])
	by (Postfix) with ESMTP id 8A4E92B4021
	for ; Wed,  2 Mar 2005 04:54:55 -0500 (EST)
Received: from espgcm01 ( [])
	by (Postfix) with ESMTP
	for ; Wed,  2 Mar 2005 04:54:55 -0500 (EST)
Received: from espgcm01 ( [])
 (iPlanet Messaging Server 5.1 (built May  7 2001))
 with ESMTP id <> for; Wed, 02 Mar 2005 04:54:41 -0500 (EST)
Date: 2 Mar 2005 04:54:41 -0500
Subject: You have a new e-bill from NYSEG
MIME-version: 1.0
X-Mailer: smasend
Content-type: text/html; charset=us-ascii
Content-transfer-encoding: 7BIT
X-Priority: 2 (Normal)
X-MessageId: #500219123540203007480_
X-Virus-Scanned: by amavisd-new at
X-Virus-Scanned: by amavisd-new at
You have a new e-bill from NYSEG .

E-bill Information

Merchant Account Number: ***********0007  
Due Date: 03/28/2005   
Amount Due: $118.88  
Account Balance:  
To pay this e-bill, click Pay. You can select a payment date, amount, and payment account after clicking Pay/View E-bill.  

If you are unable to pay this e-bill by clicking the Pay/View E-bill button, follow these steps:

  1. Sign in to Bill Pay Choice.
  2. Click on the Bill Pay logo or the Pay Bills Now button to go to the Bill Pay Choice home page.
  3. Click the Pay button for the e-bill you want to pay online.
  4. Verify the payment details are accurate (You can change the pre-filled information by clicking in the field).
  5. Click the Continue button.
  6. Confirm the payment details are correct and then click the Schedule Payment button.
Your payment is now scheduled for this e-bill. You can view your payment activity online by clicking the Payment Activity link on the left side navigation.

Please do not reply to this message. If you have any questions, please contact us by clicking here. Or call us at 1-800-653-2465.    


Please do not delete this section.

posted at: 12:29 :: permanent link to this entry :: 2 comments
posted at: 12:29 :: permanent link to this entry :: 2 comments

comments...        (Jump to the end to add your own comment)

Looks real to me. does belong to MBNA bank, name servers for are NS1.MBNA.COM and NS2.MBNA.COM.

MBNA does indeed use third parties to deliver its email. At least one of these third parties is listed in a number of DNSBLs.

I do agree though - it is often difficult to distinguish between MBNA email and phish.

(by Chris Linfoot 28 Jul 2005 03:58)

Yes, it's real
You're right, this really is from MBNA, although it looks just like a lot of phishes that are not MBNA.

(by John L 30 Jul 2005 14:47)

Add your comment...

Note: all comments require an email address to send a confirmation to verify that it was posted by a person and not a spambot. The comment won't be visible until you click the link in the confirmation. Unless you check the box below, which almost nobody does, your email won't be displayed, and I won't use it for other purposes.

Email: you@wherever (required, for confirmation)
Title: (optional)
Show my Email address
Save my Name and Email for next time


My other sites

Who is this guy?

Airline ticket info

Taughannock Networks

Other blogs

Domain Name Registration Data at the Crossroads
56 days ago

A keen grasp of the obvious
My high security debit card
522 days ago

Related sites

Coalition Against Unsolicited Commercial E-mail

Network Abuse Clearinghouse

© 2005-2018 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.