Currently Wachovia, and Southtrust Banks are getting hit with a phishing scam. The very offical looking, sounding, and totally BS message tells you your account access is restricted and about to be closed due to suspected "fraudulent" activity. Attempts to foreward the e-mail will result in the e-mail substituting it's content with a random (and long) news report. If you have your header info on you'll spot it instantly, and see you a few dozen stops along the way to your inbox. The text body of the message I got, I just don't have a Southtrust account. " Dear Valued Customer, To protect the security of your account access, employs some of the most leading safety online systems in the world and our anti-fraud teams regularly scan the Bank system for fraud activity. In accordance with SouthTrust Bank's Consumer Agreement and to insure that your online account hasn't been compromised, internet access to your account was limited. Your online access will remain blocked until this issue has been decided. Banking Service are remind you that on May 29, 2005 our Banking Review Team identified some uncommon activity in your Debit Card account. If your account access to remain blocked for an extended period of time may effect in further restrictions on the use of your account and possible account closure.Account Support advise you to sign on and fulfil the steps requisite to restore your account access immediatelly. Sign on to Limited Banking Account This is a security procedure meant to help protect you and your Debit Card account. Thank you for your prompt attention to this question. We apologize for any inconvenience. Yours, SouthTrust Bank Card, Banking Support" The Ip's and addy's I pulled from the e-mail- hdblast08.hairdye.sanctum ANY "hdblast" followed by numbers dot pretty much anything. 18.104.22.168 getdatabases.net (127.0.0.1 = BIG RED FLAG!!!!) hdblast08.hairdye.sanctum id hk891c075j0o; email@example.com nts-144.9-185-64.nts-online.net 22.214.171.124 xh91q-hj.hotmail.com effluvium.hotmail.com 126.96.36.199 eyebright23.hotmail.com 188.8.131.52 xb5c-j.hotmail.com 8.12.9p2/8.12.9 184.108.40.206 handymen5-lq.hotmail.com 220.127.116.11 whale.hotmail.com id 20051323275183.URBU4453.euh63dmt.JavaMail.firstname.lastname@example.org bran79-h.hotmail.com equilibrate.hotmail.com 18.104.22.168 JavaMail92.hotmail.com (v104.17) snappish-v.hotmail.com mail4.hotmail.com 22.214.171.124] qmail.hotmail.com id 04663657180735S8908akklvs 126.96.36.199 ec7c-u.hotmail.com 188.8.131.52 teeing0.hotmail.com id 20050203849980.TMKP4681.waw41szb.JavaMail2.hotmail.com@JavaMail.hotmail.com mq35y.hotmail.com drosophila2.hotmail.com 184.108.40.206] JavaMail.hotmail.com 8.12.11/8.12.2 20058131577978.KHHH6154.email@example.com Now for the one thing that REALLY concerns me. a graphic in the e-mail; "http://220.127.116.11/safe.gif", looks to be on a server to be somewhere in the middle east aka Saudia Arabia/Syria/Iraq/Iran ect. if I did my GMT right, but I have trouble just figurin' Daylight Savings. This gif is in almost every junk e-mail I got yesterday, and the day before, and the day before that ect literally 100's of them. Okay here is were it gets "strange", and no I promise you I'm not crazy, though I'm sure many will think so after this paragraph. If I'm right it's the "marks" cash and every IP they can get they are after. Can you say "raw logs"? I believe these guys are the same ones I stumbled upon a little over a year ago. At that time they had a very nasty set of software based on legit Microsoft and Intel Chipset Utility software, (slightly modified) with an "intelligent" bot that "phoned home" or "went home" for instructions on security measure defeating. The stuff seemed very much like the mindset behind one so called "Law Enforcement Software" package, called "D.I.R.T.", only this worked. The software went after the PCI Bus, CD-ROM, and the APCI functions to attempt to gain control of the hardware. After all who cares about software when you can control the hardware? These miscreants were sloppy then, but that's another story, and one no one wants to hear, now or then. I just want to know what it's 13th entry in the registry's SAM/Software/Secrets folder did (the first 12 were virus or worm payloads) It was called "Tmebmb"..?