CastleCops, Internet Crime Fighters

Odd phish received

 
Forum: Phishing, Fraud and Dastardly Deeds
logicman_alf
Corporal
Joined: Aug 18, 2006
Posts: 72
Location: UK

PostPosted: Mon Jun 30, 2008 1:54 am    Post subject: Odd phish received

I tried to forward a phish to PIRT and Natwest, but it was bounced back.

The original email showed blank 'from' and 'subject' fields.
Header info revealed it as a Natwest phish.

The content was hidden.

The bounce-back showed the full content with codes.

I was able to forward the entire bounce message to PIRT and Natwest.

As these things are queued, I'm posting the code here.

I've changed x to z as a 'just in case' security measure.

0z500, 0z0, 0z2252, 0z002, 0z1, 0z791, 0z40416281, 0z9,
0z90552121, 0z08356553, 0z04, 0z504, 0z53060010, 0z19,
0z3186 9B7O. 0z879 272168008687216 0z803,
0z45969516, 0z979, 0z6, 0z8105, 0z997 0z7130,
0z79042602, 0z785 RT6: 0z5068, 0z65, 0z48, 0z85,
0z22644474, 0z908, 0z2509, 0z060 K75: 0z10 AVz:
0z02519574 PI7V: 0z48, 0z2677, 0z8787, 0z939
6BV: 0z4020, 0z935, 0z503, 0z8, 0z27299671, 0z62 0z37,
0z4964, 0z4232, 0z32, 0z049, 0z9, 0z60451952, 0z4793, 0z386
0z657, 0z7137, 0z6, 0z09182335, 0z24984892, 0z61082024,
0z991, 0z2253 engine, interface, 4BPQ, cvs, I8Q,
close, CRKM HSU6: 0z6352, 0z5, 0z6868, 0z736, 0z4,
0z8153, 0z3698 85263 RO6W: 0z44781606, 0z954, 0z6958,
0z718, 0z70, 0z749, 0z48, 0z17, 0z67, 0z0241, 0z734, 0z58,
0z0, 0z265, 0z85422951 SIJR ARH eze eze JWAE Z4U source
define. revision: 0z4253, 0z674, 0z17107422 0z1905,
0z9, 0z568, 0z6687, 0z36, 0z05834471, 0z04613492,
0z05362623, 0z95 interface: 0z89
1I8: 0z9095, 0z2044, 0z7, 0z5586, 0z12, 0z34756145, 0z2208,
0z06, 0z2263, 0z4004, 0z2, 0z955, 0z5, 0z60, 0z42646676
0z83, 0z6, 0z95359643, 0z49, 0z929, 0z893 0z7444, 0z7714,
0z970, 0z5915, 0z13643752, 0z5, 0z9387 end: 0z2750, 0z4580,
0z49961693, 0z3986, 0z2230, 0z04667664, 0z81377845,
0z34647258, 0z592, 0z63, 0z23786731 T5C9 J0C.
SOzU: 0z293, 0z1, 0z3480 DK5: 0z21, 0z554, 0z367, 0z5,
0z2118, 0z8123, 0z63132495, 0z94, 0z238, 0z41743210, 0z3,
0z5191, 0z83, 0z6011, 0z1 rcs: 0z43, 0z808, 0z7,
0z71, 0z045, 0z89297595, 0z620, 0z903, 0z523, 0z5269,
0z918, 0z86, 0z5710, 0z90979176 E4L6 root O87N media
TQZO api PUWG. 0z01372203, 0z6978, 0z25124574, 0z0,
0z96542844, 0z3175, 0z49187317, 0z54565190, 0z6558, 0z8,
0z97, 0z8, 0z3, 0z4933 5570904
62312332350z0536, 0z487, 0z0, 0z17835909, 0z349, 0z0,
0z47363530, 0z7, 0z6831 0z335, 0z26, 0z49, 0z2208, 0z9,
0z3 0z4729, 0z7270, 0z915

pwillener
SRT Trainee, Premium Member
Joined: Apr 17, 2006
Posts: 1838
Location: Japan

PostPosted: Mon Jun 30, 2008 3:33 am    Post subject:

Now I am puzzled - what kind of code is this? How can this be a phish?

logicman_alf
Corporal
Joined: Aug 18, 2006
Posts: 72
Location: UK

PostPosted: Mon Jun 30, 2008 3:56 am    Post subject:

I changed x to z.

I've seen similar code before. It's normally invisible, and is used either to launch a malware attack straight from the email or to hyperlink to a phish site. Usually, a code at the front links through, making the core info invisible to spam checkers, I assume.

In this case, the code had a bug.
As received by me, the email was blank: no header, no sender, nothing! Blank when viewed as HTML, that is.

I forwarded it, but it was bounced. I guess that was an anti-virus bounce.

I re-forwarded the bounce-back as a means to show all the code,
and to ensure all header info was available to PIRT.

I labelled this a phish because of the body text, which appears before the code, and because the header shows it is from Natwest.

> Date: Sunday, 29 June, 2008, 6:09 PM
> Dear customer of NatWest bank,
> We are running a scheduled maintenance on our
> servers. We want to make sure your
> money and your personal details are safe
> and secure.
>
> Due to new security policies all NatWest
> bank customers must complete the Natwest
> Customer Form.
> To complete the form, please use the
> link below:
> Natwest Customer Form
> This should take you directly to the
> Natwest Customer Form.
> Sincerely,
>
> Natwest Customer Service
> .

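The triage logicman_alf describes above (read the real headers out of the bounce, find the lure link, and spot the hidden hex-style block that is there to confuse spam filters) can be scripted. The following is an added example and not code from this thread or from PIRT; it is written against Python's standard library only. The bounce message it parses is constructed for the example: the sender addresses, the 203.0.113.45 address, the form URL and the hex tokens are invented to match the post's description, and natwest.com as the bank's legitimate domain is an assumption. Since the poster replaced x with z before pasting, the token pattern accepts both spellings, so the same routine can be pointed at the block quoted in the first post.

```python
"""Added example (not the thread's own code): triage a bounced phish.
Pulls the original message out of the bounce, reads its real headers and
inspects the HTML for bank-branded links that leave the bank's domain and
for hidden text stuffed with hex-style tokens. RAW_BOUNCE is CONSTRUCTED."""
import email
import ipaddress
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

BRAND_DOMAINS = {"natwest.com"}   # assumption: the bank's legitimate domain
BRAND_WORDS = ("natwest",)         # words the lure text is expected to use
# "0x500"-style tokens; 0z... is accepted too because the poster swapped x for z.
HEX_TOKEN = re.compile(r"\b0[xz][0-9a-fA-F]+\b")

RAW_BOUNCE = b"""\
From: Mail Delivery System <MAILER-DAEMON@mail.example.net>
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/rfc822

Received: from unknown (HELO mail.natwest.com) ([203.0.113.45])
  by mx.example.org with SMTP; Sun, 29 Jun 2008 18:09:02 +0100
From: NatWest Customer Service <service@natwest.com>
Date: Sun, 29 Jun 2008 18:09:00 +0100
Subject:
Content-Type: text/html; charset=iso-8859-1

<html><body><p>Dear customer of NatWest bank,</p>
<p><a href="http://203.0.113.45/natwest/customerform.php">Natwest Customer Form</a></p>
<div style="display:none">0x500, 0x0, 0x2252, 0x002, 0x1, 0x791,
0x40416281, 0x9 RT6: 0x5068 engine, interface, cvs, close</div>
</body></html>
--B1--
"""


class LureParser(HTMLParser):
    """Collect (href, visible text) per anchor and any text under hidden elements."""
    def __init__(self):
        super().__init__()
        self.links, self.hidden_text = [], []
        self._stack = []                # (tag, is_hidden) for every open element
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        if tag not in {"br", "img", "hr", "input", "meta", "link"}:   # void tags never close
            self._stack.append((tag, "display:none" in style or "visibility:hidden" in style))
        if tag == "a":
            self._href, self._text = a.get("href") or "", []

    def handle_endtag(self, tag):
        if any(t == tag for t, _ in self._stack):   # tolerate the sloppy markup lures use
            while self._stack.pop()[0] != tag:
                pass
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
        if any(hidden for _, hidden in self._stack):
            self.hidden_text.append(data)


def link_is_suspicious(href, text):
    """Link text names the bank but the target is a raw IP or off the bank's domain."""
    host = (urlparse(href).hostname or "").lower()
    if not host:
        return False                    # relative link or mailto:, nothing to judge
    try:
        ipaddress.ip_address(host)
        return True                     # a bank does not send customers to a bare IP
    except ValueError:
        pass
    on_brand = any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)
    return any(w in text.lower() for w in BRAND_WORDS) and not on_brand


def triage(raw):
    """Headers of the embedded original (if any) plus the two lure indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # A bounce carries the original as a message/rfc822 part; otherwise use msg itself.
    inner = next((p.get_payload()[0] for p in msg.walk()
                  if p.get_content_type() == "message/rfc822"), msg)
    parser = LureParser()
    for part in inner.walk():
        if part.get_content_type() == "text/html":
            parser.feed(part.get_content())
    parser.close()
    return {
        "from": str(inner.get("From", "")),
        "subject": str(inner.get("Subject", "")).strip(),
        "received": [str(h) for h in inner.get_all("Received", [])],
        "suspicious_links": [h for h, t in parser.links if link_is_suspicious(h, t)],
        "hidden_hex_tokens": len(HEX_TOKEN.findall(" ".join(parser.hidden_text))),
    }
```

Calling triage(RAW_BOUNCE) on the constructed bounce reports the empty Subject, the spoofed NatWest From header, the single Received line carrying the real source address, the form link as suspicious (it points at a bare IP) and nine hex tokens in the display:none block. When the mail client renders the body blank, as happened here, the hidden-text count and the Received chain are what make the case; the link check is what you would forward to the bank.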