Hi Craig,

If it's of interest to you, here's another example (forwarded separately). This one's a Citibank phish - and where the Westpac one was clearly sent direct, this one has a received line which would suggest that it was routed through a relay. I don't believe it. The relay, if that's what it was, appeared to be a student dorm at a French-speaking university also in Canada. The first received: line alleges to be from "pormexico.com", but the IP address belongs to Hewlett Packard according to whois.

I think those URLs are kind of interesting. The Citibank one references an IP address belonging in Korea (according to whois). The Westpac one refers to at least a URL redirection service in Russia (www.da.ru) and to something calling itself jablow.kir.jp, which on the face of it appears to be a legitimate site of some kind.

I wonder if this is some kind of worm-like infestation, which would account for the broad number of connection attempts, IP addresses and the apparent lack of relays. A student dorm, a dial-up/DSL address and an HP address seem like an unlikely real source for these things.

Dave.
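
Whether a Received: chain like the one discussed above can be believed depends on which lines were written by a mail server the recipient controls; anything below that point was supplied by the connecting host. The following is an added example, not part of the original message: it splits a chain at that trust boundary and reports the one connecting IP that can be relied on. The headers are constructed, the host names and the `TRUSTED` set are hypothetical, and a Postfix-style Received layout is assumed.

```python
import re
from email import message_from_string

# Assumed layout: "from HELO (RDNS [IP]) ... by HOST" (Postfix style; other MTAs differ).
HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
                 r".*?\bby\s+(?P<by>\S+)", re.S)

# Constructed sample; names and addresses are documentation values, not real hosts.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby mail.example.org with ESMTP id A1; Mon, 1 Mar 2004 10:00:02 +0000
Received: from bank-mailer.example.com (dorm-12.campus.example [203.0.113.45])
\tby mx.example.net with SMTP id B2; Mon, 1 Mar 2004 10:00:00 +0000
Received: from claimed-sender.example (unknown [192.0.2.10])
\tby dorm-12.campus.example with SMTP id C3; Mon, 1 Mar 2004 09:59:58 +0000
Subject: constructed sample

body
"""

# Hypothetical: the receiving organisation's own mail servers.
TRUSTED = {"mail.example.org", "mx.example.net"}

def parse_hops(raw):
    """Return Received hops newest-first as dicts with helo, rdns, ip, by."""
    msg = message_from_string(raw)
    return [m.groupdict() for v in msg.get_all("Received", [])
            if (m := HOP.search(v))]

def analyse(raw, trusted):
    """Split the chain where our own servers stop being the ones writing the lines."""
    verified, unverified = [], []
    in_trusted = True
    for hop in parse_hops(raw):
        # Once a line was written by a host we do not run, it and every
        # line below it could have been typed in by the sender.
        in_trusted = in_trusted and hop["by"].lower() in trusted
        (verified if in_trusted else unverified).append(hop)
    # The lowest trusted line records the address that really connected to us.
    source = verified[-1] if verified else None
    # A HELO name that differs from the logged reverse-DNS name is a forgery hint.
    mismatch = bool(source) and source["helo"].lower() != source["rdns"].lower()
    return {"source": source, "helo_mismatch": mismatch, "unverified": unverified}

if __name__ == "__main__":
    result = analyse(SAMPLE, TRUSTED)
    print("connecting IP:", result["source"]["ip"])
    print("HELO/rDNS mismatch:", result["helo_mismatch"])
    print("unverifiable hops:", [h["ip"] for h in result["unverified"]])
```
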