If it's of interest to you, here's another example (forwarded
separately). This one's a Citibank phish - and where the Westpac one
was clearly sent direct, this one has a received line which would
suggest that it was routed through a relay.
I don't believe it. The relay, if that's what it was, appeared to be a
student dorm at a French-speaking university also in Canada. The first
received: line alleges to be from "pormexico.com", but the IP address
belongs to Hewlett Packard according to whois.
I think those URLs are kind of interesting. The Citibank one references
an IP address belonging in Korea (according to whois). The Westpac one
refers to at least a URL redirection service in Russia (www.da.ru)
to something calling itself jablow.kir.jp, which on the face of it
appears to be a legitimate site of some kind.
I wonder if this is some kind of worm-like infestation, which would
account for the broad number of connection attempts, IP addresses and
the apparent lack of relays. A student dorm, a dial up/DSL address and
an HP address seem like an unlikely real source for these things.
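
Added example, not part of the original message: a small Python check for the kind of Received: line inspection described above. It treats only the hop stamped by the recipient's own mail server as verified, and compares the sender-supplied HELO name with the reverse-DNS name and IP that server recorded. The message, host names, addresses and the `trusted_mx` parameter are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample message; Received lines are stacked newest first.
SAMPLE = """\
Received: from claimed-bank.example (dorm-17.univ.example [192.0.2.44])
\tby mx.recipient.example with ESMTP id ABC123; Mon, 1 Jan 2001 10:00:05 +0000
Received: from relay.somewhere.example (unknown [198.51.100.9])
\tby claimed-bank.example with SMTP; Mon, 1 Jan 2001 10:00:01 +0000
From: "Security" <support@claimed-bank.example>
Subject: Verify your account

body
"""

# Sendmail/Postfix style: from <helo> (<rdns> [<ip>]) by <server>
HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)")

def names_agree(helo, rdns):
    """True if the HELO name equals, or is a parent domain of, the rDNS name."""
    helo, rdns = helo.lower(), (rdns or "").lower()
    return rdns == helo or rdns.endswith("." + helo)

def assess(raw, trusted_mx):
    """Return hops newest-first with 'verified' and 'helo_mismatch' fields.

    A hop is verified only while every header so far was written by
    trusted_mx; anything below that point was supplied by the sender
    and may be forged, including an apparent relay.
    """
    hops, in_trusted_zone = [], True
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(value)
        if not m:
            continue
        hop = m.groupdict()
        in_trusted_zone = in_trusted_zone and hop["by"] == trusted_mx
        hop["verified"] = in_trusted_zone
        # Only judge HELO against data our own server recorded.
        hop["helo_mismatch"] = (
            not names_agree(hop["helo"], hop["rdns"]) if in_trusted_zone else None)
        hops.append(hop)
    return hops

if __name__ == "__main__":
    for h in assess(SAMPLE, "mx.recipient.example"):
        print(h)
```
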