Author |
Message |
redshoes17
Elite Baiter
Joined: 28 Feb 2007
Posts: 1731
|
Posted:
Thu Mar 06, 2008 1:38 am |
|
One of my mentees has a question I cannot answer about headers.
I would appreciate it if someone can help us out.
Quote: |
Am I reading this correctly so that this contact of mine is located in Finland but possibly using a webmail or similar through the USA? I see "The Bat" is involved so I'm not sure what changes that can make (if any) with regards to IP addresses. Can I assume they are from either Finland or USA or could they really be in Russia? |
Quote: |
Return-Path:
Received: from mailfreedom4u.net (mailfreedom4u.net [208.72.169.176])
by mail08.syd.optusnet.com.au (8.13.1/8.13.1) with ESMTP id m1OAZai6014583
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
for ; Sun, 24 Feb 2008 21:35:39 +1100
Received: (qmail 29249 invoked by uid 89); 24 Feb 2008 18:41:55 -0000
X-Mail-Scanner: Scanned by qSheff-II-2.1-r2 (http://www.enderunix.org/qsheff/)
Received: from unknown (HELO ?172.17.22.170?) (192.194.197.194)
by mailfreedom4u.net with SMTP; 24 Feb 2008 18:41:40 -0000
Date: Sun, 24 Feb 2008 14:52:08 +0500
From: Anastasija
X-Mailer: The Bat! (v3.95.3) Professional
Reply-To: Anastasija
Organization: Anastasija
X-Priority: 3 (Normal)
Message-ID: <[email protected]>
To: [email protected]
Subject: Re: Your profile
In-Reply-To: <[email protected]>
References: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----------72154343E8E0256"
------------72154343E8E0256
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit |
|
_________________
Willy Accra to Abuja to Maiduguri
Floyd Lagos to Abeche with reaper
Dan Benin City to Lagos
ARK Tamale to Kumasi
x41
I don't need you alone for sex. w1l13
i was ashamed this money money was not in the system when we got there to cash it,it made me and my family lawyer look like little children Godwin
'because no one want your progress not every one want your goat to give birth to twins as the man who see tomorrow told me when i visit him in the shrine Godwin
i was rubbed by rubber last friday, they collectted all my money and my phones. |
|
|
|
harrya
Elite Baiter
Joined: 23 Jul 2006
Posts: 1489
Location: Not Happy
|
Posted:
Thu Mar 06, 2008 5:43 am |
|
A lot of the Russians use proxies which change the IP info.
The best thing to do is check the IP daily; if it keeps jumping all around the world they are on a proxy. Unfortunately not much can be done about pinpointing them, other than arranging a meeting. |
|
|
|
|
Gadget
Not quite a Newb
Joined: 28 Feb 2008
Posts: 32
Location: The Land of Oz
|
Posted:
Thu Mar 06, 2008 9:24 am |
|
Redshoes17 posted that header info request on my behalf. I just had a look at the last bunch of emails I have received and they all contain those same 2 IP addresses from USA and Finland.
I guess it doesn't really matter where they are from. Just thought the extra knowledge might come in handy. |
|
|
|
|
harrya
Elite Baiter
Joined: 23 Jul 2006
Posts: 1489
Location: Not Happy
|
Posted:
Thu Mar 06, 2008 10:50 am |
|
Once "the bat" is involved it's hard to locate them. As you said it doesn't really matter. If you really want to know where they are then setting up a meet under a public web cam is really the only way to be sure. However the well organised ones do have friends around the world to sit in for them when required.
Romance scammers are a slow bait, take your time, push them into a corner.
They can be a great deal of fun.
Also "The Bat" is a legit piece of software (it has some dubious features); it is great for mass mail out etc.
However for person to person contact it is over the top, thus the assumption that a person using it is most likely a scammer. |
|
|
|
|
wayne
Account closed at users request
Joined: 05 Dec 2005
Posts: 3630
|
Posted:
Thu Mar 06, 2008 10:57 am |
|
If you get an odd IP address, then Google it as well. Sometimes you'll find it listed as a proxy. Sometimes you'll find other "ladies" using the same IP address as well. |
_________________ x56 |
|
|
|
Newdonym
Elite Baiter
Joined: 19 Jan 2008
Posts: 1043
|
Posted:
Thu Mar 06, 2008 11:59 am |
|
I think I may have got the wrong end of the stick, but you don't mean that the headers show as follows:
With both the USA and Finland ones showing?
If so, then the email is either sent from Finland, or they are using a proxy, or they have faked their headers to have an IP from Finland. The USA part is just the way it was routed to you. |
|
|
|
|
Gadget
Not quite a Newb
Joined: 28 Feb 2008
Posts: 32
Location: The Land of Oz
|
Posted:
Thu Mar 06, 2008 12:30 pm |
|
Yes, those were the 2 IPs I was referring to. I was thinking along those lines, Newdonym, with the original message coming from Finland, but I just noticed something else in the header.
See the reference to:
Message-ID: <[email protected]>
I just did a search on the slogamail.info domain and the page http://www.aboutus.org/SlogaMail.info comes up with what seems to look like Russian text, as do some of the links. So if that domain name comes last could it really be coming from somewhere else like Russia? From the translations I can find it seems like some sort of mail filtering service.
Anyone heard of this? |
|
|
|
|
Newdonym
Elite Baiter
Joined: 19 Jan 2008
Posts: 1043
|
Posted:
Thu Mar 06, 2008 12:36 pm |
|
I'm not too sure on that. Can't say I've read up on it.
With the above header, you can get a list, say 10 IPs long. It is based on how many routers and exchanges the email has passed through. As the image says. The last IP is usually the origin. |
|
|
|
|
Skerrett
Master Baiter
Joined: 16 Jul 2007
Posts: 214
|
Posted:
Thu Mar 06, 2008 12:58 pm |
|
The Finnish IP is also in use by one near the end of this post -
are these the photos being used?
http://www.romancescam.com/forum/viewtopic.php?t=1093 |
_________________ Be Careful out there
Once the bait is over IMHO you should publish in an open forum or even when you have a few generic mass mails that can't identify your baiting persona -
Prevent the scammer making $$ from victims and that is a real victory, every single thank you from a victim your post alerts preventing a scammer making $$ should be considered a trophy too!!!
One such place is
http://www.romancescam.com
They have sections on Vlads and Lads
Any contact details or links I post are an open invitation to readers to jump on in and write to them
x2 |
|
|
|
Newdonym
Elite Baiter
Joined: 19 Jan 2008
Posts: 1043
|
Posted:
Thu Mar 06, 2008 1:08 pm |
|
Also used,
HERE and HERE
IP's should be highlighted. |
|
|
|
|
Skerrett
Master Baiter
Joined: 16 Jul 2007
Posts: 214
|
Posted:
Thu Mar 06, 2008 1:23 pm |
|
See later postings |
Last edited by Skerrett on Thu Mar 06, 2008 1:34 pm; edited 3 times in total |
|
|
|
Gadget
Not quite a Newb
Joined: 28 Feb 2008
Posts: 32
Location: The Land of Oz
|
Posted:
Thu Mar 06, 2008 1:25 pm |
|
Thanks for posting those links Skerrett and Newdonym but those photos don't match the "girl" in my photos. I will read up on those links as a quick look shows the scripts in play to be almost the same as what I'm getting now so that can give me a heads up on what's coming. |
|
|
|
|
Skerrett
Master Baiter
Joined: 16 Jul 2007
Posts: 214
|
Posted:
Thu Mar 06, 2008 1:34 pm |
|
Those two are from the same computer!!
The HELO in them is the same
There is one in one of the replies on a link from the same PC as the one I posted, again same HELO in the header.
The original IP has a different HELO so is from a different PC so it could show three or four guys writing using the script and photos |
|
|
|
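Added example, not written by any poster in this thread: the two header-reading points made above (the bottom `Received` line is the earliest hop, and a repeated HELO value ties messages to one machine) expressed as Python over the header quoted in the first post. The function names `hops` and `group_by_origin_helo` are hypothetical, and only the sendmail and qmail line shapes seen in that header are handled.

```python
import ipaddress
import re
from collections import defaultdict
from email import message_from_string

# Received lines copied from the header quoted in the first post (folding
# restored, the elided "for" clause and the TLS comment dropped).
QUOTED = """\
Received: from mailfreedom4u.net (mailfreedom4u.net [208.72.169.176])
 by mail08.syd.optusnet.com.au (8.13.1/8.13.1) with ESMTP id m1OAZai6014583;
 Sun, 24 Feb 2008 21:35:39 +1100
Received: (qmail 29249 invoked by uid 89); 24 Feb 2008 18:41:55 -0000
Received: from unknown (HELO ?172.17.22.170?) (192.194.197.194)
 by mailfreedom4u.net with SMTP; 24 Feb 2008 18:41:40 -0000

"""

# "from NAME (rdns [IP])" (sendmail) or "from rdns (HELO NAME) (IP)" (qmail)
FROM_RE = re.compile(r"from\s+(\S+)\s+(?:\(HELO\s+(\S+?)\)\s+)?\(([^)]*)\)")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
BY_RE = re.compile(r"\bby\s+(\S+)")

def is_private(text):
    try:
        return ipaddress.ip_address(text).is_private
    except ValueError:
        return False  # a host name, not an address literal

def hops(raw):
    """Relay hops, earliest first. Each server prepends its own Received line."""
    out = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        flat = " ".join(value.split())
        m = FROM_RE.match(flat)
        if not m:  # qmail's local "(qmail N invoked by uid N)" hand-off
            continue
        helo = (m.group(2) or m.group(1)).strip("?[]")  # name the client claimed
        ip = IP_RE.search(m.group(3))  # address the receiving server recorded
        by = BY_RE.search(flat)
        out.append({"helo": helo, "ip": ip.group(0) if ip else None,
                    "by": by.group(1) if by else None,
                    "helo_private": is_private(helo)})
    return out

def group_by_origin_helo(raws):
    """Map the first hop's HELO to the set of source IPs seen with it."""
    groups = defaultdict(set)
    for raw in raws:
        chain = hops(raw)
        if chain:
            groups[chain[0]["helo"]].add(chain[0]["ip"])
    return dict(groups)
```

On the quoted header the earliest hop has HELO `172.17.22.170`, a private-range address supplied by the sending client, while `192.194.197.194` is the address mailfreedom4u.net recorded for the connection. Only lines added by servers you trust are reliable; anything below them can be written by the sender.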
wayne
Account closed at users request
Joined: 05 Dec 2005
Posts: 3630
|
Posted:
Thu Mar 06, 2008 1:37 pm |
|
The names and the photos aren't important. They're easily interchangeable. It's the email headers and the emails themselves that are the important things to look at. |
|
|
|
|