English Scam? (aka header analysis)

By joining our community you will have the ability to post topics and access other forums reserved for members. Registration is quick, simple and absolutely free. Join our community today by clicking here.

Posted: Sun Jan 11, 2009 9:00 pm

I recieved an e-mail with a scammer claiming to be Mrs.Vivian Salem. She then links me to her article,

http://news.bbc.co.uk/2/shared/spl/hi/middle_east/04/vivians_story/html/1.stm

Anyway, I trace the IP address and it links me to London. Is this correct? Oh and this lad is sick so I will aim for a safari and most likely bring a dolla choppa or three into play. Twisted Evil

Not quite a Newb Joined: 14 Jul 2005 Posts: 41

Quote:

Is this correct?

Well, headers would help us answer this question. Wink

There are lads in the UK (as well as everywhere else) but it could also be a ISP who provides services elsewhere - Gilat is a good example of that: They are an ISP based in Israel who provide satellite services to Africa.

Master Baiter Joined: 19 Sep 2008 Posts: 114

If it's the same Vivian Salem I am baiting she claims to be in Baghdad but is actually in India, the IP from the mails I have point to Dehli.

"She" has also supplied and Indian telephone number, 3you may well be asked to contact, however many alds will purchase the same script and so it may not be the same Lad.

You will be passed onto to the "Family Lawyer" Rush Anthony.

I have baited this twice, the first time he dropped me very quickly after I sent a few joke replies to his questions, the second is quickly getting boring.

Posted: Sun Jan 11, 2009 11:28 pm

Post the headers, then we can tell you for sure!

If you're using Gmail, it's the "show original" option on the reply button - paste the whole computery-looking bit up until the start of the email body Smile

Posted: Mon Jan 12, 2009 2:04 am

This is what I got:

X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtTQ0w9NA==

X-Message-Status: n:0

X-SID-PRA: Vivian Salem <[email protected]>

X-Message-Info: mzxw1fS161ziFaRpDijLyKnCftdbAY3aehAVCD4sqUyZFaBi1cPRwuqa8AETPjynYFf6KemdJVnaqHtnmLjz5Vla79hOsWMQ

Received: from omr-d33.mx.aol.com ([205.188.249.131]) by bay0-mc2-f14.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);

Sat, 10 Jan 2009 17:14:46 -0800

Received: from imo-d04.mx.aol.com (imo-d04.mail.aol.com [172.18.150.228])

by omr-d33.mx.aol.com (8.14.1/8.14.1) with ESMTP id n0B1EdWq032637;

Sat, 10 Jan 2009 20:14:41 -0500

Received: from [email protected]

by imo-d04.mx.aol.com (mail_out_v39.1.) id i.c0c.513d28c5 (37659);

Sat, 10 Jan 2009 20:14:22 -0500 (EST)

Received: from User ([83.229.5.205]) by cia-mb07.mx.aol.com (v121_r5.5) with ESMTP id MAILCIAMB071-931b496945f81dd; Sat, 10 Jan 2009 20:14:18 -0500

Reply-To: <[email protected]>

From: "Vivian Salem"<[email protected]>

Subject: Dear Beloved In Christ

Date: Sat, 10 Jan 2009 14:45:37 -0800

MIME-Version: 1.0

Content-Type: text/plain;

charset="Windows-1251"

Content-Transfer-Encoding: 7bit

X-Priority: 3

X-MSMail-Priority: Normal

X-Mailer: Microsoft Outlook Express 6.00.2600.0000

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

X-AOL-IP: 83.229.5.205

To: undisclosed-recipients:;

Message-ID: <[email protected]>

X-Spam-Flag:YES

Return-Path: [email protected]

X-OriginalArrivalTime: 11 Jan 2009 01:14:46.0839 (UTC) FILETIME=[FE260C70:01C97389]

Posted: Mon Jan 12, 2009 2:07 am

Owd Git wrote:

If it's the same Vivian Salem I am baiting she claims to be in Baghdad but is actually in India, the IP from the mails I have point to Deli.

"She" has also supplied and Indian telephone number, 3you may well be asked to contact, however many alds will purchase the same script and so it may not be the same Lad.

You will be passed onto to the "Family Lawyer" Rush Anthony.

I have baited this twice, the first time he dropped me very quickly after I sent a few joke replies to his questions, the second is quickly getting boring.

LOL! I usually bait the creeps that take advantage of those who died. Oh and what an opportunity do I have at my fingertips. Twisted Evil

And your avatar scares me... Laughing

Posted: Mon Jan 12, 2009 2:11 am

This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Information related to '83.229.0.0 - 83.229.127.255'

inetnum: 83.229.0.0 - 83.229.127.255
org: ORG-SGN1-RIPE
netname: UK-SKYVISION-20040513
descr: SkyVision Holdings Ltd.
country: GB
admin-c: SVAC-RIPE
tech-c: SVNC-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: SV-MNT
mnt-routes: SV-MNT
notify: ***@sky-vision.net
changed: **********@ripe.net 20040513
changed: **********@ripe.net 20070720
source: RIPE

organisation: ORG-SGN1-RIPE
org-name: SkyVision Holdings Ltd.
org-type: LIR
address: SkyVision Holdings Ltd.
Kinetic Business Centre
Theobald Street
WD6 4PJ Borehamwood
United Kingdom
phone: +44 20 8387 1750
fax-no: +44 20 8387 4004
e-mail: ***@sky-vision.net
admin-c: DR1870-RIPE
admin-c: JP4406-RIPE
admin-c: SVAC-RIPE
admin-c: SVNC-RIPE
admin-c: SB106-RIPE
admin-c: YURI
mnt-ref: SV-MNT
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
changed: **********@ripe.net 20040415
changed: *********@ripe.net 20040428
changed: *********@ripe.net 20041229
changed: *********@ripe.net 20050307
changed: *********@ripe.net 20050310
changed: *********@ripe.net 20050315
changed: *********@ripe.net 20050315
changed: *********@ripe.net 20050401
changed: *********@ripe.net 20050412
changed: *********@ripe.net 20050602
changed: *********@ripe.net 20050714
changed: *********@ripe.net 20051114
changed: *********@ripe.net 20060305
changed: *********@ripe.net 20060305
changed: *********@ripe.net 20060305
changed: *********@ripe.net 20060316
changed: *********@ripe.net 20060606
changed: *********@ripe.net 20061206
changed: *********@ripe.net 20070121
changed: *********@ripe.net 20070121
changed: *********@ripe.net 20070130
changed: *********@ripe.net 20070320
changed: *********@ripe.net 20070322
changed: *********@ripe.net 20070322
changed: *********@ripe.net 20070404
changed: *********@ripe.net 20070502
changed: *********@ripe.net 20070516
changed: *********@ripe.net 20070516
changed: *********@ripe.net 20070720
changed: *********@ripe.net 20070720
changed: *********@ripe.net 20070720
changed: *********@ripe.net 20070813
changed: *********@ripe.net 20080213
changed: *********@ripe.net 20080213
changed: *********@ripe.net 20080312
changed: *********@ripe.net 20080326
changed: *********@ripe.net 20080326
changed: *********@ripe.net 20080326
changed: *********@ripe.net 20080327
changed: *********@ripe.net 20080401
changed: *********@ripe.net 20080506
changed: *********@ripe.net 20080506
changed: *********@ripe.net 20080704
changed: *********@ripe.net 20080908
changed: *********@ripe.net 20081209
changed: *********@ripe.net 20081216
changed: *********@ripe.net 20081218
changed: *********@ripe.net 20081223
changed: *********@ripe.net 20090106
changed: *********@ripe.net 20090106
changed: *********@ripe.net 20090106
changed: *********@ripe.net 20090106
changed: *********@ripe.net 20090106
changed: *********@ripe.net 20090106
changed: *********@ripe.net 20090107
changed: *********@ripe.net 20090107
changed: *********@ripe.net 20090107
changed: *********@ripe.net 20090107
changed: *********@ripe.net 20090107
source: RIPE

role: SkyVision Network Coordination Center
org: ORG-SGN1-RIPE
address: SkyVision Global Networks
address: Kinetic Business Centre
address: Theobald Street
address: Borehamwood
address: Hertfordshire WD6 4PJ
address: United Kingdom
phone: +44 20 8387 1750
fax-no: +44 20 8387 4004
e-mail: ***@sky-vision.net
admin-c: SVAC-RIPE
tech-c: SVTC-RIPE
nic-hdl: SVNC-RIPE
mnt-by: SV-MNT
changed: ***@sky-vision.net 20080202
source: RIPE

person: SkyVision Administrative Contact
address: SkyVision Global Networks
address: Kinetic Business Centre
address: Theobald Street
address: Borehamwood
address: Hertfordshire WD6 4PJ
address: United Kingdom
org: ORG-SGN1-RIPE
phone: +44 20 8387 1750
fax-no: +44 20 8387 4004
e-mail: *******@sky-vision.net
nic-hdl: SVAC-RIPE
mnt-by: SV-MNT
changed: ***@sky-vision.net 20080202
source: RIPE

% Information related to '83.229.0.0/17AS8513'

route: 83.229.0.0/17
descr: SkyVision Network Services
origin: AS8513
mnt-by: SV-MNT
changed: ***@sky-vision.net 20040513
source: RIPE

% Information related to '83.229.0.0/20AS8513'

route: 83.229.0.0/20
descr: SkyVision Network Services
origin: AS8513
mnt-by: SV-MNT
source: RIPE
changed: ***@sky-vision.net 20081120

Posted: Mon Jan 12, 2009 2:15 am

83.229.5.205

Apelord gives me a sat providor,

IP tracker shows the sat off west africa

NExt gives me
Scammer Found! (ID: 3238)
IP Block 83.229.5.205 (Frequent Scammer)
Country Marina, Lagos, Nigeria
Comments Contains recon area. Asonnet ATL Via UK Parent (83.229.0.0 - 83.229.20.255)
Abuse Email [email protected]

Posted: Mon Jan 12, 2009 2:17 am

OY! This is good news as my character is living in London. Laughing

So the server comes from London?

Posted: Mon Jan 12, 2009 2:19 am

nextweb says
Scammer Found! (ID: 3238)
IP Block 83.229.5.205 (Frequent Scammer)
Country Marina, Lagos, Nigeria
Comments Contains recon area. Asonnet ATL Via UK Parent (83.229.0.0 - 83.229.20.255)
Abuse Email [email protected]

Posted: Mon Jan 12, 2009 2:21 am

This is what I got:

Address: United Kingdom

Description: SkyVision Network Services

Country: GB - United Kingdom

Posted: Mon Jan 12, 2009 2:28 am

after you do your header analysis go here

http://www.nextwebsecurity.com/LocationTools.asp

and plug in the last ip; of course this is only post 8 for me so Lord know's I'm an expert

Posted: Mon Jan 12, 2009 2:30 am

@ irish & embalmer Embarassed

ok i want some of them dar tools apelord & next web you are makeing me look a bigger fool then i all ready are Embarassed

Posted: Mon Jan 12, 2009 5:05 am

^^^ You will find the apelord header tool in the romance sticky along with header instructions for most of the common providors, post 6 if I recall Wink

Baiting Guru Joined: 04 Jan 2006 Posts: 3193

The location tools can provide a useful hint, but they are a long way from being dependable, and where a satellite link is concerned they are likely to be way off.

There is no scientifically accurate way to determine the location of an IP address. There are certain blocks allocated to certain countries but that is as far as it goes. We have seen several cases of even this rule being broken.

The tools work by having a database of IP address locations gathered from such things as shopping sites, where a customer has given their address. They work on the assumption that similar IP addresses are physically close together. This is a good guess, but not 100% true.

There are at least three different location databases, and they produce different results.

I believe these three use distinct databases:

There is no magic or high-tech involved. They do not work out distances by time delays or anything like that. It is all guesswork.

Posted: Mon Jan 12, 2009 10:21 pm

Looks like a satellite provider based in the UK with satellite points of presence in West Africa. Your lad will be in or around Nigeria, I'm pretty certain. Which means he needs a good excuse for not meeting up with you in Soho Wink

English Scam? (aka header analysis)	View next topic View previous topic