Dharma
Baiting Guru
Joined: 11 Jun 2008
Posts: 2254
Location: The Empty Quarter
Posted: Tue Feb 23, 2010 2:14 am
Quote:
Hello,
I have a good business proposal to share with you. Please let me hear =
from
you to enable me provide you with the necessary details for us to begin
the process.
Email: [email protected]
Thanks and Regards,
Tai
Well, I checked the email address and it belongs to a lecturer at the University of Abertay, Dundee, Scotland.
Some may suggest her email might have been hacked.
Guess what, the IP address goes back to the University of Abertay, Dundee, Scotland!!!
Isn't that weird?
Here are the headers.
I removed the lecturer's name.
Whoever sent this email signed it with a different name than the real name of the real lecturer.
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MTtTQ0w9Mw==
X-Message-Status: n:0
X-Message-Info: 39b3kEZapmWVMVgMKzChvXw8biv4DWn+U2g6eTl4knD/Y6VMUTR0j06rnV0nVscfWepFqgrO5NI7E3RieQgu7Q==
Received: from UADHTS01.uad.ac.uk ([193.60.160.125]) by snt0-mc2-f4.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
Mon, 22 Feb 2010 17:39:42 -0800
Received: from uadmta03.uad.ac.uk (193.60.160.134) by UADHTS01.uad.ac.uk
(193.60.160.125) with Microsoft SMTP Server id 8.2.213.0; Tue, 23 Feb 2010
01:39:27 +0000
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-Class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----_=_NextPart_001_01CAB41A.D9C6AD99"
Subject: Business Proposal
Date: Mon, 22 Feb 2010 23:57:54 +0000
Message-ID: <[email protected]>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Business Proposal
Thread-Index: Acq0GtdVjX7iZxsBSpmOFHAp+HiOZA==
From: "******" <*****@abertay.ac.uk>
To: Undisclosed recipients:;
Return-Path: *****@abertay.ac.uk
X-OriginalArrivalTime: 23 Feb 2010 01:39:42.0308 (UTC) FILETIME=[120E8240:01CAB429]
------_=_NextPart_001_01CAB41A.D9C6AD99
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Hello,
I have a good business proposal to share with you. Please let me hear =
from
you to enable me provide you with the necessary details for us to begin
the process.
Email: [email protected]
Thanks and Regards,
Tai
=20
------_=_NextPart_001_01CAB41A.D9C6AD99
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Last edited by Dharma on Tue Feb 23, 2010 2:45 am; edited 1 time in total
internationalchrysis
Baiting Guru
Joined: 19 Aug 2008
Posts: 3793
Location: Romancing the (Blood from a) stone!
Posted: Tue Feb 23, 2010 2:35 am
Having two work colleagues lose their account to scammers fairly recently, I'm not all that surprised to hear this. Sounds like the lecturer clicked something he shouldn't have.
_________________ Proud "member" of "The Todger Club"!
x1 (Senegal to Gambia)
"You can go now and f*ck yourself with a donkey or horse because you really need to be f*cked by a donkey or horse"
(George Michael's brother Frank/Frannypoo)
"You are a dead meat!"
(Léon the (Not so) Professional)
(19 in total:
x2 Léon the (not so) Professional. x4 Via Swindler's list. x4 Via Will and Grace the Law Firm. x3 *Hitman, x1 Hitman: The sequel!, x1 Haiti scam, x1 The Bimbo (via Umbongo Chambers),
x1 Rita the ETA eater, x1 Via Team Doughnut, x1 Via Prince Emaka, x4 via the Nazis)
Dharma
Baiting Guru
Joined: 11 Jun 2008
Posts: 2254
Location: The Empty Quarter
Posted: Tue Feb 23, 2010 2:51 am
Thanks internationalchrysis for the reply.
I guess I'm going to call her tomorrow.
But how the hell did he know about my email? It's not published anywhere.
sir scam alot
Baiting Guru
Joined: 19 Mar 2008
Posts: 5076
Location: Louisiana
Posted: Tue Feb 23, 2010 3:19 am
Most likely it's a phished webmail account. A lot of lads phish accounts to bomb out massmails. Educational accounts are prized amongst the scumbags.
_________________ = Rev. JB Johnson. Lome to Parakou "i thought it will just be a day jouney. unknowingly to me that it will last up to one week."
2 = Harrison: Owerri, Nigeria to Cotonou, Benin and Accra, Ghana "i know ive been a sucker for twat "
= (Group safari) Oy3nka Ch1dinma: Lagos to Cotonou: "Thank you so much for the embrassment."
= Group safari - Dan Nkwerre: Port Harcourt to Abeche, Chad
2 = Barr. Mustapha Marlick: Lome, Togo to Abuja Nigeria and Accra, Ghana.
x15 (some survived) x280
Have you kicked your lad today?
Over $1 million USD in fake checks/money orders confiscated
r2d2
Master of Master Baiters
Joined: 19 Apr 2009
Posts: 796
Location: in a galaxy far far away
Posted: Tue Feb 23, 2010 9:16 am
Quote:
the IP address goes back to University of Abertay, Dundee, Scotland
if you are using the apelord tool, there are reports that it is broken
if you click on the whois button, it will give you the correct resolution of the ip address, which might be different.
a kosher academic institution in the uk should have email addresses end with .ac.uk - does the from: address match that?
_________________ x4
Climate Change for Dummies
Climate Sceptic Myths Debunked
Bankster
Baiting Guru
Joined: 22 Jun 2007
Posts: 2239
Location: Gone for a while.
Posted: Tue Feb 23, 2010 9:34 am
^^ 193.60.160.125 resolves to uadhts01.abertay.ac.uk and according to RIPE is registered to University of Abertay Dundee.
Maybe the sender account needn't even be hacked, depending on the network setup it might suffice to be anywhere inside the UAD network. At any rate the network admin may be interested in this.
_________________ Whoever said you can't touch happiness has never petted a dog.
( ) x10 __ x?
thud419
Baiting Guru
Joined: 04 Jan 2006
Posts: 3193
Posted: Tue Feb 23, 2010 10:22 am
^^^ Please do that, they will want to know. Be sure to include the full email with full headers, and don't censor it.
There is no Received line in those headers that points outside the university. That may be because it was webmail and the IP isn't recorded (like gmail does), or it could be an inside job - some student hacking staff email accounts. If the IT admin's logs are detailed enough or they can monitor activity, it is possible they could catch this lad. Arrest is too much to hope for, but expulsion may be on the cards.
_________________ Click here to feel warm and cozy.
I did not f**k your wife in any way -- Nike Akanbi
I don't know what else to do or do I continue filling and filling forms. -- Barr. Koloti
you has been dribbling me up and down but I will show some thing you have never seen before, I think you breath air wait and see. -- Barr. Cole
x14
x 0.25 won from Reaper in a sucker's bet
x8 x several
wowwow
Elite Baiter
Joined: 14 Apr 2009
Posts: 1795
Location: Here is the picture of the cash in the boxes before we send it down to the company to deposited it
Posted: Tue Feb 23, 2010 1:02 pm
It's also possible that these headers have been forged.
Anywise, send the copy of the mail and full headers to [email protected]
_________________ Please do not contact anybody again expect me on here because they are many hijackers on internet SGT Tony Benson
OK IF THERE IS A BULLET IN YOUR HEAD IS THAT ENOUGH PROOF Devil Killer Squad
YOU CALL THE F B I BASTARDS. YOU WILL SUFFER FOR THIS. WE HAVE TRACED YOU WITH ALL YOUR DETAILS FBI WARNS
I am the person who owns the safe firm in UK but right now on sick bed for my heart surgery due to my heart failure M Efosa
Tell them to go to hell and burn to arches Prince Jerry Zulusofola
I don’t have job, I am a hacker, hacking jawing stick and Sachet water Udeh Ebuka
http://forum.419eater.com/forum/viewtopic.php?t=162469
x5
r2d2
Master of Master Baiters
Joined: 19 Apr 2009
Posts: 796
Location: in a galaxy far far away
Posted: Tue Feb 23, 2010 2:12 pm
Dharma
Baiting Guru
Joined: 11 Jun 2008
Posts: 2254
Location: The Empty Quarter
Posted: Tue Feb 23, 2010 5:26 pm
sir scam alot
r2d2
Bankster
thud419
wowwow
Thanks guys for your wonderful replies.
This morning I phoned the School of Social and Health Sciences office and informed them about this. The lady told me that the whole mail system is down!
I emailed the full headers, including the name of the lecturer, to [email protected]
Is it that easy to forge the headers?
Bankster
Baiting Guru
Joined: 22 Jun 2007
Posts: 2239
Location: Gone for a while.
Posted: Tue Feb 23, 2010 8:25 pm
Quote:
is it that easy to forge the headers?
Yes, and no. It depends.
A correctly configured mail server will always add a "Received: from xxx by yyy" line at the top of the headers of any mail it processes. As a mail is passed on, each server will add its own line, so that they will read...
Quote:
Received: From server2 by server3
Received: From server1 by server2
Received: From user-pc by server1
The last line in time (i.e. the one at the top, server3 in this example) is usually reliable, because it should have been added by the server on which your mailbox sits, and unless your ISP is spamming you, you can assume that this server will tell you the truth.
It works pretty much the same way in real life. Imagine somebody writes you a nasty letter (on paper) and gives it to me, and I pass it on to your secretary. Let's assume your secretary is trustworthy and tells you that she's got the letter from me. Now you don't know me. I might or might not be trustworthy. I can tell you who's given me the letter, I can tell you that it was Osama bin Laden, or I can choose not to tell you anything at all. What I cannot lie about is that it was me who gave the letter to your secretary, because she's seen me.*
So as a rule of thumb, read the Received: lines from top to bottom to trace the way of an e-mail back through the internet. If there's anything dodgy in the "from XXX" part of a line, everything after that line may be forged.
(*Yes, in theory there's IP spoofing, but it's gotten increasingly impractical or downright impossible in the last few years.)
In your case, there are two Received: lines:
Quote:
Received: from UADHTS01.uad.ac.uk ([193.60.160.125]) by snt0-mc2-f4.Snt0.hotmail.com (blah blah blah)
Received: from uadmta03.uad.ac.uk (193.60.160.134) by UADHTS01.uad.ac.uk (blah blah blah)
The first line states that some Hotmail server (that's where your mailbox is) received the mail from a server that introduced itself as uadhts01.uad.ac.uk and had the IP address 193.60.160.125. Nowadays it is safe to assume that the IP address is correct under normal circumstances.
The second line states that uadhts01.uad.ac.uk received the mail from uadmta03.uad.ac.uk.
There is no third Received: line, which means that either uadmta03.uad.ac.uk was the origin of that mail, or that it's badly configured and doesn't add a Received: line itself, so you can't tell where it got the mail from.
In this case I suspect the latter because of the host name, "uadmta03".
UAD is the University of Abertay Dundee.
MTA may stand for "Mail Transfer Agent", i.e. a mail server.
03 would mean it's the third mail server.
If the server admin is not a total dolt (and unis usually have rather qualified sysadmins), they should still be able to see the origin of your mail in the server's logfiles.
(Edit for the sake of completeness: In this case uadmta03 appears to be an Exchange server, which doesn't generate a Received: line. Though technically speaking, Exchange is already covered in the part where I mention "badly configured servers".)
Last edited by Bankster on Wed Feb 24, 2010 10:53 am; edited 2 times in total
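Bankster's walk through the Received: lines can be turned into a small script. The following is an added example, not code from the thread or from any of its posters. It uses only Python's standard library, takes the two Received: lines and the From: line quoted above reassembled into a header block (a constructed sample), assumes the mailbox sits at hotmail.com as the post says, and also applies r2d2's check that the From: domain ends in .ac.uk. The hop chain is read from the top line (written by the mailbox provider's own server) downwards, each hop's "from" host is compared with the "by" host of the line beneath it, and the script reports where the chain ends.

```python
"""Walk the Received: chain of a raw header block, top to bottom."""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: the two Received: lines and the From: line quoted in
# the thread, reassembled as a folded header block (blank line ends headers).
SAMPLE_HEADERS = (
    "Received: from UADHTS01.uad.ac.uk ([193.60.160.125]) by"
    " snt0-mc2-f4.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);\n"
    " Mon, 22 Feb 2010 17:39:42 -0800\n"
    "Received: from uadmta03.uad.ac.uk (193.60.160.134) by UADHTS01.uad.ac.uk\n"
    " (193.60.160.125) with Microsoft SMTP Server id 8.2.213.0; Tue, 23 Feb 2010\n"
    " 01:39:27 +0000\n"
    'From: "******" <*****@abertay.ac.uk>\n'
    "Subject: Business Proposal\n"
    "\n"
)

# "from <helo> (<ip or comment>) by <host>"; the bracketed part is optional.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>[^\s;()]+)\s*(?:\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>[^\s;()]+)",
    re.IGNORECASE,
)
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_received(value):
    """Turn one Received: header value into a hop dict, or None if unparsable."""
    flat = " ".join(value.split())  # unfold continuation lines
    match = RECEIVED_RE.search(flat)
    if not match:
        return None
    ip_match = IPV4_RE.search(match.group("paren") or "")
    stamp = None
    if ";" in flat:  # the timestamp follows the last ';'
        try:
            stamp = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            stamp = None
    return {"from": match.group("helo"), "ip": ip_match.group(0) if ip_match else None,
            "by": match.group("by"), "time": stamp}


def trace_hops(raw_headers):
    """Hops in header order: index 0 is the newest line, i.e. the last server."""
    msg = message_from_string(raw_headers)
    hops = (parse_received(v) for v in msg.get_all("Received", []))
    return [h for h in hops if h is not None]


def audit_chain(hops, mailbox_domain):
    """Findings a reader would want, walking the chain from the top down."""
    findings = []
    if not hops:
        return ["no Received: lines at all; the header block is incomplete"]
    if not hops[0]["by"].lower().endswith(mailbox_domain.lower()):
        findings.append(f"top line claims to be written by {hops[0]['by']}, not by "
                        f"{mailbox_domain}; the whole block may be pasted from elsewhere")
    for upper, lower in zip(hops, hops[1:]):
        if upper["from"].lower() != lower["by"].lower():
            findings.append(f"break: {upper['by']} got the mail from {upper['from']}, but "
                            f"the next line claims to be written by {lower['by']}; "
                            "that line and everything below it may be forged")
        if upper["time"] and lower["time"] and lower["time"] > upper["time"]:
            findings.append(f"clock skew or forgery: {lower['by']} stamped the mail "
                            f"later than {upper['by']} did")
    last = hops[-1]
    findings.append(f"chain ends at {last['from']} ({last['ip'] or 'no IP recorded'}): "
                    "either the origin, or a server that added no Received: line of its own")
    return findings


def sender_domain_matches(raw_headers, suffix):
    """r2d2's check: does the From: address domain end with e.g. '.ac.uk'?"""
    _, addr = parseaddr(message_from_string(raw_headers)["From"] or "")
    return addr.rsplit("@", 1)[-1].lower().endswith(suffix.lower())


if __name__ == "__main__":
    hops = trace_hops(SAMPLE_HEADERS)
    for hop in hops:
        print(f"{hop['by']:32} <- {hop['from']} ({hop['ip']}) at {hop['time']}")
    for line in audit_chain(hops, "hotmail.com"):
        print("*", line)
    print("From: domain ends with .ac.uk:", sender_domain_matches(SAMPLE_HEADERS, ".ac.uk"))
```

On the sample the chain is consistent and the only finding is that it stops at uadmta03.uad.ac.uk, which is exactly the point made above: the last named host is either the origin or a server that wrote no Received: line, and only that server's own logs can say which.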
Master of Puppets
Baiting Guru
Joined: 12 Mar 2009
Posts: 3294
Location: Pulling the Strings
Posted: Tue Feb 23, 2010 8:34 pm
Bankster
Baiting Guru
Joined: 22 Jun 2007
Posts: 2239
Location: Gone for a while.
Posted: Tue Feb 23, 2010 8:38 pm
^^ Thanks... always happy to help.
If there's a general interest for a more elaborate rant on header analysis, just yell.
Dharma
Baiting Guru
Joined: 11 Jun 2008
Posts: 2254
Location: The Empty Quarter
Posted: Tue Feb 23, 2010 9:27 pm
Bankster wrote:
Quote:
is it that easy to forge the headers?
Yes, and no. It depends.
A correctly configured mail server will always add a "Received: from xxx by yyy" line at the top of the headers of any mail it processes. As a mail is passed on, each server will add its own line, so that they will read...
Quote:
Received: From server2 by server3
Received: From server1 by server2
Received: From user-pc by server1
The last line in time (i.e. the one at the top, server3 in this example) is usually reliable, because it should have been added by the server on which your mailbox sits, and unless your ISP is spamming you, you can assume that this server will tell you the truth.
It works pretty much the same way in real life. Imagine somebody writes you a nasty letter (on paper) and gives it to me, and I pass it on to your secretary. Let's assume your secretary is trustworthy and tells you that she's got the letter from me. Now you don't know me. I might or might not be trustworthy. I can tell you who's given me the letter, I can tell you that it was Osama bin Laden, or I can choose not to tell you anything at all. What I cannot lie about is that it was me who gave the letter to your secretary, because she's seen me.*
So as a rule of thumb, read the Received: lines from top to bottom to trace the way of an e-mail back through the internet. If there's anything dodgy in the "from XXX" part of a line, everything after that line may be forged.
(*Yes, in theory there's IP spoofing, but it's gotten increasingly impractical or downright impossible in the last few years.)
In your case, there are two Received: lines:
Quote:
Received: from UADHTS01.uad.ac.uk ([193.60.160.125]) by snt0-mc2-f4.Snt0.hotmail.com (blah blah blah)
Received: from uadmta03.uad.ac.uk (193.60.160.134) by UADHTS01.uad.ac.uk (blah blah blah)
The first line states that some Hotmail server (that's where your mailbox is) received the mail from a server that introduced itself as uadhts01.uad.ac.uk and had the IP address 193.60.160.125. Nowadays it is safe to assume that the IP address is correct under normal circumstances.
The second line states that uadhts01.uad.ac.uk received the mail from uadmta03.uad.ac.uk.
There is no third Received: line, which means that either uadmta03.uad.ac.uk was the origin of that mail, or that it's badly configured and doesn't add a Received: line itself, so you can't tell where it got the mail from.
In this case I suspect the latter because of the host name, "uadmta03".
UAD is the University of Abertay Dundee.
MTA may stand for "Mail Transfer Agent", i.e. a mail server.
03 would mean it's the third mail server.
If the server admin is not a total dolt (and unis usually have rather qualified sysadmins), they should still be able to see the origin of your mail in the server's logfiles.
Bankster
Many thanks.
Your response was very insightful.
I think I can understand the principle, but the question is how?
How could scammers exploit even the academic institutions?
Diana Prince
Master Baiter
Joined: 11 Nov 2008
Posts: 101
Location: in my invisible airplane
Posted: Tue Feb 23, 2010 10:55 pm
@Bankster: if it's not too terribly late for a Valentine's Day thread: will you marry me?
Your ability to make clear explanations of complex matters to those of us less knowledgeable about mail server configurations is very attractive.
(Although, truth to tell, luckey was my first crush on Eater).
@subway 1: thank you so much for following through on this circumstance;
assuming that this person's account was in fact compromised,
the time and effort you invested by making that notification should prove to be an asset to the individual and his/her university.
_________________ Mr Gomer-ette
Bankster
Baiting Guru
Joined: 22 Jun 2007
Posts: 2239
Location: Gone for a while.
Posted: Wed Feb 24, 2010 8:53 am
^^
Aww, how sweet. I'm already with DW, but maybe we can be secret lovers for the time being?
(Shsht, don't mention VD or SOOI will lock this thread. Repeatedly.)
subway 1 wrote:
How could scammers exploit even the academic institutions?
I'm not sure if I understand your question right, but basically a scammer is a spammer that sends you the opening letter of his format instead of penis enlargement ads. Technically it's the same.
A spammer will always want to employ a system that:
- has a fast internet connection,
- is hard to shut down / lock out by the systems that it spams,
- can't be traced back to him.
The current tool of choice for the upper middle-class spammer is a botnet, but these aren't cheap to rent, so it may be more attractive to rent a server with a stolen credit card or find some vulnerable system.
Among the vulnerable systems, a uni network is ideal. Unis usually have fat internet connections and aren't blocked easily. The problem is that unis usually have competent sysadmins that make it hard to get inside. But once you are inside (e.g. as a student or with a stolen password) you've totally struck gold.
Rick Shaw
Master of Master Baiters
Joined: 10 Jan 2010
Posts: 503
Posted: Sun Feb 28, 2010 12:32 pm
^^ I've had a couple of scams that have come from African universities. After reading the above I can see how they have probably got into the system to send out their scams. Interesting.
_________________ X176
IyaNA UR MAMA BE THIS OH.... La ya e.e.....Mad man.. Dr Usman Ahmed
YOUR MOTHER TOTO DID YOU UNDERSTAND.OTU NNE GI UNDERSTAND.
YOUR MOTHER TOTO DID YOU UNDERSTAND.BYE FOR NOW.GUY. Victor Owusu.
Take care little odd friend - D@ve L3wis
FOLL PUT THIS TO YOU FUCKING BIG HEAD. V1ctor OwusV
I never knew that a man who claim to have reputation could be so rude ,nasty and very barbaric like you did. (death cert faked) Dav1d Caruso
YOU ARE A BASTARD AND THE WORST AND WORST POOREST BASTARD ON THIS EARTH PLANET. GO TO HELL AND PUBLISH THE FUCKING PUSSY OF YOUR MOTHER AND YOUR FEMALE DAUGHTERS AND YOUR OCTOPUS LONG DICK. YOU SEE WEALTH COMING ON YOUR WAY ON A PLATTER OF GOLD AND YOUR REFUSE TO GRAB IT. M1chael Pyl3
Neither am i a nadger hunter Joe OmQ
Dharma
Baiting Guru
Joined: 11 Jun 2008
Posts: 2254
Location: The Empty Quarter
Posted: Thu Mar 04, 2010 4:31 pm
Many thanks Bankster for the clarification.
As a student myself, it's frustrating to see that some scumbags could take advantage of a uni's system.
Imagine receiving a scam email from your supervisor.
firehouse5
Palm Wino Aficionado
Joined: 09 Mar 2004
Posts: 4953
Location: swimming in Ogogoro
Posted: Thu Mar 04, 2010 4:52 pm
There's also a huge number of phishing emails targeting users of university email systems. I work at a university and my email address is (widely) published - I probably receive 2-4 messages a day trying to lure me into revealing my login details.
Mostly "email quota exceeded" purporting to be from our IT department with misleading "from" addresses, "reply with username and pwd to automatically reset your quota" or something similar.
Word from those in the know is that just about every one of these messages manages to trick at least somebody in our institution into replying with their details (despite all sorts of efforts by the email team). So it's easy to see how and why spammers can get control of "legit" looking email addresses. We have some nice systems that identify suspicious outbound email traffic, and atypical account usage, to minimize the consequences of some idiot giving his details to a phisher, but many institutions do not....
Quote:
imagine receiving a scam email from your supervisor...
Emails from my boss look just like emails from mugus. But I can pay in person rather than WU.
_________________ Has a scammer sent you a bank account? please report it to any moderator using the private message function.
GO PREMIUM!
Oct2004-Oct2016 12 years but Cheat alert: many silent months!
dozens Not as many piggies as you.
The details you sent do not match, check your records and reply immediate. I have forced to wait in office for two hours with out eating
Mat
Master Baiter
Joined: 26 Feb 2010
Posts: 102
Location: Travelling Time
Posted: Thu Mar 04, 2010 4:56 pm
When I studied we had a forced change of passwords every 2 weeks.
Had to change to a new password, with at least 8 letters/digits, and not more than 4 of them were allowed to match the existing password.
Even though some had their account compromised, it was just temporary.
_________________ Back after 4 years in hiding.
x3
x42 - Mr. Coleman
SamCBaiter
Hello I'm New here!
Joined: 03 Dec 2009
Posts: 10
Location: Behind a proxy :)
Posted: Fri Mar 05, 2010 2:46 pm
At college we could use the webmail service only from the internal network, and we could configure the account to forward mails to an external address in case we wanted to receive notifications when not in the building. Worked fine.
_________________ Samuel C. Baiter
_____________
listen who is foolling who? - Tessy Boe