 www.yinot.com / www.oieur.com - definite crook sites

dogsbum
NN's whore


Joined: 08 Jan 2010
Posts: 381
Location: under my desk - licking my balls


Posted: Wed Mar 24, 2010 3:40 am

Hello esteemed site killer dudes ...

I bring a gift for your enjoyment.

I suspect someone has hijacked a neighbour's hotmail account and is using this to scam people.
I've received plenty of these emails myself - fairly regular and so too has everyone I know who knows this bloke.

The emails all pretend to be from this RL person.
Since many people drop their guards when they know the person who sent them an email, this thing is particularly nasty and more likely to fleece victims.

The RL person does not appear aware as yet ... when I see him I will set him straight. Others are blaming him - not the scammers.

My security software strips out most (all?) malicious code / tags before I see anything here ... so things might be 'missing'.

Sample of the scam email

Header wrote:
Received: from mail.bigpond.com by b9 for [email protected]
(applied security profile: Medium) at Wed, 24 Mar 2010 12:57:38 +1000
Return-Path: <[email protected]>
Received: from nschwingx06p.mx.bigpond.com ([65.55.34.14])
by nschwmtas05p.mx.bigpond.com
(InterMail vM.7.05.02.08 201-2174-114-118-20080528) with ESMTP
id <20100320020603.TXCE6690.nschwmtas05p.mx.bigpond.com@nschwingx06p.mx.bigpond.com>
for <[email protected]>; Sat, 20 Mar 2010 02:06:03 +0000
Received: from col0-omc1-s4.col0.hotmail.com ([65.55.34.14])
by nschwingx06p.mx.bigpond.com with ESMTP
id <20100320020603.POYI21999.nschwingx06p.mx.bigpond.com@col0-omc1-s4.col0.hotmail.com>
for <[email protected]>; Sat, 20 Mar 2010 02:06:03 +0000
Received: from COL114-W34 ([65.55.34.7]) by col0-omc1-s4.col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
Fri, 19 Mar 2010 19:04:41 -0700
Message-ID: <[email protected]>
Return-Path: [email protected]
X-Originating-IP: [112.115.29.8]
From: Mike Free <[email protected]>
To: <[email protected]>
Subject: Hey
Date: Sat, 20 Mar 2010 12:04:41 +1000
Importance: Normal
X-OriginalArrivalTime: 20 Mar 2010 02:04:41.0301 (UTC) FILETIME=[B3DA7050:01CAC7D1]
X-RPD-ScanID: Class unknown; VirusThreatLevel unknown, RefID str=0001.0A150203.4BA42D8B.00A5,ss=1,fgs=0
X-Brightmail-Tracker: AAAAAxNVoRYTVaamE1WjeQ==
X-Brightmail-Tracker: AAAAAA==
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="b9_multipart_boundary_0=_"
X-Brightmail-Tracker: AAAAAxNVoRYTVaamE1WjeQ==
X-Brightmail-Tracker: AAAAAA==

Quote:
Hello ,
How are you those days ?
Ibought a gucci handbag and a rolex watch from this site :www.yinot.com , it is authentic quality ,more cheaper than here ,you can check it .
best wishes

Sent from China - 112.115.29.8

Header 2 wrote:
Received: from mail.bigpond.com by b9 for [email protected]
(applied security profile: Medium) at Tue, 16 Feb 2010 13:56:30 +1000
Return-Path: <[email protected]>
Received: from nschwingx07p.mx.bigpond.com ([65.55.34.19])
by nschwmtas03p.mx.bigpond.com with ESMTP
id <20100215184716.ZXEN1837.nschwmtas03p.mx.bigpond.com@nschwingx07p.mx.bigpond.com>
for <[email protected]>; Mon, 15 Feb 2010 18:47:16 +0000
Received: from col0-omc1-s9.col0.hotmail.com ([65.55.34.19])
by nschwingx07p.mx.bigpond.com with ESMTP
id <20100215184716.HPAL2636.nschwingx07p.mx.bigpond.com@col0-omc1-s9.col0.hotmail.com>
for <[email protected]>; Mon, 15 Feb 2010 18:47:16 +0000
Received: from COL114-W12 ([65.55.34.7]) by col0-omc1-s9.col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
Mon, 15 Feb 2010 10:47:14 -0800
Message-ID: <[email protected]>
Return-Path: [email protected]
X-Originating-IP: [123.113.218.11]
From: Mike Free <[email protected]>
To: <[email protected]>
Subject: the first step for online shopping
Date: Tue, 16 Feb 2010 04:47:12 +1000
Importance: Normal
X-OriginalArrivalTime: 15 Feb 2010 18:47:14.0583 (UTC) FILETIME=[4A5F1A70:01CAAE6F]
X-RPD-ScanID: Class unknown; VirusThreatLevel unknown, RefID str=0001.0A150204.4B7996B1.0002,ss=1,fgs=0
X-Brightmail-Tracker: AAAAAhLTvtoS076t
X-Brightmail-Tracker: AAAAAA==
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="b9_multipart_boundary_0=_"
X-Brightmail-Tracker: AAAAARLTvto=
X-Brightmail-Tracker: AAAAAA==

Msg 2 - different phishing site wrote:
Hello,
I am writing to introduce an amazing online shop for you : www.oieur.com
Fashion, Popular, Security, Ecnomic........ as you see, it has all of the best festures as an online shopping.
It is a specialized online shop for Brand Watches and Brand Handbags. you also can find brand bags, wallets there.
Believe me, you will enjoy your shopping-trip here !

Sender - China IP 123.113.218.11



YINOT.COM wrote:
http://www.yinot.com/ is a URL.
Domain Dossier will continue with www.yinot.com.
Address lookup
canonical name www.yinot.com.
aliases
addresses 205.209.167.188
Domain Whois record

Queried whois.internic.net with "dom yinot.com"...

Domain Name: YINOT.COM
Registrar: BIZCN.COM, INC.
Whois Server: whois.bizcn.com
Referral URL: http://www.bizcn.com
Name Server: NS5.CNMSN.NET
Name Server: NS6.CNMSN.NET
Status: clientDeleteProhibited
Status: clientTransferProhibited
Updated Date: 24-sep-2009
Creation Date: 24-sep-2009
Expiration Date: 24-sep-2010

>>> Last update of whois database: Wed, 24 Mar 2010 03:04:29 UTC <<<

Queried whois.bizcn.com with "yinot.com"...

Domain name: yinot.com

Registrant Contact:
luoyi
li luo [email protected]
05925861840 fax: 05925861840
putian
putian fujian 3610004
cn

Administrative Contact:
li luo [email protected]
05925861840 fax: 05925861840
putian
putian fujian 3610004
cn

Technical Contact:
li luo [email protected]
05925861840 fax: 05925861840
putian
putian fujian 3610004
cn

Billing Contact:
li luo [email protected]
05925861840 fax: 05925861840
putian
putian fujian 3610004
cn

DNS:
ns5.cnmsn.net
ns6.cnmsn.net

Created: 2009-09-25
Expires: 2010-09-25

Network Whois record

Queried whois.arin.net with "205.209.167.188"...

OrgName: Managed Solutions Group, Inc.
OrgID: MSG-48
Address: 45535 Northport Loop East
City: Fremont
StateProv: CA
PostalCode: 94538
Country: US

ReferralServer: rwhois://rwhois.managedsg-inc.com:4321

NetRange: 205.209.128.0 - 205.209.191.255
CIDR: 205.209.128.0/18
NetName: NET-MANAGED
NetHandle: NET-205-209-128-0-1
Parent: NET-205-0-0-0-0
NetType: Direct Allocation
NameServer: RDNS1.MANAGEDSG-INC.COM
NameServer: RDNS2.MANAGEDSG-INC.COM
Comment:
RegDate: 2004-04-15
Updated: 2006-03-17

RAbuseHandle: ABUSE429-ARIN
RAbuseName: MSG Inc Abuse
RAbusePhone: +1-888-585-8889
RAbuseEmail: [email protected]

RTechHandle: MAT48-ARIN
RTechName: MSG Arin Tech
RTechPhone: +1-888-585-8889
RTechEmail: [email protected]

OrgAbuseHandle: ABUSE429-ARIN
OrgAbuseName: MSG Inc Abuse
OrgAbusePhone: +1-888-585-8889
OrgAbuseEmail: [email protected]

OrgTechHandle: MAT48-ARIN
OrgTechName: MSG Arin Tech
OrgTechPhone: +1-888-585-8889
OrgTechEmail: [email protected]

# ARIN WHOIS database, last updated 2010-03-23 20:00

DNS records

DNS query for 188.167.209.205.in-addr.arpa returned an error from the server: NameError
name class type data time to live
www.yinot.com IN A 205.209.167.188 120s (00:02:00)
yinot.com IN NS ns6.cnmsn.net 120s (00:02:00)
yinot.com IN NS ns5.cnmsn.net 120s (00:02:00)
yinot.com IN SOA
server: ns6.cnmsn.net
email: dnsconct.cnmsn.net
serial: 1256525973
refresh: 28800
retry: 14400
expire: 14400
minimum ttl: 600
120s (00:02:00)
yinot.com IN A 205.209.167.188 120s (00:02:00)
Traceroute

Tracing route to www.yinot.com [205.209.167.188]...
hop rtt rtt rtt ip address fully qualified domain name
1 0 0 1 70.84.211.97 61.d3.5446.static.theplanet.com
2 0 0 0 70.87.254.5 po101.dsr02.dllstx5.theplanet.com
3 0 0 0 70.85.127.109 po52.dsr02.dllstx3.theplanet.com
4 0 0 0 70.87.253.25 et3-2.ibr04.dllstx3.theplanet.com
5 8 1 0 12.87.41.149
6 2 1 1 12.122.139.122 cr1.dlstx.ip.att.net
7 0 0 0 12.122.139.109 ggr6.dlstx.ip.att.net
8 1 1 1 192.205.36.178
9 1 1 1 154.54.1.253 te4-8.ccr02.dfw01.atlas.cogentco.com
10 11 12 11 154.54.2.114 te0-2-0-1.ccr21.mci01.atlas.cogentco.com
11 47 47 47 154.54.6.161 te3-4.ccr02.sfo01.atlas.cogentco.com
12 49 48 48 154.54.1.130 te3-4.ccr02.sjc01.atlas.cogentco.com
13 50 50 50 154.54.6.70 te4-1.mpd01.sjc05.atlas.cogentco.com
14 49 49 49 38.102.194.158 managed-solutions-group.demarc.cogentco.com
15 * * *
16 71 61 66 205.209.167.188

Trace complete
Service scan
FTP - 21 220 Microsoft FTP Service
SMTP - 25 Error: ConnectionRefused
HTTP - 80 HTTP/1.1 200 OK
Connection: close
Date: Wed, 24 Mar 2010 18:06:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 43390
Content-Type: text/html; Charset=gb2312
Set-Cookie: ASPSESSIONIDQCTAATCR=AHHPPJCBKGLEGKDPKJLLBCJE; path=/
Cache-control: private
POP3 - 110 Error: ConnectionRefused
IMAP - 143 Error: ConnectionRefused

oieur.com wrote:
Address lookup
lookup failed oieur.com
Could not find an IP address for this domain name.
Domain Whois record

Queried whois.internic.net with "dom oieur.com"...

Domain Name: OIEUR.COM
Registrar: XIN NET TECHNOLOGY CORPORATION
Whois Server: whois.paycenter.com.cn
Referral URL: http://www.xinnet.com
Name Server: NS.XINNET.CN
Name Server: NS.XINNETDNS.COM
Status: clientHold
Updated Date: 25-feb-2010
Creation Date: 24-dec-2009
Expiration Date: 24-dec-2010

>>> Last update of whois database: Wed, 24 Mar 2010 03:30:35 UTC <<<

Queried whois.paycenter.com.cn with "oieur.com"...

Domain Name : oieur.com
PunnyCode : oieur.com
Creation Date : 2009-12-25 02:42:33
Updated Date : 2009-12-25 02:42:33
Expiration Date : 2010-12-25 02:42:28


Registrant:
Organization : shaqifan
Name : qifan sha
Address : beijingcityxiushuijie126?
City : beijing
Province/State : ??
Country : CN
Postal Code : 100011

Administrative Contact:
Name : qifan sha
Organization : shaqifan
Address : beijingcityxiushuijie126?
City : beijing
Province/State : ??
Country : beijing
Postal Code : 100011
Phone Number : 86-010-87326307
Fax : 86-010-87326307
Email : [email protected]

Technical Contact:
Name : qifan sha
Organization : shaqifan
Address : beijingcityxiushuijie126?
City : beijing
Province/State : ??
Country : beijing
Postal Code : 100011
Phone Number : 86-010-87326307
Fax : 86-010-87326307
Email : [email protected]

Billing Contact:
Name : qifan sha
Organization : shaqifan
Address : beijingcityxiushuijie126?
City : beijing
Province/State : ??
Country : beijing
Postal Code : 100011
Phone Number : 86-010-87326307
Fax : 86-010-87326307
Email : [email protected]

Network Whois record

Don't have an IP address for which to get a record
DNS records

DNS query for oieur.com returned an error from the server: NameError

No records to display
Service scan

Don't have an IP address to scan for services

Both sites appear legitimate to a casual observer - except they are duplicates and fakes. They have some sort of shopping cart - all the better to fleece you with.

I noticed that oieur.com has no IP but when I looked at it a little while ago, it was exactly the same as the first one.

Mentioned in McAfee and yet another user's account hijacked. http://www.siteadvisor.com/sites/oieur.com/postid?p=3799731

This site (oisell.com) looks similar but not the same and came up when I was googling.
Much the same lame use of YAHOO and HOTMAIL for their 'business' addresses.

Shortly after I arrived on the sites, some sort of helper window popped up ... chose not to play.

Do these qualify as naughty sites or just plain crapulent ones?

Teddy is stepping slowly away now .... don't look at me

_________________
DogsBum

[Make a lad cry today and God will reward you.]
Zombie or Steward (real) returns - you decide.
Steward is a Delete sensitive material regarding identity - Steward

Exproba tuos pusiones saepe et quam saevissime!
(Slap lads often and as hard as possible!!)

Miseria et tardum letium omnibus factoribus doli!
(Woe and a slow death to all scammer lads!)
(Thanks Otterfan for the Latin)
Ima Baeder
Baiting Guru


Joined: 03 May 2007
Posts: 18313


Posted: Wed Mar 24, 2010 3:48 am

Do we really seem that scary in here?

I think the correct technical term we use for this is: Spam.

These aren't advance fee fraud sites, which is what we deal with in this forum. While those are likely scams, they're of a different type and not something we do here. There may be malware involved as to why his account is implicated.

I'm not really sure where, if anywhere, to report those as there are tons and tons of them. I get spam folders chock full of them every day. You can do a Google search for info on Spam or Malware + Spam and see what you can find.

There is some info on Chinese hosters in the fake electronics forum at aa419.org, here: http://forum.aa419.org/viewforum.php?f=30 but those sites aren't anything they'll deal with over there either.

I'm marking this n/a and will remove it later, after you've had a chance to read/respond.

_________________
348 Fake Sites killed
dogsbum
NN's whore


Joined: 08 Jan 2010
Posts: 381
Location: under my desk - licking my balls


Posted: Wed Mar 24, 2010 4:20 am

^^^ Thanks IB ... naa - not really that scary but you are all spoken of in hushed terms.
Is it true that you have Steward and use him for some evil sexual practices?? Poor Steward. He really should never have talked so damned much.

Spam? OK ... so their use of Yahoo / HOTMAIL / Messenger (TEL: EMAIL: [email protected] MSN:[email protected]) is just crapulent?

And hijacking the hotmail accounts of RL people ... to distribute the spam ... is ... bad manners but unlikely to end in financial loss for people?

Just having trouble understanding your reasoning - and I want to.

I completely understand about dodgy sites with malware - eg: any warez or movie downloads place.

How do phishing sites fit in for us? These grow like ummm lad bleats about their honesty and we could devote entire national incomes into their eradication and still fail ...

You are talking about priorities ?? (which is perfectly fine)
Our priority is to clean up scammer sites ... ???

Think I need to read a lot more threads and stickies ...
Bugger me there is a lot to pick up ... and it is oooooozing out my arse

Ima Baeder
Baiting Guru


Joined: 03 May 2007
Posts: 18313


Posted: Wed Mar 24, 2010 5:14 am

I think this would fall under the same category as the fake electronics sites, sneaker sites, etc. Yes, it's all bad and all scams. Our focus here is only the advance fee fraud sites because that's the point of 419Eater. The purpose of this fake site forum is so that baiters can kill the fraudulent sites that come up in their baits. Unfortunately, we can barely keep up with that, never mind tackling the rest of the scams out there. I'm sure there are other places that do deal with this sort of stuff, I'm just not sure who/where they are. Maybe other members know of some and can add their input.

Quote:
Think I need to read a lot more threads and stickies ...
Bugger me there is a lot to pick up ... and it is oooooozing out my arse

Yes, there is a lot. Keep reading, you'll keep learning. I still am.

justjay
Baiting Guru


Joined: 22 Mar 2007
Posts: 2412
Location: ~Data Miner & Esoteric Trivia Collecter~


Posted: Wed Mar 24, 2010 2:04 pm

dogsbum wrote:
...
How do phishing sites fit in for us? ...

Phishing sites tend to be short-lived and better handled by the companies that have vested interests or can pay lawyers to get things taken care of (IMHO). Usually the site is down before our kind of actions can be done when dealt with by the real bank or whatever.

dogsbum wrote:
...
Think I need to read a lot more threads and stickies ...
Bugger me there is a lot to pick up ... and it is oooooozing out my arse

Oh, you have barely started then. Wait till it starts oozing out your ears, and then find out there is so much more that you never realized.

_________________
Dubitando ad veritatem pervenimus
aa419.org member
Site Killing x uncounted numbers
Over 1000 - no longer counting since sometime in 2008 + #unknown# assists
WDPRs >150 Netcraft>115
----
pony pony pony - just because...
Artemis
Baiting Guru


Joined: 19 Feb 2006
Posts: 31267
Location: Lower Elements


Posted: Wed Mar 24, 2010 3:30 pm

For information, this website handles the phishing sites http://www.antiphishing.org

_________________
Total kills 21667 + Mugu Reseller x 5 Mortar x10
Ima Baeder
Baiting Guru


Joined: 03 May 2007
Posts: 18313


Posted: Wed Mar 24, 2010 4:07 pm

Moved here from the fake sites forum. Dogsbum, there's also more information about phishing here, including the link Artemis posted above: http://forum.419eater.com/forum/viewtopic.php?p=598185#598185

Mr Tambourine Man
Baiting Guru


Joined: 06 Jun 2008
Posts: 3398
Location: Magic swirlin' ship


Posted: Thu Mar 25, 2010 11:30 am

I very much doubt that his account has been hacked. It's more likely that the spammer is spoofing the email headers so that complaints about the spam go to an innocent third party.
I take it that he still has access to the account? If his account had been hacked, I'd have expected the scammer to have changed the password.

_________________
is always Good when you have the zeal to be a hitwoman when you out of school,it makes you bold and reall and it makes you more high than any other of your friend.

NOW AMBACK FOR YOU AGAIN STURBORN SHIT
you dont have a phone.that makes makes you joe butt

Fuck you and go find something to do man. Stop disturbing me please.

This is definitely why you will remain and die in poverty, ignorant of good things and easy acknowledgment of bad things and words. Shame on you, you wicked generation children.

i went you to no that this is not a cheld pray. i went you to get back to me

we are not scammer,we hate scammer as you do.scammer make out life harder and harder,a lot of people think we are scammer,in fact,we are not!! please trustt us
dogsbum
NN's whore


Joined: 08 Jan 2010
Posts: 381
Location: under my desk - licking my balls


Posted: Thu Mar 25, 2010 1:01 pm

^^^ Interesting take on this ... thanks. I will check just to be sure.

Agent1002
419Eater is my life


Joined: 11 Feb 2010
Posts: 442
Location: USA


Posted: Fri Mar 26, 2010 7:20 pm

When email is spoofed, the last address is fake. As the mail is passed along the internet, the mail relays stamp the IP address of the servers. When a mail has the wrong chain, such as a US email account is then hosted by, for example, China, then alarm bells should go off.

If this chain is normal, with the mail directly sent from the victim's hijacked account, then there won't be the extra fake IP address added to the chain. Look at all the IP addresses in the email header to see if the mail followed a logical path from the vic's account to you. For example, a mail from a Comcast user to a Qwest user should have only US IP addresses in the headers. If it is sent from US Comcast and then relayed by a China ISP, to the Roadrunner account, that is a spoof and never really from Comcast in the first place.

If it is from Comcast only, then the evidence is strong that it is a hijacked account.

Google automatically flags this by adding this in red at the top of the mail:

Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information. Learn more

Here is the header of that email that gave me the warning of the spoof.
Evidence of the spoof is in red.

Received: by 10.142.178.17 with SMTP id a17cs247991wff;
Thu, 25 Mar 2010 06:22:28 -0700 (PDT)
Received: by 10.204.133.27 with SMTP id d27mr866291bkt.51.1269523345574;
Thu, 25 Mar 2010 06:22:25 -0700 (PDT)
Return-Path: <[email protected]>
Received: from web24913.mail.ird.yahoo.com (web24913.mail.ird.yahoo.com [212.82.110.154])
by mx.google.com with SMTP id e12si1371485bkw.36.2010.03.25.06.22.23;
Thu, 25 Mar 2010 06:22:24 -0700 (PDT)
Received-SPF: neutral (google.com: 212.82.110.154 is neither permitted nor denied by best guess record for domain of [email protected]) client-ip=212.82.110.154;
Authentication-Results: mx.google.com; spf=neutral (google.com: 212.82.110.154 is neither permitted nor denied by best guess record for domain of [email protected]) [email protected]; dkim=pass (test mode) [email protected]
Received: (qmail 53284 invoked by uid 60001); 25 Mar 2010 13:22:23 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.co.uk; s=s1024; t=1269523343; bh=uoO2IUkWpwEktMfTSQwx5UQCk2LoCQo8jvpm1NICWhg=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=2DkaLYEt7cNgcoOnPhWxSahgH8UrdPI3ei8CVEM5NPAWMjI9EhZOxCnsB5Z0T78+4Sy3P2xkKtnUUJsBzE5P/g2RcPfynFvImR6zQ2jQwgTpbbOIf6OmgB1Deosocn64/HrkONxVObm+LXIIbACCbh9OmpP/SkSreydV45xbmF0=
DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.co.uk;
h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type;
b=bv+vAg+Qd5C83E3jvQPtH0hLLep7QG1GwoC5orS2ss/0sL/5uPuktsmnBIjAjLMf8QmuVDn+Aw+hnY7dMdUgYVU5KKThn5tQXpPUu7aR8qKhCvkq0J+8cSOWHBS6uwZCfTut9NN89ZgzNSJT7NG9clWHfAsG6Pn1zrXg4y0jius=;
Message-ID: <[email protected]>
X-YMail-OSG: tO4siGkVM1ml6I5QaHIY_loz7z.HGa9c8s1sKVwBDGreUT7
pnVc0z1jPT8YIcy7KwtZr.1LLHtjdWwW1SkhBQUPUnz3GMd71aBNd_GQLRr.
7BmsBttKjWHO7L9gtcur1.2EGrdJ9067ZTB_QyqhOYLZpknGgcOyXG6GLxBh
P5QxcfRL74ZaAIcquuINNUUgJlA0K3VKMfjaBc3gszzWtXt5oasy7gNw3mox
RJ08nt7A95a1weUk6A8163g96ejvNQF68O7j9DqoOIgY-
Received: from [41.218.244.63] by web24913.mail.ird.yahoo.com via HTTP; Thu, 25 Mar 2010 13:22:23 GMT
X-Mailer: YahooMailClassic/10.0.8 YahooMailWebService/0.8.100.260964
Date: Thu, 25 Mar 2010 13:22:23 +0000 (GMT)
From: Major General Adinkrah <[email protected]>


Further reading recommended by Google includes this.

Some spammers send fraudulent mass-messages designed to collect personal information, called 'spoofing' or 'password phishing.'

Here are a few ways you might recognize these messages:

* They ask you to provide your username and password or other personal information (e.g. Social Security number, bank account number, PIN number, credit card number, mother's maiden name, or birthday). Even if they appear to be from a legitimate source, or contain an official-looking webpage, be careful. Spammers often ask for this information in an attempt to steal your Gmail address, your money, your credit, or your identity.
* You might see a warning from Gmail when you open one of these messages. We're currently testing a service designed to alert Gmail users to messages that appear to be phishing attacks. When the Gmail Team learns of an attack, we use the details of these messages to automatically identify future possible phishing attacks.

These phishing alerts operate automatically, much like spam filtering. Gmail's spam filters automatically divert messages that are suspected of being unwanted messages into 'Spam'. Similarly, Gmail's phishing alerts automatically display warnings with messages we suspect are phishing attacks so you know to exercise caution before providing any personal information.

You should always be wary of any message that asks for your personal information, or messages that refer you to a webpage asking for personal information. One thing to be sure of: Google or Gmail will never ask you to provide this information in an email; if the message asking for it claims to be from us, don't believe it.

Here's what you can do to protect yourself and stop fraudsters:

* Make sure the URL domain on the given page is correct, and click on any images and links to verify that you are directed to proper pages within the site. For example, the Gmail URL is http://mail.google.com/ or, for even more security, https://mail.google.com/. Although some links may appear to contain 'gmail.com,' you may be redirected to another site after entering such addresses into your browser.
* Always look for the closed lock icon in the status bar at the bottom of your browser window whenever you enter any private information, including your password.
* Check the message headers. The 'From:' field is easily manipulated to show a false sender name. Learn how to view headers.
* If you're still uncertain, contact the organization from which the message appears to be sent. Don't use the reply address in the message, since it can be forged. Instead, visit the official website of the company in question, and find a different contact address.
* If you enter your Google account or personal information as the result of a spoof or phishing message, take action quickly. Send a copy of the message header and the entire text of the message to the Federal Trade Commission at [email protected]. If you entered credit card or bank account numbers, contact your financial institution. If you think you may be the victim of identity theft, contact your local police.
* Gmail doesn't send unsolicited mass messages asking for passwords or personal information. If you think your Gmail address has been compromised or taken over, please click here so we can help resolve the issue as quickly as possible.

* If our system flags a message as phishing, but you've validated the source from which the message originated, click the down arrow next to Reply at the top-right of the message pane, and select Report Not Phishing to let us know the message is legitimate. And if you receive a message that our phishing detection system doesn't pick up on, click Report Phishing to send a copy of the message to the Gmail Team.

I hope this helps figure if it is spoof or hijack.

_________________
Easter Egg 2012 Closed lad accounts X5 2 piggies in my first batch of 4 baits.
Magic Jack phones : CellphoneCellphoneCellphone
you have to answer this questions because seem that you are playing with this organisation from money order to generator, please we do not like stories and playing at the moment.


Internet Security Team

Agent 1002
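
The hop-by-hop check discussed in the posts above, automated as an added example that is not part of the original thread: it walks the Received chain down from the recipient's own mail servers and reports which outside host handed the message over. The function names, `sender@hotmail.com`, `mail.relay.example` and 203.0.113.25 are placeholders chosen for the example, and both sample headers are constructed from the first header quoted in the thread.

```python
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed sample modelled on the first header quoted in the thread.
# sender@hotmail.com stands in for the redacted address.
VIA_PROVIDER = """\
Received: from nschwingx06p.mx.bigpond.com ([65.55.34.14])
 by nschwmtas05p.mx.bigpond.com with ESMTP; Sat, 20 Mar 2010 02:06:03 +0000
Received: from col0-omc1-s4.col0.hotmail.com ([65.55.34.14])
 by nschwingx06p.mx.bigpond.com with ESMTP; Sat, 20 Mar 2010 02:06:03 +0000
Received: from COL114-W34 ([65.55.34.7]) by col0-omc1-s4.col0.hotmail.com
 with Microsoft SMTPSVC(6.0.3790.3959); Fri, 19 Mar 2010 19:04:41 -0700
X-Originating-IP: [112.115.29.8]
From: Mike Free <sender@hotmail.com>
Subject: Hey

"""

# Constructed spoof: the recipient's server took the mail from an unrelated
# relay (placeholder name, documentation IP). The Hotmail Received line and
# X-Originating-IP below that hop were supplied by the sender, not by Hotmail.
SPOOFED = """\
Received: from mail.relay.example ([203.0.113.25])
 by nschwingx06p.mx.bigpond.com with ESMTP; Sat, 20 Mar 2010 02:06:03 +0000
Received: from COL114-W34 ([65.55.34.7]) by col0-omc1-s4.col0.hotmail.com
 with Microsoft SMTPSVC(6.0.3790.3959); Fri, 19 Mar 2010 19:04:41 -0700
X-Originating-IP: [65.55.34.7]
From: Mike Free <sender@hotmail.com>
Subject: Hey

"""

FROM_RE = re.compile(r"^from\s+(\S+)")
BY_RE = re.compile(r"(?:^|\s)by\s+(\S+)")
IP_RE = re.compile(r"\[([0-9A-Fa-f:.]+)\]")


def under(host, domain):
    """True if host is the domain itself or a name beneath it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def parse_hops(raw):
    """Return the Received hops, newest first, as dicts with from/ip/by."""
    hops = []
    for value in HeaderParser().parsestr(raw).get_all("Received", []):
        value = " ".join(value.split())            # unfold continuation lines
        by = BY_RE.search(value)
        head = value[:by.start()] if by else value  # the part before "by"
        frm = FROM_RE.search(head)
        ip = IP_RE.search(head)
        hops.append({
            "from": frm.group(1) if frm else None,
            "ip": ip.group(1) if ip else None,
            "by": by.group(1).rstrip(";") if by else None,
        })
    return hops


def find_handoff(hops, trusted_domain):
    """First hop, reading down, where a trusted server accepted outside mail."""
    for hop in hops:
        if hop["by"] is None or not under(hop["by"], trusted_domain):
            return None                # stamp was not written by our servers
        if hop["from"] and not under(hop["from"], trusted_domain):
            return hop                 # everything below this line is unverified
    return None


def classify(raw, trusted_domain):
    """Compare the From domain with the host that handed the mail to us."""
    msg = HeaderParser().parsestr(raw)
    claimed = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hop = find_handoff(parse_hops(raw), trusted_domain)
    # Simplification: the logged name may be a HELO string; the bracketed IP is
    # the value to confirm with reverse DNS or SPF before acting on the result.
    via = bool(hop and claimed and under(hop["from"], claimed))
    # X-Originating-IP only means something if the provider itself added it.
    xoip = msg.get("X-Originating-IP", "").strip(" []") if via else ""
    return {
        "claimed_domain": claimed,
        "handoff_host": hop["from"] if hop else None,
        "handoff_ip": hop["ip"] if hop else None,
        "via_claimed_provider": via,
        "originating_ip": xoip or None,
    }


if __name__ == "__main__":
    for name, raw in (("via provider", VIA_PROVIDER), ("spoofed", SPOOFED)):
        print(name, classify(raw, "bigpond.com"))
```

A `via_claimed_provider` of True means the message really left the provider named in From, which fits a misused account but cannot by itself tell misuse from the owner sending it. False means the From line was forged somewhere outside that provider.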