| Author |
Message |
willewontee
Hello I'm New here!
Joined: 22 Jul 2011
Posts: 15
|
 Posted:
Mon Aug 01, 2011 5:39 pm |
  |
Hi, complete newbie to baiting here, but with a 35+ year technical IT career mainly as a Sysprog behind me & time now on my hands to play!
I've gone through all the hints & tips, Baiter university & read hundreds of excellent classic baits.
I've fallen in love with the site & principals behind it & I am ready to go!
So, the first interesting mail in my catcher is:
ROBERT MUELLER III.
EXECUTIVE DIRECTOR FBI.
FEDERAL BUREAU OF INVESTIGATION FBI.WASHINGTON D.C.
FEDERAL BUREAU OF INVESTIGATION SEEKING TO WIRETAP INTERNET.
ATTENTION: BENEFICIARY, blah blah blah.
Written in typical "ladeese" English, so I would have bet a large sum it came from e.g. Nigeria; But surprise surprise.....
Here's the header.....................
From Robert Mueller Fri Jul 29 04:15:40 2011
X-Apparently-To: [email protected] via 77.238.189.162; Fri, 29 Jul 2011 03:15:43 +0000
Return-Path: <[email protected]>
X-YahooFilteredBulk: 98.139.213.158
Received-SPF: none (domain of att.net does not designate permitted sender hosts)
X-YMailISG: JUlMhD0WLDuY1hfN0wml4iJcZB82jQt0tCxBtsfx3WwRKv0_
N.<snip>
X-Originating-IP: [98.139.213.158]
Authentication-Results: mta1096.mail.ird.yahoo.com from=att.net; domainkeys=neutral (no sig); from=att.net; dkim=pass (ok)
Received: from 127.0.0.1 (HELO nm2-vm1.bullet.mail.bf1.yahoo.com) (98.139.213.158)
by mta1096.mail.ird.yahoo.com with SMTP; Fri, 29 Jul 2011 03:15:43 +0000
Received: from [98.139.212.152] by nm2.bullet.mail.bf1.yahoo.com with NNFMP; 29 Jul 2011 03:15:40 -0000
Received: from [98.139.213.11] by tm9.bullet.mail.bf1.yahoo.com with NNFMP; 29 Jul 2011 03:15:40 -0000
Received: from [127.0.0.1] by smtp111.mail.bf1.yahoo.com with NNFMP; 29 Jul 2011 03:15:40 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=att.net; s=s1024; t=1311909340; bh=8ptLaTNHck/T1ZEz3JfU/3z8bRn3KYYFM1hrHHqrA0I=; h=X-Yahoo-Newman-Id:Message-ID:X-Yahoo-Newman-Property:X-YMail-OSG:X-Yahoo-SMTP:Received:Reply-To:From:Subject:Date:MIME-Version:Content-Type:Content-Transfer-Encoding:X-Priority:X-MSMail-Priority:X-Mailer:X-MimeOLE; b=t<snip>
X-Yahoo-Newman-Id: [email protected]
Message-ID: <[email protected]>
X-Yahoo-Newman-Property: ymail-5
X-YMail-OSG: <snip>
Received: from User ([email protected] with login)
by smtp111.mail.bf1.yahoo.com with SMTP; 28 Jul 2011 20:15:40 -0700 PDT
Reply-To: <[email protected]>
From: "Robert Mueller"<[email protected]>
Subject: AS A MATTER OF URGENCY
Date: Thu, 28 Jul 2011 23:15:40 -0400
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Content-Length: 5674
A quick trip to IpTRACKERonline shows:
| ipTRACKERonline.com wrote: |
| Header Analysis Quick Report<br>Originating IP: 66.255.63.182<br>Originating ISP: KNOXVILLE ORAL & MAXILLOFACIAL SURGERY<br> City: Knoxville<br>Country of Origin: United States<br>* For a complete report on this email header goto ipTRACKERonline |
If I read this right, it originates in Sunnyvale, CA (potentially, though that's probably an AT&T Point of Presence) from an AT&T account through a US based ISP that is also a dental surgery!
I'm a bit suspicous of the "domain of att.net does not designate permitted sender hosts" warning... Does AT&T not publish SPF records for it's mail servers?
Alternatively, is AT&T email web based (think Yahoo) thus accessible from any server? If so, the SPF warning explains itself.
Also, detailed analysis shows:
Originating hostname: uslec-66-255-63-182.cust.uslec.net which is shown as KNOXVILLE ORAL & MAXILLOFACIAL SURGERY. I can't see where this info comes from as WHOIS for USLEC.NET shows
an expired domain, & web site shows as PAETEC, which as far as I can tell is the domain registration service trying to get you to reuse the site.
The reply to address is an AOL one, which again confirms the US link... I'm a bit confused & any help untangling things is welcome.
I might well reply using Spyp1g & try to nail return address down geographically before I play any more.
Regards,
willewontee
snipped keys due to forum blowout-dorothy |
|
|
|
|
|
419muguhunter
Not quite a Newb
Joined: 15 Jul 2011
Posts: 20
|
| Posted:
Mon Aug 01, 2011 6:58 pm |
|
Hi there!
Welcome to the forums, i'm a noobie too but am really behind the site.
I've had something similar recently checked the headers got a new york ip. Spypig confirmed it. Didn't know what to make of that one so knocked it on the head.
Just wanted to say try spypig or who read me, one of the forum memebers pointed me to these two sites recently.
Happy Baiting! |
|
|
|
|
|
willewontee
Hello I'm New here!
Joined: 22 Jul 2011
Posts: 15
|
| Posted:
Mon Aug 01, 2011 7:21 pm |
|
Hi thanks for the welcome & welcome yourself. I will try a Spypig on it, but a bit odd getting a typical W. African scam from a US address. Think I will leave it alone if it is a US address.
Regards,
willewontee |
|
|
|
|
|
Seamless
Baiting Guru
Joined: 16 Apr 2009
Posts: 5868
Location: Paradise
|
| Posted:
Mon Aug 01, 2011 8:21 pm |
|
Welcome to 419eater willewontee and 419muguhunter
Always 'Bait Safely' = Never use your Real Life information or email in a bait.
Take a look around Eater University. Read the Stickys. Sign up for the Cherrie Mentor Program.
Most of all have Fun!! |
_________________
419Eater wastes their time - <a href="http://scamwarners.com/"target="_blank">Scamwarners</a> exposes their crimes
"You are a destinated Idiot. a fibol element, a rebel against humanity.
You are a goat. And very stupid. I will deal with you very soon, just wait, I have all your contact address, and I will trace you very soon, for insulting me, all evidence of your insult to me has been filed.
Lawyer M4nu3l told me that you could be one of this terrorist in the usa. and I later find out on my research on you, that you are one of the bastards in wherever you are. not even in usa."
 
 < S4NI S4LISU Ghana to Togo
< St3lla J0nta Cote d'Ivoire to Ghana
      |
|
|
|
|
vonpaso xlura
Baiting Guru
Joined: 10 Apr 2011
Posts: 13781
Location: Bertcad, Lojbanistan
|
| Posted:
Mon Aug 01, 2011 8:34 pm |
|
It's possible that the original sender exploited a bug in a computer at the oral surgeon to send the message. Send a reply and see where the reply to that comes from. |
_________________
   ×12  ×3  ×3       
unwashed
×163
×186
Accra - SH Cotonou
you are a fake people so do not ever write to me again.
Am mad at you right now ... Am tired of your questions ... Am sick and tire you and your bank
Nigerian pig . go swallow a grenade idiot. Boko Haram will solve your problem idiot .
you are big fool by send a fake payment information and never you contact me again asshole .
your passgae bearing your ATM CATD ... Ant Terrorist Certificate ... legal verterbrate ... expartiate your meaning ... gets to your dwaignted address ... successful ofghw transfer |
|
|
|
|
willewontee
Hello I'm New here!
Joined: 22 Jul 2011
Posts: 15
|
| Posted:
Mon Aug 01, 2011 8:51 pm |
|
I've just been notified by Spypig my reply was opened:
Recipient Location: San Francisco, California, United State
The accuracy is approximately 98% on the country level and 70% on the city level for US cities,so I guess it's in the USA.
Let's see if I get a reply....
Regards,
Willewontee |
|
|
|
|
|
Morgain Le Fay
Baiting Guru
Joined: 14 Oct 2010
Posts: 5800
Location: Taking my new .38 special to the range
|
| Posted:
Tue Aug 02, 2011 1:33 pm |
|
Quite a few scammers phish or hack into universities email account and it sounds like some how the KNOXVILLE ORAL & MAXILLOFACIAL SURGERY has had it happen to also. I am in receipt of one who phished or hacked or something into the Republican Party of Pennsylvania. |
_________________
X42  
Nash and 6 friends 488 Km within Ghana - bait with Agda (2012)
Safari Philip Ghana-Benin (bait w/Agda) 2013
x5
.edu's 260 reported
Click here to support 419Eater.com
US Dropbox
"You people are all Junks" - Miss E. Kabx
"Maybe you are insane as your so called sat..." Barrister Insane
The website below is available for Eater folks to use.
Film & Production Needs |
|
|
|
|
willewontee
Hello I'm New here!
Joined: 22 Jul 2011
Posts: 15
|
| Posted:
Tue Aug 02, 2011 6:21 pm |
|
Just done some futher analysis on the Spypig notification, what it seems to be doing is detecting the email leaving the last random TOR node rather than someone actually opening the email, so it looks like SPYPIG does not work with TOR.
Regards,
Willewontee |
|
|
|
|
|
evil_sheep
Compulsive Self Abuser
Joined: 15 Jul 2010
Posts: 1100
Location: 419eater Passport office.
|
| Posted:
Tue Aug 02, 2011 9:48 pm |
|
Tor will hide you quite well.
In my opinion, if you host an exit node, you are technically exposing your internet account to be used for illegal purposes (amongst other things).
Unless you are monitoring both the incoming and outgoing packets from the exit node, it's nigh impossible to work out which requests came from each IP. If you can monitor in and out going packets, it is possible to work out which requests are going to and from each connection.
Most lads wouldn't have a clue what Tor is, however. |
_________________
x11  x3     
"I thank you for your quick massage this morning. " - Prince Abdul Hakeem
"u lied. i know u as black man" - Timothy Fred
"Get out. If you mail me again, i will destroy your mailbox." - Clydesdale Bank PLC.
"picece of shit gett off here junkie" "arse hole like u" "u r a bullshit around the corner" "fuck off and die" "is that how you write ur father?" "do u need some crack from Brazil?" "please leave me alone" - Dr. Mohamed Gaza
FREE BEER!
"Baiting is like sex. If it does go pear-shaped, pull out, get a new email address and try again from a different angle." - Me |
|
|
|
|
willewontee
Hello I'm New here!
Joined: 22 Jul 2011
Posts: 15
|
| Posted:
Tue Aug 02, 2011 10:36 pm |
|
Yes, it does hide one quite well as you say.
I agree about hosting a node... I had the same thoughs about it & so decided to just use it as a smoke screen.
Today I have been mailing from USA, GB, South Africa, Canada, Greenland, etc... 3 random in & 3 random out nodes.
I might look at setting a fixed exit node somewhere far away from me in case I hit a lad with enough savvy to interpret an email header.
It surprised me where Spypig seems to think email is being opened, seemingly it's reporting now at every TOR node it goes through, but not once it exits TOR .... great way to trace TOR nodes, but not what I want. I will see if I can find out how Spypig actually works & maybe try some different notifiers.
I tried for some easy piggies with ASEM on about 100 likely lads picked from Baiters hot list, but no one wanted to play.
I'm playing straight baiting with about 20 odd various modality lads on the go now, to get my hand in, going well so far & some promising looking ones in there.
What surprised me as a newbie is even though "I" am 74 years old & deaf as a post, about a quarter of the lads will not come out to play unless I ring them first.
Regards,
Willewontee |
|
|
|
|
|
Mr Tambourine Man
Baiting Guru
Joined: 06 Jun 2008
Posts: 3398
Location: Magic swirlin' ship
|
| Posted:
Tue Aug 02, 2011 10:37 pm |
|
| Quote: |
| X-Originating-IP: [98.139.213.158] |
That's Sunnyvale. Yahoo is based there, and is mentioned in the headers. I'm not sure what is happening here. |
_________________
is always Good when you have the zeal to be a hitwoman when you out of school,it makes you bold and reall and it makes you more high than any other of your friend.
NOW AMBACK FOR YOU AGAIN STURBORN SHIT
you dont have a phone.that makes makes you joe butt
Fuck you and go find something to do man. Stop disturbing me please.
This is definitely why you will remain and die in poverty, ignorant of good things and easy acknowledgment of bad things and words. Shame on you, you wicked generation children.
i went you to no that this is not a cheld pray. i went you to get back to me
we are not scammer,we hate scammer as you do.scammer make out life harder and harder,a lot of people think we are scammer,in fact,we are not!! please trustt us |
|
|
|
|
willewontee
Hello I'm New here!
Joined: 22 Jul 2011
Posts: 15
|
| Posted:
Tue Aug 02, 2011 10:47 pm |
|
The opinion seems to be it's a bit odd & indicitive of someone hacking a server & email addresses. I took advice from more experienced baiters including Morgain Le Fay & have contacted the relevant organisations & reported all email addresses & servers involved.
I've not had anything back yet
Regards,
Willewontee |
|
|
|
|
|
Jeannette
Baiting Guru
Joined: 21 Oct 2006
Posts: 2158
Location: Stalking Nick Riewoldt
|
| Posted:
Wed Aug 03, 2011 7:43 am |
|
Late to the party, but I just noticed "NNFMP" in the header. That means the scammer is using a nifty device to hide his location. |
_________________
X 2 X 25
Sister I was even filling the form with pains - Mariam Abacha
 |
|
|
|
|
willewontee
Hello I'm New here!
Joined: 22 Jul 2011
Posts: 15
|
| Posted:
Wed Aug 03, 2011 8:18 am |
|
All I can find (authoritively) about NNFMP (from Yahoo themselves):
NNFMP is an internal protocol not recognised by IANA or the RFC's. Yahoo uses this protocol to internally route e-mail traffic across their network. The acronym stands for "Newman No-Frills Mail Protocol". It's a simple, high-performance protocol comparable to QMTP.
So it is not neccessarily indicitive of fraud.
Regards,
Willewontee |
|
|
|
|
|
Jeannette
Baiting Guru
Joined: 21 Oct 2006
Posts: 2158
Location: Stalking Nick Riewoldt
|
| Posted:
Wed Aug 03, 2011 9:26 am |
|
Of course not.  I'ts just something lads love to use. |
_________________
X 2 X 25
Sister I was even filling the form with pains - Mariam Abacha
|
|
|
|
|
willewontee
Hello I'm New here!
Joined: 22 Jul 2011
Posts: 15
|
| Posted:
Wed Aug 03, 2011 10:39 am |
|
So yes, just another pointer to a potential lad & it all adds up |
|
|
|
|
|
willewontee
Hello I'm New here!
Joined: 22 Jul 2011
Posts: 15
|
| Posted:
Wed Aug 03, 2011 1:16 pm |
|
Well, would you believe it, after all the reports I got from Spypig that turned out to be TOR nodes,
it's eventually reported the mail being opened at another IP address...
116.203.102.186 which shows as India, but no more detail available.
So the trail seems to have left the US & gone somewhere where their "ladeese" written opening script seems more believable.
Regards,
Willewontee |
|
|
|
|
|
|
|
SmartFeed
