 Possibly a US Scammer landed in my catcher account
Ishkabibble
Wannabe Baiter


Joined: 29 Mar 2009
Posts: 89
Location: Canada


Posted: Fri Jun 12, 2009 6:00 pm

This one's a bit unexpected (at least for me).

I may have a US scammer (the headers follow and you can see it is coming out of Virginia). They play on being from "CIT.com" with the usual nonsensical sounding jargon and agency names. The English is not bad but ends up making some grammatical errors well into the format. The "address" he says he's at, in Tennessee, is nonsense as well.

In the second email (look for it posted next) they're asking for a WU or MG of course, but to a US location. I had assumed when I answered that I was talking to a Legos lad or the like. Only when the money request came back for a US location did I check the headers.

Am I just talking to a mule perhaps? I had thought in those circumstances the scam was still being fired out from West Africa. I haven't seen anyone discussing something that gets both initiated from a US location, and collects its money there too. If this really is the case, it might even culminate in getting the SOB arrested! (one can dream, can't one?)

I'm taking this one especially slow as I lost a Nigerian lad off the hook recently by going too quickly. Any suggestions or advice that might be particularly useful for something that seems to be located so close to home before I respond?

A few things to note in the following: the first is the original email with headers (longish, sorry about that - wanted to be complete) and shows a Virginia origin. Is that just bogus IP addresses?

I'll post his response in a second posting. In it you will see the WU/MG request so that you can see the US details.

Regards,


----- headers and the first note from him to me -----

Quote:


X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtTQ0w9Ng==
X-Message-Status: n:0
X-SID-PRA: CIT Bank Limited <[email protected]>
X-Message-Info: P3NBY493gE4b+MtahrAQL5dv62WZti5c/eQCcDsj4zuHM4ZChUxR4osceGudeBHRGZqwOOSQOQf6s6w2qXYCDSkSUKNiw8HH
Received: from exchange-01.OaksMedia.local ([71.103.242.169]) by col0-mc2-f42.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
Wed, 10 Jun 2009 20:59:46 -0700
Received: from User ([71.40.130.83]) by exchange-01.OaksMedia.local with Microsoft SMTPSVC(6.0.3790.3959);
Wed, 10 Jun 2009 20:59:44 -0700
Reply-To: <[email protected]>
From: "CIT Bank Limited"<[email protected]>
Subject: Your Compensatory Grant
Date: Wed, 10 Jun 2009 23:59:44 -0400
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: [email protected]
Message-ID: <[email protected]>
X-OriginalArrivalTime: 11 Jun 2009 03:59:45.0033 (UTC) FILETIME=[0E4ED790:01C9EA49]

[HTML body as rendered; the HTML meta tag declares ISO-8859-1 while the MIME header above says Windows-1251, and the text is styled in Cambria]

[CIT Bank logo image hotlinked from http://www.financeglobe.com/Finance/images/logos/cit-bank-logo.jpg]
16124 West Road, Pikeville, TN 37352

RE: Your Compensatory Grant

Dear Sir/Madam:

We are writing to let you know that it has come to our notice and we have thoroughly completed our investigations with the help of our Financial Intelligence Monitoring Network that you are entitled to an economic stimulus payment of $450,450.00 USD as provided by the Global Economic Stimulus Act of 2008. You can expect your payment within the next 2 weeks if you comply with the instructions stated in this communication. You will not be required to report the amount of your stimulus payment as taxable income on your 2008 federal income tax return.

This deposit was labeled as "COMPENSATION" and was not in error as the funds have subsequently been deposited into a reserve account with your e-mail address attached as reference. This grant has been confirmed to be legitimately yours and will be disbursed immediately upon request.

We have completed this investigation and you are hereby approved to receive the certified cashier's check or a wire transfer into your personal account as we have verified the entire transaction to be safe and 100% risk free, due to the fact that the funds is with CIT Bank Limited you will be required to settle the following bills directly to the CIT Bank Limited Agent in-charge of this transaction whom is located at the Bank's headquarters.

According to the directives, you are required to pay for the following :-

(1) Deposit Fee (Fee paid to setup a new account for the beneficiary by the paying financial institution)
(2) Wire Transfer or Courier Delivery Fee (Fee paid to Transfer the funds into any bank of your choice or deliver the check through UPS delivery)
(3) Insurance (This is the fee paid by bank to insure the transfer of the funs or your check before been deposited at the bank)

The total cost of this fee is $550.00 USD (Five Hundred and Fifty US Dollars Only).

We have tried our possible best to deduct the Fee ($550.00 USD) from your grant but we could not secure authorization because your funds are protected by a PREMIUM HARDCOVER INSURANCE POLICY installed by the Federal Government to prevent any deductions from your funds until it must have been remitted by you. Hence, the fee cannot be deducted from your funds and you will be required to pay the fee via the western union money transfer network or money gram to the Escrow Officer at the Bank's headquarters.

To proceed with this transaction, you're expected to respond with a request for the receivers details of the ESCROW OFFICER to make payment if you intend to lay claim to this funds. You will also be required to e-mail him with your personal information:

ACCOUNT OFFICER: XXXXXXXXX
E- MAIL: [email protected] (a mailto: link)

FULL NAME:
ADDRESS:
CITY:
STATE:
ZIP CODE:
DIRECT CONTACT NUMBER:

All official documentation and prove of your claim would be posted to your address when total disbursement of your funds is achieved. CIT Bank Limited is ready to deliver or transfer your funds $450,450.00 USD USD via Certified Cashier's Check drawn on CIT Bank Limited upon confirmation of payment of the stipulated fee.

Make sure you include the following transaction code in order for him to immediately identify this transaction: EA2922-910

Note: You will not be required to report the amount of your stimulus payment as taxable income on your 2008 federal income tax return.

This notification is for information purposes only.

Please do not reply to this message.

CIT Bank Limited
2003 16124 West Road, Pikeville, TN 37352

This email was sent to you by CIT Bank Limited.


Edited out personal information -- JMR


Last edited by Ishkabibble on Fri Jun 12, 2009 6:10 pm; edited 1 time in total
Ishkabibble
Wannabe Baiter


Joined: 29 Mar 2009
Posts: 89
Location: Canada


Posted: Fri Jun 12, 2009 6:07 pm

My scammer's reply requesting money to a US location...a Gmail account so there's not much in the headers of use. Mangled up the names a bit to keep it from being Googled.

Regards,

Quote:


16124 W3st Road, Pik3vill3, TN 37352

RE: Your Compensatory Grant

Dear Sir/Madam:

My name is Jas0n McNu1ty, I'm the Account Officer assigned to your transaction (EA2948-910).

MODE OF PAYMENT: Western Union Money Transfer Network or Money Gram.

ESCROW OFFICER'S INFORMATION FOR PAYMENT OF $550.00 USD VIA THE WESTERN UNION MONEY TRANSFER OR MONEY GRAM:
NAME: S0mer Shadw1ck
CITY: Pik3vill3
STATE: Tennessee
TEST QUESTION: Transaction Code
TEST ANSWER: 6068

SENDERS FULL NAMES:
SENDERS FULL ADDRESS:

AMOUNT: $550.00

MTCN {Money Transfer Control Number}:
or
Reference Number:

The MTCN {10 Digit} is the confirmation number of the money sent if the fee was sent via western union while the REFERENCE NUMBER {8 Digit} is the confirmation number of the money sent if the fee was sent via money gram.

The confirmation of "Receipt" of the fee must be attached to the disbursement of your funds for it to be accepted as a viable transaction.

Sincerely,

Jas0n McNu1ty
ACCOUNT OFFICER

CIT Bank Limited
16124 W3st Road, Pik3ville, TN 37352

CONFIDENTIAL & PRIVILEGED COMMUNICATION

This email and any files transmitted with it are confidential, may contain privileged or copyright information, and are intended solely for the use of the intended recipient. If you are not the intended recipient of this email, you are required to notify the sender immediately and delete this email from your system. You may not copy, distribute or use this email or the information contained in it for any purpose other than to notify the sender.

Ishkabibble
Wannabe Baiter


Joined: 29 Mar 2009
Posts: 89
Location: Canada


Posted: Fri Jun 12, 2009 6:08 pm

Thanks JMR. You beat me to mangling up the personal info.

Regards,
sir scam alot
Doesn't share his goats


Joined: 19 Mar 2008
Posts: 5075
Location: Louisiana


Posted: Fri Jun 12, 2009 6:22 pm

The only IP I see there is 71.40.130.83 and for that I got this:

Quote:
General Information

Hostname: rrcs-71-40-130-83.se.biz.rr.com
ISP: Road Runner Business
Organization: LENDING,GOLFSIDE
Proxy: None detected
Type: Cable/DSL

Geo-Location Information

Country: United States
State/Region: FL
City: New Port Richey
Latitude: 28.2482
Longitude: -82.6799
Area Code: 727

_________________
Safari = Rev. JB Johnson. Lome to Parakou "i thought it will just be a day jouney. unknowingly to me that it will last up to one week."
Safari2 = Harrison: Owerri, Nigeria to Cotonou, Benin and Accra, Ghana "i know ive been a sucker for twat "
Safari = (Group safari) Oy3nka Ch1dinma: Lagos to Cotonou: "Thank you so much for the embrassment."
Safari = Group safari - Dan Nkwerre: Port Harcourt to Abeche, Chad
Safari2 = Barr. Mustapha Marlick: Lome, Togo to Abuja Nigeria and Accra, Ghana.
pony Mortar x15 (some survived) Closed lad accounts x280 T.W.A.T Nurse Nastys Audi TT United States
Have you kicked your lad today?
Over $1 million USD in fake checks/money orders confiscated Easter Egg
Badgerbait
Tactical Post-Whore


Joined: 07 Jan 2009
Posts: 4502
Location: Alas, summer is slow in responding.


Posted: Fri Jun 12, 2009 6:27 pm

Simple Google on the street address reveals not real address, or at least it can't find it. The business name is to a S&L type business. Deals in business accts., student loans. Still can't match it up to that address. Hmm...contact the fraud dept of CIT? Get a real addy out of the lad and send a note to the locals (LEO)? Our LEOs sometimes don't take kindly to these scammers in the states. Just put a lady in the fed pen for 4 years for aiding and abetting international fraud when she thought she would knowingly work with a lad and admitted she knew it was a scam. Wish I could've been in on that one. Hhmmphr..yeah.

_________________
I have arrived in Moscow. Has gone to bank and to me have told that there is no such transfer for me!!!!
What does it mean? You played with me? If it so that you very much the cruel man and I am assured of that that the god will see your cruelty.
Explain to me!!!!!!!!!!!!!!!! - Alena Byk0va
-----------
Closed lad accounts x12 Goat Easter Egg Mortar x3 x4 Elite Ninja Team Member

We are Karma's soldiers.
Mugu Gold

I must be cruel, only to be kind:
Thus bad begins and worse remains behind.
-Hamlet, scene iv

Ishkabibble
Wannabe Baiter


Joined: 29 Mar 2009
Posts: 89
Location: Canada


Posted: Fri Jun 12, 2009 6:32 pm

I got different info coming back for the IP - Herndon, VA

Quote:

(Asked whois.arin.net:43 about +71.40.130.83)

OrgName: Road Runner HoldCo LLC
OrgID: RCSW
Address: 13241 Woodland Park Road
City: Herndon
StateProv: VA
PostalCode: 20171
Country: US
ReferralServer: rwhois://ipmt.rr.com:4321
NetRange: 71.40.0.0 - 71.43.255.255
CIDR: 71.40.0.0/14
NetName: RCSW
NetHandle: NET-71-40-0-0-1
Parent: NET-71-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.BIZ.RR.COM
NameServer: NS2.BIZ.RR.COM
NameServer: DNS4.RR.COM
Comment:
RegDate: 2005-04-01
Updated: 2006-11-28
OrgAbuseHandle: ABUSE10-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: 1-703-345-3416
OrgAbuseEmail: [email protected]
OrgTechHandle: IPTEC-ARIN
OrgTechName: IP Tech
OrgTechPhone: 1-703-345-3416
OrgTechEmail: [email protected]
ARIN WHOIS database last updated 2009-06-11 19:10
Enter ? for additional hints on searching ARIN's WHOIS database.


Curious to get different results.

Regards,
sir scam alot
Doesn't share his goats


Joined: 19 Mar 2008
Posts: 5075
Location: Louisiana


Posted: Fri Jun 12, 2009 6:37 pm

The northern Virginia result is for Roadrunner itself, not the user. Notice that the abuse phone number is a 703 area code? That's the same area. Roadrunner is used quite a bit in Florida, they used to supply cable service for Brighthouse Networks which resold the product.

I also Googled Golfside Lending, found a website and ran the whois query on them:

Quote:
Domain GOLFSIDE.COM
Registrar GODADDY.COM, INC.
Registrar URL http://registrar.godaddy.com
Whois server whois.godaddy.com
Created 10-Dec-1998
Updated 11-Dec-2008
Expires 09-Dec-2010


I'd say the website is legit, perhaps someone in their office is using a work computer to send stuff out? I'm not sure but something isn't right here.

Badgerbait
Tactical Post-Whore


Joined: 07 Jan 2009
Posts: 4502
Location: Alas, summer is slow in responding.


Posted: Fri Jun 12, 2009 6:45 pm

Roadrunner is the internet provider associated with TimeWarnerCable. I wonder if it is just the IP addy for their main hub? Kind of like gmail stripping the actual IP?

sir scam alot
Doesn't share his goats


Joined: 19 Mar 2008
Posts: 5075
Location: Louisiana


Posted: Fri Jun 12, 2009 6:48 pm

I used whatismyipaddress.com to get the result I did.

Badgerbait
Tactical Post-Whore


Joined: 07 Jan 2009
Posts: 4502
Location: Alas, summer is slow in responding.


Posted: Fri Jun 12, 2009 7:17 pm

I am familiar with that part of VA and it is all corporate or government in that area. I would suspect the Herndon address is Roadrunner itself and that SSA is correct with the Florida address.

LegolasGreenleaf
Master Baiter


Joined: 21 May 2009
Posts: 126
Location: Mirkwood


Posted: Fri Jun 12, 2009 7:30 pm

Hmm...my guess would be that someone sent scam mail either from their work PC, -or- they used an open Wifi access point.

I don't know if it would be best to notify the company or the local authorities. Their website makes them look big enough to have a decent IT admin of some type, even though the site looks contracted out. Being a Network Admin of a medium-size company myself, I would personally want to know if an employee was doing this, and then I would bring it to our HR director who would probably fire them and report them to the police.

It could also be the open wifi access point, and they also may not have good monitoring in place to be able to trace who did it. However if the Admin knows about it, they can lock down the wifi and install monitoring software and figure out who is.

As for alerting the scammer at the business, you can just call and say that there seems to be a problem with their e-mail server, can I speak with your IT department or something similar. It's also unlikely the IT guy is doing it, as they should know how traceable it is. But not all IT people are qualified for their position...

_________________
Closed lad accounts
"i am leaving in the women's hostel because the camp have two hostels, one for men the other for men."
"the lawyer told me that you gave him a wrong control number and that he was inbarrast in the western union today."-F4ith Amu|)u

"...i consider your delay/silent to be constitutionally wrong, illegally untenable, technically illogical and professionally dangerous..."
"... it is understood and believe that delay is a mother killer to financial investment."-An0ml3z3 G0dw|n
sir scam alot
Doesn't share his goats


Joined: 19 Mar 2008
Posts: 5075
Location: Louisiana


Posted: Fri Jun 12, 2009 7:38 pm

I'm thinking this is an employee. I don't think they would leave their Wi-Fi open like that to anyone who is a non-employee. The other thing I should ask is: is this the first script, or were there emails subsequent to this with different IPs? I'd like to know if there was a change in IPs and locations before this one was received.

LegolasGreenleaf
Master Baiter


Joined: 21 May 2009
Posts: 126
Location: Mirkwood


Posted: Fri Jun 12, 2009 7:56 pm

You'd be surprised how lax some companies can get. Also, some do it as a public service, especially if they have clients visiting a lot like a mortgage/loan firm might. They could keep the wifi as a completely separate network if they wanted to, and set up schedules for it to be turned off, so no late-night wardrivers could abuse it.



Last edited by LegolasGreenleaf on Fri Jun 12, 2009 7:57 pm; edited 1 time in total
ratter
Master of Master Baiters


Joined: 03 Jun 2007
Posts: 630
Location: Disembarking at Duvalier Airport


Posted: Fri Jun 12, 2009 7:56 pm

I don't think any of the businesses mentioned have anything to do with the scam. The apparent sender's IP address is 71.40.130.83 which is a Roadrunner IP. Nothing says it's at a business, and IP addresses can be spoofed in headers.

Wire transfers can be picked up at any WU/MG office with the correct information, so the TN address is just more obfuscation.

I'd join sir scam alot in wanting to see all the emails from the lad, with full headers.

_________________
Closed lad accounts xseveral

United KingdomUnited StatesNigeriaSpainSwitzerlandBeninNetherlandsCanadaGhanaItalyIrelandMalaysiaUnited Nations = 56

Goat

PayPal Modality
LegolasGreenleaf
Master Baiter


Joined: 21 May 2009
Posts: 126
Location: Mirkwood


Posted: Fri Jun 12, 2009 7:59 pm

^^^The IP address is a static Road Runner business line that is registered to Golfside Lending. This is not a dynamic IP that could be assigned to any home Roadrunner user in the area.

But yes, more headers would be helpful, as they could just be wardriving around open wifi access points. Or it could be spoofed.

EDIT:

After doing some further inspection, it seems the user in Florida sent the message to a Microsoft Exchange server (presumably by the naming) in Los Angeles that belongs to an 'Oaks Media' company, hard to tell who that is, it's an internal domain name, oaksmedia.local. I can't find an Outlook Web Access site at that IP, so it must be a RPC over HTTP connection using Outlook.

Basically I am still investigating...but if this is truly an Exchange server in CA, then it gets interesting. Those are typically only used by businesses, but some services exist that let you pay subscriptions for accounts.



Last edited by LegolasGreenleaf on Fri Jun 12, 2009 8:17 pm; edited 1 time in total
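As an added illustration (not code from this thread or from any of the posters), the script below does by machine what sir scam alot's post and LegolasGreenleaf's edit above did by hand: it unfolds the Received lines quoted in the first post, lists the relay hops in transit order, reports the earliest publicly routable source address (71.40.130.83), flags the .local Exchange relay, and reads the sender's clock offset from the Date header. The header text is copied from the first post; the e-mail addresses are redacted on the page, so bracketed placeholders stand in for them.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Header lines copied from the first post of this thread (the addresses are
# redacted on the page, so bracketed placeholders stand in for them).
RAW_HEADERS = """\
X-SID-PRA: CIT Bank Limited <sender@[redacted]>
Received: from exchange-01.OaksMedia.local ([71.103.242.169]) by col0-mc2-f42.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
Wed, 10 Jun 2009 20:59:46 -0700
Received: from User ([71.40.130.83]) by exchange-01.OaksMedia.local with Microsoft SMTPSVC(6.0.3790.3959);
Wed, 10 Jun 2009 20:59:44 -0700
Reply-To: <reply@[redacted]>
From: "CIT Bank Limited"<sender@[redacted]>
Subject: Your Compensatory Grant
Date: Wed, 10 Jun 2009 23:59:44 -0400
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
"""

HEADER_START = re.compile(r"^([A-Za-z][\w-]*):\s*(.*)$")
# "from <helo> ([ip]) by <relay>" as written by Microsoft SMTPSVC / Exchange.
RECEIVED = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


@dataclass
class Hop:
    helo: str  # name the sender announced (HELO/EHLO) to the relay
    ip: str    # address the relay actually saw the connection come from
    by: str    # relay that wrote this Received header


def unfold(raw: str) -> List[Tuple[str, str]]:
    """Join folded continuation lines onto their header field (RFC 5322
    unfolding); in the quoted headers each Received date sits on its own line."""
    fields: List[List[str]] = []
    for line in raw.splitlines():
        m = HEADER_START.match(line)
        if m:
            fields.append([m.group(1), m.group(2)])
        elif fields and line.strip():
            fields[-1][1] += " " + line.strip()
    return [(k, v) for k, v in fields]


def received_hops(fields: List[Tuple[str, str]]) -> List[Hop]:
    """Relay chain in transit order (earliest hop first). Each relay prepends
    its own Received header, so the last one in the message is the first hop."""
    hops = []
    for name, value in fields:
        if name.lower() == "received":
            m = RECEIVED.search(value)
            if m:
                hops.append(Hop(m.group("helo"), m.group("ip"), m.group("by")))
    hops.reverse()
    return hops


def origin_ip(hops: List[Hop]) -> Optional[str]:
    """Earliest publicly routable 'from' address: the sending client as seen by
    the first relay. Only headers written by relays you trust (here Hotmail's)
    are guaranteed genuine; anything below them could have been forged."""
    for hop in hops:
        if ipaddress.ip_address(hop.ip).is_global:
            return hop.ip
    return None


def internal_relays(hops: List[Hop]) -> List[str]:
    """Relays whose names are not Internet-resolvable (.local), i.e. a private
    mail server such as an in-house Exchange box."""
    return [h.by for h in hops if h.by.lower().endswith(".local")]


def sender_utc_offset_minutes(fields: List[Tuple[str, str]]) -> Optional[int]:
    """UTC offset of the sending client's clock, from the Date header it wrote
    (the relays stamp their own zone in Received: -0700 here, i.e. Hotmail)."""
    for name, value in fields:
        if name.lower() == "date":
            m = re.search(r"([+-])(\d{2})(\d{2})\s*$", value)
            if m:
                sign = 1 if m.group(1) == "+" else -1
                return sign * (int(m.group(2)) * 60 + int(m.group(3)))
    return None


if __name__ == "__main__":
    fields = unfold(RAW_HEADERS)
    hops = received_hops(fields)
    for h in hops:
        print(f"{h.helo} [{h.ip}] -> {h.by}")
    print("origin:", origin_ip(hops), "internal relays:", internal_relays(hops))
    print("sender clock offset (minutes from UTC):", sender_utc_offset_minutes(fields))
```

The HELO name "User" on the first hop is a bare machine name rather than a mail host, which is what a desktop mail client submitting through its own Exchange server looks like; the -0400 Date offset is the sender's clock, not the relay's, and is consistent with the US East Coast locations discussed in the thread.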
ratter
Master of Master Baiters


Joined: 03 Jun 2007
Posts: 630
Location: Disembarking at Duvalier Airport


Posted: Fri Jun 12, 2009 8:17 pm

Legolas, you're right and I need to read a bit slower. Embarrassed

Would you agree with the Florida address (as opposed to Herndon VA)?

Gives 3 possibilities:

- Authorized user at Golfside
- Wardriver
- Spoofed header

Other?

Edit: ^^^ Golfside seems to have a lot of offices so they may have a corporate exchange network.

LegolasGreenleaf
Master Baiter


Joined: 21 May 2009
Posts: 126
Location: Mirkwood


Posted: Fri Jun 12, 2009 8:32 pm

Ah, yeah, lots of financial institutions have branch offices in Florida due to a lot of special legal regulations they have down there. It's probably just a very small satellite office, and the users there use RPC over HTTPS to connect directly to the Exchange server. But why on earth would they use their corporate e-mail account?

ratter
Master of Master Baiters


Joined: 03 Jun 2007
Posts: 630
Location: Disembarking at Duvalier Airport


Posted: Fri Jun 12, 2009 8:38 pm

Quote:
But why on earth would they use their corporate e-mail account?


Well, it could be an open access point. Or spoofed. OTOH, most crooks aren't Mensa members...and I'd bet your average office worker wouldn't know an IP address if it bit him in the ass...

LegolasGreenleaf
Master Baiter


Joined: 21 May 2009
Posts: 126
Location: Mirkwood


Posted: Fri Jun 12, 2009 8:44 pm

Well, the fact that it is relaying through Exchange servers instead of going direct to an outside mail provider means that they are using their Exchange e-mail address, even if they somehow figured out how to fake the reply-to address.

Or it's a spoofed header from someone who really knows what they are doing.

ratter
Master of Master Baiters


Joined: 03 Jun 2007
Posts: 630
Location: Disembarking at Duvalier Airport


Posted: Fri Jun 12, 2009 8:49 pm

^^^^ Agree, so we've either got a very smart lad or a very dumb one.

BTW, New Port Richey is 20 miles from Clearwater, where Golfside Lending (www.golfside.com) is located...how accurate do you think the IP geo info is?

LegolasGreenleaf
Master Baiter


Joined: 21 May 2009
Posts: 126
Location: Mirkwood


Posted: Fri Jun 12, 2009 9:51 pm

It would base it probably on the location of the ISP gateway to the net. 20 miles could be reasonable. The fact that the registered business name is in it has me convinced.

I am wondering if we should report this to the company HQ in LA or RR abuse email, or what?

ratter
Master of Master Baiters


Joined: 03 Jun 2007
Posts: 630
Location: Disembarking at Duvalier Airport


Posted: Fri Jun 12, 2009 10:02 pm

I'm trying to figure out the relationship between the apparent Exchange server IP

Quote:
General Information
Hostname: static-71-103-242-169.lsanca.dsl-w.verizon.net
ISP: Verizon Internet Services
Organization: Verizon Internet Services
Proxy: None detected
Type: Cable/DSL


Geo-Location Information

Country: United States
State/Region: CA
City: La Mirada
Latitude: 33.9009
Longitude: -118.0073
Area Code: 562


and the RR customer in Florida. I can't find any info on Golfside in California.

LegolasGreenleaf
Master Baiter


Joined: 21 May 2009
Posts: 126
Location: Mirkwood


Posted: Fri Jun 12, 2009 10:12 pm

Well, the server name is 'exchange-01' and it is on the domain 'OaksMedia.local'; the domain is generally descriptive of the company it represents so it's easy for the users to remember. That's just an internal domain name, so we won't find out much on the net, but we could assume that "Oaks Media" is a company or at least a DBA name for a company.

The problem with searching oaks media is you get a lot of prefixes to oaks...Thousand Oaks is a big 'suburb' of LA, but you get stuff like Tall Oaks, Shady Oaks, etc.

I will poke around and see if I can link the two company names somehow when I get home in a little bit.

Ishkabibble
Wannabe Baiter


Joined: 29 Mar 2009
Posts: 89
Location: Canada


Posted: Sat Jun 13, 2009 6:29 pm

Back online - sorry for the absence, I'm up in central Ontario where there's no service unless I come into town and use the library.

The first note I posted in this thread is the entire original email with headers.

The reply-to email id in that one is a Gmail id and that's who responded to me next. It is in the second post I put up in this thread. I hadn't bothered with the headers as it was Gmail but I'll put what I got at the end of this note.

These are the only two emails I've had with the scammer. At present the ball's in my court with him sending me the second note, asking for money to a US location. That's what roused my interest and I went back to the first note to see that I wasn't actually talking to a Legos lad and possibly a domestic one.

Reading the various suggestions above, I am thinking that I want to be careful to bury the hook well beforehand and not be a lunkhead and warn them off. If this is a local scammer then I'd like to do something more than just waste their time - possibly getting them to the point where the local LE would be pleased to put the arm on them. We can't usually put too many of these pricks out of commission long term but when the opportunity presents itself, it feels like an obligation.

Seems from the above that this is at best spoofed headers, and at worst possibly someone's rogue employee (which in itself would likely get attention quickly enough to get him nailed with or without my help).

Any other thoughts / suggestions much appreciated before I proceed.

The headers from email #2 of 2, posted originally above ---

Quote:

X-Message-Delivery: Vj0xLjE7RD0wO2w9MQ==
X-Message-Info: JGTYoYF78jEHjJx36Oi8+Z3TmmkSEdPt3Mi6GgUSv7yYKHQgGfDe+2wCW4LegkYQav29Pp7Mm4E=
Received: from mail-yx0-f134.google.com ([209.85.210.134]) by bay0-mc10-f6.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);
Thu, 11 Jun 2009 18:55:46 -0700
Received: by mail-yx0-f134.google.com with SMTP id 40so139059yxe.23
for <[email protected]>; Thu, 11 Jun 2009 18:55:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=gamma;
h=domainkey-signature:mime-version:received:in-reply-to:references
:date:message-id:subject:from:to:content-type;
bh=BSlvJaZIEigg4/zgh2dj8tvUI0OYo1Jgdv32F7KV+R0=;
b=odudE5W0ZzIZxJ3YAh9OwZm5uC3qjDt2WAtwiNt8csQ2wAGb2YkKqQSaqP3YOQ2kq/
2Wd/2+LfVSETCNwwyXXP1vvLoynfVxulMO0fqddbveSnuKQ7MB0JKAsdVeJ253Wl6+NU
HEKnOu6VygWJnaS3sEwkG8rcL8hokUTFTmdZI=
DomainKey-Signature: a=rsa-sha1; c=nofws;
d=gmail.com; s=gamma;
h=mime-version:in-reply-to:references:date:message-id:subject:from:to
:content-type;
b=be6K6Djqs4fwytARXt1FzUO/yFxVsqX0+CJm4E0dEGm9pTpTRba6aVkblKd1blrY7l
2RT9qC4v2jYOo1vqL3E6IIfbOrFM875mFdPnefd00YKy668upeVjkCa1c1Y/0EX6wTqa
lKaVsdxMn+12D+6tfx/vgQ9dwfpdMJ39hUAo0=
MIME-Version: 1.0
Received: by 10.231.15.6 with SMTP id i6mr1466898iba.12.1244771741732; Thu, 11
Jun 2009 18:55:41 -0700 (PDT)
In-Reply-To: <[email protected]>
References: <[email protected]>
<[email protected]>
Date: Fri, 12 Jun 2009 02:55:41 +0100
Message-ID: <[email protected]>
Subject: Re: Your Compensatory Grant
From: Jas0n McNu1ty <[email protected]>
To: Merwyn Bogue <[email protected]>
Content-Type: multipart/alternative; boundary=00221532cb887e0f86046c1d01cb
Return-Path: [email protected]
X-OriginalArrivalTime: 12 Jun 2009 01:55:46.0950 (UTC) FILETIME=[E7473260:01C9EB00]

--00221532cb887e0f86046c1d01cb
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

16124 W3st Road, P1keville, TN 37352

RE: Your Compensatory Grant

Dear Sir/Madam:

My name is Jas0n McNu1ty, I'm the Account Officer assigned to your
transaction (EA####-910).

MODE OF PAYMENT: Western Union Money Transfer Network or Money Gram.

ESCROW OFFICER'S INFORMATION FOR PAYMENT OF $550.00 USD VIA THE WESTERN
UNION MONEY TRANSFER OR MONEY GRAM:
NAME: S0mer Shadw1ck
CITY: Pikeville
STATE: Tennessee
TEST QUESTION: Transaction Code
TEST ANSWER: ####

SENDERS FULL NAMES:
SENDERS FULL ADDRESS:

AMOUNT: $550.00

MTCN {Money Transfer Control Number}:
or
Reference Number:

The MTCN {10 Digit} is the confirmation number of the money sent if the fee
was sent via western union while the REFERENCE NUMBER {8 Digit} is the
confirmation number of the money sent if the fee was sent via money gram.

The confirmation of "Receipt" of the fee must be attached to the
disbursement of your funds for it to be accepted as a viable transaction.

Sincerely,

Jas0n McNu1ty
ACCOUNT OFFICER

CIT Bank Limited
16124 W3st Road, P1keville, TN 37352

*CONFIDENTIAL & PRIVILEGED COMMUNICATION*

This email and any files transmitted with it are confidential, may contain
privileged or copyright information, and are intended solely for the use of
the intended recipient. If you are not the intended recipient of this email,
you are require d to notify the sender immediately and delete this email
from your system. You may not copy, distribute or use this email or the
information contained in it for any purpose other than to notify the sender.
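An added example, not from the thread or any of its posters, showing what a script can pull out of a header block like the one quoted above: it walks the Received chain oldest hop first, separates private from publicly routable relay addresses, picks out the DKIM d= domain and the Return-Path, and checks that the hop timestamps run forward. The sample message is constructed from the second e-mail's headers as quoted in the thread, trimmed (signature fields shortened, body omitted), with the redacted addresses left exactly as the thread shows them; the function names are my own.

```python
"""Walk an e-mail's Received chain and report what the headers actually show."""
import email
import ipaddress
import re
from email.utils import parsedate_to_datetime

# Constructed sample: the second scam e-mail's headers as quoted in the thread,
# trimmed (DKIM signature fields shortened, body omitted); the "[email protected]"
# strings are the thread's own redactions, kept as-is.
SAMPLE_HEADERS = """\
Received: from mail-yx0-f134.google.com ([209.85.210.134]) by bay0-mc10-f6.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);
  Thu, 11 Jun 2009 18:55:46 -0700
Received: by mail-yx0-f134.google.com with SMTP id 40so139059yxe.23
  for <[email protected]>; Thu, 11 Jun 2009 18:55:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=gmail.com; s=gamma;
MIME-Version: 1.0
Received: by 10.231.15.6 with SMTP id i6mr1466898iba.12.1244771741732; Thu, 11
  Jun 2009 18:55:41 -0700 (PDT)
Date: Fri, 12 Jun 2009 02:55:41 +0100
Subject: Re: Your Compensatory Grant
From: Jas0n McNu1ty <[email protected]>
Return-Path: [email protected]

(body omitted)
"""

# Dotted quad not embedded in a longer dotted token (so "SMTPSVC(6.0.3790.2668)" is skipped).
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def _unfold(value):
    """Collapse RFC 5322 header folding (newline + whitespace) into single spaces."""
    return re.sub(r"\s+", " ", value).strip()


def _parse_stamp(stamp):
    """Parse a date-time token after dropping comments like '(PDT)'; None if unparsable."""
    stamp = re.sub(r"\([^)]*\)", "", stamp).strip()
    try:
        return parsedate_to_datetime(stamp)
    except (ValueError, TypeError):
        return None


def parse_received(value):
    """Pull the 'from' host, the 'by' host, every valid IP and the timestamp out of one Received header."""
    v = _unfold(value)
    m_from = re.search(r"\bfrom\s+(\S+)", v)
    m_by = re.search(r"\bby\s+(\S+)", v)
    ips = []
    for cand in IPV4.findall(v):
        try:
            ips.append(ipaddress.ip_address(cand))
        except ValueError:
            pass  # e.g. an octet above 255: looks like an address but is not one
    return {
        "from": m_from.group(1) if m_from else None,
        "by": m_by.group(1) if m_by else None,
        "ips": [str(ip) for ip in ips],
        "public_ips": [str(ip) for ip in ips if ip.is_global],
        "date": _parse_stamp(v.rsplit(";", 1)[1]) if ";" in v else None,
    }


def trace(raw):
    """Received hops oldest first: each relay prepends its header, so the last one in the message is the origin."""
    msg = email.message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()
    return hops


def summarize(raw):
    """What the headers support: origin hop, first public relay, signer domain, envelope sender, clock sanity."""
    msg = email.message_from_string(raw)
    hops = trace(raw)
    dates = [h["date"] for h in hops if h["date"] is not None]
    dkim = re.search(r"\bd=([^;\s]+)", _unfold(msg.get("DKIM-Signature", "")))
    date_hdr = _parse_stamp(msg.get("Date", ""))
    return {
        "hops": len(hops),
        "origin_by": hops[0]["by"] if hops else None,
        "origin_ips": hops[0]["ips"] if hops else [],
        # First globally routable address seen from the origin outward; on webmail
        # this is the provider's relay, not the sender's machine.
        "first_public_ip": next((ip for h in hops for ip in h["public_ips"]), None),
        "dkim_domain": dkim.group(1) if dkim else None,
        "return_path": (msg.get("Return-Path") or "").strip().strip("<>"),
        # Hand-forged chains often carry timestamps that run backwards.
        "timestamps_monotonic": all(a <= b for a, b in zip(dates, dates[1:])),
        "transit_seconds": int((dates[-1] - dates[0]).total_seconds()) if len(dates) > 1 else None,
        # Sender-controlled: the sending client's clock and zone, not the relays'.
        "date_header_utcoffset_minutes": int(date_hdr.utcoffset().total_seconds() // 60) if date_hdr else None,
    }


if __name__ == "__main__":
    for i, hop in enumerate(trace(SAMPLE_HEADERS)):
        print(f"hop {i}: from={hop['from']} by={hop['by']} ips={hop['ips']} at {hop['date']}")
    print(summarize(SAMPLE_HEADERS))
```

On this sample the oldest hop is Gmail's internal 10.231.15.6, so the sender's own address is not in these headers at all; the first public address, 209.85.210.134, is Google's outbound relay, and d=gmail.com only says Google signed the message on its way out, not who was at the keyboard. The -0700 stamps are the relays' clocks; the +0100 in the Date: header is whatever the sending client reported, which is a hint to note rather than evidence. The monotonic-timestamp check is one cheap test for a chain that was typed in by hand rather than built by real relays.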
Ishkabibble
Wannabe Baiter


Joined: 29 Mar 2009
Posts: 89
Location: Canada


Posted: Tue Jun 16, 2009 1:09 am

My US scammer has moved to China?!!

Actually he's changed his account from a Gmail one ("temporary problems" apparently) to Yahoo.cn.

How do I look at headers in the Gmail account I am receiving his notes into? I tried looking around Gmail but could not see it readily.

In the meantime, I've simply sent him a simple note asking for him to help me with doing the WU payment as I'm quite unaware of such things and appreciate his "professionalism".

It was to this that he replied from the Yahoo.cn account and simply reassured me to not tell anyone anything (or they might steal my money!) and that I had to notify him with the number right away.

Regards,


Last edited by Ishkabibble on Tue Jun 16, 2009 8:03 pm; edited 1 time in total
All Content © 2003 - 419Eater.com
Powered by phpBB © 2001, 2002 phpBB Group :S5: FI Theme :: All times are GMT