SmartFeedSmartFeed          

Porsche Hangout


WELCOME - YOU ARE CURRENTLY VIEWING 419EATER AS A GUEST

By joining our community you will have the ability to post topics and access other forums reserved for members. Registration is quick, simple and absolutely free. Join our community today by clicking here.

ScamWarners.com - Internet Anti-Fraud Center - now open!


 Just got a scam/phishing mail, what to reply with?

View next topic
View previous topic
 
Post new topicReply to topic
Author Message
KingOfQueens
Hello I'm New here!


Joined: 08 Feb 2010
Posts: 6


PostPosted: Mon Feb 08, 2010 11:48 am Reply with quoteBack to top

I just got a scamming mail from someone who is "interested in selling a laptop".
I got it by contacting the seller at a Norwegian craigslist-style website.

Mail goes as follows:

Hi,

Still for sale Dell laptop is new , unused, warranty 1 year international, come with receipt. I do not need it and i need the money that is the reason i am selling this laptop. I am in Spain, Barcelona now, delivery will be made from here, shipping costs will be suported by me if you want to make a deal. Come with original Windows 7 profesional dvd. I do not require payment up front, but i want to make this deal safe. So if you are interested get back to me so we can discuss regarding payment and delivery !
Thanks,
Strand
---------
Header says: X-Originating-IP: [172.129.67.174]
Traceroute says ip is American, though I suspect it's just proxied through some unknowing victim.
Also, the laptop he is selling is a laptop that never came with Windows 7 and Dell has never released Windows 7 drivers for it either.
Also, the little "personal" info that this scammer has left behind, last name Strand living at postal code so and so in Oslo, does not add up when searching for Strand in the online phonebook. There is no last name Strand at that address.
Also, googling his email address I found another computer he has for sale, this one on a GREEK website?! Also, a great offer, too good to be true.
I've reported this person to the website where he has put this laptop up for sale.

However, I would like to mail this person something that will make him sweat. Say, something like, "oh Barcelona! That's great! I have a friend there, maybe he could pick up the laptop for me, and he can bring the money as well."? Just something to pull his leg... Any tip please?
View user's profileSend private message
PsycheDelia_Smith
Baiting Guru


Joined: 30 Oct 2004
Posts: 3573
Location: Devon, UK


PostPosted: Mon Feb 08, 2010 1:22 pm Reply with quoteBack to top

The 172 range is often AOL servers, is he using an aol address? Look for the very last IP address in the header, rather than the X-Originating-IP, if possible. I think you've got the server's IP there.

You know what's important anyway, it's a con. If you're sure it is, then send him on some westie jaunts.

_________________
SATISFIED CLIENTS:
"I was forced to sell off my designers black suit to be able to return back to Ouagadougou and on my coming back here my wife
took me to the cyber cafe and showed me the site where my photographs of circumcision was put on the net."-'Tosser' 0gugu0

"I am now completely twatted and shagged and will obey all your instructions to the fullest."-"Tosser" Oguguo

Golden Pith "Frankily speaking,I wouldn't want to travel to the far east again."-Edward Smith, Lagos-Singapore (14600 miles round trip via Dubai)


9x Safari 4 x Lagos-Accra , 3x Port Harcourt - Ibadan, 1x Lagos-Singapore, 1x Burkina-Bamako
Netherlands Nigeria Ghana South Africa
Sand Timer'Ed', 3 yrs 8 mnths Sand Timer'Oguguo',6 years and 4 months
View user's profileSend private message
KingOfQueens
Hello I'm New here!


Joined: 08 Feb 2010
Posts: 6


PostPosted: Mon Feb 08, 2010 2:04 pm Reply with quoteBack to top

It's a hotmail address.

And that is the last IP in the header. The other IP's mentioned are:
Received: from 65.55.116.34 (EHLO blu0-omc1-s23.blu0.hotmail.com) (65.55.116.34)
Received: from BLU139-W20 ([65.55.116.9]) by blu0-omc1-s23.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959)

The X-Originating-IP is the only one that isn't a mail server.

I replied to him with:

Hi.

Ah, you’re not in Oslo? You’re not even in Norway?
The problem with sending it to Norway is that I have to pay toll and taxes for it. 25% just in VAT, add toll to that. Suddenly it’s not so cheap any more...
Let me know if it’s still for sale when you get back to Norway though. I might still be interested. : )
Best regards


--Surname Lastname

(Yeah, I mailed with my full name in my first mail. However, I live far from any criminals, in a small place between mountains, far out of his reach, I don't worry)

I'm curious about his reply to this. Will he let it go that easily or will he try to get me hooked somehow?
View user's profileSend private message
PsycheDelia_Smith
Baiting Guru


Joined: 30 Oct 2004
Posts: 3573
Location: Devon, UK


PostPosted: Mon Feb 08, 2010 4:09 pm Reply with quoteBack to top

It's an aol dialup server anyway, so his own IP is not visible. I'm betting he's somewhere due south though. When we had aol here many, many years ago when they were the only affordable option, our IP resolved to the 172 range too.

IP : 172.129.67.174
Host : ac8143ae.ipt.aol.com
Country : United States

_________________
SATISFIED CLIENTS:
"I was forced to sell off my designers black suit to be able to return back to Ouagadougou and on my coming back here my wife
took me to the cyber cafe and showed me the site where my photographs of circumcision was put on the net."-'Tosser' 0gugu0

"I am now completely twatted and shagged and will obey all your instructions to the fullest."-"Tosser" Oguguo

Golden Pith "Frankily speaking,I wouldn't want to travel to the far east again."-Edward Smith, Lagos-Singapore (14600 miles round trip via Dubai)


9x Safari 4 x Lagos-Accra , 3x Port Harcourt - Ibadan, 1x Lagos-Singapore, 1x Burkina-Bamako
Netherlands Nigeria Ghana South Africa
Sand Timer'Ed', 3 yrs 8 mnths Sand Timer'Oguguo',6 years and 4 months

Last edited by PsycheDelia_Smith on Mon Feb 08, 2010 4:14 pm; edited 2 times in total
View user's profileSend private message
KingOfQueens
Hello I'm New here!


Joined: 08 Feb 2010
Posts: 6


PostPosted: Mon Feb 08, 2010 4:10 pm Reply with quoteBack to top

Ah. And I just got the reply from him.

Hey
I advertise it on Norway because i was planning to come to norway by the end of this week, but i have a business here in Spain and something came up and i am not able to come until March. Delivery will be made as "gift" and declared value will be under 200 so that no extra fees should be paid on customs.Anyway if you are interested here how we can do the deal. I will make delivery of the laptop via International Courier ( http://courier-international.com ) and deposit the dell laptop to their custody. After they have the laptop you make payment to them. Money are kept by company until you receive and inspect the laptop. after you receive it and inspect it i will receive money from them. This way we are both protected.
Let me know your decision.
Thanks, Strand
--------------
Yeah, I know, courier international is some sort of fake thing where I never see my money again. Let's see... Any tip on what to reply to him with? I'll scan the forums to see if I can find any good inspirational stuff, but any help would be appriciated. : )

By the way, the sales ad he (still) has up is at:
http://www.finn.no/finn/bap/object?finnkode=20720138
for anyone curious about it.
View user's profileSend private message
PsycheDelia_Smith
Baiting Guru


Joined: 30 Oct 2004
Posts: 3573
Location: Devon, UK


PostPosted: Mon Feb 08, 2010 4:13 pm Reply with quoteBack to top

God, he's busy! If he cut back on the travel, he wouldn't need to sell the laptop. Wink

Edit: at least you got a fake courier site out of it. It'd be interesting to see if the email address you're told to contact is the same domain as the website. A complaint will be sent to the hoster from here, if it won't wreck your bait. Fake sites should always come down anyway of course.

_________________
SATISFIED CLIENTS:
"I was forced to sell off my designers black suit to be able to return back to Ouagadougou and on my coming back here my wife
took me to the cyber cafe and showed me the site where my photographs of circumcision was put on the net."-'Tosser' 0gugu0

"I am now completely twatted and shagged and will obey all your instructions to the fullest."-"Tosser" Oguguo

Golden Pith "Frankily speaking,I wouldn't want to travel to the far east again."-Edward Smith, Lagos-Singapore (14600 miles round trip via Dubai)


9x Safari 4 x Lagos-Accra , 3x Port Harcourt - Ibadan, 1x Lagos-Singapore, 1x Burkina-Bamako
Netherlands Nigeria Ghana South Africa
Sand Timer'Ed', 3 yrs 8 mnths Sand Timer'Oguguo',6 years and 4 months
View user's profileSend private message
PsycheDelia_Smith
Baiting Guru


Joined: 30 Oct 2004
Posts: 3573
Location: Devon, UK


PostPosted: Mon Feb 08, 2010 4:20 pm Reply with quoteBack to top

The hoster is Affinity, a US company, so getting it taken down should be ok.

[edit] Would you mind if I mailed him about the laptop too?

_________________
SATISFIED CLIENTS:
"I was forced to sell off my designers black suit to be able to return back to Ouagadougou and on my coming back here my wife
took me to the cyber cafe and showed me the site where my photographs of circumcision was put on the net."-'Tosser' 0gugu0

"I am now completely twatted and shagged and will obey all your instructions to the fullest."-"Tosser" Oguguo

Golden Pith "Frankily speaking,I wouldn't want to travel to the far east again."-Edward Smith, Lagos-Singapore (14600 miles round trip via Dubai)


9x Safari 4 x Lagos-Accra , 3x Port Harcourt - Ibadan, 1x Lagos-Singapore, 1x Burkina-Bamako
Netherlands Nigeria Ghana South Africa
Sand Timer'Ed', 3 yrs 8 mnths Sand Timer'Oguguo',6 years and 4 months

Last edited by PsycheDelia_Smith on Mon Feb 08, 2010 4:31 pm; edited 1 time in total
View user's profileSend private message
KingOfQueens
Hello I'm New here!


Joined: 08 Feb 2010
Posts: 6


PostPosted: Mon Feb 08, 2010 4:30 pm Reply with quoteBack to top

Hmmm... His second mail had two X-Originating-IP.

X-Originating-IP: [65.55.116.43]
Received: from 65.55.116.43 (EHLO blu0-omc1-s32.blu0.hotmail.com) (65.55.116.43)
by mta164.mail.ukl.yahoo.com with SMTP; Mon, 08 Feb 2010 15:26:14 +0000
Received: from BLU139-W23 ([65.55.116.7]) by blu0-omc1-s32.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
Mon, 8 Feb 2010 07:26:14 -0800
Message-ID: <[email protected]>
Content-Type: multipart/alternative;
boundary="_b7d4c828-d443-4e97-b44c-b90e10fb0b1a_"
X-Originating-IP: [38.119.107.114]

I suspect the last one is the proxied one (since the first one is the hotmail server one).
Yah, seems like this person does know how to hide his tracks. Shame.
View user's profileSend private message
PsycheDelia_Smith
Baiting Guru


Joined: 30 Oct 2004
Posts: 3573
Location: Devon, UK


PostPosted: Mon Feb 08, 2010 4:35 pm Reply with quoteBack to top

Yes, I've coded a few email clients and getting the correct IP address from a header isn't always as clearcut as most people imagine. The best rule is the last one in the header, as mentioned earlier. Different servers configure their headers in different ways, and the only things that are always 100 percent reliable are the Subject and the FROM address, and of course that's dead easy to spoof.

_________________
SATISFIED CLIENTS:
"I was forced to sell off my designers black suit to be able to return back to Ouagadougou and on my coming back here my wife
took me to the cyber cafe and showed me the site where my photographs of circumcision was put on the net."-'Tosser' 0gugu0

"I am now completely twatted and shagged and will obey all your instructions to the fullest."-"Tosser" Oguguo

Golden Pith "Frankily speaking,I wouldn't want to travel to the far east again."-Edward Smith, Lagos-Singapore (14600 miles round trip via Dubai)


9x Safari 4 x Lagos-Accra , 3x Port Harcourt - Ibadan, 1x Lagos-Singapore, 1x Burkina-Bamako
Netherlands Nigeria Ghana South Africa
Sand Timer'Ed', 3 yrs 8 mnths Sand Timer'Oguguo',6 years and 4 months
View user's profileSend private message
KingOfQueens
Hello I'm New here!


Joined: 08 Feb 2010
Posts: 6


PostPosted: Mon Feb 08, 2010 4:44 pm Reply with quoteBack to top

LOL! I don't think it's hard to find the right IP address. Just like it says in the forums help section, it's most often the last one. Also, I like to nslookup and tracert the ip to see if I'm wrong. Also, if the scammer is somewhat smart (but then he'd have a job rather than be a criminal, right?) he could send fake x-originating-ip with his mail. So again, I like to check to make sure.

I'm surprised they are smart enough to know better than to let their IP stand out and glare at you. This person is obviously smart enough to learn how to do that, so why not just get a job instead? Hmh.
View user's profileSend private message
PsycheDelia_Smith
Baiting Guru


Joined: 30 Oct 2004
Posts: 3573
Location: Devon, UK


PostPosted: Mon Feb 08, 2010 4:50 pm Reply with quoteBack to top

Might not be hard to find it, but just try parsing it out of a header. That's harder than it sounds, since your code needs to look at the others to make sure they're irrelevant. A surprising number of people think it's the X-Originating-IP that counts.

Anyways, alright if I mail this lad? He sounds like a 'seller' I've met before a few years back....

BTW, he doesn't need to be smart. A aol dialup account will hide his ass for him, as will certain ISP webmail (including this lad's). Having said that, the lads at the top of the food chain tend to know their stuff, and he might even be a Vlad for all we know. That's why I'm curious to write to him myself...

_________________
SATISFIED CLIENTS:
"I was forced to sell off my designers black suit to be able to return back to Ouagadougou and on my coming back here my wife
took me to the cyber cafe and showed me the site where my photographs of circumcision was put on the net."-'Tosser' 0gugu0

"I am now completely twatted and shagged and will obey all your instructions to the fullest."-"Tosser" Oguguo

Golden Pith "Frankily speaking,I wouldn't want to travel to the far east again."-Edward Smith, Lagos-Singapore (14600 miles round trip via Dubai)


9x Safari 4 x Lagos-Accra , 3x Port Harcourt - Ibadan, 1x Lagos-Singapore, 1x Burkina-Bamako
Netherlands Nigeria Ghana South Africa
Sand Timer'Ed', 3 yrs 8 mnths Sand Timer'Oguguo',6 years and 4 months
View user's profileSend private message
KingOfQueens
Hello I'm New here!


Joined: 08 Feb 2010
Posts: 6


PostPosted: Mon Feb 08, 2010 5:00 pm Reply with quoteBack to top

Well, here's the full header from the first mail.

X-Apparently-To: @yahoo.no via 217.146.189.26; Mon, 08 Feb 2010 11:10:54 +0000
X-YahooFilteredBulk: 65.55.116.34
X-YMailISG: dwxw9q8WLDvcDXUauAeTSMJfYl1u0LyW3_yf1eQ4zdgOBZaomx7HpgLGtkWP8404JA_JBN4reSVgDcK2fI7wLlsI2GzYJBLRwl0riqlioNIeJxNDtmo5YykoDVsvfmNE1l9hEV3elHlcNtjNQBcCmbPf1H9nbGkGI2UO0138LJh7BTMYGxL7hAhtGzFcOwiwjjAKkqOr__yu9krDJAlXrZG.0f2FGgUUrsVXIwDgi45JueVL7fx2EqmpehqN0bS6yzDyakj0eFWdA4PAT2vTnqinuhaDAIfPysQK4PtGxAfHd7yO31SqXPPTUd0anG_SFGEjF6laoH9o1zX4ZnVZW0aiEn7rAU4b345An9SsBPDO2.ZqBdjH7_QVgbyhV6epLt6YlFCQAYDNChVOsZOE92E_trVQ6px1f_V7Fj9wpR3rVs2.orXCGjeQbuJKQiJLVlB4mYukUMInv0aaMG0btCK7yqWempemlsrT8Z4Y.MyXyHo5ssKuDAU2kQUjoKlZrMvB2o9YctiPUcEqubp8_dUEvegg.iWDruI.fiSWwJN7_ZP1E5U1jawP9dCwaHIJSdYnHjO1NH7qnsNsExkOiBf0mnKyObOCkxKtMyVPjfYvhhjoQHoZLM2GTG0i6HJgGVOd7i66B4ewyGm_d.vQU7MdkOcpr.OVPbs.CFYH_EOydhQXPMCgClVQ9uyBAYCpX6iLmSJrXapKmuwyY5grFl7o6Z2zt7ceSrI0oc64HioSXSNYL0gi6QuAP6i8LTXjCKXx_lXZUoLBUh_chEn8YFIZIivMz.E04hU9xmolb92cuBFPMajXCTY1vZ_vGZPk.pM1sfFG0DRNx5LBOB0y_cC5mtOYUgZL3.ETiV4gUw3jXjEAljZOZw3jBkXRIUy8COE88d_NWNfgYTQMjeJYiOwJj1aVDHkGeR6w_5WY0wUE2BkjlV51vj_aOw--
X-Originating-IP: [65.55.116.34]
Authentication-Results: mta143.mail.ird.yahoo.com from=hotmail.com; domainkeys=neutral (no sig); from=hotmail.com; dkim=neutral (no sig)
Received: from 65.55.116.34 (EHLO blu0-omc1-s23.blu0.hotmail.com) (65.55.116.34)
by mta143.mail.ird.yahoo.com with SMTP; Mon, 08 Feb 2010 11:10:53 +0000
Received: from BLU139-W20 ([65.55.116.9]) by blu0-omc1-s23.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
Mon, 8 Feb 2010 03:10:32 -0800
Message-ID: <[email protected]>
Content-Type: multipart/alternative;
boundary="_2008a606-e1ac-4b7e-823c-8c9a64a62a73_"
X-Originating-IP: [172.129.67.174]
From: R B <[email protected]>
To: <@yahoo.no>
Subject: RE: Dell laptop XPS M1730 (@yahoo.no)
Date: Mon, 8 Feb 2010 11:10:32 +0000
Importance: Normal
In-Reply-To: <[email protected]>
References: <[email protected]>
MIME-Version: 1.0
X-OriginalArrivalTime: 08 Feb 2010 11:10:32.0261 (UTC) FILETIME=[546C5750:01CAA8AF]

Second mails header:

X-Apparently-To: @yahoo.no via 217.146.189.26; Mon, 08 Feb 2010 15:26:14 +0000
X-YahooFilteredBulk: 65.55.116.43
X-YMailISG: soNuFFQWLDs9p_AGVvkMWdCYUkCoYv1AcR4g9TWYoBsPwZblnnGPCvCSn11CenLtkJKyOzRpDdsjaopMrRRuBYxZydl1RtMdOW0voRQzOW46YvNY9ld1RALlGxBSJvAGl.yef3d4BYiL5Sbc7H7FyAuDgmMKnRNjoYeiRl6ksXT.VCDqhj0fmuZlMfrI6AoKbOoXEeu.PT15M8gE1t34WQJAUFd9v.nbz1Ao7CxECxxqb4L_atJXm9EO0seTK2rupAh3OJVM7vuRYRaqT9mL_wz.K0ZZBAZq7lTDZ03hMc5DIDZQN9BIrZX3YVCuyxG_du5MLRygm5hj11R0N931LEUe4ukfHssA02XeTWLq4bxIzJUWv2BWTITRlq0XusDvHFSZwAyg.uEqDCYy6fjimdXcKJWFvjfYA..Jc6.bIfcmeME7KAdJ5yWZ1oH8an84kU.vy5v3VF9RAnEEhdlwS5BMiob8EMSxU.F9_Vw.5mFwmaDjdwAyz63YG.LoksEyXDbXqOFyBPMOpWZP.EpTHkDXzqUTxJePDAENL8_urc28LFlSS0wmNp6liLWwHZF58FIHQVNRB4sRl2NWNCMcqF3eAZnbUGsO4k0GW9415bFc8HRNM4METiR4ln5Jyuj9QaPyqipfW9adoQS_VfxNiPN0rYG60pDY_Hp8BIG8MdokK9upTiuTMyEUMkdMNG.4s.7WiHFunfZO2dUs5GzASu6G_VNaz42wrYMoerRK4euuDjWiCxAY38J0Wwy.x0P.oxlqZQEmPCAya63TYVora1TYnrcn6Yb.S8o4._R3hQSAW8zsEGAunx5_1P77.SZvIAckXmJqBit95TG1eem2_0ZoFQknjvMSXq.6ZWL9gz66eXtdPQ7pUXwXvAG6wf9oCqmbXq1gQlauSX6O.lnoFj1JtQERDtR6WdQt5ZPjGvzryxY-
X-Originating-IP: [65.55.116.43]
Authentication-Results: mta164.mail.ukl.yahoo.com from=hotmail.com; domainkeys=neutral (no sig); from=hotmail.com; dkim=neutral (no sig)
Received: from 65.55.116.43 (EHLO blu0-omc1-s32.blu0.hotmail.com) (65.55.116.43)
by mta164.mail.ukl.yahoo.com with SMTP; Mon, 08 Feb 2010 15:26:14 +0000
Received: from BLU139-W23 ([65.55.116.7]) by blu0-omc1-s32.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
Mon, 8 Feb 2010 07:26:14 -0800
Message-ID: <[email protected]>
Content-Type: multipart/alternative;
boundary="_b7d4c828-d443-4e97-b44c-b90e10fb0b1a_"
X-Originating-IP: [38.119.107.114]
From: R B <[email protected]>
To: <@yahoo.no>
Subject: RE: SV: Dell laptop XPS M1730 (@yahoo.no)
Date: Mon, 8 Feb 2010 15:26:14 +0000
Importance: Normal
In-Reply-To: <[email protected]>
References: <[email protected]>
<[email protected]>,<[email protected]>
MIME-Version: 1.0
X-OriginalArrivalTime: 08 Feb 2010 15:26:14.0235 (UTC) FILETIME=[0CF3CAB0:01CAA8D3]
-----------------------------------
Go ahead, have a blast with him. I think you'll have to have a go to the sales ad he's put up. Unless you want to make him suspect something.
http://www.finn.no/finn/bap/object?finnkode=20720138
Click on "send epost" on the upper right hand side, where it also says "Strand R B", "fra epost" means "from e-mail" (where you want him to send his emails to), "melding til mottaker" means "message to recipient", "hilsen", means "regards" (what you want him to think your name is).

His sales ad as well as all his mails are in English. So no further knowledge of Norwegian is necessary. ; )
View user's profileSend private message
PsycheDelia_Smith
Baiting Guru


Joined: 30 Oct 2004
Posts: 3573
Location: Devon, UK


PostPosted: Mon Feb 08, 2010 5:04 pm Reply with quoteBack to top

Appreciate it, thanks. He's part of something quite well-organised, I'm just curious to see if he's with who I think he's with.

_________________
SATISFIED CLIENTS:
"I was forced to sell off my designers black suit to be able to return back to Ouagadougou and on my coming back here my wife
took me to the cyber cafe and showed me the site where my photographs of circumcision was put on the net."-'Tosser' 0gugu0

"I am now completely twatted and shagged and will obey all your instructions to the fullest."-"Tosser" Oguguo

Golden Pith "Frankily speaking,I wouldn't want to travel to the far east again."-Edward Smith, Lagos-Singapore (14600 miles round trip via Dubai)


9x Safari 4 x Lagos-Accra , 3x Port Harcourt - Ibadan, 1x Lagos-Singapore, 1x Burkina-Bamako
Netherlands Nigeria Ghana South Africa
Sand Timer'Ed', 3 yrs 8 mnths Sand Timer'Oguguo',6 years and 4 months
View user's profileSend private message
Display posts from previous:      
Post new topicReply to topic


 Jump to:   



View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



** Find out information about your IP address **


All Content © 2003 - 419Eater.com
Powered by phpBB © 2001, 2002 phpBB Group :S5: FI Theme :: All times are GMT