 Strange IP

Dharma (Baiting Guru; joined 11 Jun 2008; 2144 posts; location: The Empty Quarter)
Posted: Tue Feb 23, 2010 2:14 am

Quote:
Hello,

I have a good business proposal to share with you. Please let me hear =
from
you to enable me provide you with the necessary details for us to begin
the process.

Email: [email protected]

Thanks and Regards,

Tai


Well, I checked the email address and it belongs to a lecturer at the University of Abertay, Dundee, Scotland.

Some may suggest her email might have been hacked.

Guess what, the IP address goes back to the University of Abertay, Dundee, Scotland!!!

Isn't that weird?

Here are the headers. I removed the lecturer's name.

Whoever sent this email signed it with a different name from the real lecturer's.

X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MTtTQ0w9Mw==
X-Message-Status: n:0
X-Message-Info: 39b3kEZapmWVMVgMKzChvXw8biv4DWn+U2g6eTl4knD/Y6VMUTR0j06rnV0nVscfWepFqgrO5NI7E3RieQgu7Q==
Received: from UADHTS01.uad.ac.uk ([193.60.160.125]) by snt0-mc2-f4.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
 Mon, 22 Feb 2010 17:39:42 -0800
Received: from uadmta03.uad.ac.uk (193.60.160.134) by UADHTS01.uad.ac.uk
 (193.60.160.125) with Microsoft SMTP Server id 8.2.213.0; Tue, 23 Feb 2010
 01:39:27 +0000
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-Class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="----_=_NextPart_001_01CAB41A.D9C6AD99"
Subject: Business Proposal
Date: Mon, 22 Feb 2010 23:57:54 +0000
Message-ID: <[email protected]>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Business Proposal
Thread-Index: Acq0GtdVjX7iZxsBSpmOFHAp+HiOZA==
From: "******" <*****@abertay.ac.uk>
To: Undisclosed recipients:;
Return-Path: *****@abertay.ac.uk
X-OriginalArrivalTime: 23 Feb 2010 01:39:42.0308 (UTC) FILETIME=[120E8240:01CAB429]

------_=_NextPart_001_01CAB41A.D9C6AD99
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Hello,

I have a good business proposal to share with you. Please let me hear =
from
you to enable me provide you with the necessary details for us to begin
the process.

Email: [email protected]

Thanks and Regards,

Tai

=20

------_=_NextPart_001_01CAB41A.D9C6AD99
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


Last edited by Dharma on Tue Feb 23, 2010 2:45 am; edited 1 time in total
internationalchrysis (raging alcoholic; joined 19 Aug 2008; 3793 posts; location: Romancing the (Blood from a) stone!)
Posted: Tue Feb 23, 2010 2:35 am

Having two work colleagues lose their account to scammers fairly recently, I'm not all that surprised to hear this. Sounds like the lecturer clicked something he shouldn't have.

_________________
Proud "member" of "The Todger Club"!

Safari x1 (Senegal to Gambia)
"You can go now and f*ck yourself with a donkey or horse because you really need to be f*cked by a donkey or horse"
(George Michael's brother Frank/Frannypoo)

"You are a dead meat!"
(Léon the (Not so) Professional)

Closed lad accounts (19 in total:
x2 Léon the (not so) Professional. x4 Via Swindler's list. x4 Via Will and Grace the Law Firm. x3 *Hitman, x1 Hitman: The sequel!, , x1 Haiti scam, x1 The Bimbo (via Umbongo Chambers),
x1 Rita the ETA eater, x1 Via Team Doughnut, x1 Via Prince Emaka, x4 via the Nazis)
Dharma (Baiting Guru; joined 11 Jun 2008; 2144 posts; location: The Empty Quarter)
Posted: Tue Feb 23, 2010 2:51 am

Thanks internationalchrysis for the reply.

I guess I'm going to call her tomorrow.

But how the hell did he know about my email? It's not published anywhere.
sir scam alot (Baiting Guru; joined 19 Mar 2008; 5076 posts; location: Louisiana)
Posted: Tue Feb 23, 2010 3:19 am

Most likely it's a phished webmail account. A lot of lads phish accounts to bomb out massmails. Educational accounts are prized amongst the scumbags.

_________________
Safari = Rev. JB Johnson. Lome to Parakou "i thought it will just be a day jouney. unknowingly to me that it will last up to one week."
Safari2 = Harrison: Owerri, Nigeria to Cotonou, Benin and Accra, Ghana "i know ive been a sucker for twat "
Safari = (Group safari) Oy3nka Ch1dinma: Lagos to Cotonou: "Thank you so much for the embrassment."
Safari = Group safari - Dan Nkwerre: Port Harcourt to Abeche, Chad
Safari2 = Barr. Mustapha Marlick: Lome, Togo to Abuja Nigeria and Accra, Ghana.
pony Mortar x15 (some survived) Closed lad accounts x280 T.W.A.T Nurse Nastys Audi TT United States
<b>Have you kicked your lad today?<b>
Over $1 million USD in fake checks/money orders confiscated Easter Egg
r2d2 (Master of Master Baiters; joined 19 Apr 2009; 796 posts; location: in a galaxy far far away)
Posted: Tue Feb 23, 2010 9:16 am

Quote:
the IP address goes back to University of Abertay, Dundee, Scotland

If you are using the apelord tool, there are reports that it is broken.

If you click on the whois button, it will give you the correct resolution of the IP address, which might be different.

A kosher academic institution in the UK should have email addresses ending with .ac.uk - does the from: address match that?

_________________
United Kingdom Closed lad accounts x4
Climate Change for Dummies
Climate Sceptic Myths Debunked
Bankster (Lab Rat; joined 22 Jun 2007; 2239 posts; location: Gone for a while.)
Posted: Tue Feb 23, 2010 9:34 am

^^ 193.60.160.125 resolves to uadhts01.abertay.ac.uk and according to RIPE is registered to University of Abertay Dundee.

Maybe the sender account needn't even be hacked, depending on the network setup it might suffice to be anywhere inside the UAD network. At any rate the network admin may be interested in this.

_________________
Whoever said you can't touch happiness has never petted a dog.

Elite Ninja Team Member Easter Egg 2012 Goat Golden Goat Purple Flower Penguin
(United States United Kingdom Benin China Nigeria) x10 __ x?
thud419 (Baiting Guru; joined 04 Jan 2006; 3193 posts)
Posted: Tue Feb 23, 2010 10:22 am

^^^ Please do that, they will want to know. Be sure to include the full email with full headers, and don't censor it.

There is no Received line in those headers that points outside the university. That may be because it was webmail and the IP isn't recorded (like gmail does), or it could be an inside job - some student hacking staff email accounts. If the IT admin's logs are detailed enough or they can monitor activity, it is possible they could catch this lad. Arrest is too much to hope for, but expulsion may be on the cards.

_________________
Click here to feel warm and cozy.

I did not f**k your wife in any way -- Nike Akanbi
I don't know what else to do or do I continue filling and filling forms. -- Barr. Koloti
you has been dribbling me up and down but I will show some thing you have never seen before, I think you breath air wait and see. -- Sand Timer Barr. Cole
Cellphone x14
United States x 0.25 won from Reaper in a sucker's bet

Hello Kitty! pony Mortar x8 Closed lad accounts x several
wowwow (Elite Baiter; joined 14 Apr 2009; 1796 posts; location: Here is the picture of the cash in the boxes before we send it down to the company to deposited it)
Posted: Tue Feb 23, 2010 1:02 pm

It's also possible that these headers have been forged.
Anyway, send a copy of the mail and full headers to [email protected]

_________________
Please do not contact anybody again expect me on here because they are many hijackers on internet SGT Tony Benson
OK IF THERE IS A BULLET IN YOUR HEAD IS THAT ENOUGH PROOF Devil Killer Squad
YOU CALL THE F B I BASTARDS. YOU WILL SUFFER FOR THIS. WE HAVE TRACED YOU WITH ALL YOUR DETAILS FBI WARNS
I am the person who owns the safe firm in UK but right now on sick bed for my heart surgery due to my heart failure M Efosa
Tell them to go to hell and burn to arches Prince Jerry Zulusofola
I don’t have job, I am a hacker, hacking jawing stick and Sachet water Udeh Ebuka
http://forum.419eater.com/forum/viewtopic.php?t=162469
Closed lad accounts x5 Easter Egg 2012
r2d2 (Master of Master Baiters; joined 19 Apr 2009; 796 posts; location: in a galaxy far far away)
Posted: Tue Feb 23, 2010 2:12 pm

Hmmm, I'm struggling to figure out how I missed the headers when reading this thread the first time.
Maybe I didn't refresh the page and pick up the edit, or maybe I'm going slightly mad.

_________________
United Kingdom Closed lad accounts x4
Climate Change for Dummies
Climate Sceptic Myths Debunked
Dharma (Baiting Guru; joined 11 Jun 2008; 2144 posts; location: The Empty Quarter)
Posted: Tue Feb 23, 2010 5:26 pm

sir scam alot, r2d2, Bankster, thud419, wowwow

Thanks guys for your wonderful replies.

This morning I phoned the School of Social and Health Sciences office and informed them about this. The lady told me that the whole mail system is down!

I emailed the full headers, including the name of the lecturer, to [email protected]

Is it that easy to forge the headers?
Bankster (Lab Rat; joined 22 Jun 2007; 2239 posts; location: Gone for a while.)
Posted: Tue Feb 23, 2010 8:25 pm

Quote:
is it that easy to forge the headers?

Yes, and no. It depends.

A correctly configured mail server will always add a "Received: from xxx by yyy" line at the top of the headers of any mail it processes. As a mail is passed on, each server will add their line, so that they will read...
Quote:
Received: From server2 by server3
Received: From server1 by server2
Received: From user-pc by server1


The last line in time (i.e. the one at the top, server3 in this example) is usually reliable, because it should have been added by the server on which your mailbox sits, and unless your ISP is spamming you, you can assume that this server will tell you the truth.

It works pretty much the same way in real life. Imagine somebody writes you a nasty letter (on paper) and gives it to me, and I pass it on to your secretary. Let's assume your secretary is trustworthy and tells you that she's got the letter from me. Now you don't know me. I might or might not be trustworthy. I can tell you who's given me the letter, I can tell you that it was Osama bin Laden, or I can choose not to tell you anything at all. What I cannot lie about is that it was me who gave the letter to your secretary, because she's seen me.*

So as a rule of thumb, read the Received: lines from top to bottom to trace the way of an e-mail back through the internet. If there's anything dodgy in the "from XXX" part of a line, everything after that line may be forged.

(*Yes, in theory there's IP spoofing, but it's gotten increasingly impractical or downright impossible in the last few years.)


In your case, there are two Received: lines:
Quote:
Received: from UADHTS01.uad.ac.uk ([193.60.160.125]) by snt0-mc2-f4.Snt0.hotmail.com (blah blah blah)
Received: from uadmta03.uad.ac.uk (193.60.160.134) by UADHTS01.uad.ac.uk (blah blah blah)

The first line states that some Hotmail server (that's where your mailbox is) received the mail from a server that introduced itself as uadhts01.uad.ac.uk and had the IP address 193.60.160.125. Nowadays it is safe to assume that the IP address is correct under normal circumstances.
The second line states that uadhts01.uad.ac.uk received the mail from uadmta03.uad.ac.uk.
There is no third Received: line, which means that either uadmta03.uad.ac.uk was the origin of that mail, or that it's badly configured and doesn't add a Received: line itself, so you can't tell where it got the mail from.
In this case I suspect the latter because of the host name, "uadmta03".
UAD is the University of Abertay Dundee.
MTA may stand for "Mail Transfer Agent", i.e. a mail server.
03 would mean it's the third mail server.
If the server admin is not a total dolt (and unis usually have rather qualified sysadmins), they should still be able to see the origin of your mail in the server's logfiles.


(Edit for the sake of completeness: In this case uadmta03 appears to be an Exchange server, which doesn't generate a Received: line. Though technically speaking, Exchange is already covered in the part where I mention "badly configured servers".)

_________________
Whoever said you can't touch happiness has never petted a dog.

Elite Ninja Team Member Easter Egg 2012 Goat Golden Goat Purple Flower Penguin
(United States United Kingdom Benin China Nigeria) x10 __ x?

Last edited by Bankster on Wed Feb 24, 2010 10:53 am; edited 2 times in total
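As an added example (not code from this thread or from any poster), the walk Bankster describes, done in Python over the two Received: lines he quotes: hops are listed top to bottom, the address each receiving server saw is checked against a set of trusted networks to find where the chain leaves the institution (thud419's observation that no line points outside the university), and the timestamps are checked for backwards jumps. The sample headers are constructed from the ones posted above; the 193.60.160.0/24 range is an assumption standing in for the RIPE registration mentioned earlier, not a value from the thread.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime
from ipaddress import ip_address, ip_network

# Constructed sample: the two Received: lines and the From: line posted in this
# thread, folded as they appeared there; the rest of the mail is left out.
SAMPLE_HEADERS = (
    "Received: from UADHTS01.uad.ac.uk ([193.60.160.125]) by "
    "snt0-mc2-f4.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);\n"
    " Mon, 22 Feb 2010 17:39:42 -0800\n"
    "Received: from uadmta03.uad.ac.uk (193.60.160.134) by UADHTS01.uad.ac.uk\n"
    " (193.60.160.125) with Microsoft SMTP Server id 8.2.213.0; Tue, 23 Feb 2010\n"
    " 01:39:27 +0000\n"
    "Subject: Business Proposal\n"
    'From: "******" <*****@abertay.ac.uk>\n'
    "\n"
)

# "from <name the sender gave> (<what the receiver saw>) by <receiver>"; the
# bracketed part is optional because some servers leave it out.
HOP_RE = re.compile(
    r"from\s+(?P<helo>[^\s;]+)\s*(?:\((?P<seen>[^)]*)\))?.*?\bby\s+(?P<by>[^\s;]+)",
    re.S,
)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_hops(raw_headers):
    """Received: hops in header order: the top line (your own mail server, the one
    you trust) first, the earliest hop last."""
    hops = []
    for value in message_from_string(raw_headers).get_all("Received", []):
        value = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(value)
        if not m:
            continue  # no from/by pair, so nothing to trace on this line
        seen_ip = IPV4_RE.search(m.group("seen") or "")
        when = None
        if ";" in value:  # the timestamp follows the last semicolon
            try:
                when = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                pass
        hops.append({"helo": m.group("helo"), "by": m.group("by"), "when": when,
                     "ip": seen_ip.group(0) if seen_ip else None})
    return hops


def first_outside_hop(hops, trusted_networks):
    """Walk down the chain and return the index of the first hop whose sender the
    receiving server saw outside trusted_networks, or None if the chain ends
    without ever leaving them (thud419's observation in this thread)."""
    nets = [ip_network(n) for n in trusted_networks]
    for i, hop in enumerate(hops):
        if hop["ip"] is None or not any(ip_address(hop["ip"]) in n for n in nets):
            return i
    return None


def time_anomalies(hops):
    """Each lower line was written earlier, so it must not carry a later timestamp
    than the line above it; a backwards jump points at a forged or mis-clocked hop."""
    return [i + 1 for i in range(len(hops) - 1)
            if hops[i]["when"] and hops[i + 1]["when"]
            and hops[i + 1]["when"] > hops[i]["when"]]


if __name__ == "__main__":  # 193.60.160.0/24 is an assumed range, not from RIPE
    hops = parse_hops(SAMPLE_HEADERS)
    for i, h in enumerate(hops):
        print(f"hop {i}: {h['by']} got it from {h['helo']} [{h['ip']}] at {h['when']}")
    print("first hop outside the uni:", first_outside_hop(hops, ["193.60.160.0/24"]))
    print("timestamps out of order at:", time_anomalies(hops))
```

On the thread's headers the walk ends at uadmta03.uad.ac.uk without ever leaving the assumed university range, which is exactly the situation Bankster and thud419 describe: the origin is inside, or the last server simply added no line of its own.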
Master of Puppets (Baiting Guru; joined 12 Mar 2009; 3295 posts; location: Pulling the Strings)
Posted: Tue Feb 23, 2010 8:34 pm

^That is one Very Clear explanation. Nice one Bankster!

_________________
Closed lad accounts x4 Goat Easter Egg
Oke: Todger club entry submission + T.W.A.T (Co-bait with Albator)
Bankster (Lab Rat; joined 22 Jun 2007; 2239 posts; location: Gone for a while.)
Posted: Tue Feb 23, 2010 8:38 pm

^^ Thanks... always happy to help.

If there's a general interest for a more elaborate rant on header analysis, just yell.

_________________
Whoever said you can't touch happiness has never petted a dog.

Elite Ninja Team Member Easter Egg 2012 Goat Golden Goat Purple Flower Penguin
(United States United Kingdom Benin China Nigeria) x10 __ x?
Dharma (Baiting Guru; joined 11 Jun 2008; 2144 posts; location: The Empty Quarter)
Posted: Tue Feb 23, 2010 9:27 pm

Bankster wrote: (the header-analysis reply above, quoted in full)

Bankster

Many thanks

Your response was very insightful
I think I can understand the principle, but the question is how?

How could scammers exploit even the academic institutions?
Diana Prince (Master Baiter; joined 11 Nov 2008; 101 posts; location: in my invisible airplane)
Posted: Tue Feb 23, 2010 10:55 pm

@Bankster: if it's not too terribly late for a Valentine's Day thread: will you marry me?
Your ability to make clear explanations of complex matters to those of us less knowledgeable about mail server configurations is very attractive.
(Although, truth to tell, luckey was my first crush on Eater.)

@subway 1: thank you so much for following through on this circumstance;
assuming that this person's account was in fact compromised,
the time and effort you invested by making that notification should prove to be an asset to the individual and his/her university.

_________________
Mr Gomer-ette

Closed lad accountsEaster Egg
Bankster (Lab Rat; joined 22 Jun 2007; 2239 posts; location: Gone for a while.)
Posted: Wed Feb 24, 2010 8:53 am

^^
Aww, how sweet. I'm already with DW, but maybe we can be secret lovers for the time being?
(Shsht, don't mention VD or SOOI will lock this thread. Repeatedly.)


subway 1 wrote:
How could scammers exploit even the academic institutions?

I'm not sure if I understand your question right, but basically a scammer is a spammer that sends you the opening letter of his format instead of penis enlargement ads. Technically it's the same.
A spammer will always want to employ a system that:

  • has a fast internet connection,
  • is hard to shut down / lock out by the systems that it spams,
  • can't be traced back to him.

The current tool of choice for the upper middle-class spammer is a botnet, but these aren't cheap to rent, so it may be more attractive to rent a server with a stolen credit card or find some vulnerable system.
Among the vulnerable systems, a uni network is ideal. Unis usually have fat internet connections and aren't blocked easily. The problem is that unis usually have competent sysadmins that make it hard to get inside. But once you are inside (e.g. as a student or with a stolen password) you've totally struck gold.

_________________
Whoever said you can't touch happiness has never petted a dog.

Elite Ninja Team Member Easter Egg 2012 Goat Golden Goat Purple Flower Penguin
(United States United Kingdom Benin China Nigeria) x10 __ x?
Rick Shaw (419Eater is my life; joined 10 Jan 2010; 497 posts)
Posted: Sun Feb 28, 2010 12:32 pm

^^ I've had a couple of scams that have come from African universities. After reading the above I can see how they have probably got into the system to send out their scams. Interesting

_________________
Closed lad accounts X176
IyaNA UR MAMA BE THIS OH.... La ya e.e.....Mad man.. Dr Usman Ahmed

YOUR MOTHER TOTO DID YOU UNDERSTAND.OTU NNE GI UNDERSTAND.

YOUR MOTHER TOTO DID YOU UNDERSTAND.BYE FOR NOW.GUY. Victor Owusu.

Take care little odd friend - [email protected] L3wis

FOLL PUT THIS TO YOU FUCKING BIG HEAD. V1ctor OwusV

I never knew that a man who claim to have reputation could be so rude ,nasty and very barbaric like you did. (death cert faked) Dav1d Caruso

YOU ARE A BASTARD AND THE WORST AND WORST POOREST BASTARD ON THIS EARTH PLANET. GO TO HELL AND PUBLISH THE FUCKING PUSSY OF YOUR MOTHER AND YOUR FEMALE DAUGHTERS AND YOUR OCTOPUS LONG DICK. YOU SEE WEALTH COMING ON YOUR WAY ON A PLATTER OF GOLD AND YOUR REFUSE TO GRAB IT. M1chael Pyl3

Neither am i a nadger hunter Joe OmQ
Dharma (Baiting Guru; joined 11 Jun 2008; 2144 posts; location: The Empty Quarter)
Posted: Thu Mar 04, 2010 4:31 pm

Many thanks Bankster for the clarification.

As a student myself, it's frustrating to see that some scumbags could take advantage of a uni's system.

Imagine receiving a scam email from your supervisor!
firehouse5 (Moderator; joined 09 Mar 2004; 4849 posts; location: swimming in Ogogoro)
Posted: Thu Mar 04, 2010 4:52 pm

There's also a huge number of phishing emails targeting users of university email systems. I work at a university and my email address is (widely) published - I probably receive 2-4 messages a day trying to lure me into revealing my login details.

Mostly "email quota exceeded" purporting to be from our IT department with misleading "from" addresses, "reply with username and pwd to automatically reset your quota" or something similar.

Word from those in the know is that just about every one of these messages manages to trick at least somebody in our institution into replying with their details (despite all sorts of efforts by the email team). So it's easy to see how and why spammers can get control of "legit" looking email addresses. We have some nice systems that identify suspicious outbound email traffic, and atypical account usage, to minimize the consequences of some idiot giving his details to a phisher, but many institutions do not....

Quote:
imagine receiving a scam email from your supervisor...


Emails from my boss look just like emails from mugus. But I can pay in person rather than WU.

_________________
Has a scammer sent you a bank account? please report it to me or any other moderator using the private message function.
GO PREMIUM!
Easter 2015Sand Timer Oct2004-Oct2016 12 years but Cheat alert: many silent months!
TV StarMortar dozens Closed lad accounts Not as many piggies as you.
The details you sent do not match, check your records and reply immediate. I have forced to wait in office for two hours with out eating
Mat (Master Baiter; joined 26 Feb 2010; 102 posts; location: Travelling Time)
Posted: Thu Mar 04, 2010 4:56 pm

When I studied we had a forced change of passwords every 2 weeks.
We had to change to a new password, with at least 8 letters/digits, and not more than 4 of them were allowed to match the existing password.

Even though some had their account compromised, it was only temporary.

_________________
Back after 4 years in hiding.
Closed lad accounts x3
x42 - Mr. Coleman
SamCBaiter (Hello I'm New here!; joined 03 Dec 2009; 10 posts; location: Behind a proxy :))
Posted: Fri Mar 05, 2010 2:46 pm

At college we could use the webmail service only from the internal network and we could configure the account to forward mails to an external address in case we wanted to receive notifications when not in the building. Worked fine.

_________________
Samuel C. Baiter

_____________

listen who is foolling who? - Tessy Boe
E-Mail Header Analysis


All Content © 2003 - 419Eater.com
Powered by phpBB © 2001, 2002 phpBB Group :S5: FI Theme :: All times are GMT