SmartFeedSmartFeed          

Porsche Hangout


WELCOME - YOU ARE CURRENTLY VIEWING 419EATER AS A GUEST

By joining our community you will have the ability to post topics and access other forums reserved for members. Registration is quick, simple and absolutely free. Join our community today by clicking here.

ScamWarners.com - Internet Anti-Fraud Center - now open!


 Scam email, possibly from UK university

View next topic
View previous topic
 
Post new topicReply to topic
Author Message
MidlandBlue2010
Not quite a Newb


Joined: 03 Sep 2010
Posts: 31


PostPosted: Fri Sep 03, 2010 9:44 am Reply with quoteBack to top

Hi,
I received what appears to be a scam email this morning.

On the face of it, it seems that it has been sent from a university account in the UK. The return path is a mailbox at that university but also the route in the email header seems to suggest that it did come from that university.

The only attempt to spoof a return address, seems to be the fact that the author of the email requests that responses are sent to a different webmail account.

Now, I have a little technical understanding, but not much, so it may well be that I have misunderstood the header information.

I have no idea whether this is actually an attempt to start a scam, or whether it is just a student messing about. My first instinct was to send the email header to the admins at the university, but I am struggling to find their contact details.

Just wondered if anybody here had any thoughts on what I should do, if anything.

I am happy to post the header here, but I am not sure if I am allowed to under the forum rules.

Any thoughts would be appreciated.
View user's profileSend private message
conga22
Baiting Guru


Joined: 08 Jul 2009
Posts: 2086
Location: Look Behind You


PostPosted: Fri Sep 03, 2010 9:49 am Reply with quoteBack to top

Hello Midlandblue2010 and welcome to eater Very Happy You can go ahead and post the headers here. Remember to take out YOUR personal info first. BTW I hope you are baiting Safely. Read the stickies, read eater uni and if you want apply for a mentor, kiss your free time goodbye but most of all have fun. Wink

_________________
PLEASE,WE DO NOT WANT ANY URGLY SITUATION IN THIS TRANSACTION
There is a lot of spaces in the receipt for them to put their stamp, so why do they put the stamp on the 10 digital codes, and you know that without the correct number ,western union here cannot issue out the payment. (I know Laughing)
When i tell you how to do things well you will do the opposite Why?-Joseph D1ar4
Closed lad accounts X60 X3
Tattoo Vcamerawatch video here Safari Lagos to Cotonou - thanks Mr. Grant

Mortar Japan Portugal United Kingdom x4 Easter Egg 2012
View user's profileSend private message
MidlandBlue2010
Not quite a Newb


Joined: 03 Sep 2010
Posts: 31


PostPosted: Fri Sep 03, 2010 10:07 am Reply with quoteBack to top

Thanks conga22.

Here is the header, I have removed a few IDs that I thought might possibly be traceable back to me (I replaced them with ***DELETED****), but other than that, this is the complete header and body.

---------------------------

X-Message-Delivery: ******DELETED*********
X-Message-Status: n:0
X-SID-PRA: Evans N. <[email protected]>
X-AUTH-Result: NONE
X-Message-Info: ******DELETED*********
Received: from laurel.swan.ac.uk ([137.44.1.237]) by
BAY0-MC4-F34.Bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675); Thu, 2
Sep 2010 21:33:36 -0700
Received: from [137.44.42.25] (helo=ccs-owa1.brynmill.swan.ac.uk) by
laurel.swan.ac.uk with esmtp (Exim 4.70) (envelope-from
<[email protected]>) id 1OrNy1-0000DC-L0; Fri, 03 Sep 2010 05:33:33 +0100
Received: from CCS-EXCHANGE1.brynmill.swan.ac.uk ([137.44.48.24]) by
ccs-owa1.brynmill.swan.ac.uk with Microsoft SMTPSVC(6.0.3790.4675); Fri, 3 Sep
2010 05:32:37 +0100
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----_=_NextPart_001_01CB4B21.08BC26BA"
Subject: read and respond
Date: Fri, 03 Sep 2010 05:32:36 +0100
Message-ID: <[email protected]>
Thread-Topic: read and respond
Thread-Index: ******DELETED*********
From: "Evans N." <[email protected]>
X-OriginalArrivalTime: 03 Sep 2010 04:32:37.0532 (UTC) FILETIME=[097C0DC0:01CB4B21]
Return-path: [email protected]

This is a multi-part message in MIME format.

------_=_NextPart_001_01CB4B21.08BC26BA
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

I am Captain Bruce F Nickerson of the US Marine here in Iraq, I need =
your help in moving a huge amount of money out of Iraq.Please do contact =
via me on [email protected] only.

------_=_NextPart_001_01CB4B21.08BC26BA
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML dir=3Dltr><HEAD>=0A=
<META http-equiv=3DContent-Type content=3D"text/html; charset=3Dunicode">=0A=
<META content=3D"MSHTML 6.00.5730.13" name=3DGENERATOR></HEAD>=0A=
<BODY>=0A=
<DIV><FONT face=3DArial color=3D#000000 size=3D2>=0A=
<DIV><FONT face=3DArial color=3D#000000 size=3D2>I am Captain Bruce F =
Nickerson of the US Marine here in Iraq, I need </FONT><FONT =
face=3DArial color=3D#000000 size=3D2>your help in moving a huge amount =
of money out of Iraq.Please do </FONT><FONT face=3DArial color=3D#000000 =
size=3D2>contact via me on <A =
href=3D"mailto:[email protected]">[email protected]</A> =
only.</FONT></DIV></FONT></DIV></BODY></HTML>
------_=_NextPart_001_01CB4B21.08BC26BA--
View user's profileSend private message
Roycropper
Undead Moderator


Joined: 14 Nov 2005
Posts: 7993
Location: Luxury Coffin


PostPosted: Fri Sep 03, 2010 10:14 am Reply with quoteBack to top

Quote:
IP address [?]: 137.44.48.24 [Whois] [Reverse IP]
IP country code: GB
IP address country: United Kingdom
IP address state: Swansea
IP address city: Swansea
IP address latitude: 51.6333
IP address longitude: -3.9667
ISP of this IP [?]: Swansea University
Organization: Swansea University
Host of this IP: [?]: ccs-msclnode3.brynmill.swan.ac.uk [Whois] [Trace]


However, there are probably a lot of common use PCs at Swansea University. Looks like they have a resident lad though.

_________________
the European Union has bounced on our freckles
COULD YOU IMAGINE WHAT HAPPENED WHEN I WENT TO THE BANK
our Agent is Completely broke, pocketless and stranded
I WLL SEND AN AFRICA WITCH TO ATTACH YOU BASTARD
You go die like bird
i started shouting HALLELUJAGOBBLE but none of them notice me immediately police arrested me due to the shouting
f*ck u asshole ur damn mother will loose ur fcuking skull brain ur brain is nothing to compare with rat f*ck ur u
MY FRIEND ALEX WAS DETAINED IN POLICE STATION
I am not happy due to the question i answered at money office. Let me tell you do not play with me ok.
Pith Helmet 10
x4 United Kingdom New Zealand Mortar Closed lad accounts Sand Timer 6Yrs Tattoo x6 Flying Monkey
View user's profileSend private message
TheDane
Baiting Guru


Joined: 13 Aug 2010
Posts: 5068
Location: Meanwhile, somewhere else...


PostPosted: Fri Sep 03, 2010 11:49 am Reply with quoteBack to top

Someone sent me the same script, but my lad is in Nigeria:
Quote:
Delivered-To: [email protected]
Received: by 10.227.136.141 with SMTP id r13cs10784wbt;
Wed, 1 Sep 2010 01:04:17 -0700 (PDT)
Received: by 10.213.56.17 with SMTP id w17mr11258461ebg.76.1283328256589;
Wed, 01 Sep 2010 01:04:16 -0700 (PDT)
Return-Path: <[email protected]>
Received: from blu0-omc1-s38.blu0.hotmail.com (blu0-omc1-s38.blu0.hotmail.com [65.55.116.49])
by mx.google.com with ESMTP id w46si24019157eeh.87.2010.09.01.01.04.15;
Wed, 01 Sep 2010 01:04:16 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 65.55.116.49 as permitted sender) client-ip=65.55.116.49;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of [email protected] designates 65.55.116.49 as permitted sender) [email protected]
Received: from BLU148-W18 ([65.55.116.7]) by blu0-omc1-s38.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
Wed, 1 Sep 2010 01:03:24 -0700
Message-ID: <[email protected]>
Return-Path: [email protected]
Content-Type: multipart/alternative;
boundary="_8060b119-dcd6-4ce7-99bd-e8575c87d0e9_"
X-Originating-IP: [41.219.254.5]From: Capt Bruce F Nickerson <[email protected]>
To: <[email protected]>
Subject: =?windows-1256?Q?Proceeding?= =?windows-1256?Q?_Email._Pr?=
=?windows-1256?Q?ovide_Requ?= =?windows-1256?Q?ested_Info?=
=?windows-1256?Q?rmation=FE=FE=FE?= =?windows-1256?Q?=FE=FE?=
Date: Wed, 1 Sep 2010 09:03:24 +0100
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 01 Sep 2010 08:03:24.0557 (UTC) FILETIME=[26DF6BD0:01CB49AC]

--_8060b119-dcd6-4ce7-99bd-e8575c87d0e9_
Content-Type: text/plain; charset="windows-1256"
Content-Transfer-Encoding: 8bit


A little IP search reveals the location: http://www.ip-adress.com/ip_tracer/41.219.254.5
But it's probably just two lads using the same scripts.

_________________
Closed lad accounts x81 x3 Sand Timer x2 Vcamera x2 Easter Egg 2011 Goat Mortar Safari x13
Trafalgar Square 2013
Goat Milk Lad 2012-13:
Sand Timer T.W.A.T Santa Safari Lagos-Ouagadougou-Arbinda Safari Warri-Yaoundé

I AM A FOOL AND I AM SO DISAPPOINTED - Brother Okei AKA Goat Milk Lad
I do not wish my enemy what I have experienced and this humiliation you are putting me through - Rushforth (on behalf of Dharma & Dr Mike)

Last edited by TheDane on Mon Jun 18, 2012 2:15 pm; edited 1 time in total
View user's profileSend private message
Cougar
Elite Baiter


Joined: 16 Apr 2009
Posts: 1293
Location: Curled up on the doctor's chair.


PostPosted: Fri Sep 03, 2010 12:08 pm Reply with quoteBack to top

This really annoys me. I'm an administrator at an English university (not Swansea unfortunately) and if any of our students are found to be misusing their internet/email accounts they are disciplined. Actual consequences vary between universities but at ours they would be given a formal warning, then if they continued they would be expelled. If they're here on a student visa this would no longer be valid and they would have to return home/be deported. Twisted Evil

@OP - 2 ways to go with this. Bait and have fun, or contact the Uni system admins. Check the website, a quick phone call to the switchboard should give you a contact. Maybe check out what action would be taken before deciding how to act.
Positive - lad gets a nasty shock/kicked off the course/kicked out the country. Negative - we lose contact with lad, lad continues scamming elsewhere.

_________________
Goat Goat Pole Dancer Flying Monkey Easter Egg 2012 pony
View user's profileSend private message
evil_sheep
Compulsive Self Abuser


Joined: 15 Jul 2010
Posts: 1100
Location: 419eater Passport office.


PostPosted: Fri Sep 03, 2010 12:17 pm Reply with quoteBack to top

Quote:
Received: from [137.44.42.25] (helo=ccs-owa1.brynmill.swan.ac.uk) by
laurel.swan.ac.uk with esmtp (Exim 4.70) (envelope-from
<[email protected]>)


There's the clue - the "OWA" - Outlook Web Access.

Neil Evans has had his Unversity email account compromsed and the scammer is sending out 419's through the web based email system, that lets the Uni students log in from anywhere in the world.

It's not likely to be a student at Swansea who is actually sending this stuff out - if they had the money to come to Wales to study, then they wouldn't need to try to scam people.

_________________
Closed lad accounts x11 Thailand x3 Ghana Senegal United Kingdom Welsh Flag United Nations

"I thank you for your quick massage this morning. " - Prince Abdul Hakeem
"u lied. i know u as black man" - Timothy Fred
"Get out. If you mail me again, i will destroy your mailbox." - Clydesdale Bank PLC.
"picece of shit gett off here junkie" "arse hole like u" "u r a bullshit around the corner" "fuck off and die" "is that how you write ur father?" "do u need some crack from Brazil?" "please leave me alone" - Dr. Mohamed Gaza

FREE BEER!

"Baiting is like sex. If it does go pear-shaped, pull out, get a new email address and try again from a different angle." - Me
View user's profileSend private message
TheDane
Baiting Guru


Joined: 13 Aug 2010
Posts: 5068
Location: Meanwhile, somewhere else...


PostPosted: Fri Sep 03, 2010 12:47 pm Reply with quoteBack to top

I'd alert the owner of the comprimised mail addy right away.

_________________
Closed lad accounts x81 x3 Sand Timer x2 Vcamera x2 Easter Egg 2011 Goat Mortar Safari x13
Trafalgar Square 2013
Goat Milk Lad 2012-13:
Sand Timer T.W.A.T Santa Safari Lagos-Ouagadougou-Arbinda Safari Warri-Yaoundé

I AM A FOOL AND I AM SO DISAPPOINTED - Brother Okei AKA Goat Milk Lad
I do not wish my enemy what I have experienced and this humiliation you are putting me through - Rushforth (on behalf of Dharma & Dr Mike)
View user's profileSend private message
evil_sheep
Compulsive Self Abuser


Joined: 15 Jul 2010
Posts: 1100
Location: 419eater Passport office.


PostPosted: Fri Sep 03, 2010 12:51 pm Reply with quoteBack to top

And let it get deleted by the scammer? Wink

I'll give the Uni a ring - they are only down the road anyway Very Happy


Edit - I let the IT department know, who say they will look into it.

_________________
Closed lad accounts x11 Thailand x3 Ghana Senegal United Kingdom Welsh Flag United Nations

"I thank you for your quick massage this morning. " - Prince Abdul Hakeem
"u lied. i know u as black man" - Timothy Fred
"Get out. If you mail me again, i will destroy your mailbox." - Clydesdale Bank PLC.
"picece of shit gett off here junkie" "arse hole like u" "u r a bullshit around the corner" "fuck off and die" "is that how you write ur father?" "do u need some crack from Brazil?" "please leave me alone" - Dr. Mohamed Gaza

FREE BEER!

"Baiting is like sex. If it does go pear-shaped, pull out, get a new email address and try again from a different angle." - Me

Last edited by evil_sheep on Fri Sep 03, 2010 12:53 pm; edited 1 time in total
View user's profileSend private message
Slightlyoutofit
Baiting Guru


Joined: 13 Feb 2007
Posts: 14310
Location: Foraging for Nuts.


PostPosted: Fri Sep 03, 2010 12:51 pm Reply with quoteBack to top

evil_sheep wrote:


It's not likely to be a student at Swansea who is actually sending this stuff out - if they had the money to come to Wales to study, then they wouldn't need to try to scam people.


Wanna bet?
I've run into literally dozens of lads who have moved over here on student visas and scam in between lectures.
Having the money to move to the West means nothing - if a lad sees an easy buck, believe me, he'll take it.

@TheDane. Going through the uni admin is still the best bet.

_________________
Star pony pony pony Nurse Nastys Audi TT Purple Flower Whip
Safari Jolly Roger Mortar Closed lad accounts Cellphone United Kingdom

God will see you true for all this you have done to me you bastard. - Collins Kalu
MAY THE HAND THAT TYPE ON KEYBORD BECOME STRICKEN AND TRANSMIT VIRUS TO YOU ENTIRE BODY. - Dr Linda Akeem
oh what a mess its time cabbage punks like u will be expose for trully what they are. - David Cole
View user's profileSend private messageYahoo MessengerSkype Name
evil_sheep
Compulsive Self Abuser


Joined: 15 Jul 2010
Posts: 1100
Location: 419eater Passport office.


PostPosted: Fri Sep 03, 2010 12:57 pm Reply with quoteBack to top

The name "N Evans" isn't particularly Nigerian, but I agree, he could have left himself logged in "stupidly" in the library Wink


It is more likely to be a keylogged installed on a PC on which Mr Evans has logged in on, however.

_________________
Closed lad accounts x11 Thailand x3 Ghana Senegal United Kingdom Welsh Flag United Nations

"I thank you for your quick massage this morning. " - Prince Abdul Hakeem
"u lied. i know u as black man" - Timothy Fred
"Get out. If you mail me again, i will destroy your mailbox." - Clydesdale Bank PLC.
"picece of shit gett off here junkie" "arse hole like u" "u r a bullshit around the corner" "fuck off and die" "is that how you write ur father?" "do u need some crack from Brazil?" "please leave me alone" - Dr. Mohamed Gaza

FREE BEER!

"Baiting is like sex. If it does go pear-shaped, pull out, get a new email address and try again from a different angle." - Me
View user's profileSend private message
wowwow
Elite Baiter


Joined: 14 Apr 2009
Posts: 1796
Location: Here is the picture of the cash in the boxes before we send it down to the company to deposited it


PostPosted: Fri Sep 03, 2010 1:04 pm Reply with quoteBack to top

As a sys admin I would agree with evil sheep. Contact the I.T department and alert them to this and they can take the appropriate action. They can at least suspend the account until they can investigate. I know it's not policy to close scammer e-mail accounts but in this case it's more than likely a users account is being exploited.

_________________
Please do not contact anybody again expect me on here because they are many hijackers on internet SGT Tony Benson
OK IF THERE IS A BULLET IN YOUR HEAD IS THAT ENOUGH PROOF Devil Killer Squad
YOU CALL THE F B I BASTARDS. YOU WILL SUFFER FOR THIS. WE HAVE TRACED YOU WITH ALL YOUR DETAILS FBI WARNS
I am the person who owns the safe firm in UK but right now on sick bed for my heart surgery due to my heart failure M Efosa
Tell them to go to hell and burn to arches Prince Jerry Zulusofola
I don’t have job, I am a hacker, hacking jawing stick and Sachet water Udeh Ebuka
http://forum.419eater.com/forum/viewtopic.php?t=162469
Closed lad accounts x5 Easter Egg 2012
View user's profileSend private message
TheDane
Baiting Guru


Joined: 13 Aug 2010
Posts: 5068
Location: Meanwhile, somewhere else...


PostPosted: Fri Sep 03, 2010 1:12 pm Reply with quoteBack to top

wowwow wrote:
I know it's not policy to close scammer e-mail accounts but in this case it's more than likely a users account is being exploited.


My point exactly. It's not a scam-addy, but an ITP who's gotten his compromised. And going through the Uni Admin is of course every bit as good, if not better than notifying the guy himself (and risk alerting the scammer as well). Wink

_________________
Closed lad accounts x81 x3 Sand Timer x2 Vcamera x2 Easter Egg 2011 Goat Mortar Safari x13
Trafalgar Square 2013
Goat Milk Lad 2012-13:
Sand Timer T.W.A.T Santa Safari Lagos-Ouagadougou-Arbinda Safari Warri-Yaoundé

I AM A FOOL AND I AM SO DISAPPOINTED - Brother Okei AKA Goat Milk Lad
I do not wish my enemy what I have experienced and this humiliation you are putting me through - Rushforth (on behalf of Dharma & Dr Mike)
View user's profileSend private message
theblob
419Eater is my life


Joined: 31 May 2010
Posts: 255


PostPosted: Fri Sep 03, 2010 3:10 pm Reply with quoteBack to top

Doesn't anybody else find it strange he doesn't make use of his legit looking address in his script?
What I mean is, why doesn't he use it to pretend he's a student instead of an US Marine? Confused

_________________
OINK OINK ! > Closed lad accounts x16
View user's profileSend private message
Mr Tambourine Man
Baiting Guru


Joined: 06 Jun 2008
Posts: 3386
Location: Magic swirlin' ship


PostPosted: Fri Sep 03, 2010 4:04 pm Reply with quoteBack to top

It makes no sense to me either.

_________________

Closed lad accounts x 4
3 dead websites

is always Good when you have the zeal to be a hitwoman when you out of school,it makes you bold and reall and it makes you more high than any other of your friend.
you dont have a phone.that makes makes you joe butt. Fuck you and go find something to do man. Stop disturbing me please.
This is definitely why you will remain and die in poverty, ignorant of good things and easy acknowledgment of bad things and words. Shame on you, you wicked generation children.
i went you to no that this is not a cheld pray. i went you to get back to me
we are not scammer,we hate scammer as you do.scammer make out life harder and harder,a lot of people think we are scammer,in fact,we are not!! please trustt us
View user's profileSend private message
grimbleton
Not quite a Newb


Joined: 24 Aug 2010
Posts: 53
Location: dodging gridbugs


PostPosted: Fri Sep 03, 2010 6:03 pm Reply with quoteBack to top

Slightlyoutofit wrote:
I've run into literally dozens of lads who have moved over here on student visas and scam in between lectures.


i live in a "university town" in the US. and i concur with SOOI's summation. some of the most money-grubbing people i've ever had the misfortune to meet have been the ones that did it "just because".

the student could very well have been hacked and may very well be an innocent victim. but let's not rule out the possibility that he just might be an asshole.

cheers


grimbleton

_________________
"if i'm going to "go to hell" it might as well be for something that's fun or funny." -- grimbleton
View user's profileSend private message
Rick Shaw
419Eater is my life


Joined: 10 Jan 2010
Posts: 497


PostPosted: Tue Sep 07, 2010 4:43 am Reply with quoteBack to top

This is not the first time this has happened and there other posts on here about similar situations.

_________________
Closed lad accounts X176
IyaNA UR MAMA BE THIS OH.... La ya e.e.....Mad man.. Dr Usman Ahmed

YOUR MOTHER TOTO DID YOU UNDERSTAND.OTU NNE GI UNDERSTAND.

YOUR MOTHER TOTO DID YOU UNDERSTAND.BYE FOR NOW.GUY. Victor Owusu.

Take care little odd friend - [email protected] L3wis

FOLL PUT THIS TO YOU FUCKING BIG HEAD. V1ctor OwusV

I never knew that a man who claim to have reputation could be so rude ,nasty and very barbaric like you did. (death cert faked) Dav1d Caruso

YOU ARE A BASTARD AND THE WORST AND WORST POOREST BASTARD ON THIS EARTH PLANET. GO TO HELL AND PUBLISH THE FUCKING PUSSY OF YOUR MOTHER AND YOUR FEMALE DAUGHTERS AND YOUR OCTOPUS LONG DICK. YOU SEE WEALTH COMING ON YOUR WAY ON A PLATTER OF GOLD AND YOUR REFUSE TO GRAB IT. M1chael Pyl3

Neither am i a nadger hunter Joe OmQ
View user's profileSend private message
Display posts from previous:      
Post new topicReply to topic


 Jump to:   



View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



** Find out information about your IP address **


All Content © 2003 - 419Eater.com
Powered by phpBB © 2001, 2002 phpBB Group :S5: FI Theme :: All times are GMT