Email header Analysis help for newbie please
willewontee (Hello I'm New here!) - Joined: 22 Jul 2011, Posts: 15
Posted: Mon Aug 01, 2011 5:39 pm

Hi, complete newbie to baiting here, but with a 35+ year technical IT career mainly as a Sysprog behind me & time now on my hands to play!

I've gone through all the hints & tips, Baiter university & read hundreds of excellent classic baits.
I've fallen in love with the site & principles behind it & I am ready to go!

So, the first interesting mail in my catcher is:

ROBERT MUELLER III.
EXECUTIVE DIRECTOR FBI.
FEDERAL BUREAU OF INVESTIGATION FBI.WASHINGTON D.C.
FEDERAL BUREAU OF INVESTIGATION SEEKING TO WIRETAP INTERNET.

ATTENTION: BENEFICIARY, blah blah blah.


Written in typical "ladeese" English, so I would have bet a large sum it came from e.g. Nigeria; but surprise, surprise.....

Here's the header.....................

From Robert Mueller Fri Jul 29 04:15:40 2011
X-Apparently-To: CATCHER_NAME@XXX.CO.YY via 77.238.189.162; Fri, 29 Jul 2011 03:15:43 +0000
Return-Path: <gskaxb@att.net>
X-YahooFilteredBulk: 98.139.213.158
Received-SPF: none (domain of att.net does not designate permitted sender hosts)
X-YMailISG: JUlMhD0WLDuY1hfN0wml4iJcZB82jQt0tCxBtsfx3WwRKv0_
N.<snip>
X-Originating-IP: [98.139.213.158]
Authentication-Results: mta1096.mail.ird.yahoo.com from=att.net; domainkeys=neutral (no sig); from=att.net; dkim=pass (ok)
Received: from 127.0.0.1 (HELO nm2-vm1.bullet.mail.bf1.yahoo.com) (98.139.213.158)
by mta1096.mail.ird.yahoo.com with SMTP; Fri, 29 Jul 2011 03:15:43 +0000
Received: from [98.139.212.152] by nm2.bullet.mail.bf1.yahoo.com with NNFMP; 29 Jul 2011 03:15:40 -0000
Received: from [98.139.213.11] by tm9.bullet.mail.bf1.yahoo.com with NNFMP; 29 Jul 2011 03:15:40 -0000
Received: from [127.0.0.1] by smtp111.mail.bf1.yahoo.com with NNFMP; 29 Jul 2011 03:15:40 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=att.net; s=s1024; t=1311909340; bh=8ptLaTNHck/T1ZEz3JfU/3z8bRn3KYYFM1hrHHqrA0I=; h=X-Yahoo-Newman-Id:Message-ID:X-Yahoo-Newman-Property:X-YMail-OSG:X-Yahoo-SMTP:Received:Reply-To:From:Subject:Date:MIME-Version:Content-Type:Content-Transfer-Encoding:X-Priority:X-MSMail-Priority:X-Mailer:X-MimeOLE; b=t<snip>
X-Yahoo-Newman-Id: 551351.46019.bm@smtp111.mail.bf1.yahoo.com
Message-ID: <551351.46019.bm@smtp111.mail.bf1.yahoo.com>
X-Yahoo-Newman-Property: ymail-5
X-YMail-OSG: <snip>
Received: from User (gskaxb@66.255.63.182 with login)
by smtp111.mail.bf1.yahoo.com with SMTP; 28 Jul 2011 20:15:40 -0700 PDT
Reply-To: <sanlamido131@aol.com>
From: "Robert Mueller"<gskaxb@att.net>
Subject: AS A MATTER OF URGENCY
Date: Thu, 28 Jul 2011 23:15:40 -0400
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Content-Length: 5674

A quick trip to IpTRACKERonline shows:

ipTRACKERonline.com wrote:
Header Analysis Quick Report
Originating IP: 66.255.63.182
Originating ISP: KNOXVILLE ORAL & MAXILLOFACIAL SURGERY
City: Knoxville
Country of Origin: United States
* For a complete report on this email header goto ipTRACKERonline


If I read this right, it originates in Sunnyvale, CA (potentially, though that's probably an AT&T Point of Presence) from an AT&T account through a US-based ISP that is also a dental surgery!

I'm a bit suspicious of the "domain of att.net does not designate permitted sender hosts" warning... Does AT&T not publish SPF records for its mail servers?

Alternatively, is AT&T email web based (think Yahoo) thus accessible from any server? If so, the SPF warning explains itself.

Also, detailed analysis shows:

Originating hostname: uslec-66-255-63-182.cust.uslec.net which is shown as KNOXVILLE ORAL & MAXILLOFACIAL SURGERY. I can't see where this info comes from as WHOIS for USLEC.NET shows an expired domain, & web site shows as PAETEC, which as far as I can tell is the domain registration service trying to get you to reuse the site.


The reply to address is an AOL one, which again confirms the US link... I'm a bit confused & any help untangling things is welcome.

I might well reply using Spyp1g & try to nail return address down geographically before I play any more.

Regards,
willewontee

snipped keys due to forum blowout-dorothy
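An added example (not from the post or the forum) that does in code what the post does by eye: it walks the Received chain of the header above from the bottom up, picks out the hop where the account logged in ("with login") as the submitting client, and reads the SPF and DKIM verdicts. RAW_HEADER is a constructed, trimmed copy of the posted header; the "first public IP" fallback is an assumption for headers without an authenticated-submission hop.

```python
import ipaddress
import re
from email import message_from_string
# Constructed from the header posted above (keys snipped, other fields dropped).
RAW_HEADER = """\
Received-SPF: none (domain of att.net does not designate permitted sender hosts)
Authentication-Results: mta1096.mail.ird.yahoo.com from=att.net; domainkeys=neutral (no sig); from=att.net; dkim=pass (ok)
Received: from 127.0.0.1 (HELO nm2-vm1.bullet.mail.bf1.yahoo.com) (98.139.213.158)
 by mta1096.mail.ird.yahoo.com with SMTP; Fri, 29 Jul 2011 03:15:43 +0000
Received: from [98.139.212.152] by nm2.bullet.mail.bf1.yahoo.com with NNFMP; 29 Jul 2011 03:15:40 -0000
Received: from [98.139.213.11] by tm9.bullet.mail.bf1.yahoo.com with NNFMP; 29 Jul 2011 03:15:40 -0000
Received: from [127.0.0.1] by smtp111.mail.bf1.yahoo.com with NNFMP; 29 Jul 2011 03:15:40 -0000
Received: from User (gskaxb@66.255.63.182 with login)
 by smtp111.mail.bf1.yahoo.com with SMTP; 28 Jul 2011 20:15:40 -0700 PDT
"""
_HOP_RE = re.compile(r"from (?P<from>.+?) by (?P<by>[^;\s]+)(?: with (?P<with>[^;\s]+))?;")
_IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def received_hops(raw):
    """Received hops in chronological order: each relay prepends its own line, so reverse."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = _HOP_RE.search(re.sub(r"\s+", " ", value))  # unfold continuation lines
        if not m:
            continue
        hop = m.groupdict()
        public = [ip for ip in _IP_RE.findall(hop["from"]) if ipaddress.ip_address(ip).is_global]
        hop["client_ip"] = public[0] if public else None  # loopback/private IPs are skipped
        hop["authenticated"] = "with login" in hop["from"]  # Yahoo's mark for a logged-in submission
        hops.append(hop)
    return hops

def origin(raw):
    """(client IP, server it submitted to): earliest authenticated hop, else earliest public IP."""
    hops = received_hops(raw)
    auth = [h for h in hops if h["authenticated"] and h["client_ip"]]
    public = [h for h in hops if h["client_ip"]]
    best = (auth or public or [None])[0]
    return (best["client_ip"], best["by"]) if best else (None, None)

def auth_summary(raw):
    """SPF result and DKIM/DomainKeys verdicts as the receiving MTA recorded them."""
    msg = message_from_string(raw)
    spf = msg.get("Received-SPF", "")
    results = {"spf": spf.split()[0].lower() if spf else "missing"}
    ar = re.sub(r"\s+", " ", msg.get("Authentication-Results", ""))
    for method in ("dkim", "domainkeys"):
        m = re.search(rf"\b{method}=(\w+)", ar)
        results[method] = m.group(1) if m else "missing"
    return results
```

For this header the client that logged in is 66.255.63.182 (the Knoxville address), while 98.139.213.158 in X-Originating-IP is only the last Yahoo relay, which is why the Sunnyvale reading is misleading; SPF "none" means no SPF record was published for att.net, not that the check failed.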
419muguhunter (Not quite a Newb) - Joined: 15 Jul 2011, Posts: 20
Posted: Mon Aug 01, 2011 6:58 pm

Hi there!

Welcome to the forums, I'm a noobie too but am really behind the site.

I've had something similar recently, checked the headers, got a New York IP. Spypig confirmed it. Didn't know what to make of that one so knocked it on the head.

Just wanted to say try Spypig or Who Read Me, one of the forum members pointed me to these two sites recently.

Happy Baiting!
willewontee (Hello I'm New here!) - Joined: 22 Jul 2011, Posts: 15
Posted: Mon Aug 01, 2011 7:21 pm

Hi thanks for the welcome & welcome yourself. I will try a Spypig on it, but a bit odd getting a typical W. African scam from a US address. Think I will leave it alone if it is a US address.

Regards,

willewontee
Seamless (Baiting Guru) - Joined: 16 Apr 2009, Posts: 5798, Location: Paradise
Posted: Mon Aug 01, 2011 8:21 pm

Welcome to 419eater willewontee and 419muguhunter
Always 'Bait Safely' = Never use your Real Life information or email in a bait.

Take a look around Eater University. Read the Stickys. Sign up for the Cherrie Mentor Program.
Most of all have Fun!!

vonpaso xlura (Different and Distinctive) - Joined: 10 Apr 2011, Posts: 11838, Location: Bertcad, Lojbanistan
Posted: Mon Aug 01, 2011 8:34 pm

It's possible that the original sender exploited a bug in a computer at the oral surgeon to send the message. Send a reply and see where the reply to that comes from.

willewontee (Hello I'm New here!) - Joined: 22 Jul 2011, Posts: 15
Posted: Mon Aug 01, 2011 8:51 pm

I've just been notified by Spypig my reply was opened:

Recipient Location: San Francisco, California, United State

The accuracy is approximately 98% on the country level and 70% on the city level for US cities, so I guess it's in the USA.

Let's see if I get a reply....

Regards,

Willewontee
Morgain Le Fay (Pistol-packin' Mama) - Joined: 14 Oct 2010, Posts: 5800, Location: Taking my new .38 special to the range
Posted: Tue Aug 02, 2011 1:33 pm

Quite a few scammers phish or hack into universities' email accounts and it sounds like somehow the KNOXVILLE ORAL & MAXILLOFACIAL SURGERY has had it happen to also. I am in receipt of one who phished or hacked or something into the Republican Party of Pennsylvania.

willewontee (Hello I'm New here!) - Joined: 22 Jul 2011, Posts: 15
Posted: Tue Aug 02, 2011 6:21 pm

Just done some further analysis on the Spypig notification; what it seems to be doing is detecting the email leaving the last random TOR node rather than someone actually opening the email, so it looks like Spypig does not work with TOR.

Regards,

Willewontee
evil_sheep (Compulsive Self Abuser) - Joined: 15 Jul 2010, Posts: 1100, Location: 419eater Passport office.
Posted: Tue Aug 02, 2011 9:48 pm

Tor will hide you quite well.
In my opinion, if you host an exit node, you are technically exposing your internet account to be used for illegal purposes (amongst other things).

Unless you are monitoring both the incoming and outgoing packets from the exit node, it's nigh impossible to work out which requests came from each IP. If you can monitor in and out going packets, it is possible to work out which requests are going to and from each connection.

Most lads wouldn't have a clue what Tor is, however.

willewontee (Hello I'm New here!) - Joined: 22 Jul 2011, Posts: 15
Posted: Tue Aug 02, 2011 10:36 pm

Yes, it does hide one quite well as you say.

I agree about hosting a node... I had the same thoughts about it & so decided to just use it as a smoke screen.
Today I have been mailing from USA, GB, South Africa, Canada, Greenland, etc... 3 random in & 3 random out nodes.
I might look at setting a fixed exit node somewhere far away from me in case I hit a lad with enough savvy to interpret an email header.

It surprised me where Spypig seems to think email is being opened, seemingly it's reporting now at every TOR node it goes through, but not once it exits TOR .... great way to trace TOR nodes, but not what I want. I will see if I can find out how Spypig actually works & maybe try some different notifiers.

I tried for some easy piggies with ASEM on about 100 likely lads picked from Baiters hot list, but no one wanted to play.

I'm playing straight baiting with about 20 odd various modality lads on the go now, to get my hand in, going well so far & some promising looking ones in there.

What surprised me as a newbie is even though "I" am 74 years old & deaf as a post, about a quarter of the lads will not come out to play unless I ring them first.

Regards,
Willewontee
Mr Tambourine Man (Baiting Guru) - Joined: 06 Jun 2008, Posts: 3386, Location: Magic swirlin' ship
Posted: Tue Aug 02, 2011 10:37 pm

Quote:
X-Originating-IP: [98.139.213.158]

That's Sunnyvale. Yahoo is based there, and is mentioned in the headers. I'm not sure what is happening here.

willewontee (Hello I'm New here!) - Joined: 22 Jul 2011, Posts: 15
Posted: Tue Aug 02, 2011 10:47 pm

The opinion seems to be it's a bit odd & indicative of someone hacking a server & email addresses. I took advice from more experienced baiters including Morgain Le Fay & have contacted the relevant organisations & reported all email addresses & servers involved.
I've not had anything back yet.

Regards,
Willewontee
Jeannette (Distinctly Average) - Joined: 21 Oct 2006, Posts: 2096, Location: Antarctica - well, not quite.
Posted: Wed Aug 03, 2011 7:43 am

Late to the party, but I just noticed "NNFMP" in the header. That means the scammer is using a nifty device to hide his location.

willewontee (Hello I'm New here!) - Joined: 22 Jul 2011, Posts: 15
Posted: Wed Aug 03, 2011 8:18 am

All I can find (authoritatively) about NNFMP (from Yahoo themselves):

NNFMP is an internal protocol not recognised by IANA or the RFCs. Yahoo uses this protocol to internally route e-mail traffic across their network. The acronym stands for "Newman No-Frills Mail Protocol". It's a simple, high-performance protocol comparable to QMTP.

So it is not necessarily indicative of fraud.

Regards,

Willewontee
Jeannette (Distinctly Average) - Joined: 21 Oct 2006, Posts: 2096, Location: Antarctica - well, not quite.
Posted: Wed Aug 03, 2011 9:26 am

Of course not. It's just something lads love to use.

willewontee (Hello I'm New here!) - Joined: 22 Jul 2011, Posts: 15
Posted: Wed Aug 03, 2011 10:39 am

So yes, just another pointer to a potential lad & it all adds up.
willewontee (Hello I'm New here!) - Joined: 22 Jul 2011, Posts: 15
Posted: Wed Aug 03, 2011 1:16 pm

Well, would you believe it, after all the reports I got from Spypig that turned out to be TOR nodes, it's eventually reported the mail being opened at another IP address: 116.203.102.186, which shows as India, but no more detail available.

So the trail seems to have left the US & gone somewhere where their "ladeese" written opening script seems more believable.

Regards,
Willewontee
All Content © 2003 - 419Eater.com