Well, after a long hiatus, some scammer has targeted me again. "Hey! He's got a bite some day!!" So, I just today got another e-mail scam and I've decided to publish this one, examine it with a fine-toothed comb, and write some commentary on it.
To start with, here's the e-mail received in KMail, headers and all with my own Cox e-mail (the final destination) X'd out:
Return-Path: <email@example.com>
Received: from eastrmimpi02.cox.net ([18.104.22.168]) by eastrmmtai08.cox.net
(InterMail vM.6.01.06.01 201-2131-130-101-20060113) with ESMTP
for <XXXXXXX@cox.net>; Mon, 21 Aug 2006 14:22:08 -0400
Received: from eforward4.name-services.com ([22.214.171.124])
by eastrmimpi02.cox.net with IMP
Mon, 21 Aug 2006 14:17:29 -0400
Received: from c9mailgw24.amadis.com ([126.96.36.199]) by eforward4.name-services.com with Microsoft SMTPSVC(6.0.3790.211);
Mon, 21 Aug 2006 11:20:39 -0700
Received: from smtp-s4.antel.net.uy (smtp-s4.antel.net.uy [188.8.131.52])
by c9mailgw24.amadis.com (Postfix) with ESMTP id 2F62B163806
for <firstname.lastname@example.org>; Mon, 21 Aug 2006 11:17:27 -0700 (PDT)
Received: from fe-ps02 (192.168.2.202) by smtp-s4.antel.net.uy (7.2.072.1) (authenticated as email@example.com)
id 4474803E01820289; Mon, 21 Aug 2006 14:59:40 -0300
Received: from [184.108.40.206] by www.adinet.com.uy via http; Mon Aug 21 14:59:40 UYT 2006
Date: Mon, 21 Aug 2006 14:59:40 -0300 (UYT)
From: steve Bastiaan <firstname.lastname@example.org>
Subject: from steve
X-OriginalArrivalTime: 21 Aug 2006 18:20:39.0808 (UTC) FILETIME=[818A4000:01C6C54E]

I am Steve Bastiaan,a merchant in Dubai, in the U.A.E.I have been
with Esophageal Cancerwhich was discovered very late, due to my laxity
caringfor my health. It has defiled all forms of medicine, and right
have only abouta few months to live, according to medical experts.
I have not particularly lived my life so well, as I never really
cared for anyone not even myself but my business. Though I am very
wasnever generous, I was always hostile to people and only focused on
business as that was the only thing I cared for. But now I regret all
as I now know that there is more to life than just wanting to have or
all themoney in the world.
I believe when God gives me a second chance to
come to this world I would live my life a different way from how I
have lived it.
Now that God has called me, I want God to be merciful to me and accept
soul and so, I have decided to give alms to charity organizations and
succour and confort to the less priviledged in our societies, as I
to be one of the last good deeds I do on earth.
Now that my health has deteriorated so badly, I cannot do this my self
anymore.The last of my money which no one knows of is the huge cash
of ten million dollars($10M) that I have in Europe for safe keeping. I
want you to help me collect this deposit and disburse it to some
organizations and to the less priviledged.
Please send me a mail to indicate if you will assist me in this
disbursement.I hav e set aside 10% for you for your time and patience.
you can email me at: email@example.com
While I await to hear from you, may God be with you and your entire

Ok, next I did a reverse lookup from my home machine of the X-Originating-IP shown to be 220.127.116.11:
; <<>> DiG 9.3.1 <<>> -x 220.127.116.11
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 60580
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;18.104.22.168.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
245.125.in-addr.arpa. 900 IN SOA g.dns.kr. inverse.nida.or.kr. 2006062614 21600 900 604800 43200
;; Query time: 30 msec
;; SERVER: 192.168.1.2#53(192.168.1.2)
;; WHEN: Tue Aug 22 01:04:59 2006
;; MSG SIZE rcvd: 106

The name server for that IP, the originating IP, which conveniently has no pointer (PTR) record, is located in South Korea, as indicated by the .kr top-level geographic domain of the name servers.
This IP lacks a pointer record, which for the uninitiated means there is no way to do an exact reverse IP lookup and obtain the machine name within the domain hierarchy in question, and that usually (but not always) is indicative of an ethically-challenged ISP or IP spoofing. Only a start of authority (SOA) record is returned, listing only authoritative name servers, as we see here.
Next, the supposed sender firstname.lastname@example.org, which is most definitely a fake, naturally, shows adinet.com.uy, an entity (adinet.com) in Uruguay, as the source of this e-mail. The following line in the header:

Received: from [22.214.171.124] by www.adinet.com.uy via http; Mon Aug 21 14:59:40 UYT 2006

seems to indicate some sort of Java-based, web-based e-mail app. When we then go to www.adinet.com.uy, we indeed see a web e-mail page in which the e-mail app itself is probably written in Java and served up on Java server pages.
Anyway, not to get into too much technical psychobabble, if you read the Received: header lines from the bottom (start) to the top (end), it's quite apparent that the person who sent this probably resides in South Korea, logged into a webmail at www.adinet.com.uy located in Uruguay, and sent this gem to my Cox e-mail (via Enom's forwarding I set up through dixiedog AT dixiebill.com) among a plethora of other "undisclosed-recipients," one or more of whom will without a doubt, unfortunately, fall for this garbage.
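The bottom-to-top reading described above can be automated. The following Python sketch is an added example, not part of the original post: it walks the Received: chain of this message oldest hop first, skips internal relays with private addresses, and derives the in-addr.arpa name that dig -x queries. The names RAW, hops and origin are made up for the illustration, and the header values are the ones shown on this page with trailing fields trimmed.

```python
import ipaddress
import re
from email import message_from_string

# Received: headers copied from the message on this page (addresses as shown
# there; timestamps and other trailing fields trimmed to keep the sample short).
RAW = """\
Received: from eastrmimpi02.cox.net ([18.104.22.168]) by eastrmmtai08.cox.net
 (InterMail vM.6.01.06.01 201-2131-130-101-20060113) with ESMTP
Received: from eforward4.name-services.com ([22.214.171.124])
 by eastrmimpi02.cox.net with IMP
Received: from c9mailgw24.amadis.com ([126.96.36.199])
 by eforward4.name-services.com with Microsoft SMTPSVC(6.0.3790.211)
Received: from smtp-s4.antel.net.uy (smtp-s4.antel.net.uy [188.8.131.52])
 by c9mailgw24.amadis.com (Postfix) with ESMTP id 2F62B163806
Received: from fe-ps02 (192.168.2.202) by smtp-s4.antel.net.uy (7.2.072.1)
Received: from [184.108.40.206] by www.adinet.com.uy via http
"""

HOP = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def hops(raw):
    """Relay path oldest-first: each server prepends its line, so reverse them."""
    path = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        m = HOP.search(flat)
        if not m:
            continue
        found = IPV4.search(f"{m['helo']} {m['paren'] or ''}")
        ip = ipaddress.ip_address(found.group()) if found else None
        path.append({"from": m["helo"].strip("[]"), "ip": ip, "by": m["by"],
                     "webmail": "via http" in flat})
    return path

def origin(path):
    """Oldest hop with a public client address; private ones are internal relays."""
    return next(h for h in path if h["ip"] and not h["ip"].is_private)

if __name__ == "__main__":
    for n, h in enumerate(hops(RAW), 1):
        print(n, h["from"], h["ip"], "->", h["by"], "(webmail)" if h["webmail"] else "")
    print("dig -x queries:", origin(hops(RAW))["ip"].reverse_pointer)
```

Only the lines stamped by relays you trust (here Cox and the forwarding service) are reliable; everything beneath the first trusted hop is text the sending side controls and can forge.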
One wishes they could reach out and touch these basta'ds sometimes. BUT, I deal ;).