Tuesday, August 22, 2006

E-mail scams....sigh

I have over the years received many scam e-mails and, yes, they usually have something to do with some Nigerian aristocrat desiring safe passage for millions of dollars of dough to this country. You probably know of the various scams (i.e. the 419 scam), as well; I've heard from some sources that they do indeed still manage to find suckers every single day. Gee, will folk ever get a clue?

Well, after a long hiatus, some scammer has targeted me again. "Hey! He's got a bite some day!!" So, I just today got another e-mail scam and I've decided to publish this one, examine it with a fine-toothed comb, and write some commentary on it.

To start with, here's the e-mail received in KMail, headers and all with my own Cox e-mail (the final destination) X'd out:
Return-Path: <steveb555@adinet.com.uy>
Received: from eastrmimpi02.cox.net ([68.1.16.118]) by eastrmmtai08.cox.net
(InterMail vM.6.01.06.01 201-2131-130-101-20060113) with ESMTP
id <20060821182208.TPPI10570.eastrmmtai08.cox.net@eastrmimpi02.cox.net>
for <XXXXXXX@cox.net>; Mon, 21 Aug 2006 14:22:08 -0400
Received: from eforward4.name-services.com ([64.74.96.246])
by eastrmimpi02.cox.net with IMP
id CiHS1V05l5Jwc000000000
Mon, 21 Aug 2006 14:17:29 -0400
Received: from c9mailgw24.amadis.com ([216.163.188.220]) by eforward4.name-services.com with Microsoft SMTPSVC(6.0.3790.211);
Mon, 21 Aug 2006 11:20:39 -0700
Received: from smtp-s4.antel.net.uy (smtp-s4.antel.net.uy [200.40.30.233])
by c9mailgw24.amadis.com (Postfix) with ESMTP id 2F62B163806
for <dixiedog@dixiebill.com>; Mon, 21 Aug 2006 11:17:27 -0700 (PDT)
Received: from fe-ps02 (192.168.2.202) by smtp-s4.antel.net.uy (7.2.072.1) (authenticated as steveb555@adinet.com.uy)
id 4474803E01820289; Mon, 21 Aug 2006 14:59:40 -0300
Received: from [125.245.186.132] by www.adinet.com.uy via http; Mon Aug 21 14:59:40 UYT 2006
Message-ID: <12276098.1156183180746.JavaMail.tomcat@fe-ps02>
Date: Mon, 21 Aug 2006 14:59:40 -0300 (UYT)
From: steve Bastiaan <steveb555@adinet.com.uy>
Reply-To: steve_b2222@uymail.com
Subject: from steve
MIME-Version: 1.0
Content-Type: text/plain;
charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Originating-IP: 125.245.186.132
To: undisclosed-recipients:;
X-CTASD-RefID: str=0001.0A090216.44E9F8C4.0028,ss=1,fgs=0
X-CTASD-IP: 200.40.30.233
X-CTASD-Sender: steveb555@adinet.com.uy
x-ctasd: uncategorized
x-ctasd-vod: uncategorized
x-ctasd-station:
Return-Path: steveb555@adinet.com.uy
X-OriginalArrivalTime: 21 Aug 2006 18:20:39.0808 (UTC) FILETIME=[818A4000:01C6C54E]
Status: R
X-Status: NC
X-KMail-EncryptionState:
X-KMail-SignatureState:
X-KMail-MDN-Sent:

Dear Friend,

I am Steve Bastiaan, a merchant in Dubai, in the U.A.E. I have been diagnosed with Esophageal Cancer which was discovered very late, due to my laxity in caring for my health. It has defiled all forms of medicine, and right now I have only about a few months to live, according to medical experts.

I have not particularly lived my life so well, as I never really cared for anyone not even myself but my business. Though I am very rich, I was never generous, I was always hostile to people and only focused on my business as that was the only thing I cared for. But now I regret all this as I now know that there is more to life than just wanting to have or make all the money in the world.
I believe when God gives me a second chance to come to this world I would live my life a different way from how I have lived it.
Now that God has called me, I want God to be merciful to me and accept my soul and so, I have decided to give alms to charity organizations and give succour and confort to the less priviledged in our societies, as I want this to be one of the last good deeds I do on earth.
Now that my health has deteriorated so badly, I cannot do this my self anymore. The last of my money which no one knows of is the huge cash deposit of ten million dollars ($10M) that I have in Europe for safe keeping. I will want you to help me collect this deposit and disburse it to some charity organizations and to the less priviledged.

Please send me a mail to indicate if you will assist me in this disbursement. I have set aside 10% for you for your time and patience.
you can email me at: steve_b2222@uymail.com

While I await to hear from you, may God be with you and your entire family.
Remain blessed,
Steve Bastiaan.

Ok, next I did a reverse lookup from my home machine of the X-Originating-IP, shown as 125.245.186.132:
; <<>> DiG 9.3.1 <<>> -x 125.245.186.132
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 60580
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;132.186.245.125.in-addr.arpa. IN PTR

;; AUTHORITY SECTION:
245.125.in-addr.arpa. 900 IN SOA g.dns.kr. inverse.nida.or.kr. 2006062614 21600 900 604800 43200

;; Query time: 30 msec
;; SERVER: 192.168.1.2#53(192.168.1.2)
;; WHEN: Tue Aug 22 01:04:59 2006
;; MSG SIZE rcvd: 106
The name servers authoritative for that address block (the originating IP, which conveniently has no pointer (PTR) record) are in South Korea, as indicated by the .kr country-code top-level domain of the name servers returned in the authority section.

This IP lacks a pointer record, which for the uninitiated means there is no way to do an exact reverse IP lookup and obtain the machine name within the domain hierarchy in question; that is usually (but not always) indicative of an ethically-challenged ISP or IP spoofing. Only a start of authority (SOA) record is returned, naming the authoritative name servers, as we see here.

Next, the supposed sender steveb555@adinet.com.uy, which is most definitely a fake, naturally, points to adinet.com.uy, an entity (adinet.com) in Uruguay, as the source of this e-mail. The following lines in the header:
Received: from [125.245.186.132] by www.adinet.com.uy via http; Mon Aug 21 14:59:40 UYT 2006
Message-ID: <12276098.1156183180746.JavaMail.tomcat@fe-ps02>
seem to indicate some sort of Java-based webmail application (note the JavaMail.tomcat in the Message-ID). When we then go to www.adinet.com.uy, we indeed see a webmail page; the e-mail app itself is probably written in Java and served up with JavaServer Pages.

Anyway, not to get into too much technical psychobabble: if you read the Received: header lines from the bottom (start) to the top (end), it's quite apparent that the person who sent this probably resides in South Korea, logged into a webmail account at www.adinet.com.uy in Uruguay, and sent this gem to my Cox e-mail (via the Enom forwarding I set up through dixiedog AT dixiebill.com) among a plethora of other "undisclosed-recipients," one or more of whom will, unfortunately, without a doubt fall for this garbage.
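The bottom-up reading of the Received: chain and the reverse-lookup name that dig -x queries can both be done by a script rather than by eye. The following Python is an added example written for this post, not code from the original; it parses the header block quoted above (embedded here as a constructed sample, cut down to the lines the script uses, with the continuation lines indented as they are in a raw message), lists the hops oldest-first, picks out the first publicly routable "from" address, checks it against the X-Originating-IP header, and builds the in-addr.arpa name for it. The ptr_lookup function needs network access and is the only part that is not exercised offline. Hops written by relays you do not control can be forged by the sender, so the script treats the first hop as a lead, not proof.

```python
import email
import ipaddress
import re
import socket
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the header block of the scam message quoted above, cut
# down to the lines used here; continuation lines indented as in a raw message.
RAW_MESSAGE = """\
Received: from eastrmimpi02.cox.net ([68.1.16.118]) by eastrmmtai08.cox.net
    (InterMail vM.6.01.06.01 201-2131-130-101-20060113) with ESMTP
    id <20060821182208.TPPI10570.eastrmmtai08.cox.net@eastrmimpi02.cox.net>
    for <XXXXXXX@cox.net>; Mon, 21 Aug 2006 14:22:08 -0400
Received: from eforward4.name-services.com ([64.74.96.246])
    by eastrmimpi02.cox.net with IMP
    id CiHS1V05l5Jwc000000000
    Mon, 21 Aug 2006 14:17:29 -0400
Received: from c9mailgw24.amadis.com ([216.163.188.220]) by eforward4.name-services.com with Microsoft SMTPSVC(6.0.3790.211);
    Mon, 21 Aug 2006 11:20:39 -0700
Received: from smtp-s4.antel.net.uy (smtp-s4.antel.net.uy [200.40.30.233])
    by c9mailgw24.amadis.com (Postfix) with ESMTP id 2F62B163806
    for <dixiedog@dixiebill.com>; Mon, 21 Aug 2006 11:17:27 -0700 (PDT)
Received: from fe-ps02 (192.168.2.202) by smtp-s4.antel.net.uy (7.2.072.1) (authenticated as steveb555@adinet.com.uy)
    id 4474803E01820289; Mon, 21 Aug 2006 14:59:40 -0300
Received: from [125.245.186.132] by www.adinet.com.uy via http; Mon Aug 21 14:59:40 UYT 2006
From: steve Bastiaan <steveb555@adinet.com.uy>
X-Originating-IP: 125.245.186.132
To: undisclosed-recipients:;

(body omitted)
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_BY = re.compile(r"\bfrom\s+(.+?)\s+by\s+(\S+)")
DATE_TAIL = re.compile(r"\b((?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)\b.*)$")

@dataclass
class Hop:
    from_host: str          # host named in the "from" clause, brackets stripped
    from_ip: Optional[str]  # IPv4 address in the "from" clause, if any
    by_host: str            # relay that wrote this Received line
    timestamp: str          # date text at the end of the line ("" if absent)

def parse_hop(value: str) -> Optional[Hop]:
    """Parse one Received header value (folded or not) into a Hop."""
    value = " ".join(value.split())  # unfold and collapse whitespace
    m = FROM_BY.search(value)
    if not m:
        return None
    from_clause, by_host = m.group(1), m.group(2).rstrip(";")
    ip = IPV4.search(from_clause)
    # The date normally follows the last ';'; some relays (IMP above) omit it.
    tail = value.rsplit(";", 1)[1] if ";" in value else value
    d = DATE_TAIL.search(tail)
    return Hop(from_clause.split()[0].strip("[]"), ip.group(1) if ip else None,
               by_host, d.group(1).strip() if d else "")

def received_hops(raw: str) -> List[Hop]:
    """Received chain oldest-first, i.e. the headers read from the bottom up."""
    msg = email.message_from_string(raw)
    hops = [parse_hop(v) for v in reversed(msg.get_all("Received") or [])]
    return [h for h in hops if h is not None]

def originating_ip(hops: List[Hop]) -> Optional[str]:
    """First publicly routable 'from' address. Hops written by relays you do
    not trust can be forged, so this is a lead, not proof."""
    for h in hops:
        if h.from_ip and ipaddress.ip_address(h.from_ip).is_global:
            return h.from_ip
    return None

def reverse_name(ip: str) -> str:
    """The in-addr.arpa name that dig -x queries for an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def ptr_lookup(ip: str) -> Optional[str]:
    """PTR lookup (needs network); None when no pointer record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None

def trace_report(raw: str) -> dict:
    """Chain summary plus a check of X-Originating-IP against the first hop."""
    msg = email.message_from_string(raw)
    hops = received_hops(raw)
    origin = originating_ip(hops)
    claimed = (msg.get("X-Originating-IP") or "").strip() or None
    return {"hops": hops, "origin_ip": origin, "x_originating_ip": claimed,
            "origin_matches_header": origin is not None and origin == claimed,
            "origin_reverse_name": reverse_name(origin) if origin else None}

if __name__ == "__main__":
    r = trace_report(RAW_MESSAGE)
    for h in r["hops"]:
        print(f"{h.from_host} ({h.from_ip}) -> {h.by_host} [{h.timestamp}]")
    print(r["origin_ip"], r["origin_reverse_name"], r["origin_matches_header"])
```

Run as-is it prints the six hops in the order the message actually travelled, ending at the Cox server, and reports 125.245.186.132 as the origin with 132.186.245.125.in-addr.arpa as the name to query, which is exactly the question dig -x sent above. Feed it any other raw message (headers only is enough) to repeat the exercise; calling ptr_lookup on the origin address reproduces the "no pointer record" result when run with network access.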

One wishes they could reach out and touch these basta'ds sometimes. BUT, I deal ;).