Signs of a scam email enquiry, and tracking IP addresses.
Posted: Sat Sep 30, 2006 8:55 am
Hi,
Here is a list of a few things that should start your bells ringing as to whether you are about to be scammed. It is by no means definitive, and I would ask any other members to contribute any other telltale signs. Some of the points have been covered but I just thought it might be useful to have it all in one place.
Bad spelling and grammar
The email all in caps
Vague emails, i.e. I want to rent your house/apartment/hotel/villa in your area
Anything that is too good to be true, i.e. a 2 month booking out of season
Payment by a sponsor, or someone else paying for a honeymoon.
Nigerian Clergy or Dr's from any African state.
Payment, after all this is all they are interested in. No Western Union payments, no overpayments
They will try to cut to the chase when it comes to money, with little regard for anything else.
Don't get involved with any requests for mobile phones or computers to be bought and placed at the property for their arrival. They will give you a stolen credit card number and you will get nicked, or if it's not reported they will change their mind and ask for it to be posted onto them
Anything that feels out of the ordinary, trust your own feelings
Tel numbers - you can get a legit UK phone number over the net and have it diverted to a mobile, so just because they look real you could be talking to someone on a pay-as-you-go in Lagos.
IP locator:
http://www.ip-to-location.com/free.asp - try to get to grips with this, it will tell you where the email really came from. If you don't like this one there are plenty of other free ones on the web, follow the instructions below:-
I have nicked this from www.419eater.com
Reading Email Headers
(a public service announcement from 419weasel, who would like to remind you to "bait safe")
Here is the answer to what is probably THE most asked question when it comes to baiting, "How can I find their IP address?".
The answer is very simple. Since most scammers use Yahoo!, finding their IP address is fairly simple. First, we will look at a typical header from an email sent to my gmail account from a scammer using Yahoo!. (email addresses have been replaced with "xxxscammer@yahoo.com or xxxbaiter@gmail.com" to prevent box killing)
X-Gmail-Received: 3aea05e30c6ec9798d6c51537eaebadfa6d600fd
Delivered-To: xxxbaiter@gmail.com
Received: by 10.64.27.17 with SMTP id a17cs505121qba;
Fri, 8 Sep 2006 12:02:49 -0700 (PDT)
Received: by 10.70.29.7 with SMTP id c7mr737346wxc;
Fri, 08 Sep 2006 12:02:48 -0700 (PDT)
Return-Path: <xxxscammer@yahoo.com>
Received: from web57215.mail.re3.yahoo.com (web57215.mail.re3.yahoo.com [216.252.111.231])
by mx.gmail.com with SMTP id h40si3005666wxd.2006.09.08.12.02.47;
Fri, 08 Sep 2006 12:02:48 -0700 (PDT)
Received-SPF: pass (gmail.com: domain of xxxscammer@yahoo.com designates 216.252.111.231 as permitted sender)
DomainKey-Status: good (test mode)
Received: (qmail 92842 invoked by uid 60001); 8 Sep 2006 19:02:47 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.com;
h=Message-ID:Received:Date:From:Subject:To:In-Reply-To:MIME-
Version:Content-Type:Content-Transfer-Encoding;
b=FW475h+KQ0l5uOS0HzHoOAYdM5Z3
+htGaFFzrlKhR6BI0ezNCSaB/JfK8fGO
jlwwXSu5gm/kH4R3IpBPImhJLFUqoIfQeA
UdAIQq7nDjsipcFcdw/PdSocGWbe2
DLeSDLiva0hm+KVakxSeSITHHENjF06k4IsndnXsrsqICyXg= ;
Message-ID: <20060908190247.92840.qmail@web57215.mail.re3.yahoo.com>
Received: from [209.159.166.122] by web57215.mail.re3.yahoo.com via HTTP; Fri, 08 Sep 2006 12:02:47 PDT
Date: Fri, 8 Sep 2006 12:02:47 -0700 (PDT)
From: XXX Scammer <xxxscammer@yahoo.com>
Subject: MY IP ADDRESS IS NAKED AS A NEWBORN BABY!
To: XXX Baiter <xxxbaiter@gmail.com>
In-Reply-To: <1a7adfd70609070650y227ac44al796b19033acbcc30@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-1932846235-1157742167=:91815"
Content-Transfer-Encoding: 8bit
--0-1932846235-1157742167=:91815
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
When reading a header to find the IP address, start from the bottom and work your way up. The sender's IP address is usually the first one from the bottom, sometimes the second. In the case of this header, the sender's IP address is 209.159.166.122.
Now that we have the scammer's IP address, let's see where he is. Copy that IP address and go to http://www.dnsstuff.com . Choose an option that fits your IP (or domain name) tracing needs, paste it in the field and click the button. This will usually show you who OWNS the IP address block. If you are looking for a geographic location, try http://www.ip2location.com/free.asp ...
No IP address lookup is 100% accurate. In the case of this particular scammer, the IP address is located in Nigeria and his ISP is "Direct On PC". However, sometimes this can be deceiving. A lot of scammers use satellite internet providers, which will make them appear to be in Australia, Israel, Utah and several other locations. Please remember, scammers can come from any country or any walk of life and are just as able to trace IP addresses, which is why it is VERY important to BAIT SAFE!
_________________
If you are on Gmail (and maybe other email services work the same way), be aware that if you reply to a scammer his or her email address will automatically be added to your address book. So if you do a mailout they will receive it as well and are more likely to come back to you sounding even more convincing.
As I said this list is not definitive, and it's too early in the morning for me! Feel free to chip in with any other advice, but could we please keep it on topic!
That's it for me, I am off to my local WU office.
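The bottom-up reading of the Received lines described in the post, as an added Python example (not part of the original post or of the 419eater guide). The sample is constructed from the header quoted above; the function names and the `my_mx` parameter are assumptions made for this illustration.

```python
import email
import ipaddress
import re

# Constructed sample: the Received lines of the header quoted in the post,
# with continuation lines indented as they are in a raw message.
RAW = """\
Delivered-To: xxxbaiter@gmail.com
Received: by 10.64.27.17 with SMTP id a17cs505121qba;
    Fri, 8 Sep 2006 12:02:49 -0700 (PDT)
Received: by 10.70.29.7 with SMTP id c7mr737346wxc;
    Fri, 08 Sep 2006 12:02:48 -0700 (PDT)
Received: from web57215.mail.re3.yahoo.com (web57215.mail.re3.yahoo.com [216.252.111.231])
    by mx.gmail.com with SMTP id h40si3005666wxd.2006.09.08.12.02.47;
    Fri, 08 Sep 2006 12:02:48 -0700 (PDT)
Received: (qmail 92842 invoked by uid 60001); 8 Sep 2006 19:02:47 -0000
Received: from [209.159.166.122] by web57215.mail.re3.yahoo.com via HTTP;
    Fri, 08 Sep 2006 12:02:47 PDT
From: XXX Scammer <xxxscammer@yahoo.com>

body
"""

FROM_BY = re.compile(r"^from\s+(?P<src>.*?)\s+by\s+(?P<by>\S+)", re.S)
BRACKET_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def hops(raw):
    """(client_ip, recording_host) for each Received header, oldest first."""
    out = []
    received = email.message_from_string(raw).get_all("Received", [])
    for value in reversed(received):
        m = FROM_BY.match(value.strip())
        if not m:
            continue  # "by 10.x ..." and "(qmail ...)" lines name no client
        for text in BRACKET_IP.findall(m.group("src")):
            try:
                out.append((ipaddress.ip_address(text), m.group("by")))
            except ValueError:
                pass  # bracketed text that is not an IP address
    return out

def claimed_origin(raw):
    """Bottom-most public address: where the message says it started."""
    return next(((str(ip), by) for ip, by in hops(raw) if ip.is_global), None)

def handoff(raw, my_mx="mx.gmail.com"):
    """Address recorded by the recipient's own mail server (my_mx is assumed)."""
    return next((str(ip) for ip, by in hops(raw) if by == my_mx), None)
```

Only the hop recorded by your own provider's server (`handoff`) is written by a machine you can trust; every Received line below it is as reliable as the server that added it, so treat `claimed_origin` as a lead to corroborate rather than proof.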