Analysis of email header data by one who knows?

Post scam emails to warn other rental owners, or if you are not sure if an enquiry is genuine, put it up here and see what others think.
Mountain Goat
Posts: 6070
Joined: Wed Apr 19, 2006 1:31 pm
Location: Leysin, Alpes Vaudoises, Switzerland

Post by Mountain Goat »

I'm clinging on a bit with my fingernails here, knowledge-wise, but my friendly rental site owner, who's clued up on spam and scams, has sent another round-robin info email today to home owners on his list, showing one way of picking the meat of a possibly suspicious enquiry email.

You may not gel with the personal slant and it's a bit heavy going, but it's useful as I think he knows what he's talking about:

I do not believe this is a genuine enquiry - was the initial opinion of the owner

In view of your concerns that it might not be genuine, I looked at the
header of the email first. I am going to take you through the process: if
any of you have worries like this and want my help - this is one of the
things that I'm here for. Actually I love emails rather than form generated
enquiries as I can tell much more from an email about the psychology of the
sender than a sterilised form enquiry reveals.

The header is easily visible with Eudora but with Microsoft Express you
might have to right-click and go to properties or something to see it. It's
the "junk" at the top - and is all important. The header describes the
story of the journey undertaken by the email to reach you.

The header gets added to upwards. So the stuff at the top is the most
recent and you read the journey backwards:

>Received: from srv01.info-world.com (root@localhost)
> by antibes.co.uk (8.11.6/8.11.6) with ESMTP id l4E1WLv25280
> for <orbo@antibes.co.uk>; Mon, 14 May 2007 02:32:21 +0100

This is an internal path through the server

>X-ClientAddr: 65.54.246.211

That's where our server received the email from

>Received: from bay0-omc3-s11.bay0.hotmail.com
>(bay0-omc3-s11.bay0.hotmail.com [65.54.246.211])
> by srv01.info-world.com (8.11.6/8.11.6) with ESMTP id l4E1WH425200
> for <orbo@antibes.co.uk>; Mon, 14 May 2007 02:32:17 +0100

This is saying the above all over again

>Received: from BAY101-W6 ([64.4.56.106]) by bay0-omc3-s11.bay0.hotmail.com
>with Microsoft SMTPSVC(6.0.3790.2668);

That says that hotmail received it from somewhere . . . then we get the
time and the ID and type of content of the email:

> Sun, 13 May 2007 18:37:44 -0700
>Message-ID: <BAY101-W6B59B0DD871B7E46730E1E53E0@phx.gbl>
>Content-Type: multipart/alternative;
> boundary="_347f3c89-a840-4de2-a1d0-0f469614823c_"

Then EUREKA!

>X-Originating-IP: [89.243.85.99]

This is the network from which it came. We plug the number into our browser
after
http://www.dnsstuff.com/tools/whois.ch?ip=
- so http://www.dnsstuff.com/tools/whois.ch?ip=89.243.85.99
and we find that the sender is a subscriber to Opal Telecom based in the UK
in Manchester. No mention of satellite systems serving shady characters in
remote corners of the world nor government spies . . .

>From: °°° § a ¡ m a °°° *
> <saima_wyma@ >
>To: < @antibes.co.uk>
>Subject: Rent Enquiry
>Date: Mon, 14 May 2007 01:37:44 +0000

The way of dressing up the screen name "°°° § a ¡ m a °°° *" is
interesting. It says that this is a female who is very self conscious and
has a lot of time for and is very concerned by self presentation. Teenager?

Then we see the enquiry:
>Hi
>
>I am interested in renting out your apartment from 18 June 2007 - 23 June
>2007. Is it available at that time? Also can you give me a price quote, as
>I am looking around for the best deal. There will be myself and one other
>person so a total of two people and we don't have any cleaning
>requirements, as I read there will be more cost for that. Please do let me
>know what you can offer us.
>
>Many thanks.
>
>Saima
>
>P.S: this is the website I got your contact details from:
><http://www.costa-blanca.inspain.co.uk/c ... ://www.cos
>ta-blanca.inspain.co.uk/costa.blanca/orbo.php

I may be wrong but this looks like a young unmarried couple on the lowest
of budgets. Young, whether irresponsible or not most likely inexperienced.
Whether one can rely on them to do their own cleaning . . .

A genuine enquiry, I'm sure (was the rental site owner's final comment)

The email addresses above have been doctored.

MG
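
The backwards read of the Received chain described in the post above, as an added Python example that is not part of the original post or the quoted email. The function names are hypothetical, and it assumes antibes.co.uk and info-world.com are the recipient's own servers; anything recorded before that boundary, including X-Originating-IP, is only as reliable as the relay that wrote it.

```python
import re
from email import message_from_string

# Constructed input: the header lines quoted in the post, reassembled in order.
RAW = """\
Received: from srv01.info-world.com (root@localhost)
 by antibes.co.uk (8.11.6/8.11.6) with ESMTP id l4E1WLv25280
 for <orbo@antibes.co.uk>; Mon, 14 May 2007 02:32:21 +0100
X-ClientAddr: 65.54.246.211
Received: from bay0-omc3-s11.bay0.hotmail.com
 (bay0-omc3-s11.bay0.hotmail.com [65.54.246.211])
 by srv01.info-world.com (8.11.6/8.11.6) with ESMTP id l4E1WH425200
 for <orbo@antibes.co.uk>; Mon, 14 May 2007 02:32:17 +0100
Received: from BAY101-W6 ([64.4.56.106]) by bay0-omc3-s11.bay0.hotmail.com
 with Microsoft SMTPSVC(6.0.3790.2668);
 Sun, 13 May 2007 18:37:44 -0700
X-Originating-IP: [89.243.85.99]
Subject: Rent Enquiry

(body omitted)
"""
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

def trace(raw, own=("antibes.co.uk", "info-world.com")):
    """Return the Received hops oldest first; `own` is an assumed list of our domains."""
    hops = []
    # Each relay prepends its header, so reverse to follow the journey forwards.
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        text = " ".join(value.split())  # unfold continuation lines
        frm = re.search(r"\bfrom\s+(\S+)", text)
        by = re.search(r"\bby\s+(\S+)", text)
        ip = re.search(r"\[(" + IPV4 + r")\]", text)
        host = by.group(1).lower() if by else ""
        hops.append({"from": frm.group(1) if frm else None, "by": host or None,
                     "ip": ip.group(1) if ip else None,
                     # Only hops stamped by our own servers are first-hand evidence.
                     "trusted": any(host == d or host.endswith("." + d) for d in own)})
    return hops

def boundary_ip(hops):
    """IP our own server logged for the outside relay that handed the mail over."""
    return next((h["ip"] for h in hops if h["trusted"] and h["ip"]), None)

def claimed_origin(raw):
    """X-Originating-IP as asserted by the sending service (not verified by us)."""
    m = re.search(IPV4, message_from_string(raw).get("X-Originating-IP", ""))
    return m.group(0) if m else None
```

On the quoted header, `boundary_ip(trace(RAW))` matches the X-ClientAddr value, while `claimed_origin(RAW)` is the address Hotmail reported for the sender.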
Big Sis..
Posts: 8059
Joined: Mon Feb 19, 2007 5:31 pm
Location: Torrevieja and Norfolk

Post by Big Sis.. »

OOEER...MG.. :)

Very useful advice as usual :wink:
...trouble is you know what a klutz I am..and you lost me half way down..
but I'm sure the others will understand....

Anyway I've got a foolproof solution if I want to check any I'm sent..do you want to hear it.........

I'm gonna send any dodgy looking ones to you to decide....as you seem to be the master at this..
[good plan Eh :wink: ] :D