419 Email and my response

Started by NewEte, February 19, 2007, 03:30:55 AM

Janwuya

Well, after tracing the originating IP address I file a formal complaint with the ISP to alert them as to the activities of the fraudsters. The problem is that some ISPs hardly bother to do anything about it. I traced one fraudster to NITEL Internet once but I didn't bother to find out who was assigned that IP address.

gogannaka

You should work with EFCC janwuya.

How do you trace the IP?
Surely after suffering comes enjoyment

Janwuya

There is software that allows u to trace the route an email took to reach u; in any case the IP is always embedded in the email header, so all u have to do is view the header and pick up from there... almost anybody can do it with a little determination, it's fun. If u like, I can post a tutorial on it.

HUSNAA

Ghafurallahi lana wa lakum

Janwuya

Well...finally I got a scam mail from one dumb "scammer" below, so let's use it to trace where it really came from using free online resources. The mail read...

From hopeline smith Thu Jun 28 10:45:
X-Apparently-To:   myemail@yahoo.com via 209.73.178.69; Thu, 28 Jun :45:
X-Originating-IP:   [66.196.100.69]
Return-Path:   <hopeline_smith@yahoo.com>
Authentication-Results:   mta104.mail.re3.yahoo.com from=yahoo.com; domainkeys=pass (ok)
Received:   from 66.196.100.69 (HELO web57502.mail.re1.yahoo.com) (66.196.100.69) by mta104.mail.re3.yahoo.com with SMTP; Thu, 28 Jun :45:
Received:   (qmail 25997 invoked by uid 60001); 28 Jun :45:
DomainKey-Signature:   a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID; b=SGemfvi6Sj0cTJZJa+U5L3vVqKFHyIEes08pb7R0ZBRhEwQHOEUbbOcMms3vm/cq2egMGKVAIqfOJGL46x/lM5eGJOWAj2bXXU7K/GnE8ysLxakPWKiJxC5VdrZB8EU6I8nRV6SOeL6Puim0Ir5e0xdfjTE7hUype+geG9rpMbk=;
X-YMail-OSG:   Z3XOW4kVM1nSgkrlu73O3yeDBC4oe0QARJRwTz8iC8gEop7FgieCRYieKWRmcpNnGQ--
Received:   from [196.207.248.31] by web57502.mail.re1.yahoo.com via HTTP; Thu, 28 Jun :45:47 PDT
Date:   Thu, 28 Jun :45: (PDT)
From:   "hopeline smith" <hopeline_smith@yahoo.com>
Subject:   ALL ABOUT ME AND MY PICTURES
To:   "Myname" <myemail@yahoo.com>
In-Reply-To:   <.7653.qm@web60011.mail.yahoo.com>
MIME-Version:   1.0
Content-Type:   multipart/mixed; boundary="-=:25687"
Content-Transfer-Encoding:   8bit
Message-ID:   <.25687.qm@web57502.mail.re1.yahoo.com>
Content-Length:   14179
HELLO DEAR,

COMPPLIMENTS OF THE DAY,HOW ARE YOU TODAY, I HOPE YOU ARE FINE.
MY NAME IS HOPELINE SMITH, I AM THE ONLY DAUGHTER OF MY FATHER. MY FATHER IS GENEERAL WILLIAM SMITH THE FORMER DIRECTOR OF COCOA EXPORT IN MY COUNTRY(COTE D' IVOIRE) WHO IS NOW DEAD.
I AM WRITING TO SOLICIT YOUR ASSISTANCE IN HELPING ME KEEP AND INVEST IN YOUR COUNTRY THE SUM OF $5.5MILLION U.S DOLLARS.THIS MONEY DEPOSITED BY MY LATE FATHER IN FINANCE FIRM IN DAKAR SENEGAL, UNDER MY NAME. THIS MONEY WAS REALISED FROM COCOA EXPORT. JUST  A COUPLE OF WEEKS  AGO, I WAS INFORMED ABOUT THIS FUND  BY THE FINANCE FIRM WHERE MY FATHER DEPOSITED IT. I HAVE VISITED THE FINANCE FIRM HERE IN SENEGAL TO ACCRETION THE JENUITY  OF THE FUND.

HOWEVER, THE FINANCE COMPANY COULD NOT RELEASE THE FUND TO ME ON THE CONDITION THAT I HAVE TO PROVIDE SOMEBODY WHO IS UP TO 30YRS WHO CAN STAND AS A TRUSTEE ,SO THAT THEY CAN BE ABLE TO HAND THE PERSON OVER THE MONEY FOR SAFE KEEPING AND INVESTMENT UNTIL I AM UP TO 30YRS SINCE I AM ONLY 26YRS OR I HAVE TO WAIT UNTIL I AM UP 30YRS BEFORE THEY CAN RELEASE THE BOX TO ME. AT THE MOMENT, I AM FINANCIALLY HANDICAPPED THAT I CAN NOT AFFORD TO WAIT FOR THE NEXT  4YRS BEFORE THE MONEY COULD BE RELEASED TO ME. THAT IS WHY I WRITE TO REQUEST FROM YOU IF YOU WILL BE DISPOSED IN HELPING ME KEEP AND INVEST THIS MONEY WITHOUT THE KNOWLEDGE OF ANYBODY.
I WILL OFFER YOU A REASONABLE % OUT OF THIS MONEY  OR WE CAN ENTER INTO PARTNERSHIP AT THE END OF THE DAY.

MY REGARDS,

HOPELINE  SMITH.

Attachments: 001.jpg (3k), 002.jpg (4k)

The photos attached were of one "Lepa shandy" hoping that will make me respond positively.....don't mind them.

First we display the full headers of the email; that's how we got what look like lines of code at the beginning of the email (I substituted my actual email address). Next we look for the Received row that displays the actual IP address...

Received: from [196.207.248.31] by web57502.mail.re1.yahoo.com via HTTP; Thu, 28 Jun :45:47 PDT

The actual IP address used is 196.207.248.31, so we begin by tracing it via a free resource website http://tools-on.net/net.shtml (Leader's Whois). The result will look like....
   
[ Leader's Whois ]


INVESTIGATION REPORT

General Information
Hostname: Cannot be resolved
IP: 196.207.248.31

Network Information
Owner: OrgName: RIPE Network Coordination Centre
Location: OrgID: RIPE, Address: P.O. Box 10096, City: Amsterdam, StateProv: PostalCode: 1001EB, Country: NL
Contact Information: 196.200.0.0 - 196.207.255.255, CIDR: 196.200.0.0/13, NetName: RIPE-ERX-196-200-0-0, NetHandle: NET-196-200-0-0-1, Parent: NET-196-0-0-0-0, NetType: Early Registrations, Transferred to RIPE NCC, Comment: These addresses have been further assigned to users in, Comment: the RIPE NCC region. Contact information can be found in, Comment: the RIPE database at http://www.ripe.net/whois, RegDate: , Updated:



The search couldn't resolve the IP, but the Comment gave us a link to query for the name of the organization using the IP address range, which is http://www.ripe.net/whois, so we go to that page and search for the IP 196.207.248.31. Our search result will look like...

% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '196.207.192.0 - 196.207.255.255'

inetnum:         196.207.192.0 - 196.207.255.255
org:             ORG-AFNC1-RIPE
netname:         AFRINIC-NET-TRANSFERRED-
descr:           This network has been transferred to AFRINIC
remarks:         These IP addresses are assigned in the AFRINIC region.
remarks:         Authoritative registration information for this network
remarks:         is available for query and modification in
remarks:         the AFRINIC whois database: whois.afrinic.net or
remarks:         web site: http://www.afrinic.net
remarks:         The routing registry information (route(6) objects)
remarks:         may be published in any Routing Registry, including
remarks:         RIPE Whois Database
country:         EU # country is really somewhere in African Region
admin-c:         AFRI-RIPE
tech-c:          AFRI-RIPE
status:          ALLOCATED PA
mnt-by:          RIPE-NCC-HM-MNT
mnt-routes:      RIPE-NCC-RPSL-MNT
source:          RIPE # Filtered

organisation:    ORG-AFNC1-RIPE
org-name:        African Internet Numbers Registry
org-type:        RIR
address:         see http://www.afrinic.net
e-mail:          bitbucket@ripe.net
admin-c:         AFRI-RIPE
tech-c:          AFRI-RIPE
remarks:         For more information on AFRINIC assigned blocks, use
remarks:         AFRINIC's whois database, whois.afrinic.net.
mnt-ref:         RIPE-NCC-HM-MNT
mnt-by:          RIPE-NCC-HM-MNT
source:          RIPE # Filtered

role:            The African Internet Numbers Registry
org:             ORG-AFNC1-RIPE
address:         AFRINIC, see http://www.afrinic.net
admin-c:         AFRI-RIPE
tech-c:          AFRI-RIPE
nic-hdl:         AFRI-RIPE
e-mail:          bitbucket@ripe.net
remarks:         For more information on AFRINIC assigned blocks, connect
remarks:         to AFRINIC's whois database, whois.afrinic.net.
mnt-by:          RIPE-NCC-HM-MNT
source:          RIPE # Filtered


From our search result we now know that the IP is assigned to an organization "country: EU # country is really somewhere in African Region" and we got another lead from there to query for the actual address, which is the site whois.afrinic.net. Again we query it and bingo, the following result....

% This is the AfriNIC Whois server.

% Information related to '196.207.248.0 - 196.207.248.63'

inetnum:      196.207.248.0 - 196.207.248.63
netname:      ADSL-REGIONS
descr:        Pool ADSL DSLAM Koungueul
country:      SN
admin-c:      SBT7-AFRINIC
tech-c:       MN1281-AFRINIC
tech-c:       SBT7-AFRINIC
status:       ASSIGNED PA
notify:       sbthiam@sentoo.sn
mnt-by:       SMM-MNT
mnt-lower:    SMM-MNT
changed:      sbthiam@sentoo.sn
source:       AFRINIC
parent:         196.207.248.0 - 196.207.248.255

person:       Seydou Bocar THIAM
address:      SOCIETE NATIONALES DES TELECOMMUNICATIONS
address:      Direction des Reseaux
address:      6 Rue Wagane DIOUF
address:      BP 69 Dakar
address:      SENEGAL
phone:       
fax-no:       
e-mail:       sbthiam@sentoo.sn
nic-hdl:      SBT7-AFRINIC
notify:       modyndiaye@sentoo.sn
changed:      modyndiaye@sentoo.sn
changed:      hostmaster@afrinic.net
remarks:      data has been transferred from RIPE Whois Database
source:       AFRINIC

person:       Mody Ndiaye
address:      SOCIETE NATIONALES DES TELECOMMUNICATIONS
address:      Sonatel
address:      Dakar
address:      Senegal
e-mail:       modyndiaye@sentoo.sn
phone:       
fax-no:       
nic-hdl:      MN1281-AFRINIC
notify:       modyndiaye@sentoo.sn
mnt-by:       SMM-MNT
changed:      modyndiaye@sentoo.sn
remarks:      data has been transferred from RIPE Whois Database
source:       AFRINIC


From the result we now know the person actually sent the mail from SENEGAL using Internet access provided by the above address (probably to a cyber cafe). If it's a serious fraud then the above can be contacted and they'll be able to provide info as to which service provider (or cybercafe) was used, including the computer itself. The authorities will be able to take it up from there coz they have the power to look into it.

I'll be available for any questions or clarification....Barkan ku Yan'uwa. Sorry for taking too long to put this up...I guess we've all been busy lately  :)
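
The tracing steps in the post above, as an added Python example that is not part of the original post: it picks the sender's IP out of the `Received` chain and follows the registry hand-off in the whois answers. The header and whois text are copied from the post; the `FORGED` line, the function names and the choice of `.yahoo.com` as the trusted suffix are assumptions made for this example.

```python
import ipaddress
import re
from email import message_from_string

# Headers and whois excerpts copied from the post above; truncated dates are left as they appear.
HEADERS = """\
X-Originating-IP: [66.196.100.69]
Received: from 66.196.100.69 (HELO web57502.mail.re1.yahoo.com) (66.196.100.69) by mta104.mail.re3.yahoo.com with SMTP; Thu, 28 Jun :45:
Received: (qmail 25997 invoked by uid 60001); 28 Jun :45:
Received: from [196.207.248.31] by web57502.mail.re1.yahoo.com via HTTP; Thu, 28 Jun :45:47 PDT
"""
# Constructed line (not from the post): a hop that a sender could have written into the message.
FORGED = "Received: from [203.0.113.7] by mail.example.net with SMTP\n"
RIPE = """\
inetnum:         196.207.192.0 - 196.207.255.255
remarks:         the AFRINIC whois database: whois.afrinic.net or
country:         EU # country is really somewhere in African Region
"""
AFRINIC = """\
inetnum:      196.207.248.0 - 196.207.248.63
netname:      ADSL-REGIONS
descr:        Pool ADSL DSLAM Koungueul
country:      SN
"""
HOP = re.compile(r"from\s+\[?(\d{1,3}(?:\.\d{1,3}){3})\]?.*?\bby\s+(\S+)", re.S)

def originating_ip(raw_headers, trusted=(".yahoo.com",)):
    """Walk Received lines newest-first; keep the client IP of the deepest hop
    recorded by a trusted server, and stop at the first untrusted one."""
    found = None
    for value in message_from_string(raw_headers).get_all("Received", []):
        m = HOP.search(value)
        if not m:                       # e.g. the local qmail hand-off has no peer IP
            continue
        ip, by_host = m.groups()
        if not by_host.lower().endswith(trusted):
            break                       # below this point the sender controls the text
        found = str(ipaddress.ip_address(ip))
    return found

def whois_fields(text):
    """First value of each attribute in an RPSL-style whois answer."""
    out = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if sep and not line.startswith("%"):
            out.setdefault(key.strip(), val.split("#")[0].strip())
    return out

def referral(text):
    """Whois server named in a remarks line when the registry hands the block off."""
    m = re.search(r"^remarks:.*?\b(whois\.[a-z0-9-]+(?:\.[a-z0-9-]+)+)", text, re.M)
    return m.group(1) if m else None

def covers(fields, ip):  # True if the answer's inetnum range contains the IP
    lo, hi = (ipaddress.ip_address(p.strip()) for p in fields["inetnum"].split("-"))
    return lo <= ipaddress.ip_address(ip) <= hi
```

Only `Received` lines written by servers you trust count as evidence; in this message `X-Originating-IP` is Yahoo's own web server, not the sender, which is why the walk goes down to the hop recorded `via HTTP`.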

Janwuya

Salam....in addition to the practical example above, the website http://spamlinks.net/track-trace.htm is a very good resource in spam tracing. Check it out.

neozizo

I got this e-mail and I don't know how for-real it is........
Does anyone know bout it?

TO ALL OUR CUSTOMERS NATIONWIDE

We want to use this medium to wish all our customers both new and old ones a very prosperous season and also to assure you that Interswitch Nigeria Limited have been and will always give your ATM card (s) the maximum security that you will expect from us.

Therefore, due to high rate of internet fraud complaints we are receiving from some of our customers like using of their ATM card details to make transaction via the internet without their notice because they have one way or the other disclose their Interswitch ATM card detail to fraudsters, It is our pleasure introducing to you our new security plan called "MAXI-SECURE", It is a security plan designed to assign our customer's ATM card Internet Personal Identification number (iPin) different from the present personal identification number (pin) they use for their cash withdrawal with their Interswitch ATM card. This pin will only be used whenever you wish to use your Interswitch ATM card for online transactions while you use your present pin for cash withdrawal from any of the ATM machine of Interswitch bank nationwide only.

The main objective of the this security plan is to secure your account whenever you by any mistake disclose your Interswitch ATM card detail to fraudsters. This means that if you by any mistake, disclose your Interswitch ATM card detail you use for cash withdrawal to fraudsters that payment will not authorize from your account via the internet unless the fraudsters have knowledge of your maxi-secure security ipin.

This will be effective starting from 29th of June 2008. To securely register your Interswitch ATM card to this security plan: CLICK HERE, which after twenty four (24) hours of your ATM card registration to this security plan, your Interswitch maxi-secure security ipin will be sent to you via email.

N/B:: Please note that starting from 29th June 2008 is only registered Interswitch ATM card to this security plan can only withdraw money from any of the ATM machines of Interswitch bank nationwide or make transaction via the internet using their Interswitch ATM card (s).

::SCAM ALERT::
To prevent scam always ensure that:
1) Any email you receive from our company is been sent via our official mailing identity: (info@interswitchng.com)
2) The registration of your Interswitch ATM card (s) to this security plan is done via the link provided in our email and not via email or sms.

Also you can always help us fight fraud by forwarding any Interswitch scam email you receive via this mailing address:(fraudalert@interswitchng.com) for other customers awareness and eradication. Kind Regards.

INTERSWITCH NIGERIA LIMITED
PLOT 1648C OKO-AWO CLOSE
VICTORIA ISLAND CITY
LAGOS STATE
NIGERIA.

For more information about our company visit : www.interswitchng.com

Copyright©2008. InterSwitch Limited. Al

gogannaka

NA fraud o! Zizo
Interswitch and participating banks have embarked on an awareness campaign that enlightens card users not to respond to such mails.

Interswitch will at no time ask you to reveal your PIN to them or any of their staff.
It's all an act of fraud. Don't mind the bogey websites, they look like Interswitch's, but check properly and you'll see funny ads somewhere.
Surely after suffering comes enjoyment

Muhsin

SHELL INTERNATIONAL LTD
SHELL FOUNDATION, NIGERIA SE1 7NA.
Date: 19th June 2008


Dear Donation Beneficiary,

                                         NOTIFICATION OF YOUR WINNING

The Shell Foundation Nigeria is glad to inform you that you have been approved a lump sum pay of US$500,000.00 (FIVE HUNDRED THOUSAND DOLLARS) in cash credit file ref: ILP/HW 46704/08 from the total cash prize shared amongst eight lucky winners in this category.

All participants were selected through a computer balloting system drawn from Nine hundred thousand E-mail addresses from Canada, Australia, United States, Asia, Europe, Middle East, Africa and Oceania as part of our international promotions program which is conducted annually. This Lottery was promoted and sponsored by a conglomerate of some multinational companies as part of their social responsibility to the citizens in the communities where they have operational base.

To celebrate the 7th anniversary Programme, the Shell Foundation Nigeria, in conjunction with some multi national companies and other relevant bodies is giving out a yearly donation of US$500,000.00 (FIVE HUNDRED THOUSAND DOLLARS) to eight lucky recipients.

These specific Donations/Grants will be awarded to recipients worldwide, in different categories for their personal business development and enhancement of their educational plans. Kindly note that you will only be chosen to receive the donation once, which means that subsequent yearly donation will not get to you again.

You were selected among the lucky recipients to receive the award sum of US$500,000.00 (FIVE HUNDRED THOUSAND DOLLARS) as charity donations/aid from the Shell Foundation Nigeria in accordance with the enabling act of Parliament.

To file for your claim, Please contact our Claims Agent through the following information below.

Contact Person: Rudolph John
Phone: +234 803-670-1853
Email: agent.rudolph_john4@yahoo.co.uk

Quote your cash credit file number ILP/HW 46704/08, and also your phone number for easy communication.

For security reasons, we advice all winners to keep this information confidential from the public until your claim is processed and your prize released to you. This is part of our security protocol to avoid double claiming and unwarranted taking advantage of this programme by non-participant or unofficial personnel. All information is strictly confidential and will only be used for the purpose to which it is been requested.

Finally, their respective beneficiaries should claim all funds, not later than 28 days after notification. Failure to do so will result to outright cancellation.

On behalf of the entire Board, I say Congratulations!!

Best Regards,
Mr. Mohammed Abdulaziz
Grants Coordinator

ANY BREACH OF CONFIDENTIALITY ON THE PART OF THE WINNERS WILL RESULT TO DISQUALIFICATION.
Get to know [and remember] Allah in prosperity & He will know  [and remember] you in adversity.

neozizo

Thnx gogannaka. THE E-MAIL had the Interswitch logo & all the works........how do these people do it?

Muhsin, make u no forget us when you they spend all that $$$$,
funny how they don't mention the beneficiary by name.

HUSNAA

If anyone receives anything from anywhere that he/she knows hasn't written to, doesn't know, hasn't been in contact with, don't even open it, just delete it. That way, the spammer will believe that the email was a red herring, otherwise u give him/her an idea that the email is genuine and the spammer becomes more of a nuisance thereafter.
Ghafurallahi lana wa lakum

IBB

What an interesting discussion going on here. These scammers, hmm, I wish I had time, I would have related to you how they operate. I'm here with a RETIRED SCAMMER; he once told me their stories, how they operate and all that. They are dangerous, believe me, don't bother replying to their mails. They operate in levels. They have smart men at every certain level that handle clients based on the progress of the engagement. Those top crooks come into play after the level one guys secure a response.

Check these out. Just for laugh
http://www.youtube.com/watch?v=-8ToPFtyOEY&feature=related
http://www.youtube.com/watch?v=u7kJ8CovsNY&feature=related
IHS

Muhsin

Get to know [and remember] Allah in prosperity & He will know  [and remember] you in adversity.

Jack Fulcher

This is a very interesting discussion.  These scams are ubiquitous and are apparently successful, given their persistence.  It's sad that some people are actually taken in by these emails, but it's sad that people are taken in by con men at all.  It's a sad commentary on how lonely and gullible some are, and I'm glad that law enforcement has taken a keen interest in tracking down these people.  I only wish that the ISP industry would do a better job - if they don't, they may find that some countries will pass laws they don't want and they may find the police auditing their accounts regularly.  It's better to police their own industry first.

It's hard to imagine that someone can read one of these letters and believe that someone picked them at random to make them rich.  However, you hear stories about how people lose thousands to these scams every day.  I'm glad the folks on this board are so sharp.  J ;)