
Re: scam warning (FW: IMPORTANT)



on Thu, Jan 03, 2002 at 05:26:37PM -0500, dman (dsh8290@rit.edu) wrote:
> 
> I just got this message.  Looks like the scammers are getting smarter
> -- sent directly to me with no trail in the Received: headers (all the
> received headers are my school accounts forwarding to other school
> accounts and eventually to my house).  Just beware :-).

It's a spoofed origin packet.  It appears to find a host on your network
and claim to be coming from it, when in fact it's not.  In your case and
mine, the host is the primary MX server for the domain (mine came
through mx00.ix.netcom.com).  I got the same spam.

> Funny, as I snipped out most of the noise, I noticed that james wants
> a "trust wordy" partner.  Hehe.
> 
> -D
> 
> ----- Forwarded message from james langa <james100nig@yahoo.com> -----
> 
> Received: from pony-express.cs.rit.edu ([129.21.30.24])
> 	by localhost with esmtp (Exim 3.33 #1 (Debian))
> 	id 16MGB3-0000i7-00
> 	for <dman@dman.ddts.net>; Thu, 03 Jan 2002 17:17:33 -0500
> Received: from vms4.rit.edu (vms4.isc.rit.edu [129.21.3.15])
> 	by pony-express.cs.rit.edu (8.9.3/8.9.3) with ESMTP id RAA03543
> 	for <dsh8290@cs.rit.edu>; Thu, 3 Jan 2002 17:10:06 -0500 (EST)
> Received: from conversion.ritvax by ritvax.isc.rit.edu (PMDF V5.2-32 #40294)
>  id <01KCN4HCIEPCD2QKN1@ritvax.isc.rit.edu> for dsh8290@cs.rit.edu
>  (ORCPT rfc822;dsh8290@rit.edu); Thu, 3 Jan 2002 17:10:06 EST
> Received: from ritvax.isc.rit.edu by ritvax.isc.rit.edu (PMDF V5.2-32 #41784)
>  id <01KCN4HCD15UCVGFBS@ritvax.isc.rit.edu> for dsh8290@cs.rit.edu
>  (ORCPT rfc822;dsh8290@rit.edu); Thu, 03 Jan 2002 17:10:05 -0500 (EST)
> Received: from conversion.ritvax by ritvax.isc.rit.edu (PMDF V5.2-32 #41784)
>  id <01KCN4HBECZ4CVH0Z0@ritvax.isc.rit.edu> for dsh8290@ritvax.isc.rit.edu
>  (ORCPT rfc822;dsh8290@rit.edu); Thu, 03 Jan 2002 17:10:04 -0500 (EST)
> Received: from vmsmx.rit.edu ([64.110.64.19])
                                 ^^^^^^^^^^^^
That's not an rit.edu address.  

Note that the "Received:" line host is whatever the remote MTA says it
wants to be.  A well-tuned mailserver will do some fancy stuff like a
reverse lookup or auth to see if names match.

Here's your spammer, looks like this Nigeria spam's actually from
Nigeria:

    $ host 64.110.64.19
    Name: host-64-110-64-19.interpacket.net
    Address: 64.110.64.19

    InterPacket Group, Inc. (NETBLK-INTERPACKET4) INTERPACKET4
						       64.110.0.0 - 64.110.191.255
    Bacom Communications Ltd. (NETBLK-IPG4-64-16-20000717) IPG4-64-16-20000717
						       64.110.64.16 - 64.110.64.31

    To single out one record, look it up with "!xxx", where xxx is the
    handle, shown in parenthesis following the name, which comes first.

    $ whois \!NETBLK-IPG4-64-16-20000717
    The ARIN Registration Services Host contains ONLY Internet
    Network Information: Networks, ASN's, and related POC's.
    Please use the whois server at rs.internic.net for DOMAIN related
    Information and whois.nic.mil for NIPRNET Information.


    Bacom Communications Ltd. (NETBLK-IPG4-64-16-20000717)
       11, Abagbon Close
       Off Ologun - Agbaje St.
       Victoria Island, 
       NG

       Netname: IPG4-64-16-20000717
       Netblock: 64.110.64.16 - 64.110.64.31

       Coordinator:
	  Ogunsola, Saheed  (SO139-ARIN)  saogunsola@yahoo.com
	  +2616 035

       Record last updated on 18-Jul-2000.
       Database last updated on  3-Jan-2002 19:56:04 EDT.

    The ARIN Registration Services Host contains ONLY Internet
    Network Information: Networks, ASN's, and related POC's.
    Please use the whois server at rs.internic.net for DOMAIN related
    Information and whois.nic.mil for NIPRNET Information.


>  by ritvax.isc.rit.edu (PMDF V5.2-32 #41784)
>  with SMTP id <01KCN4H5LV4UCYZ3R7@ritvax.isc.rit.edu> for
>  dsh8290@ritvax.isc.rit.edu (ORCPT rfc822;dsh8290@rit.edu); Thu,
>  03 Jan 2002 17:10:04 -0500 (EST)
> Date: Thu, 03 Jan 2002 23:02:27
> From: james langa <james100nig@yahoo.com>
> Subject: IMPORTANT
> To: dsh8290@ritvax.rit.edu
> Message-id: <01KCN4H6NBU8CYZ3R7@ritvax.isc.rit.edu>
> X-VMS-To: IN%"dsh8290@ritvax.isc.rit.edu"
> MIME-version: 1.0
> Content-type: text/plain; charset=iso-8859-1
> Content-transfer-encoding: 7BIT
> 
> FROM: COL. JAMES LANGA.
> DEMOCRATIC REPUBLIC OF CONGO.
> jamesemeka@hotmail.com
> Dear Sir,

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What part of "Gestalt" don't you understand?              Home of the brave
  http://gestalt-system.sourceforge.net/                    Land of the free
We freed Dmitry! Boycott Adobe! Repeal the DMCA! http://www.freesklyarov.org
Geek for Hire                      http://kmself.home.netcom.com/resume.html
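
Added example (not part of the original message or the list archive): a Python sketch of the check described above, comparing the name each hop claimed in its "Received:" line with the reverse-DNS name of the IP the receiving server recorded. The PTR table stands in for live DNS and holds only the `host` result quoted above; the function names and the two-label domain comparison are assumptions of this sketch.

```python
import re
from email import message_from_string

# Constructed sample: Received: headers abridged from the message quoted above.
SAMPLE = """\
Received: from pony-express.cs.rit.edu ([129.21.30.24])
\tby localhost with esmtp (Exim 3.33 #1 (Debian))
Received: from vms4.rit.edu (vms4.isc.rit.edu [129.21.3.15])
\tby pony-express.cs.rit.edu (8.9.3/8.9.3) with ESMTP id RAA03543
Received: from conversion.ritvax by ritvax.isc.rit.edu (PMDF V5.2-32 #40294)
Received: from vmsmx.rit.edu ([64.110.64.19])
 by ritvax.isc.rit.edu (PMDF V5.2-32 #41784)
Subject: IMPORTANT

(body omitted)
"""

# Offline stand-in for reverse DNS; the single entry is the `host` result above.
PTR = {"64.110.64.19": "host-64-110-64-19.interpacket.net"}

# "from CLAIMED (RDNS [IP])" or "from CLAIMED ([IP])"
HOP = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([\d.]+)\]\)")


def base_domain(name):
    """Last two labels of a host name (assumption: ignores suffixes like co.uk)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def audit_received(raw, resolve=PTR.get):
    """Return (claimed_name, ip, ptr_name, status) for each hop that recorded an IP."""
    findings = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if not m:
            continue  # internal hop with no peer address, e.g. "conversion.ritvax"
        claimed, recorded, ip = m.groups()
        ptr = recorded or resolve(ip)  # prefer the name the receiving MTA logged
        if ptr is None:
            status = "unknown"
        elif base_domain(ptr) == base_domain(claimed):
            status = "match"
        else:
            status = "mismatch"
        findings.append((claimed, ip, ptr, status))
    return findings


if __name__ == "__main__":
    for hop in audit_received(SAMPLE):
        print("%-26s %-15s %-36s %s" % tuple(str(x) for x in hop))
```

For live lookups, pass a `resolve` callable built on `socket.gethostbyaddr` in place of the table. Only the bracketed IP written by a server you control is reliable; the claimed name and every header below the first untrusted hop are supplied by the sender.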
