How to ID origin in email headers?

Post by Ohmste » Thu, 06 Dec 2007 05:07:53



I am sure this may be the wrong place for this question but you guys know a
lot about header information so could someone please direct me to the
appropriate newsgroup to ask this question in?

I am trying to rent a room and placed some ads online like craigslist and
have gotten a few replies from overseas that seem very sincere but never
amount to anything other than email chat on yahoo or hotmail email
accounts. They show a genuine interest in renting, write back and forth,
and one is supposed to be in the UK and the other one is in the Benin Republic.
I can find no way in the hotmail or yahoo mail to trace the origin of such
emails. I had thought that the Date line would give it away as both of
them show lines like:
Date: Tue, 4 Dec 2007 10:05:46 -0800 (PST)
But my brother is in Panama and when he writes through yahoo, it is the
same thing and Panama sure is not -8 Hrs, Pacific Standard Time.

Is there any way to track the origin of a hotmail or yahoomail email through
the headers or can it not be done? I am sorry to ask this question in this
group, please direct me to the appropriate newsgroup if I am off base here.
Thank you for your time.

--
~Ohmster | ohmster /a/t/ ohmster dot com
Put "messageforohmster" in message body
(That is Message Body, not Subject!)
to pass my spam filter.

Post by Vilmos Sot » Thu, 06 Dec 2007 05:28:45



> I am sure this may be the wrong place for this question

Yes...

> but you guys know a
> lot about header information so could someone please direct me to the
> appropriate newsgroup to ask this question in?

> Is there any way to track the origin of a hotmail or yahoomail email through
> the headers or can it not be done?

Other than the very first Received: line, you cannot really trust
anything else. The header *MIGHT* contain something like
"X-Original-IP" or similar, but even that cannot be trusted.

Vilmos

Post by Moe Tr » Thu, 06 Dec 2007 11:38:51


On Tue, 4 Dec 2007, in the Usenet newsgroup comp.os.linux.networking, in


>I can find no way in the hotmail or yahoo mail to trace the origin of such
>emails.

I haven't accepted mail from either domain in several years, but then they
did include a set of "Received:" headers that were realistic. I'm not
sure these two sites are valid, but check

   http://www.codecutters.org/spam/smtpheaders.html
   http://www.stopspam.org/email/headers.html

which explain them. Else, read RFC2821 (or the older RFC0821) which are the
specs for SMTP.

>I had thought that the Date line would give it away as the both of
>them show lines like:
>Date: Tue, 4 Dec 2007 10:05:46 -0800 (PST)

Probably because the two domains are both in the Pacific time zone
(California and Washington state).

>Is there any way to track the origin of a hotmail or yahoomail email through
>the headers or can it not be done? I am sorry to ask this question in this
>group, please direct me to the appropriate newsgroup if I am off base here.
>Thank you for your time.

Looking up the IP addresses may give clues. Start with
http://www.iana.org/assignments/ipv4-address-space  which tells you the
RIR to look at.  You mention the UK, and they've got a shedload of blocks
(3236 from ARIN, APNIC and RIPE). Benin only has 3 allocations (all from
AFRINIC):

[compton ~]$ zgrep -h BJ IP.ADDR/stats/[ALR]*
BJ 41.223.248.0 255.255.252.0 allocated af
BJ 81.91.224.0 255.255.240.0 allocated af
BJ 196.46.152.0 255.255.252.0 allocated af
[compton ~]$

but the person there could be using a satellite link to another country.
IP address-to-country mapping is notoriously inaccurate.

        Old guy
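The lookup Moe describes (find the RIR for an address, then see which country the allocation is registered to) can be done offline against the RIRs' public "delegated" statistics files. The script below is an added example, not something from the thread or from any of the tools named in it: it parses records in the delegated format (registry|cc|type|start|value|date|status), expands each allocation into CIDR blocks, and returns the most specific block containing an address. The three BJ records mirror the Benin blocks Moe quotes (1024 addresses is the /22, 4096 the /20); the NG, GB and US records, the dates and every function name are constructed for this example.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample in the RIR "delegated" statistics format:
#   registry|cc|type|start|value|date|status
# For ipv4 records "value" is the number of addresses in the block.
# The BJ lines correspond to the Benin blocks quoted in the thread; the
# NG, GB and US lines and all dates are constructed for this example.
SAMPLE_DELEGATED = """\
2|afrinic|20071205|6|19970101|20071205|+0000
afrinic|*|ipv4|*|4|summary
afrinic|BJ|ipv4|41.223.248.0|1024|20070101|allocated
afrinic|BJ|ipv4|81.91.224.0|4096|20070101|allocated
afrinic|BJ|ipv4|196.46.152.0|1024|20070101|allocated
afrinic|NG|ipv4|41.223.24.0|1024|20070101|allocated
ripencc|GB|ipv4|217.146.176.0|4096|20050101|allocated
arin|US|ipv4|69.147.64.0|16384|20040101|allocated
"""

Allocation = Tuple[ipaddress.IPv4Network, str, str]  # (block, country, registry)


def parse_delegated(text: str) -> List[Allocation]:
    """Turn delegated-format records into CIDR blocks tagged with country and RIR.

    Version and summary lines are skipped. In real files the address count is
    not always a power of two, so each range is summarised into one or more
    CIDR networks instead of being converted with a single netmask."""
    blocks: List[Allocation] = []
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) < 7 or fields[2] != "ipv4":
            continue
        registry, cc, _kind, start, value, _date, status = fields[:7]
        if status not in ("allocated", "assigned"):
            continue
        first = ipaddress.IPv4Address(start)
        last = first + (int(value) - 1)
        for net in ipaddress.summarize_address_range(first, last):
            blocks.append((net, cc, registry))
    return blocks


def lookup(ip: str, blocks: List[Allocation]) -> Optional[Tuple[str, str, str]]:
    """Return (block, country, registry) for the most specific block containing
    ip, or None when the address is not covered by any record."""
    addr = ipaddress.IPv4Address(ip)
    best: Optional[Allocation] = None
    for net, cc, registry in blocks:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc, registry)
    if best is None:
        return None
    return (str(best[0]), best[1], best[2])


def country_of(ip: str, blocks: List[Allocation]) -> Optional[str]:
    """Country code the containing block is registered to. This is where the
    allocation is registered, not where the user sits: as the thread notes,
    a satellite or other long-haul link can put the user somewhere else."""
    hit = lookup(ip, blocks)
    return hit[1] if hit else None


if __name__ == "__main__":
    table = parse_delegated(SAMPLE_DELEGATED)
    for ip in ("41.223.24.125", "41.223.249.7", "217.146.182.181", "10.1.2.3"):
        print(ip, "->", lookup(ip, table))
```

Against the full delegated-extended files published by each RIR the same code works unchanged; the sample here is deliberately tiny, so addresses outside it simply come back as None.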

Post by Ohmste » Thu, 06 Dec 2007 21:32:41



> On Tue, 4 Dec 2007, in the Usenet newsgroup comp.os.linux.networking, in


> >I can find no way in the hotmail or yahoo mail to trace the origin of such
> >emails.

> I haven't accepted mail from either domain in several years, but then they
> did include a set of "Received:" headers that were realistic. I'm not
> sure these two sites are valid, but check

>    http://www.codecutters.org/spam/smtpheaders.html
>    http://www.stopspam.org/email/headers.html

> which explain them. Else, read RFC2821 (or the older RFC0821) which are the
> specs for SMTP.

> >I had thought that the Date line would give it away as the both of
> >them show lines like:
> >Date: Tue, 4 Dec 2007 10:05:46 -0800 (PST)

> Probably because the two domains are both in the Pacific time zone
> (California and Washington state).

> >Is there any way to track the origin of a hotmail or yahoomail email through
> >the headers or can it not be done? I am sorry to ask this question in this
> >group, please direct me to the appropriate newsgroup if I am off base here.
> >Thank you for your time.

> Looking up the IP addresses may give clues. Start with http://www.iana.org/assignments/ipv4-address-space which tells you the
> RIR to look at.  You mention the UK, and they've got a shedload of blocks
> (3236 from ARIN, APNIC and RIPE). Benin only has 3 allocations (all from
> AFRINIC):

> [compton ~]$ zgrep -h BJ IP.ADDR/stats/[ALR]*
> BJ 41.223.248.0 255.255.252.0 allocated af
> BJ 81.91.224.0 255.255.240.0 allocated af
> BJ 196.46.152.0 255.255.252.0 allocated af
> [compton ~]$

> but the person there could be using a satellite link to another country.
> IP address-to-country mapping is notoriously inaccurate.

>         Old guy

I have to reply with google groups, for some reason, my server will
not accept this post. Says posting, done, waiting on confirmation
forever and it never goes up to Usenet.



> On Tue, 4 Dec 2007, in the Usenet newsgroup comp.os.linux.networking,

>>I can find no way in the hotmail or yahoo mail to trace the origin of
>>such emails.

> I haven't accepted mail from either domain in several years, but then
> they did include a set of "Received:" headers that were realistic. I'm
> not sure these two sites are valid, but check

>    http://www.codecutters.org/spam/smtpheaders.html
>    http://www.stopspam.org/email/headers.html

The codecutters site does not come up but stopspam does. Thanks Moe.

> which explain them. Else, read RFC2821 (or the older RFC0821) which
> are the specs for SMTP.

>>I had thought that the Date line would give it away as the both of
>>them show lines like:
>>Date: Tue, 4 Dec 2007 10:05:46 -0800 (PST)

> Probably because the two domains are both in the Pacific time zone
> (California and Washington state).

I am sure I was incorrect about that assumption.

>>Is there any way to track the origin of a hotmail or yahoomail email
>>through the headers or can it not be done? I am sorry to ask this
>>question in this group, please direct me to the appropriate newsgroup
>>if I am off base here. Thank you for your time.

> Looking up the IP addresses may give clues. Start with
> http://www.iana.org/assignments/ipv4-address-space  which tells you
> the RIR to look at.  You mention the UK, and they've got a shedload of
> blocks (3236 from ARIN, APNIC and RIPE). Benin only has 3 allocations
> (all from AFRINIC):

Will do.

> [compton ~]$ zgrep -h BJ IP.ADDR/stats/[ALR]*
> BJ 41.223.248.0 255.255.252.0 allocated af
> BJ 81.91.224.0 255.255.240.0 allocated af
> BJ 196.46.152.0 255.255.252.0 allocated af
> [compton ~]$

> but the person there could be using a satellite link to another
> country. IP address-to-country mapping is notoriously inaccurate.

>         Old guy

The headers are too long to paste into a post, they wrap terribly and
the servers won't accept them if they are badly wrapped. Here are the
headers for you to see:
http://www.ohmster.com/~ohmster/email/

I tried checking them with this email checker and it appears both
originate in Nigeria.
http://www.ip2location.com/emailtracer.aspx

What do you think, do you believe it Old Guy?
--
~Ohmster | ohmster /a/t/ ohmster dot com
Put "messageforohmster" in message body
(That is Message Body, not Subject!)
to pass my spam filter.

Post by Moe Tr » Fri, 07 Dec 2007 04:49:55


On Wed, 5 Dec 2007, in the Usenet newsgroup comp.os.linux.networking, in


>I have to reply with google groups, for some reason, my server will
>not accept this post. Says posting, done, waiting on confirmation
>forever and it never goes up to Usenet.

I don't see it here either. Lessee, you were unhappy with the comcast
(giganews) server for some reason.

>>    http://www.codecutters.org/spam/smtpheaders.html
>>    http://www.stopspam.org/email/headers.html

>The codecutters site does not come up but stopspam does. Thanks Moe.

OK - I'll strike them off the list.

>> IP address-to-country mapping is notoriously inaccurate.
>The headers are too long to paste into a post, they wrap terribly and
>the servers won't accept them if they are badly wrapped. Here are the
>headers for you to see:
>http://www.ohmster.com/~ohmster/email/

I also saw the post in comp.mail.sendmail

>I tried checking them with this email checker and it appears both
>originate in Nigeria.
>http://www.ip2location.com/emailtracer.aspx

As noted above - "IP address-to-country mapping is notoriously inaccurate"

Looking at the ~ohmster/email web page you listed, here's a quick one

]Received: from imta22.emeryville.ca.mail.comcast.net ([76.96.30.39])

]X-Originating-IP: [76.96.30.39]

You asked about that in comp.mail.sendmail - something weird put on there
by comcast.  OK

]Received: from n4.bullet.ukl.yahoo.com ([217.146.182.181])
   by IMTA22.emeryville.ca.mail.comcast.net

Comcast claims to have received it from 'Yahoo! Europe'

]Received: from [217.12.4.215] by n4.bullet.ukl.yahoo.com

]Received: from [216.252.122.217] by t2.bullet.ukl.yahoo.com

]Received: from [69.147.65.182] by t2.bullet.sp1.yahoo.com

]Received: from [127.0.0.1] by omp301.mail.sp1.yahoo.com with NNFMP; 05
   Dec 2007 10:39:10 -0000

Seems to be bouncing around yahoo servers - I see no obvious reason to
disbelieve this, but "do you trust yahoo?".

]Received: from [196.220.4.134] by web45406.mail.sp1.yahoo.com via HTTP;
   Wed, 05 Dec 2007 02:39:10 PST

Yahoo claims to have received this (and the timestamps don't look
completely unreasonable) from IP space owned by Netcom Africa Ltd in
Lagos, and netcomng.com says that the IP is part of a /30 (4 addresses)
that has been sub-assigned to Skye Communications Surulere Lagos.  If
you google for the first three words, you hit

   Web  Results 1 - 10 of about 138 for Skye Communications Surulere.
   (0.31 seconds)

Your call.

]This is supposed to come from the Benin Republic, that is in Africa, off
   the coast of Nigeria.

No, Benin is the next country to the West of Nigeria - formerly called
Dahomey. It has a coastline of about 60-70 miles, and I'm not aware of
any significant islands off its coast.

]Received: by 10.141.52.7

]Received: by 10.115.23.12

No clue, but context suggests google internal servers.  Your call.

]Received: from n8.bullet.mail.tp2.yahoo.com
   (n8.bullet.mail.tp2.yahoo.com [203.188.202.89])
   by mx.google.com with SMTP id j6si1937378wah.2007.12.03.11.25.26;
   Mon, 03 Dec 2007 11:25:35 -0800 (PST)

]Received: from [202.43.196.225] by n8.bullet.mail.tp2.yahoo.com

Those two match up to yahoo blocks in Taiwan.

]Received: from [217.12.4.215] by t2.bullet.tpe.yahoo.com

]Received: from [216.252.122.216] by t2.bullet.ukl.yahoo.com

]Received: from [69.147.65.157] by t1.bullet.sp1.yahoo.com

]Received: from [127.0.0.1] by omp405.mail.sp1.yahoo.com

As above. I'm GUESSING that the 216.252 and 69.147 are not in Sunnyvale
where 'whois' identifies them, as that is about 11000 feet as the crow
flies from google in Mountain View, and there wouldn't be a very good
reason to route the packets half way around the world instead of just
following the perimeter fence around Moffett Field.

]Received: from [41.223.24.125] by web44913.mail.sp1.yahoo.com via HTTP;
   Mon, 03 Dec 2007 11:25:17 PST

41.223.24.0/22 is a block allocated to "Best Communications Ltd" in
Lagos, Nigeria.  Hitting google again, I see

   Web  Results 1 - 10 of about 406 for "Best Communications Ltd". (0.29
   seconds)

Your call.

Comment: I don't know Lagos that well (haven't been there since the mid
1970s) but this doesn't smell ANYTHING like freshly caught seafood.

        Old guy
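Vilmos' rule (trust only the Received: line your own server wrote) and Moe's walk down the chain above are the same procedure: read the headers top-down, note which hops were stamped by infrastructure you control, and treat everything below as a claim made by the next relay. The script below is an added example, not code from the thread or from any tool it mentions. The host names and addresses in the sample follow the Received: lines Moe quotes; the "with" clauses, the relay timestamps and the function names are constructed for this example, and the Date header is modelled on the one in the first post.

```python
import ipaddress
import re
from typing import List, Optional

# Constructed sample header block modelled on the Received: chain quoted in
# the thread. Relay "with" clauses and timestamps are made up for this example.
SAMPLE_HEADERS = """\
Received: from n4.bullet.ukl.yahoo.com ([217.146.182.181])
    by IMTA22.emeryville.ca.mail.comcast.net with ESMTP;
    Wed, 05 Dec 2007 10:39:12 -0000
Received: from [217.12.4.215] by n4.bullet.ukl.yahoo.com with NNFMP; 05 Dec 2007 10:39:11 -0000
Received: from [216.252.122.217] by t2.bullet.ukl.yahoo.com with NNFMP; 05 Dec 2007 10:39:11 -0000
Received: from [69.147.65.182] by t2.bullet.sp1.yahoo.com with NNFMP; 05 Dec 2007 10:39:11 -0000
Received: from [127.0.0.1] by omp301.mail.sp1.yahoo.com with NNFMP; 05
    Dec 2007 10:39:10 -0000
Received: from [196.220.4.134] by web45406.mail.sp1.yahoo.com via HTTP;
    Wed, 05 Dec 2007 02:39:10 PST
Date: Wed, 5 Dec 2007 02:39:10 -0800 (PST)
Subject: Room for rent
"""

FROM_RE = re.compile(r"^Received:\s+from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\sby\s+([^\s;]+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
ZONE_RE = re.compile(r"([+-])(\d{2})(\d{2})")


def unfold(raw: str) -> List[str]:
    """Join RFC 5322 folded lines (a line starting with whitespace continues
    the previous header). A blank line ends the header block."""
    lines: List[str] = []
    for line in raw.splitlines():
        if not line.strip():
            break
        if line[0] in " \t" and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_received(raw: str) -> List[dict]:
    """Received: hops top-down, i.e. the most recent relay first. Each entry
    is what the *receiving* server wrote: who it says it got the message
    from, the bracketed address it saw, and its own name."""
    hops = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        m_from, m_by, m_ip = FROM_RE.match(line), BY_RE.search(line), IP_RE.search(line)
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "ip": m_ip.group(1) if m_ip else None,
            "by": m_by.group(1) if m_by else None,
            "via_http": "via http" in line.lower(),  # webmail submission hop
        })
    return hops


def trusted_hop_count(hops: List[dict], own_suffix: str) -> int:
    """Leading hops stamped by servers under own_suffix. Only these were
    written by systems you control; the rest is whatever the next relay put there."""
    n = 0
    for hop in hops:
        if hop["by"] and hop["by"].lower().endswith(own_suffix.lower()):
            n += 1
        else:
            break
    return n


def claimed_origin(hops: List[dict]) -> Optional[str]:
    """Walk from the oldest hop upward and return the first public 'from'
    address, skipping loopback and RFC 1918 internal relays. 'Claimed' is
    deliberate: the value is only as good as the relay that recorded it."""
    for hop in reversed(hops):
        if hop["ip"] is None:
            continue
        addr = ipaddress.IPv4Address(hop["ip"])
        if addr.is_loopback or addr.is_private:
            continue
        return hop["ip"]
    return None


def date_offset_hours(raw: str) -> Optional[float]:
    """Numeric zone of the Date: header in hours. For webmail this is the
    provider's zone (the thread's -0800 from Yahoo), not the sender's."""
    for line in unfold(raw):
        if line.lower().startswith("date:"):
            m = ZONE_RE.search(line)
            if m:
                sign, hh, mm = m.groups()
                off = int(hh) + int(mm) / 60
                return -off if sign == "-" else off
    return None


if __name__ == "__main__":
    hops = parse_received(SAMPLE_HEADERS)
    for i, hop in enumerate(hops):
        print(i, hop)
    print("hops stamped by our own servers:", trusted_hop_count(hops, "comcast.net"))
    print("claimed origin:", claimed_origin(hops))
    print("Date zone (hours):", date_offset_hours(SAMPLE_HEADERS))
```

On the sample only the first hop (stamped by the Comcast MTA) is vouched for by the recipient's side; the 196.220.4.134 that comes out as the origin is Yahoo's claim about the webmail client, which is exactly the "do you trust yahoo?" question above.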

Post by Ohmste » Fri, 07 Dec 2007 11:50:18




> Same shit, cannot even post to comcast now, posted, waiting on
> confirmation, it does not come. Switching to slrn with Comcast to see if
> I get better results. Don't want to rewrite the entire follow-up, will
> try to paste response in here and see if it works. Wish me luck.
> (Eventually Xnews just hung on the post with the word "Stopped")
[..]
> Now slrn/Comcast does not like my signature, wants it kept to 4 lines
> which it is. ...sigh. Using vim and slrn and I can pull in a sig with the
> command :r ~/sig (symlinked to .signature) Always worked before.

Yeah, it worked. Jesus, I cannot even post with Xnews anymore. It has
gotten corrupted, I cannot save config changes anymore, have to edit the
ini file directly and now this. Time to dump Xnews and redo from scratch
and I had it setup so good too with a beautiful score file. <Sob>

Trying one more time, posting with Xnews and Comcast.
--
~Ohmster | ohmster /a/t/ ohmster dot com
Put "messageforohmster" in message body
(That is Message Body, not Subject!)
to pass my spam filter.

Post by Ohmste » Fri, 07 Dec 2007 11:52:02




>> Same shit, cannot even post to comcast now, posted, waiting on
>> confirmation, it does not come. Switching to slrn with Comcast to see
>> if I get better results. Don't want to rewrite the entire follow-up,
>> will try to paste response in here and see if it works. Wish me luck.
>> (Eventually Xnews just hung on the post with the word "Stopped")
> [..]
>> Now slrn/Comcast does not like my signature, wants it kept to 4 lines
>> which it is. ...sigh. Using vim and slrn and I can pull in a sig with
>> the command :r ~/sig (symlinked to .signature) Always worked before.

> Yeah, it worked. Jesus, I cannot even post with Xnews anymore. It has
> gotten corrupted, I cannot save config changes anymore, have to edit
> the ini file directly and now this. Time to dump Xnews and redo from
> scratch and I had it setup so good too with a beautiful score file.
> <Sob>

> Trying one more time, posting with Xnews and Comcast.

It posted just fine, not sure if it is the server or just trying to post
large articles. Go figure.
Thanks Moe.

--
~Ohmster | ohmster /a/t/ ohmster dot com
Put "messageforohmster" in message body
(That is Message Body, not Subject!)
to pass my spam filter.

Post by Ohmste » Fri, 07 Dec 2007 11:58:31




>> I am sure this may be the wrong place for this question

> Yes...

True.

>> but you guys know a
>> lot about header information so could someone please direct me to the
>> appropriate newsgroup to ask this question in?

>> Is there any way to track the origin of a hotmail or yahoomail email
>> through the headers or can it not be done?

> Other than the very first Received: line, you cannot really trust
> anything else. The header *MIGHT* contain something like
> "X-Original-IP" or similar, but even that cannot be trusted.

> Vilmos

Agreed, but I did find an online email location checker that seems to be
dead on accurate every time, even with hotmail and yahoo. You try it and
see if you think it works or not. I am pleased beyond belief but you
guys know a *lot* more than I do and I would appreciate your evaluation
on this email tracer page as I intend to put it into my network toolbox
if it meets all of your approvals.
http://www.ip2location.com/emailtracer.aspx

--
~Ohmster | ohmster /a/t/ ohmster dot com
Put "messageforohmster" in message body
(That is MESSAGE BODY, not Subject!)
to pass my spam filter.

Post by Moe Tr » Sat, 08 Dec 2007 04:50:32


On Wed, 05 Dec 2007, in the Usenet newsgroup comp.os.linux.networking, in


>I hear that. Really add this one, it seems to work with amazing
>accuracy. I wish you would test it and see if you think it is as good as
>I do. I could be way off base here but it seems amazing in the way it
>deciphers email headers. I tried it on email, including yahoo, from
>people all over the globe and it seems to have gotten the point of
>origin dead on accurate. My brother in Panama uses yahoomail and it
>pegged him dead on as Panama. If this tool is as good as I think it is,
>I really need this to weed out scammers.

Like Dave, I don't tend to use user-level tools. I've been a network
admin for a few years, and can usually get all the information I need
from existing local files, and common Unix networking tools like whois
and friends.

>I need to rent this room soon and these Nigerian nuts are tying me up,
>asking questions, saying for sure they want the room, send a deposit
>any day, can I see pictures, etc., and all they are doing is preventing
>me from putting up signs and getting more local ads out there.

I don't know the local situation, but it just seems odd to be renting
to overseas visitors sight unseen.

>If you are buying or selling goods or a service on the Web - take care
>(especially if you advertise something on CraigsList or Loot ).

I'll buy a limited variety of things on the net, but never bothered to
try to sell anything there.

>The criminals are likely to make you an offer! They will send you stolen
>or forged cheques. You will spot some strange requests for shipping and
>payment. They are using "Alert Pay" and "AlertPay International Money
>Order" in their mail. Let the writer know if you are in doubt, but a
>request for movement of funds via Western Union will strongly indicate
>a fraud attempt.

There's another reason I don't sell over the net.

        Old guy

Post by Ohmste » Sat, 08 Dec 2007 08:58:25




[..]

> I don't know the local situation, but it just seems odd to be renting
> to overseas visitors sight unseen.

>>If you are buying or selling goods or a service on the Web - take care
>>(especially if you advertise something on CraigsList or Loot ).

> I'll buy a limited variety of things on the net, but never bothered to
> try to sell anything there.

>>The criminals are likely to make you an offer! They will send you stolen
>>or forged cheques. You will spot some strange requests for shipping and
>>payment. They are using "Alert Pay" and "AlertPay International Money
>>Order" in their mail. Let the writer know if you are in doubt, but a
>>request for movement of funds via Western Union will strongly indicate
>>a fraud attempt.

> There's another reason I don't sell over the net.

>         Old guy

I found out today what is up, Old Guy. Check my headers page:
http://www.ohmster.com/~ohmster/email/

I only munged my own name and email address, it does not affect the IP
lookup. This service pegged the origin of all these mails from Nigeria:
http://www.ip2location.com/emailtracer.aspx

The "UK Lady" sent me a check today for rent on the room, except it was
like $3,000 way too much money. You can see the check and the email on
the email page at my site. What am I supposed to do, refund her the
overpayment with real money or something? I took the check to Wachovia
where it was drawn on, I also have a Wachovia account. They pegged the
check as fraud in less than one minute. The lady is supposed to be from
the UK, her email headers indicate that she writes from Nigeria, on a
dial up account, no less. The check comes DHL Express from a woman's
address in California, and I end up with a fake $4,150.00 check and "she
will be here this weekend to come and live in her rented room". I gave
the check, the headers, the IP traces and the DHL envelope to the
sheriff's office for their fraud unit to deal with. I told the lady that
the police took away the check and all the papers and would have taken
her away too had she been here when I took that check to the bank.

Aren't you the one that said "this doesn't smell ANYTHING like freshly
caught seafood."? Well, it sure don't. That is why I asked for all of
your help in figuring this out. She was a Nigerian scammer after all. Dam
them Nigerians!

Thanks for your help Old Guy. You guys rock, man.
--
~Ohmster | ohmster /a/t/ ohmster dot com
Put "messageforohmster" in message body
(That is Message Body, not Subject!)
to pass my spam filter.

Post by Moe Tr » Sat, 08 Dec 2007 12:21:56


On Thu, 06 Dec 2007, in the Usenet newsgroup comp.os.linux.networking, in


>I only munged my own name and email address, it does not affect the IP
>lookup. This service pegged the origin of all these mails from Nigeria:
>http://www.ip2location.com/emailtracer.aspx

Ah, yes.

>The "UK Lady" sent me a check today for rent on the room, except it was
>like $3,000 way too much money. You can see the check and the email on
>the email page at my site. What am I supposed to do, refund her the
>overpayment with real money or something?

Of course.  A variation on this scam has been going on for at least
six years.  A similar scam involves receiving a check for "lottery
winnings" (perhaps even a certified check), and only after you
deposit it are you supposed to send a check elsewhere to pay taxes
on the winnings. The sucker gets quite frowny when the certified
check bounces, and your bank charges you for the bounce as well as
honoring your check for the 'taxes' (which was cashed RIGHT NOW!).

>I took the check to Wachovia where it was drawn on, I also have a
>Wachovia account. They pegged the check as fraud in less than one
>minute. The lady is supposed to be from the UK, her email headers
>indicate that she writes from Nigeria, on a  dial up account, no less.

That may or may not be true. It could be another windoze zombie,
though I'll admit it's not very likely. A large number of Nigerian
scams are actually run out of Amsterdam.  Big problem is that they are
"there", and the chance of prosecution on a criminal complaint is less
than nil.

>The check comes DHL Express from a woman's address in California, and I
>end up with a fake $4,150.00 check and "she will be here this weekend to
>come and live in her rented room". I gave the check, the headers, the IP
>traces and the DHL envelope to the sheriff's office for their fraud unit
>to deal with.

Party pooper.    ;-)   Hopefully you filed a criminal complaint. If the
Broward County sheriff wants to do anything about it, of course.

>I told the lady that the police took away the check and all the papers
>and would have taken her away too had she been here when I took that
>check to the bank.

Oh, you should have told her it was forwarded via the Riggs National
Bank[1] in Washington DC, for return to her London address.  Something
about UK Tax problems.  ;-)

>Aren't you the one that said "this doesn't smell ANYTHING like freshly
>caught seafood."? Well, it sure don't. That is why I asked for all of
>your help in figuring this out. She was a Nigerian scammer after all.

As mentioned, this kind of fraud has been well documented in the press,
and on-line.  The classic 419 scam is a bit less common, but suckers are
still falling for it.

>Dam them Nigerians!

Actually, the river is called the Niger, and the dam is about 250 miles
NNE of Lagos. Closer to the sea, it's not very good dam country, as the
land is relatively low and swampy.   ;-)

        Old guy

[1] For years, the Riggs Bank was used by the CIA and FBI as an innocent
sounding place to write checks from. It's actually a well known local
bank in DC.

Post by Ohmste » Sun, 09 Dec 2007 11:18:39




> On Thu, 06 Dec 2007, in the Usenet newsgroup comp.os.linux.networking, in


[..]

Again I gotta post with google groups. What is wrong with my NNTP
server?!

>>The "UK Lady" sent me a check today for rent on the room, except it was
>>like $3,000 way too much money. You can see the check and the email on
>>the email page at my site. What am I supposed to do, refund her the
>>overpayment with real money or something?

> Of course.  A variation on this scam has been going on for at least
> six years.  A similar scam involves receiving a check for "lottery
> winnings" (perhaps even a certified check), and only after you
> deposit it are you supposed to send a check elsewhere to pay taxes
> on the winnings. The sucker gets quite frowny when the certified
> check bounces, and your bank charges you for the bounce as well as
> honoring your check for the 'taxes' (which was cashed RIGHT NOW!).

Oh there is more... I'll get to it in a bit. :)

>>I took the check to Wachovia where it was drawn on, I also have a
>>Wachovia account. They pegged the check as fraud in less than one
>>minute. The lady is supposed to be from the UK, her email headers
>>indicate that she writes from Nigeria, on a  dial up account, no less.

> That may or may not be true. It could be another windoze zombie,
> though I'll admit it's not very likely. A large number of Nigerian
> scams are actually run out of Amsterdam.  Big problem is that they are
> "there", and the chance of prosecution on a criminal complaint is less
> than nil.

Yeah, these people are pretty well insulated. If they come here, they
would be dead meat but if someone is stupid enough to put a four
thousand dollar check into their account and then wire back real money
for the overpayment, they are in like Flynn!

>>The check comes DHL Express from a woman's address in California, and I
>>end up with a fake $4,150.00 check and "she will be here this weekend to
>>come and live in her rented room". I gave the check, the headers, the IP
>>traces and the DHL envelope to the sheriff's office for their fraud unit
>>to deal with.

> Party pooper.    ;-)   Hopefully you filed a criminal complaint. If the
> Broward County sheriff wants to do anything about it, of course.

I would have loved to but the sheriff has seen this so many times that
they didn't even want it at first. Then I showed the sheriff lady the
IP address, the full email headers, the header trace from origin to
here in Pompano Beach, the return address on the DHL envelope, and all
of the investigation that went into this that I had done and told her
that this is what her forensic department would've done with it, she
was impressed and asked if she could please have all of that material
for ongoing investigations. Sure, I got copies and don't need it and
gave it to her. I could not file charges because it was not my account
that was compromised and I had not lost anything, I was smart and did
not cash the check. I did call the people whose check it was, a
country club here in Florida and they knew all about it. They closed
the account already and told me to just give the check to local law
enforcement.

>>I told the lady that the police took away the check and all the papers
>>and would have taken her away too had she been here when I took that
>>check to the bank.

> Oh, you should have told her it was forwarded via the Riggs National
> Bank[1] in Washington DC, for return to her London address.  Something
> about UK Tax problems.  ;-)

Yeah, that would have been good, especially if she had given me a real
UK address. :)

>>Aren't you the one that said "this doesn't smell ANYTHING like freshly
>>caught seafood."? Well, it sure don't. That is why I asked for all of
>>your help in figuring this out. She was a Nigerian scammer after all.

> As mentioned, this kind of fraud has been well documented in the press,
> and on-line.  The classic 419 scam is a bit less common, but suckers are
> still falling for it.

[..]

Actually, I got another fraud check in the mail again today, this time
with no note or email or anything. This one made out to me for
$3,750.00. It was from the "Independent Bank-South Michigan" and the
first "I" and last "n" in the bank name failed to print. Must've
forgot to run out to Office Depot for more ink or something. Looks
awful real though. I took it to the bank for them to check it and
they couldn't this time because it was not their bank that issued the
check. They did tell me to call the woman whose name and telephone
number was on the check and I did, right there on speakerphone in
front of the bank officer. The lady said hello and I asked for her by
name. She asked me if I had gotten a check from her and I said yes.
She flipped and said don't cash it, it is fraud and you will be in so
much trouble, the FBI is on this case, blah, blah, blah, and I had to
tell her I was on her side and was calling to notify her of the fraud
check from the bank. She had her identity stolen and is in deep shit
now, she asked if the bank would please fax a copy of the check to her
and I said sure and we sent it to her. Now I am stuck with another
fake check, will call the sheriff again and see if they want it.

Get a load of this, another out of stater wants to rent my room and
wants "her company to send me a check, please take out the $1,200 for
the room and just Western Union the rest of the money from the check
to her to pay for her airfare.". I just about choked on that one, what
kind of an idiot does she think I am?! The sheriff lady said to just
tell them the room is rented already and they will stop bothering me
and so I did.

Now if they are not local, can call on the phone, come and see the
place and pay for it for real, I am not biting on it. This is just too
much bullshit. They even kicked her off myspace.com because someone
must've pegged her as a scammer or spammer so she is gone now. Want to
see the outrageous email? Get a load of this:
-----------------------------------------------------------------------------
Thanks for your quick updating Ohmster...
A little more about me...

Body Style: Athletic/Fit
Activity Level: Active
Physique: Moderate
Smoking: No
Drinking: No
Marital Status: Single
Children: I have no kids
Languages I speak: English
Ethnicity: Caucasian/White
Religion: Christianity
Tattoos: None
Grew up in: Europe
Education: MCSA/MCSE
Occupation:Professional

I dont know what got wrong with my myspace profile and someone here
told me it b'cos of the IP address here and that why i got deleted
from the website.To answer your question,Yes i think the website
indicates
However,  based on your mail since i'll be making a payment of
$1,200.00 to move in as you mentioned in your mail.I must confess i'm
comfortable with the cost and its quite reasonable and affordable. My
company here has promise to settle my room rent and my flight to USA
like i said earlier and we have discused about it here so we agreed on
my company clinet to issue you a check,Due to this i will need your
full name and address to forward it to my client to issue you a check
or for my payment from which i will like you to deduct the fee for my
room and you will help me send down the balance through Western Union
to my international traveling agent for him to book my a flight ticket
to the states,okay?
don't forget Ohmster i will need your full name and home address to
send to him so as to prepare you the check .
Also i would like to know the nearest airport to the house . I am
looking forward to hear from you soon..

The things i will be moving in are as follow:
My Mercedes (C-class 2006 model) metallic green.suite case containing
my books my 26' DELL PLASMA TV and DVD Home theater my clothes in
three luggages my Laptop (DELL)  and pieces of furnitures.
Hope to hear from you soon
Thanks and have a good time.
  Tracey...
-----------------------------------------------------------------------------
These Nigerians are too much, man. Headers for this one are at the
bottom of my email page, you can see them if you want to. I checked
with the IP checker and same thing, 41.223.24.125, Nigeria.
http://www.ohmster.com/~ohmster/email/

Quote:>         Old guy

Thanks again Old Guy.

--
~Ohmster | ohmster /a/t/ ohmster dot com
Put "messageforohmster" in message body
(That is Message Body, not Subject!)
to pass my spam filter.
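The "header trace from origin to here" that Ohmster describes can be done by hand, but it is easy to get wrong, because only the Received: lines written by your own mail server are evidence; everything below them, and headers like X-Originating-IP, were supplied by the sending side and can be anything. The script below is an added example, not code from the thread or from any mail provider. Its header block is constructed: the host names are placeholders, mx.example.com stands in for the recipient's own MX, and the client address is simply the one the post above says the real headers resolved to (41.223.24.125). It walks the chain newest-first, stops at the first hop not written by a host you own, and reports separately what your server actually saw and what the sender merely claimed, including a forged extra hop in a second sample.

```python
"""
Added example (not from the original thread): pull the originating IP out of a
mail header block, trusting only the Received: lines our own server wrote.
"""
import ipaddress
import re
from email import message_from_string

# Constructed sample header block. Host names are placeholders; "mx.example.com"
# stands in for the recipient's own MX. The client address is the one the post
# above says the real headers resolved to; everything else is made up.
SAMPLE = """\
Received: from web12345.mail.example.net (web12345.mail.example.net [203.0.113.45])
\tby mx.example.com (Postfix) with ESMTP id 4C8D2A1F
\tfor <ohmster@example.com>; Tue, 4 Dec 2007 10:05:47 -0800 (PST)
Received: from [41.223.24.125] by web12345.mail.example.net via HTTP;
\tTue, 04 Dec 2007 10:05:46 PST
X-Originating-IP: [41.223.24.125]
Date: Tue, 4 Dec 2007 10:05:46 -0800 (PST)
From: Tracey <tracey@example.net>
To: ohmster@example.com
Subject: Re: Room for rent

"""

# Sender-controlled forgery (also constructed): a bogus hop placed below the
# genuine ones so the mail appears to have started at a UK server.
FORGED_HOP = (
    "Received: from mail.example.co.uk (mail.example.co.uk [198.51.100.7])\n"
    "\tby web12345.mail.example.net with SMTP; Tue, 04 Dec 2007 10:05:40 PST\n"
)
SAMPLE_FORGED = SAMPLE.replace("X-Originating-IP:", FORGED_HOP + "X-Originating-IP:")

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_BY = re.compile(r"\bfrom\s+(?P<from>.*?)\s+by\s+(?P<by>\S+)", re.IGNORECASE)
# RFC 1918, loopback and link-local: addresses of hops between a site's own relays.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def parse_received(value):
    """Split one Received: value into (from clause, by host, IPv4s in the from clause)."""
    flat = " ".join(value.split())          # undo header folding
    m = FROM_BY.search(flat)
    if not m:
        return None
    ips = []
    for cand in IPV4.findall(m.group("from")):
        try:
            ipaddress.ip_address(cand)
        except ValueError:                  # e.g. 999.1.1.1 buried in a hostname
            continue
        ips.append(cand)
    return m.group("from"), m.group("by").rstrip(";").lower(), ips


def trace(raw_headers, our_hosts):
    """Walk Received: lines newest-first. While the 'by' host is one of ours the
    line was written by a server we control; the external 'from' address of the
    deepest such line is the peer that actually connected to us. Everything
    below it, and X-Originating-IP, was supplied by the sender's side."""
    msg = message_from_string(raw_headers)
    ours = {h.lower() for h in our_hosts}
    hops = [h for h in (parse_received(v) for v in msg.get_all("Received", [])) if h]
    verified = None
    i = 0
    while i < len(hops) and hops[i][1] in ours:
        external = [ip for ip in hops[i][2] if not is_internal(ip)]
        if external:
            verified = external[0]
        i += 1
    claimed = [ip for _, _, ips in hops[i:] for ip in ips]
    xoip = msg.get("X-Originating-IP")
    if xoip:
        claimed.extend(IPV4.findall(xoip))
    return {
        "verified_origin": verified,                      # what our server saw
        "trusted_hops": i,
        "claimed_origins": list(dict.fromkeys(claimed)),  # sender side, unverified
    }


if __name__ == "__main__":
    for label, block in (("genuine", SAMPLE), ("with forged hop", SAMPLE_FORGED)):
        print(label, trace(block, {"mx.example.com"}))
```

For webmail the verified address will normally be the provider's outbound server, as here; the client address in the lower hop is the provider's statement about its user, not something you observed. That is still useful for a geolocation lookup of the kind Ohmster did, but it is a claim to be weighed, and the forged sample shows why the bottom-most Received: line must never be taken as the origin just because it is first.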


How to ID origin in email headers?

Post by Charle » Sun, 09 Dec 2007 14:15:17




> Again I gotta post with google groups. What is wrong with my NNTP
> server?!

In general, or alphabetical order?

How to ID origin in email headers?

Post by Moe Tr » Mon, 10 Dec 2007 05:20:57


On Fri, 7 Dec 2007, in the Usenet newsgroup comp.os.linux.networking, in


> (Moe Trin) wrote
>Again I gotta post with google groups. What is wrong with my NNTP
>server?!

You'd have to look at the errors - we can't see them from here. I
can't recall what distribution you are using (though I thought
Xnews was windoze only), but for slrn in an rpm based distro, try

     rpm -V slrn

and see what the package manager sees as having changed.  If you are
using a Debian based distro, the 'debsums' command is a similar tool.

Quote:>> Big problem is that they are "there", and the chance of prosecution
>> on a criminal complaint is less than nil.

>Yeah, these people are pretty well insulated.

As mentioned, the Dutch police busted a ring of Nigerian scammers in
Amsterdam some time ago. As far as the Nigerian criminal system is
concerned, "good luck" (though there have been reports of some
convictions there).

Quote:>If they come here, they would be dead meat but if someone is stupid
>enough to put a four thousand dollar check into their account and
>then wire back real money for the overpayment, they are in like Flynn!

The Internet is free. If they find one in a million who will even talk
to them, that's still a large number.   As for the scam, what does it
cost them - a couple bucks for a courier service?

Quote:>> Hopefully you filed a criminal complaint. If the Broward County
>> sheriff wants to do anything about it, of course.

>I would have loved to but the sheriff has seen this so many times that
>they didn't even want it at first. Then I showed the sheriff lady the
>IP address, the full email headers, the header trace from origin to
>here in Pompano Beach, the return address on the DHL envelope, and all
>of the investigation that went into this that I had done and told her
>that this is what her forensic department would've done with it, she
>was impressed and asked if she could please have all of that material
>for ongoing investigations. Sure, I got copies and don't need it and
>gave it to her. I could not file charges because it was not my account
>that was compromised and I had not lost anything, I was smart and did
>not cash the check. I did call the people whose check it was, a
>country club here in Florida and they knew all about it. They closed
>the account already and told me to just give the check to local law
>enforcement.

Probably too many fingerprints on the check (and envelope), but that
likely should be of interest to the FBI due to the inter-state
nature.

Quote:>Actually, I got another fraud check in the mail again today, this time
>with no note or email or anything. This one made out to me for
>$3,750.00.

Geez, the money just keeps rolling in.

Quote:>It was from the "Independent Bank-South Michigan" and the first "I"
>and last "n" in the bank name failed to print. Must've forgot to run
>out to Office Depot for more ink or something. Looks awful real though.

Watermark paper and all?  Virtually every check I've seen in the past
few years has several pretty obvious security features.  And there are
not _that_ many companies producing checks for banks and businesses.

Quote:>She had her identity stolen and is in deep shit now, she asked if the
>bank would please fax a copy of the check to her and I said sure and
>we sent it to her. Now I am stuck with another fake check, will call
>the sheriff again and see if they want it.

If the check is out-of-state, that's a Federal problem.

Quote:>Get a load of this, another out of stater wants to rent my room and
>wants "her company to send me a check, please take out the $1,200 for
>the room and just Western Union the rest of the money from the check
>to her to pay for her airfare.". I just about choked on that one,
>what kind of an idiot does she think I am?!

Oh, the standard "run of the mill" variety.  Honestly, there are quite
a number of idiots out there who would comply.

Quote:>The sheriff lady said to just tell them the room is rented already
>and they will stop bothering me and so I did.

>Now if they are not local, can call on the phone, come and see the
>place and pay for it for real, I am not biting on it. This is just
>too much bullshit.

I know that you get a lot of snow-birds there (we do too), but you
aren't a large enough entity to be doing out-of-state (never mind
out-of-country) business. Doesn't the local visitors bureau handle
this any more?

Quote:>They even kicked her off myspace.com because someone must've pegged
>her as a scammer or spammer so she is gone now.

nym-shifting makes that of little use.

Quote:>Want to see the outrageous email? Get a load of this:
>Body Style: Athletic/Fit

Are you renting a room, or looking for a *?   Wait, don't
answer that.    ;-)

Quote:>Education: MCSA/MCSE

That should be a huge red flag

Quote:>Occupation:Professional

"Professional" what?    Or maybe I don't want to know that.

Quote:>Also i would like to know the nearest airport to the house .

Why, that would be Pompano Beach, or Boca Raton, of course.

Quote:>The things i will be moving in are as follow:
>My Mercedes (C-class 2006 model) metallic green.suite case containing
>my books my 26' DELL PLASMA TV and DVD Home theater my clothes in
>three luggages my Laptop (DELL)  and pieces of furnitures.

Hmmm, get all of that into a C Class, huh?

        Old guy
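Moe Trin's 'rpm -V slrn' suggestion is the same check an incident responder runs across a whole box, and its output is terse enough that people misread it. The script below is an added example, not Moe Trin's code or anything shipped by rpm: it decodes the nine-column verify flags (eight on older rpm) into attribute names and sorts each line into a verdict, so that a config file you edited yourself and a man page with a bumped mtime stop hiding the binary whose digest no longer matches. The sample output is constructed, not real 'rpm -V slrn' output; the column meanings are rpm's own.

```python
"""
Added example (not Moe Trin's code or anything from the rpm project): decode
`rpm -V` output so the lines worth chasing stand out from the noise.
"""
# Column -> attribute, as rpm's verify mode prints them. A letter means the
# attribute differs from the package database, '.' means it matched and '?'
# means it could not be tested. Older rpm prints 8 columns (no 'P').
FLAG_ORDER = "SM5DLUGTP"
FLAG_MEANING = {
    "S": "size", "M": "mode", "5": "digest", "D": "device",
    "L": "symlink target", "U": "owner", "G": "group",
    "T": "mtime", "P": "capabilities",
}
CONTENT = {"size", "digest", "symlink target", "device"}
PERMS = {"mode", "owner", "group", "capabilities"}

# Constructed sample of what `rpm -V slrn` might print; not real output.
SAMPLE_RPM_VERIFY = """\
S.5....T.  c /etc/slrn.rc
.M.......    /usr/bin/slrn
S.5....T.    /usr/bin/slrnpull
missing     /usr/share/slrn/slrn.help
.......T.    /usr/share/man/man1/slrn.1.gz
..?......    /usr/share/slrn/locale/de/LC_MESSAGES/slrn.mo
"""


def parse_rpm_verify_line(line):
    """One verify line -> dict, or None for blank lines and rpm's own warnings."""
    parts = line.split()
    if not parts:
        return None
    flags, rest = parts[0], parts[1:]
    attr = None
    # Optional file-attribute column: c=config d=doc g=ghost l=license r=readme
    if rest and len(rest[0]) == 1 and rest[0] in "cdglr":
        attr = rest.pop(0)
    if not rest:
        return None
    entry = {"path": " ".join(rest), "attr": attr, "missing": False,
             "changed": [], "untested": []}
    if flags == "missing":
        entry["missing"] = True
        return entry
    if len(flags) not in (8, 9) or any(
            ch not in (".", "?", FLAG_ORDER[pos]) for pos, ch in enumerate(flags)):
        return None
    for pos, ch in enumerate(flags):
        name = FLAG_MEANING[FLAG_ORDER[pos]]
        if ch == "?":
            entry["untested"].append(name)
        elif ch != ".":
            entry["changed"].append(name)
    return entry


def classify(entry):
    """Content changes beat permission changes beat timestamps; config files get
    their own bucket because editing them is expected."""
    if entry["missing"]:
        return "missing"
    changed = set(entry["changed"])
    if changed & CONTENT:
        return "config edited" if entry["attr"] == "c" else "content changed"
    if changed & PERMS:
        return "permissions changed"
    if changed == {"mtime"}:
        return "timestamp only"
    if entry["untested"]:
        return "could not verify"
    return "unchanged"


def triage(output):
    rows = []
    for line in output.splitlines():
        entry = parse_rpm_verify_line(line)
        if entry:
            rows.append((entry["path"], classify(entry), entry["changed"]))
    return rows


def needs_investigation(rows):
    """Paths whose verdict should not be explained away without a look."""
    return [path for path, verdict, _ in rows
            if verdict in ("content changed", "missing", "permissions changed")]


if __name__ == "__main__":
    rows = triage(SAMPLE_RPM_VERIFY)
    for path, verdict, changed in rows:
        print(f"{verdict:20} {path}  {','.join(changed)}")
    print("investigate:", needs_investigation(rows))
```

One caveat for the compromise case rather than the broken-newsreader case: 'rpm -V' compares files against the local rpm database, which someone with root could have rewritten along with rpm itself. When that is the worry, verify against the original package file with 'rpm -Vp package.rpm' fetched from a trusted mirror, or run the check from a boot of trusted media.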


1. -R$ORIGIN and -z origin

I've looked at the Linker and Libraries Guide and ld and ld.so.1 man pages,
but there are a few things I don't understand. The platform is Solaris 7
and up.

Say I want to link libA.so which depends on libB.so like this (some
flags which are not relevant here omitted):

ld -G -o libA.so *.o -R$ORIGIN -z lazyload -lB -z nolazyload -lc

Both libA and libB are some general-purpose libraries, but applications
use libA as a wrapper and they never use libB directly. libA doesn't
invoke chdir(2). Some applications might do it prior to loading libB.

ld.so.1 man page says:

     LD_ORIGIN The immediate processing of $ORIGIN can be triggered by
               setting the environment variable LD_ORIGIN to any non-
               null value. This may be useful for applications that
               invoke chdir(2) prior to locating dependencies that
               employ the $ORIGIN string token.

I don't know exactly how $ORIGIN is handled by the run-time linker, but
the paragraph above implies it has something to do with the CWD of
the process in question. That is kind of strange, since the binary
is usually not in the CWD when it's started, so I don't see why the
CWD would be important. Except if it's only important in the case where
the binary really is in the CWD (because of auxv handling).

Questions:
1. what does ld.so.1 do when it encounters $ORIGIN?
2. what exactly happens if the application invokes chdir(2) prior to
   $ORIGIN processing?
3. Does it affect my libraries and should I use -z origin when linking libA?
4. Are there any performance penalties associated with the use of -zorigin?
5. If the answer to the previous question is no, why is -zorigin an option?
   Is there any "creative" use of chdir(2) and $ORIGIN?

--
 .-.   .-.    I don't work for my employer.
(_  \ /  _)

