Beware of "Help, I'm on Vacation, Got Robbed & Need you to send money" emails

Beware of emails like this!

I just got one of these (keep reading after for myadvice):


Date: Wed, 15 Jun 2011 05:51:58 -0700 (PDT)
From: pokermonsta
Subject: Vacation Problem!!!!!!!!!!!!!!!
To: undisclosed recipients: ;

I'm writing this with tears in my eye, my family and I came down here to Scotland for a short vacation and got mugged at the park of the hotel we stayed, all our cash, credit card and Cell Phone were stolen off us at GUN POINT but luckily for us we still have our passports with us but don't have enough money to sort the bills so we can get out of here.

We've been to the embassy and the police here but they're not helping issues at all and our flight leaves soon but we're having problems settling the hotel bills, and the hotel manager won't let us leave until we settle the bills, I'm freaked out at the moment and wondering if you could help us with a quick loan, I promise I'll refund it once we get back. Please write me so i can send you the info for the wire of the money to save me from the embarrassment of not being able to cover the bills.

I'm freaked out at the moment..



My friend's name is really Glenn and the Yahoo account in the from line looks suspiciously like his, although his is from I traced the email back to Nigeria (those darned Nigerian scammers). How did I do this? I'm going to show you, so that if you get something like this, you can file the proper complaints to the right ISP(s):

You usually see TO, FROM, DATE & SUBJECT lines in what are called the headers. What you need to do is "show full headers" in your email program. There a list of the most popular email programs with instructions on how to do this at the WHO@ web site:

When I got the full headers, they looked like this:

Delivery-date: Wed, 15 Jun 2011 07:51:45 -0500
Received: from ([]:48638)
by with smtp (Exim 4.69)
(envelope-from )
id 1QWpZR-0004Dg-77
for; Wed, 15 Jun 2011 07:51:45 -0500
Received: from [] by with NNFMP; 15 Jun 2011 12:51:59 -0000
Received: from [] by with NNFMP; 15 Jun 2011 12:51:59 -0000
Received: from [] by with NNFMP; 15 Jun 2011 12:51:59 -0000
X-Yahoo-Newman-Property: ymail-3
Received: (qmail 35652 invoked by uid 60001); 15 Jun 2011 12:51:59 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=s1024; t=1308142319; bh=VTrCcX9uPSZEAPmvP1bgcj2LDDwTGI+BCaMSllq5Vjs=; h=Message-ID:X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type; b=sGSZ62oQDiPS6gcCUnDArtJzPwR9GRcEbZwm+Fj/oiW5MQXJWAGytJCVMs6MJHbwJRmceS8Z1FG5ZrAx+gWIQMmXrEdr04iG3GBw8quK0gm04giW4TUjdLvrd6d8yNhclu2OUnDCndINq0ZtCYy/TZJ6cHuJV9ZBUjGnXkqEmO8=
Message-ID: <>
X-YMail-OSG: SuLa.ecVM1nXt2p27Jbi9pbDOwsXWg3_ByLTYFBmqM7l472
Received: from [] by via HTTP; Wed, 15 Jun 2011 05:51:58 PDT
X-Mailer: YahooMailClassic/14.0.1 YahooMailWebService/
Date: Wed, 15 Jun 2011 05:51:58 -0700 (PDT)
From: pokermonsta
Subject: Vacation Problem!!!!!!!!!!!!!!!
To: undisclosed recipients: ;
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-190512440-1308142318=:35596"
X-Spam-Status: No, score=2.8
X-Spam-Score: 28
X-Spam-Bar: ++
X-Spam-Flag: NO

See all the extra hidden info there? Now, working from the bottom up, and usually the first Received: from line, you'll see a series of numbers, usually in brackets. This is the IP address, which is four sets of numbers with 1-3 numerals each. In this case, it's

Next, go to a WHOIS search engine (I use, put in the IP address and tada! It shows that the numbers trace back to Visafone in Nigeria and gives you the email addresses to report this to. I also noticed an email address,, which was the real email address.

To report this, you need to highlight the email, with the complete full headers and body of the email (the message) and open a blank email, then paste all of this into that email. Address it to and as well as (for and

In the Subject line, write: Scammer using your services, then send it. You probably won't get a reply, but at least you filed the complaint. Then email your friend at their real address and let them know their account has most likely been hacked by a virus/trojan they unwittingly opened and to change their password immediately.

Please repost/share this and stay safer online!


Popular posts from this blog

Beware of Craigslist Text Scams

Our Marlboro Ranch/Crazy Mountain Ranch Adventure - June 28-July 1, 2013

Craigslist Scam Involving Google Voice - Don't Fall For It!