Beware of "Help, I'm on Vacation, Got Robbed & Need you to send money" emails

Beware of emails like this!

I just got one of these (keep reading after it for my advice):

----------------------------------------

Date: Wed, 15 Jun 2011 05:51:58 -0700 (PDT)
From: pokermonsta
Subject: Vacation Problem!!!!!!!!!!!!!!!
To: undisclosed recipients: ;

I'm writing this with tears in my eye, my family and I came down here to Scotland for a short vacation and got mugged at the park of the hotel we stayed, all our cash, credit card and Cell Phone were stolen off us at GUN POINT but luckily for us we still have our passports with us but don't have enough money to sort the bills so we can get out of here.

We've been to the embassy and the police here but they're not helping issues at all and our flight leaves soon but we're having problems settling the hotel bills, and the hotel manager won't let us leave until we settle the bills, I'm freaked out at the moment and wondering if you could help us with a quick loan, I promise I'll refund it once we get back. Please write me so i can send you the info for the wire of the money to save me from the embarrassment of not being able to cover the bills.

I'm freaked out at the moment..

Glenn

-------------------------------

My friend's name is really Glenn and the Yahoo account in the from line looks suspiciously like his, although his is from AOL.com. I traced the email back to Nigeria (those darned Nigerian scammers). How did I do this? I'm going to show you, so that if you get something like this, you can file the proper complaints to the right ISP(s):

You usually see TO, FROM, DATE & SUBJECT lines in what are called the headers. What you need to do is "show full headers" in your email program. There is a list of the most popular email programs with instructions on how to do this at the WHO@ web site: http://www.haltabuse.org/help/headers/index.shtml

When I got the full headers, they looked like this:

Return-path:
Envelope-to: awriter@jahitchcock.com
Delivery-date: Wed, 15 Jun 2011 07:51:45 -0500
Received: from nm11.access.bullet.mail.mud.yahoo.com ([66.94.237.212]:48638)
by gator260.hostgator.com with smtp (Exim 4.69)
(envelope-from )
id 1QWpZR-0004Dg-77
for awriter@jahitchcock.com; Wed, 15 Jun 2011 07:51:45 -0500
Received: from [66.94.237.194] by nm11.access.bullet.mail.mud.yahoo.com with NNFMP; 15 Jun 2011 12:51:59 -0000
Received: from [66.94.237.121] by tm5.access.bullet.mail.mud.yahoo.com with NNFMP; 15 Jun 2011 12:51:59 -0000
Received: from [127.0.0.1] by omp1026.access.mail.mud.yahoo.com with NNFMP; 15 Jun 2011 12:51:59 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 541937.57493.bm@omp1026.access.mail.mud.yahoo.com
Received: (qmail 35652 invoked by uid 60001); 15 Jun 2011 12:51:59 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1308142319; bh=VTrCcX9uPSZEAPmvP1bgcj2LDDwTGI+BCaMSllq5Vjs=; h=Message-ID:X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type; b=sGSZ62oQDiPS6gcCUnDArtJzPwR9GRcEbZwm+Fj/oiW5MQXJWAGytJCVMs6MJHbwJRmceS8Z1FG5ZrAx+gWIQMmXrEdr04iG3GBw8quK0gm04giW4TUjdLvrd6d8yNhclu2OUnDCndINq0ZtCYy/TZJ6cHuJV9ZBUjGnXkqEmO8=
Message-ID: <994176.35596.qm@web88103.mail.re2.yahoo.com>
X-YMail-OSG: SuLa.ecVM1nXt2p27Jbi9pbDOwsXWg3_ByLTYFBmqM7l472
jKdxccvVNwyYf3qGRO9gu0jXJ2A8NsJ554IqE6.bjDWYqg4TLSM8D2zi5tQz
EFUth3fGMgT03ffgzwD7OdbVsgDNqzpAxnlK9BbJYKaXuetF1D.eJL1Vwe6D
1NotiWe8Ae.rAATmaryTWn9JJezIOFg0wPaXo1Jq6w6SEeGJ_HK_wXLV7jRw
wq0HayJ0Cj3Ew.lhpLBSA9Ng.t9cZodCTHK4BDMJOkGZqtdi4H1iO2Fuj6Lu
RQh.wSqGurebIbjMzdM54ytvk7YA8Pt7kIC7CkY7vTgqmovNBwDVDycNI2kl
S1UhZwjVay7LbomN1C6nQqScE5RHS3QirKE3JPNJVQS2aiO_aQfkkNkLO0B7
_Bq2dHAUCQMN4QxetvhpYxitUBL02pvKzKVXGWgbIuyCbEpkycS3Tjqakq12
mdie4McvyVxlguO1jAjVs2XkK_Vdp_RgMkXAbxnWIvuRBES5H4doXlGz5eDS
d4bc-
Received: from [41.71.148.14] by web88103.mail.re2.yahoo.com via HTTP; Wed, 15 Jun 2011 05:51:58 PDT
X-RocketYMMF: christinerichard@rogers.com
X-Mailer: YahooMailClassic/14.0.1 YahooMailWebService/0.8.111.304355
Date: Wed, 15 Jun 2011 05:51:58 -0700 (PDT)
From: pokermonsta
Reply-To: pokerrmonsta@yahoo.com
Subject: Vacation Problem!!!!!!!!!!!!!!!
To: undisclosed recipients: ;
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-190512440-1308142318=:35596"
X-Spam-Status: No, score=2.8
X-Spam-Score: 28
X-Spam-Bar: ++
X-Spam-Flag: NO
---------------------------------

See all the extra hidden info there? Now, working from the bottom up, find the first Received: from line (this is usually the one you want). In it you'll see a series of numbers, usually in brackets. This is the IP address, which is four sets of numbers with 1-3 numerals each. In this case, it's 41.71.148.14.

Next, go to a WHOIS search engine (I use whois.sc), put in the IP address and tada! It shows that the numbers trace back to Visafone in Nigeria and gives you the email addresses to report this to. I also noticed an email address, christinerichard@rogers.com, which was the real email address.

To report this, you need to highlight the email, with the complete full headers and body of the email (the message) and open a blank email, then paste all of this into that email. Address it to spamalert@visafone.com.ng and fred.young@cybaaspace.net as well as abuse@mtsallstream.com (for rogers.com) and abuse@yahoo.com.

In the Subject line, write: Scammer using your services, then send it. You probably won't get a reply, but at least you filed the complaint. Then email your friend at their real address and let them know their account has most likely been hacked by a virus/trojan they unwittingly opened and to change their password immediately.
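The bottom-up header walk described above can also be done in a few lines of Python. This is an added example, not part of the original post: the function names and `RAW_HEADERS` are my own, and the sample is a trimmed copy of the headers shown earlier with the line folding restored. It also reports which server recorded each address, because Received lines below the first server you trust can be forged; here the line was written by Yahoo's own web server.

```python
import email
import ipaddress
import re

# Constructed sample: trimmed copy of the headers above, folding restored.
RAW_HEADERS = """\
Received: from nm11.access.bullet.mail.mud.yahoo.com ([66.94.237.212]:48638)
\tby gator260.hostgator.com with smtp (Exim 4.69)
\tfor awriter@jahitchcock.com; Wed, 15 Jun 2011 07:51:45 -0500
Received: from [66.94.237.194] by nm11.access.bullet.mail.mud.yahoo.com with NNFMP; 15 Jun 2011 12:51:59 -0000
Received: from [127.0.0.1] by omp1026.access.mail.mud.yahoo.com with NNFMP; 15 Jun 2011 12:51:59 -0000
Received: (qmail 35652 invoked by uid 60001); 15 Jun 2011 12:51:59 -0000
Received: from [41.71.148.14] by web88103.mail.re2.yahoo.com via HTTP; Wed, 15 Jun 2011 05:51:58 PDT
X-RocketYMMF: christinerichard@rogers.com
From: pokermonsta
Reply-To: pokerrmonsta@yahoo.com
Subject: Vacation Problem!!!!!!!!!!!!!!!

(body omitted)
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_HOST = re.compile(r"\bby\s+(\S+)")

def received_hops(raw):
    """Return (ip, recording_host) pairs, oldest hop first (bottom of the headers up)."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        line = " ".join(value.split())  # undo header folding
        ip, by = IP_IN_BRACKETS.search(line), BY_HOST.search(line)
        if ip:  # lines such as the qmail one carry no address and are skipped
            hops.append((ip.group(1), by.group(1) if by else None))
    return hops

def origin_hop(raw):
    """First hop, bottom-up, whose address is publicly routable (skips 127.0.0.1 etc.)."""
    for ip, by in received_hops(raw):
        try:
            if ipaddress.ip_address(ip).is_global:
                return ip, by
        except ValueError:  # bracketed text that is not a valid IPv4 address
            continue
    return None

if __name__ == "__main__":
    ip, by = origin_hop(RAW_HEADERS)
    print(f"Look up {ip} in WHOIS (address recorded by {by})")
```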

Please repost/share this and stay safer online!
