
Prometheus 6   

Do not make the mistake of thinking that because my conclusion is the same as another person's that my reasoning is the same

August 08, 2003

 

This is going to take a while

So I get this STRICTLY CONFIDENTIAL message:

Status: U
Return-Path:
Received: from ok61133.com ([192.116.107.92])
by killdeer (EarthLink SMTP Server) with SMTP id 19L924dW3NZFlr0
for ; Fri, 8 Aug 2003 08:19:55 -0700 (PDT)
From: "Barrister Bassey Owo."
Reply-To: [email protected]
To: [email protected]
Date: Fri, 8 Aug 2003 16:16:58 +0200
Subject: STRICTLY CONFIDENTIAL
X-Mailer: Microsoft Outlook Express 5.00.2919.6900 DM
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Message-Id: <200308080819.19L924dW3NZFlr0@killdeer>
X-PMFLAGS: 34078848 0 1 P694A0.CNM

DEAR SIR=2C

WE WOULD LIKE TO DEVELOP BUSINESS RELATIONS WITH YOU
BY ESTABLISHING A TRUST AGREEMENT WHEREBY YOU SHALL
HOLD=2C MANAGE INVEST AND DISTRIBUTE ALL ASSESTS
RECEIVED FROM US IN TRUST AND THE PROCEEDS THEREFROM=2C
UNDER THE TERMS OF THE TRUST AGREEMENT=2E

I AM AN ATTORNEY & CONSULTANT TO AN INFLUENTIAL
POLITICIAN=2C CURRENTLY A FEDERAL MINISTER IN THE
FEDERAL REPUBLIC OF NIGERIA WHO HAS BEEN ABLE TO USE
HIS DIPLOMATIC STATUS TO MOVE THE SUM OF
US$60MILLION OVERSEAS =28NAME OF COUNTRY WITH HELD UNTIL
YOU ARE READY TO DO BUSINESS=29 AND PRESENTLY
DEPOSITED IN A PRIVATE SECURITY COMPANY FOR SAFE
KEEPING=2E THESE BOXES OF MONEY WERE AIRFEIGHTED AS
ARTIFACTS AND PHOTOGRAPHIC MATERIALS=2E
MY CLIENT=2C BECAUSE OF HIS PRESENT STATUS IN GOVERNMENT
CANNOT BE PHYSICALLY INVOLVE IN THE MANAGEMENT OF THE
MONEY=2C HENCE HE DO THIS BY WAY OF PROXY AND FIDUCIARY
AGENT IN ORDER TO AVOID ANY PROBE BY THE PRESENT
DEMOCRATIC GOVERNMENT OF NIGERIA=2E

I AM REQUESTING YOUR ASSISTANCE AS MY COLLEAGUE AND
LEARNED FRIEND TO HELP SECURE INVESTMENT OUTLETS
WHEREBY THIS FUNDS ARE INVESTED IN GOVERNMENT TREASURY
BILLS AND BONDS AND IN SECURE FIRST MORTGAGES
SUPPORTED BY YOUR COUNTRIES REAL ESTATE AND OTHER
ATTRACTIVE INVESTMENT PROGRAMS AVAILABLE=2E
MANAGE THE COMPLETE PROCESS & ESCORT OUR FIDUCIARY
AGENT THROUGH THE VARIOUS PROCEDURES=2E

IF THE ABOVE IS WORKABLE FOR YOU & YOUR ASSOCIATE=2C I
WOULD BE GLAD TO FORWARD OUR STANDARD DISCRETIONARY
ASSET MANAGEMENT AGREEMENT FOR YOU TO LOOK AND MAKE
ANY NECESSARY AMENDMENT=2E IF ANY=2C THIS AGREEMENT WE
HOPE WILL HELP TO ASSURE THE SAFETY OF THE FUNDS AND
CONSOLIDATE THE RELATIONSHIP=2EPRIOR TO HANDING OVER THE
FUNDS TO YOU & YOUR ASSOCIATES=2C WE HOPE TO ARRANGE FOR
A PRELIMINARY MEETING WITH YOU ON A NEUTRAL GROUND
WHERE THE ORIGINAL OF THE AGREEMENT WILL BE SIGNED BY
YOU & OUR FIDUCIARY AGENT=2F MYSELF=2E

TO ENSURE THE SUCCESS OF THIS TRANSACTION AND
GUARANTEE THIS UNIQUE RELATIONSHIP=2C KINDLY TREAT
AS CONFIDENTIALITY=2E SEND YOUR PRIVATE TELEPHONE AND FAX
NUMBERS TO ENABLE US TALK ON ONE ON ONE BASIS=2EI
AWAIT YOUR URGENT RESPONSE=2CTHANKS AND STAY BLESSED=2E

BEST REGARDS=2E

BARR=2E BASSEY OWO=2E


"COLLEAGUE AND LEARNED FRIEND," forsooth. Ah, what to do...

First, check whois.net to find the abuse coordinator's address for the domain of the Reply-To address in the header, [email protected]. Let lawyer.com know they've got a scammer using their address by forwarding the full message, with headers intact. This way they can trace it back via the Message-Id fields and take whatever action they deem appropriate. Ignore the From address, which is based in Hong Kong, since that's as good as free text.

However, the receiving SMTP server records the connecting IP address in the Received: header it adds. So though the Received: domain name can be (and is) spoofed, the IP can be trusted. In this case, (per ARIN) the address range has been assigned to the RIPE NCC region. And I hop on over to their whois database and find:
inetnum: 192.116.105.0 - 192.116.107.255
netname: GILAT-SATCOM-BLOCK-6-33-36
descr: SKY2Net ltd
country: GB
admin-c: AH935-RIPE
tech-c: AH935-RIPE
status: ASSIGNED PA
mnt-by: AS3339-MNT
mnt-lower: AS3339-MNT
changed: [email protected] 20030604
source: RIPE

route: 192.116.64.0/18
descr: ATT-ISRAEL-BLOCK4
origin: AS3339
mnt-by: AS3339-MNT
changed: [email protected] 19991212
source: RIPE

person: Amit Hoomash
address: Gilat Satcom
address: 1651 Old Meadow Rd.
address: Mclean,VA 22102 USA
phone: +972 3 9255000
fax-no: +972 3 9255005
e-mail: [email protected]
nic-hdl: AH935-RIPE
mnt-by: AS3339-MNT
changed: [email protected] 20020410
source: RIPE


So my COLLEAGUE is in McLean, VA, using an IP address range belonging to ATT Israel, and (it would seem) specifically assigned to Gilat Satcom:
Gilat Satcom Ltd. is a global communication service provider. Founded in 1992, Gilat Satcom has been providing satellite-based communication services including private networks communication services in Israel, international communication services and Internet access services to companies and organizations world-wide, based on satellite technologies or other technologies. Gilat Satcom is wholly owned by Gilat Satcom Systems Ltd., a public company traded on Tel Aviv Stock Exchange.


Even the contact phone numbers are in the range for Gilat Satcom.

Not everyone is so easily played, you little shit.

posted by Prometheus 6 at 8/8/2003 06:03:04 PM |
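
The header triage walked through in this post, as an added example (not the author's code): it reads the topmost Received: line, separates the claimed host name from the IP the receiving server recorded, checks that IP against the inetnum range from the RIPE output, and compares the Reply-To and From domains. The function names and the placeholder mailbox names are assumptions.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: header values from the message above; the mailbox
# names are redacted on the page, so placeholders stand in for them.
RAW = """\
Received: from ok61133.com ([192.116.107.92])
\tby killdeer (EarthLink SMTP Server) with SMTP id 19L924dW3NZFlr0;
\tFri, 8 Aug 2003 08:19:55 -0700 (PDT)
From: "Barrister Bassey Owo." <placeholder@from-domain.example>
Reply-To: placeholder@lawyer.com
Subject: STRICTLY CONFIDENTIAL

DEAR SIR,
"""

# "from <claimed name> (... [<ip>])": the name is whatever the sender said,
# the bracketed IP is what the receiving server saw on the connection.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\([^)]*?\[([0-9A-Fa-f:.]+)\]\)", re.S)

def domain_of(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw, range_first, range_last):
    """Hypothetical helper: pull out the fields worth putting in a report."""
    msg = message_from_string(raw)
    out = {"claimed_host": None, "source_ip": None, "in_range": False}
    # Only the topmost Received: line was written by the recipient's own
    # mail server; lines below it were supplied by the sending side.
    hops = msg.get_all("Received") or []
    m = RECEIVED_RE.search(hops[0]) if hops else None
    if m:
        try:
            ip = ipaddress.ip_address(m.group(2))
        except ValueError:
            ip = None  # malformed address: report nothing rather than guess
        if ip is not None:
            nets = ipaddress.summarize_address_range(
                ipaddress.ip_address(range_first), ipaddress.ip_address(range_last))
            out.update(claimed_host=m.group(1), source_ip=str(ip),
                       in_range=any(ip in n for n in nets))
    out["reply_to_domain"] = domain_of(msg.get("Reply-To"))
    out["from_domain"] = domain_of(msg.get("From"))
    out["reply_to_differs"] = bool(out["reply_to_domain"]) and \
        out["reply_to_domain"] != out["from_domain"]
    return out
```

Calling `triage(RAW, "192.116.105.0", "192.116.107.255")` uses the inetnum bounds from the whois output above. Received: formats differ between mail servers, so a line without a bracketed IP yields no source address.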

Comments

I also received a Nigerian scam. This was the email header:

Received: from 216.200.145.37 (EHLO omta06.mta.everyone.net) (216.200.145.37) by mta189.mail.scd.yahoo.com with SMTP; Fri, 05 Dec 2003 08:24:06 -0800
Received: from sitemail.everyone.net (unknown [216.200.145.29]) by omta06.mta.everyone.net (Postfix) with ESMTP id 0ED6D4030D; Fri, 5 Dec 2003 08:24:06 -0800 (PST)
Received: by sitemail.everyone.net (Postfix, from userid 99) id E096EE4B9; Fri, 5 Dec 2003 08:24:05 -0800 (PST)
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0
X-Mailer: MIME-tools 5.41 (Entity 5.404)
Date: Fri, 5 Dec 2003 08:24:03 -0800 (PST)
From: michael williams
To: [email protected]
Subject: URGENT MESSAGE.
Reply-To: [email protected]
X-Originating-Ip: [192.116.135.158]
Message-Id:
Content-Length: 1446


Running the IP addresses through various Whois lookups, I ended up at the RIPE db and found this same Amit Hoomash character. He returns quite a few hits on Google.


Posted by at December 10, 2003 11:15 AM 