Scams operating under the guise of a charity.
#189890 by blanky78 Tue Feb 04, 2014 8:53 am
Hi all, I'm new here :)

Has anybody heard of this scammer? Claims to be dying of cancer and asks me to distribute their funds. Here is the header, I'm not sure if I have done it right. Just wanted to add their email address to the list :)

Received: by with SMTP id mq1csp197675pdb;
Tue, 4 Feb 2014 04:25:12 -0800 (PST)
X-Received: by with SMTP id qx4mr13643293pab.141.1391516712587;
Tue, 04 Feb 2014 04:25:12 -0800 (PST)
Received: from ( [])
by with ESMTPS id i8si24468467pav.74.2014.
(version=TLSv1 cipher=RC4-SHA bits=128/128);
Tue, 04 Feb 2014 04:25:12 -0800 (PST)
Received-SPF: neutral ( is neither permitted nor denied by best guess record for domain of ) client-ip=;
spf=neutral ( is neither permitted nor denied by best guess record for domain of smtp.mail=
Received: from [] by id 09/2E-11237-12CD0F25; Tue, 04 Feb 2014 12:25:05 +0000
X-Originating-IP: []
X-StarScan-Version: 6.9.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 6992 invoked from network); 4 Feb 2014 12:25:05 -0000
Received: from (HELO (
by with AES128-SHA encrypted SMTP; 4 Feb 2014 12:25:05 -0000
Received: from JSAPC201001 ( by
( with Microsoft SMTP Server id 8.3.342.0; Tue, 4 Feb 2014
12:25:02 +0000
Subject: FW: Suspicious - SPAM: My name is Paul Sanders
Date: Tue, 4 Feb 2014 12:22:04 +0000
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Ac7SKmZVGwz2hPltRBOpA6+3m8cpzhPeUZJQ
Content-Language: en-gb

-----Original Message-----
From: Paul Sanders [mailto:[email protected]]=20
Sent: Friday, October 25, 2013 2:06 PM
To: Recipients
Subject: Suspicious - SPAM: My name is Paul Sanders

My name is Paul Sanders.I know you don't know me, but I got your e-mail =
address from a really big list.I recently was diagnosed with cancer and =
the doctors don't give me that much time. am not looking for pity, but I =
am looking for help.
I would like to distribute my funds to charity organizations in your =
country through someone that I can trust.If you would be interested in =
such an opportunity, please respond and I can send you further details.
Best Regards,

I think I'm doing something wrong, because I have forwarded the emails from my work email, where I receive them, so maybe its not working? My work account seems to have no view header option, so im having to forward to my gmail account

#189896 by blanky78 Tue Feb 04, 2014 10:30 am
Received: from ( by ( with Microsoft SMTP Server id
8.3.327.1; Sat, 26 Oct 2013 10:04:38 +0100
Received: from [] by id
9A/77-12926-6A58B625; Sat, 26 Oct 2013 09:04:38 +0000
Received: (qmail 16169 invoked from network); 26 Oct 2013 09:04:38 -0000
Received: from (HELO ( by with SMTP; 26 Oct 2013 09:04:38 -0000
Received: from ( []) by (Symantec Messaging Gateway) with SMTP id
A8.FA.03480.EBF2C625; Sun, 27 Oct 2013 02:40:22 +0530 (IST)
Received: from ([]) by
with Microsoft SMTPSVC(6.0.3790.4675); Fri, 25 Oct 2013 18:28:12 +0530
Received: from ([]) by with Microsoft SMTPSVC(6.0.3790.4675); Fri, 25 Oct
2013 18:21:24 +0530
From: Paul Sanders <[email protected]>
To: Recipients <[email protected]>
Date: Fri, 25 Oct 2013 14:06:20 +0100
Subject: Suspicious - SPAM: My name is Paul Sanders
Thread-Topic: Suspicious - SPAM: My name is Paul Sanders
Thread-Index: Ac7SKmZVGwz2hPltRBOpA6+3m8cpzg==
Message-ID: <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Accept-Language: ja-JP, en-GB
Content-Language: ja-JP
X-MS-Exchange-Organization-AuthAs: Anonymous
x-starscan-version: 6.9.12; banners=-,-,-
x-originating-ip: []
x-spamreason: Yes, hits=50.0 required=7.0 tests=signatures: [SVR]
spamhp.radar.scam.102717298,[SVR] spam signature:
x-env-sender: [email protected]
x-viruschecked: Checked
x-originalarrivaltime: 25 Oct 2013 12:51:24.0370 (UTC)
x-spam-flag: YES
x-auditid: c0a800a5-b7fd16d000000d98-38-526c2fbe1f0b
x-spaminfo: spam detected heuristically
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
#189911 by jolly_roger Tue Feb 04, 2014 12:16 pm
The first e-mail header is looking decidedly sus. The line where it says, Received: from JSAPC201001 is strange. Apparently that host is non-existant and should not be in the header. Part of the header would have been forged and a legitimate person would have no need to perform such a task.
#189917 by blanky78 Tue Feb 04, 2014 12:53 pm
I am wondering wheather or not the JSAPC isnt because I forwarded it from my work email, JSA is my company name. The second time I posted, i posted the original email without forwarding it to my other account.
#189999 by jolly_roger Wed Feb 05, 2014 1:41 am
Yep, all understood there. Was not aware that happened and that is probably the reason?
However the 2nd header that has been posted is looking equally suspicious. It looks as if a relay point has been used somewhere in the transmission by the sender.

Who is online

Users browsing this forum: No registered users and 3 guests