Scams operating under the guise of a charity.
#189890 by blanky78 Tue Feb 04, 2014 8:53 am
Hi all, I'm new here :)

Has anybody heard of this scammer? Claims to be dying of cancer and asks me to distribute their funds. Here is the header, I'm not sure if I have done it right. Just wanted to add their email address to the list :)


Delivered-To:
Received: by 10.70.125.129 with SMTP id mq1csp197675pdb;
Tue, 4 Feb 2014 04:25:12 -0800 (PST)
X-Received: by 10.66.139.100 with SMTP id qx4mr13643293pab.141.1391516712587;
Tue, 04 Feb 2014 04:25:12 -0800 (PST)
Return-Path:
Received: from mail1.bemta5.messagelabs.com (mail1.bemta5.messagelabs.com. [195.245.231.145])
by mx.google.com with ESMTPS id i8si24468467pav.74.2014.02.04.04.25.11
for
(version=TLSv1 cipher=RC4-SHA bits=128/128);
Tue, 04 Feb 2014 04:25:12 -0800 (PST)
Received-SPF: neutral (google.com: 195.245.231.145 is neither permitted nor denied by best guess record for domain of ) client-ip=195.245.231.145;
Authentication-Results: mx.google.com;
spf=neutral (google.com: 195.245.231.145 is neither permitted nor denied by best guess record for domain of smtp.mail=
Received: from [85.158.139.51:4693] by server-9.bemta-5.messagelabs.com id 09/2E-11237-12CD0F25; Tue, 04 Feb 2014 12:25:05 +0000
X-Msg-Ref: server-7.tower-180.messagelabs.com!1391516701!23070300!4
X-Originating-IP: [83.217.235.134]
X-StarScan-Received:
X-StarScan-Version: 6.9.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 6992 invoked from network); 4 Feb 2014 12:25:05 -0000
Received: from outlook.xe2hosting.net (HELO outlook.xe2hosting.net) (83.217.235.134)
by server-7.tower-180.messagelabs.com with AES128-SHA encrypted SMTP; 4 Feb 2014 12:25:05 -0000
Received: from JSAPC201001 (195.157.189.76) by outlook.xe2hosting.net
(83.217.235.211) with Microsoft SMTP Server id 8.3.342.0; Tue, 4 Feb 2014
12:25:02 +0000
Subject: FW: Suspicious - SPAM: My name is Paul Sanders
Date: Tue, 4 Feb 2014 12:22:04 +0000
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Ac7SKmZVGwz2hPltRBOpA6+3m8cpzhPeUZJQ
Content-Language: en-gb



-----Original Message-----
From: Paul Sanders [mailto:[email protected]]=20
Sent: Friday, October 25, 2013 2:06 PM
To: Recipients
Subject: Suspicious - SPAM: My name is Paul Sanders

Hello,
=20
My name is Paul Sanders.I know you don't know me, but I got your e-mail =
address from a really big list.I recently was diagnosed with cancer and =
the doctors don't give me that much time. am not looking for pity, but I =
am looking for help.
=20
I would like to distribute my funds to charity organizations in your =
country through someone that I can trust.If you would be interested in =
such an opportunity, please respond and I can send you further details.
=20
Best Regards,
=20
Paul

I think I'm doing something wrong, because I have forwarded the emails from my work email, where I receive them, so maybe it's not working? My work account seems to have no view header option, so I'm having to forward to my Gmail account.

#189896 by blanky78 Tue Feb 04, 2014 10:30 am
Received: from mail6.bemta5.messagelabs.com (195.245.231.135) by
outlook.xe2hosting.net (83.217.235.211) with Microsoft SMTP Server id
8.3.327.1; Sat, 26 Oct 2013 10:04:38 +0100
Received: from [85.158.139.35:39226] by server-9.bemta-5.messagelabs.com id
9A/77-12926-6A58B625; Sat, 26 Oct 2013 09:04:38 +0000
Received: (qmail 16169 invoked from network); 26 Oct 2013 09:04:38 -0000
Received: from nhai.org (HELO mail02.nhai.com) (203.197.203.215) by
server-2.tower-179.messagelabs.com with SMTP; 26 Oct 2013 09:04:38 -0000
Received: from nhaimail.nhai.com (nhaimail.nhai.com [192.168.0.34]) by
mail02.nhai.com (Symantec Messaging Gateway) with SMTP id
A8.FA.03480.EBF2C625; Sun, 27 Oct 2013 02:40:22 +0530 (IST)
Received: from nhaifrontmail.nhai.com ([192.168.30.82]) by nhaimail.nhai.com
with Microsoft SMTPSVC(6.0.3790.4675); Fri, 25 Oct 2013 18:28:12 +0530
Received: from schserver.intranet.schweizer.hu ([178.210.251.126]) by
nhaifrontmail.nhai.com with Microsoft SMTPSVC(6.0.3790.4675); Fri, 25 Oct
2013 18:21:24 +0530
From: Paul Sanders <[email protected]>
To: Recipients <[email protected]>
Date: Fri, 25 Oct 2013 14:06:20 +0100
Subject: Suspicious - SPAM: My name is Paul Sanders
Thread-Topic: Suspicious - SPAM: My name is Paul Sanders
Thread-Index: Ac7SKmZVGwz2hPltRBOpA6+3m8cpzg==
Message-ID: <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Accept-Language: ja-JP, en-GB
Content-Language: ja-JP
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-AuthSource: XE2UK1CAS01.xe2hosting.net
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-starscan-version: 6.9.12; banners=-,-,-
x-msg-ref: server-2.tower-179.messagelabs.com!1382778277!25812813!1
x-originating-ip: [203.197.203.215]
x-spamreason: Yes, hits=50.0 required=7.0 tests=signatures: [SVR]
spamhp.radar.scam.102717298,[SVR] spam signature:
spamhp.radar.scam.102717298
x-env-sender: [email protected]
x-viruschecked: Checked
x-originalarrivaltime: 25 Oct 2013 12:51:24.0370 (UTC)
FILETIME=[E97E2320:01CED180]
x-brightmail-tracker:
x-spam-flag: YES
x-auditid: c0a800a5-b7fd16d000000d98-38-526c2fbe1f0b
x-spaminfo: spam detected heuristically
x-starscan-received:
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
#189911 by jolly_roger Tue Feb 04, 2014 12:16 pm
The first e-mail header is looking decidedly sus. The line where it says, Received: from JSAPC201001 is strange. Apparently that host is non-existent and should not be in the header. Part of the header would have been forged and a legitimate person would have no need to perform such a task.
#189917 by blanky78 Tue Feb 04, 2014 12:53 pm
I am wondering whether or not the JSAPC isn't because I forwarded it from my work email, JSA is my company name. The second time I posted, I posted the original email without forwarding it to my other account.
#189999 by jolly_roger Wed Feb 05, 2014 1:41 am
Yep, all understood there. Was not aware that happened and that is probably the reason?
However the 2nd header that has been posted is looking equally suspicious. It looks as if a relay point has been used somewhere in the transmission by the sender.
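
An added example, not part of the original posts: one way to read the Received chain of the second header oldest-first and find where the message first arrived from a public address. The function names are this example's own, and continuation lines are re-indented so the parser can unfold them; Received lines added before your own mail servers are sender-controlled and can be forged, so the result is only what the header claims.

```python
import ipaddress
import re
from email import message_from_string

# Received lines copied from the second header posted in this thread.
SAMPLE = """\
Received: from mail6.bemta5.messagelabs.com (195.245.231.135) by
 outlook.xe2hosting.net (83.217.235.211) with Microsoft SMTP Server id
 8.3.327.1; Sat, 26 Oct 2013 10:04:38 +0100
Received: from [85.158.139.35:39226] by server-9.bemta-5.messagelabs.com id
 9A/77-12926-6A58B625; Sat, 26 Oct 2013 09:04:38 +0000
Received: (qmail 16169 invoked from network); 26 Oct 2013 09:04:38 -0000
Received: from nhai.org (HELO mail02.nhai.com) (203.197.203.215) by
 server-2.tower-179.messagelabs.com with SMTP; 26 Oct 2013 09:04:38 -0000
Received: from nhaimail.nhai.com (nhaimail.nhai.com [192.168.0.34]) by
 mail02.nhai.com (Symantec Messaging Gateway) with SMTP id
 A8.FA.03480.EBF2C625; Sun, 27 Oct 2013 02:40:22 +0530 (IST)
Received: from nhaifrontmail.nhai.com ([192.168.30.82]) by nhaimail.nhai.com
 with Microsoft SMTPSVC(6.0.3790.4675); Fri, 25 Oct 2013 18:28:12 +0530
Received: from schserver.intranet.schweizer.hu ([178.210.251.126]) by
 nhaifrontmail.nhai.com with Microsoft SMTPSVC(6.0.3790.4675); Fri, 25 Oct
 2013 18:21:24 +0530
"""

HOP = re.compile(r"from\s+(.*?)\s+by\s+(\S+)")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def trace(raw):
    """Return hops oldest-first as (sender, sender_ip, receiver, is_private)."""
    hops = []
    # Each server prepends its Received line, so the last one is the oldest.
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP.match(" ".join(value.split()))  # unfold wrapped header lines
        if not m:  # e.g. "(qmail N invoked from network)" names no hosts
            continue
        ip = IPV4.search(m.group(1))  # look only in the "from" clause
        addr = ipaddress.ip_address(ip.group()) if ip else None
        private = bool(addr and addr.is_private)
        hops.append((m.group(1).split()[0], addr, m.group(2), private))
    return hops

def first_public_hop(hops):
    """Earliest hop whose claimed sending address is publicly routable."""
    return next((h for h in hops if h[1] and not h[3]), None)

if __name__ == "__main__":
    for sender, addr, receiver, private in trace(SAMPLE):
        print(f"{sender} ({addr}) -> {receiver}" + ("  [private]" if private else ""))
```
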
