07 April 2007

nutty nigerians still googling for suckers

it's been a while since we did a 419 post and as luck would have it we received one this morning, and since it's cold and windy here today and this one is just too easy to pass up we thought this would be a good time to post another one.

notice the ip number for this hit: 80.78.16.172

search.yahoo.com search string: 2007 EMAIL ADDRESSES OF MR/MRS Robinson
====

so we wait a few minutes then check the old inbox...sure enough nigerian 419 spammer scammers never fail to disappoint - at least as far as sending the spam goes...

====
email header:

Delivered-To: wesawthat@gmail.com
Received: by 10.100.252.8 with SMTP id z8cs276303anh;
Sat, 7 Apr 2007 05:55:17 -0700 (PDT)
Received: by 10.35.50.1 with SMTP id c1mr7238005pyk.1175950516847;
Sat, 07 Apr 2007 05:55:16 -0700 (PDT)
Return-Path: barr_miltonchambers2@hotmail.com
Received: from bay0-omc3-s17.bay0.hotmail.com (bay0-omc3-s17.bay0.hotmail.com [65.54.246.217])
by mx.google.com with ESMTP id f51si5592694pyh.2007.04.07.05.55.16;
Sat, 07 Apr 2007 05:55:16 -0700 (PDT)
Received-SPF: pass (google.com: domain of barr_miltonchambers2@hotmail.com designates 65.54.246.217 as permitted sender)
Received: from hotmail.com ([207.46.10.110]) by bay0-omc3-s17.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);
Sat, 7 Apr 2007 05:55:07 -0700
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
Sat, 7 Apr 2007 05:55:07 -0700
Message-ID: BAY121-F30AF072333F7877756DB0EBD5B0@phx.gbl
Received: from 207.46.10.123 by by121fd.bay121.hotmail.msn.com with HTTP;
Sat, 07 Apr 2007 12:55:03 GMT
X-Originating-IP: [80.78.16.172]
X-Originating-Email: [barr_miltonchambers2@hotmail.com]
X-Sender: barr_miltonchambers2@hotmail.com
Reply-To: milton_walters2@yahoo.co.uk
From: "BARRISTER MILTON WALTERS" barr_miltonchambers2@hotmail.com
Bcc:
Subject: URGENT ATTN.
Date: Sat, 07 Apr 2007 07:55:03 -0500
Mime-Version: 1.0
Content-Type: text/html; format=flowed
X-OriginalArrivalTime: 07 Apr 2007 12:55:07.0827 (UTC) FILETIME=[F82B3830:01C77913]
Return-Path: barr_miltonchambers2@hotmail.com

see in the line: X-Originating-IP: [80.78.16.172] same ip number as our hit...
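the same comparison done in code, as an added example that is not part of the original post: it parses a trimmed copy of the header above, pulls out the X-Originating-IP value, checks it against the ip from the web hit, and lists the accounts worth reporting. the function names and the angle brackets around the addresses in the sample are assumptions made for the example.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Trimmed copy of the header shown above (constructed sample for this example;
# angle brackets around addresses restored so the parser sees standard syntax).
RAW_HEADER = """\
Delivered-To: wesawthat@gmail.com
Return-Path: <barr_miltonchambers2@hotmail.com>
Received: from hotmail.com ([207.46.10.110]) by bay0-omc3-s17.bay0.hotmail.com
 with Microsoft SMTPSVC(6.0.3790.2668); Sat, 7 Apr 2007 05:55:07 -0700
X-Originating-IP: [80.78.16.172]
Reply-To: milton_walters2@yahoo.co.uk
From: "BARRISTER MILTON WALTERS" <barr_miltonchambers2@hotmail.com>
Subject: URGENT ATTN.

"""

def originating_ip(msg):
    """Return the client IP the webmail provider recorded, or None."""
    # X-Originating-IP is written by the provider's web front end, not by
    # the sender, so it is absent on mail from providers that do not add it.
    value = msg.get("X-Originating-IP", "")
    match = re.search(r"\[?([0-9A-Fa-f:.]+)\]?", value)
    if not match:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:
        return None  # header present but not a valid address

def triage(raw, hit_ip):
    """Compare a message header against the IP seen in the web log."""
    msg = message_from_string(raw)
    ip = originating_ip(msg)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1].lower()
    return {
        "originating_ip": str(ip) if ip else None,
        "matches_hit": ip is not None and ip == ipaddress.ip_address(hit_ip),
        # Replies routed to a different mailbox than the sending account.
        "reply_to_differs": bool(reply_addr) and reply_addr != from_addr,
        "report_accounts": sorted({a for a in (from_addr, reply_addr) if a}),
    }

if __name__ == "__main__":
    print(triage(RAW_HEADER, "80.78.16.172"))
```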

so we put that number in our trace route to find out who the internet service provider for that ip number is:

====
we can also trace the ip number this way: (last few hops redacted for our privacy)

====
our email response:

Reply-To: wesawthat@gmail.com
From: wesawthat@gmail.com
To: abuse@constellationnetcorp.com,report_spam@hotmail.com,
abuse@yahoo-inc.com,TBright@Kuzola.com
Cc: "spam @ uce.gov" spam@uce.gov
Subject: Fw: URGENT ATTN.
Date: Sat, 7 Apr 2007 08:03:20 -0500
Organization: www.wesawthat.blogspot.com

CONSTELLATIONNETCORP.COM / TBRIGHT: this advance fee (419) fraud spam came from an ip address that you host please would you terminate service to:

80.78.16.172

HOTMAIL.COM: this advance fee (419) fraud spam references an email account that you host please would you terminate service to:

barr_miltonchambers2@hotmail.com

YAHOO.COM: this advance fee (419) fraud spam references an email account that you host please would you terminate service to:

milton_walters2@yahoo.co.uk
====
