Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances
 

[419er] For your urgent attention

 
olliver

Posted: Mon Oct 15, 2007 10:21 am    Post subject: [419er] For your urgent attention

One would think "Nigeria" mentioned in a spam should be warning enough...

Headers:
Quote:
Return-Path: <jeomoyeni@poczta.onet.pl>
X-Flags: 1001
Delivered-To: <spamtrap>
Received: (qmail invoked by alias); 12 Oct 2007 17:54:22 -0000
Received: from smtp27.poczta.onet.pl (EHLO smtp27.poczta.onet.pl) [213.180.130.98]
    by mx0.gmx.net (mx032) with SMTP; 12 Oct 2007 19:54:22 +0200
Received: from [41.204.246.50] ([41.204.246.50]:13364 "EHLO
    smtp.poczta.onet.pl" rhost-flags-FAIL-FAIL-OK-FAIL)
    by ps27.test.onet.pl with ESMTPA id S184561862AbXJLRyVWjL1n (ORCPT
    <rfc822;<spamtrap>>); Fri, 12 Oct 2007 19:54:21 +0200

Reply-To: <jeadomoyeni@yahoo.com>
From: "JEREMIAH OMOYENI" <jeomoyeni@poczta.onet.pl>
Subject: For your urgent attention
Date: Fri, 12 Oct 2007 10:54:20 -0700
MIME-Version: 1.0
Content-Type: text/plain;
    charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: <S184561862AbXJLRyVWjL1n/20071012175421Z+7485@ps27.test.onet.pl>


The mail was sent via a poczta.onet.pl account, therefore we can even trust the 2nd Received line which reveals the scammer's IP address (41.204.246.50) to us:

Quote:
inetnum: 41.204.240.0 - 41.204.255.255
netname: DIRECTONPC-Wireless-ISP-NETBLK
descr: Dynamic IP pools for Direct on PC Ltd Fixed wireless broadband
descr: wireless Internet services for Lagos.
country: NG
admin-c: SD4-AFRINIC
tech-c: SD4-AFRINIC
status: ASSIGNED PA
mnt-by: DOPCNG-MNT
mnt-lower: DOPCNG-MNT
source: AFRINIC # Filtered
parent: 41.204.224.0 - 41.204.255.255

person: Saroj Dey
address: Direct On PC Ltd
Plot B,
Block 1,
Ilupeju Industrial Avenue,
Ilupeju,
Lagos,
Nigeria
phone: +23412701700
fax-no: +23412713554
e-mail: Whois Privacy and Spam Prevention by DomainTools.com
nic-hdl: SD4-AFRINIC
source: AFRINIC # Filtered

Lagos, Nigeria is consistent with the scenery described in the scam email and SORBS have already put this address on their blocklists. The only disturbing things that remain are the fake EHLO, the Cyrillic charset (Windows-1251) and the fake OE express UA string. My guess is the scammer's spamware was responsible for that, just with the difference of using an existing user account with proper user authentication in order to raise the probability of getting the scam delivered (compromised servers tend to be blacklisted fast, so that's not a sensible road to go if the scammer needs to get responses from recipients).

Mail body:
Quote:
From:Chief Jeremiah Omoyeni
Wema Bank Plc
54 Marina Street,Lagos-Nigeria
TEL:234-703-922 4638

Attn:Category "A" Beneficiary

Dear Sir,

This is to draw your attention for the very last time that your contract/inheritance sum is still lying in suspense account of Wema Bank Plc. which the Central Bank of Nigeria and the President authorize and empower us to transfer directly into your account on behalf of the Federal Government of Nigeria.

But two days ago,the Wema Bank Plc dictated some irregularities and descripancies as a result of a sudden visit by one Mr. Peter Baker from your country in the company of one Lawyer from Nigeria to the administrative block of the bank saying that you delegated them to claim your contract sum on your behalf as a result of a fatal motor accident you had recently which rendered you incapacitated and inability to do anything again.

Please reconfirm immediately and let us know whether you sent Mr Peter Baker or any other person to our Foreign Payment Department with an application that you authorised your fund to be paid into the account in BANK OF AMERICA(BOA)in United States of America with account number 005490-1385-90 which is total different from the one submitted by the Office of the Presidency for your payment.

Infact,after processing the application from Mr Peter Baker which he made us to know that he came from you,he succeeded in paying all the bank charges that you are supposed to pay so as to make sure that we effect this transfer as quickly as possible without delay.Note that the duplicate copies of all the payments receipts he made is attached to your file.He has paid up-front all the miscellaneous fees and sundries charges.

The delay in the transfer is from us now just because we requested for a POWER OF ATTORNEY from you which authorizes him to pursue this payment on your behalf.He asked us for a week so as to enable him submit the documents but uptil this moment,we have not received any of the documents nor heard anything from any of you.Why?You should please forward to us the POWER OF ATTORNEY immediately by a return fax/Email or you can call me on my direct phone so that we can re-direct and advice for the immediate remmittance into your authentic nominated bank account.

Thanks for cooperation while we look forward to your prompt response.

Chief Jeremiah Omoyeni
Director,International Remittance Office

This is the "misdirected letter" variant of the usual $huge_amount_of_bucks scam, aiming at people who see this as a unique opportunity to snatch a pile of money for nothing. Note that again the motif of "there's a large amount of money nobody seems to be missing" is recurring here, probably meant to assure the recipient that this is not really theft, thus acceptable. Of course this "unique opportunity" will soon turn out to be quite expensive and put the victim in a very inconvenient position (being scammed for attempting to commit a crime, thus not able to inform the authorities without getting into trouble too).

Olliver
_________________
Petcord netlabel :: Synflict post-digital arts :: Leftob audio cast
Each click on any of the links above will save the life of a cute kitty somewhere in the universe.
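
The header reasoning in the post above, as an added example that is not part of the original post: it walks the Received chain from the newest stamp down, stops at the authenticated submission hop (ESMTPA), and reports the submitting IP plus the EHLO and Reply-To inconsistencies. The `TRUSTED` relay list and the `analyse` function are assumptions made for this sketch; the headers are the ones quoted in the post, abridged.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers from the post, abridged (ORCPT comment dropped), folding restored.
RAW = """\
Received: (qmail invoked by alias); 12 Oct 2007 17:54:22 -0000
Received: from smtp27.poczta.onet.pl (EHLO smtp27.poczta.onet.pl) [213.180.130.98]
 by mx0.gmx.net (mx032) with SMTP; 12 Oct 2007 19:54:22 +0200
Received: from [41.204.246.50] ([41.204.246.50]:13364 "EHLO
 smtp.poczta.onet.pl" rhost-flags-FAIL-FAIL-OK-FAIL)
 by ps27.test.onet.pl with ESMTPA id S184561862AbXJLRyVWjL1n;
 Fri, 12 Oct 2007 19:54:21 +0200
Reply-To: <jeadomoyeni@yahoo.com>
From: "JEREMIAH OMOYENI" <jeomoyeni@poczta.onet.pl>
Subject: For your urgent attention

"""
# Assumption: relays whose Received stamps the analyst is willing to believe.
TRUSTED = (".gmx.net", ".onet.pl")
HOP = re.compile(r"^from (.*?) by (\S+).*? with (\w+)")
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def analyse(raw):
    msg = message_from_string(raw)
    out = {"origin_ip": None, "flags": []}
    for value in msg.get_all("Received", []):      # newest hop first
        m = HOP.match(" ".join(value.split()))     # unfold, then parse
        if not m:
            continue                               # e.g. local qmail stamp
        peer, by_host, proto = m.groups()
        if not by_host.endswith(TRUSTED):
            break                                  # written by an unknown host
        ip = IPV4.search(peer)
        if ip:
            out["origin_ip"] = ip.group(1)
        helo = re.search(r"EHLO ([\w.-]+)", peer)
        if helo and peer.startswith("[") and helo.group(1).endswith(TRUSTED):
            out["flags"].append("client with no hostname claims EHLO " + helo.group(1))
        if proto.upper() == "ESMTPA":
            break     # authenticated submission: lower stamps are client-supplied
    reply, sender = (parseaddr(msg.get(h, ""))[1] for h in ("Reply-To", "From"))
    if reply and reply.rsplit("@", 1)[-1] != sender.rsplit("@", 1)[-1]:
        out["flags"].append("Reply-To domain differs from From: " + reply)
    return out

if __name__ == "__main__":
    print(analyse(RAW))
```

Stopping at the ESMTPA hop matters because any Received line below it was supplied by the submitting client and can be forged, even if it names a trusted relay.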
All times are GMT - 8 Hours