Larry Osterman's WebLog

Confessions of an Old Fogey

419 scams 'R' us..

I'm a bit fragged today (up too late working on a school project with Daniel) so instead of something technical, I thought I'd share an email I just received...

FROM: Sgt. Mark Ed
Important Message
To President / Managing Director..

Good day,

My name is Mark Ed, I am an American soldier, I am serving in the military of the 1st Armoured Division in Iraq. As you know we are being attacked by insurgents every day and car bombs. We managed to move funds belonging to Saddam Hussein's family.

We want to move this money to you, so that you may invest it for us and keep our share for banking. We will take 50%, my partner and I. You take the other 50%, no strings attached, just help us move it out of Iraq. Iraq is a warzone. We plan on using diplomatic courier and shipping the money out in one large silver box, using diplomatic immunity.

If you are interested I will send you the full details, my job is to find a good partner that we can trust and that will assist us. Can I trust you? When you receive this letter, kindly send me an e-mail signifying your interest including your most confidential telephone/fax numbers for quick communication also your contact details. This business is risk free. The box can be shipped out in 48hrs.

Respectfully,

Sgt. Mark Ed

you can EMAIL ME AT.mark_ed_solder@<removed to protect others>

Man, the nerve of some people.

Oh, and for the sake of completeness, here are the email headers (edited somewhat):

Microsoft Mail Internet Headers Version 2.0
Received: from mrson2427.com ([157.54.6.67]) by
 df-imc-01.exchange.corp.microsoft.com with Microsoft SMTPSVC(6.0.3790.1289);
  Tue, 18 Jan 2005 09:58:00 -0800
From: "Sgt. Mark Ed" <mark_ed_solder@somewhere>
Reply-To: mark_ed_solder@somewhere
Date: Tue, 18 Jan 2005 21:58:00 +0400
Subject: FROM Sgt. Mark Ed
X-Priority: 1
X-Mailer: Microsoft Outlook Express 5.00.2919.6900 DM
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
BCC:
Return-Path: mark_ed_solder@somewhere
Message-ID: <DF-IMC-015BBBVhyemY00002efb@df-imc-01.exchange.corp.microsoft.com>
X-OriginalArrivalTime: 18 Jan 2005 17:58:00.0704 (UTC) FILETIME=[3FDC7000:01C4FD87]

mrson2427.com isn't registered, and the IP address is actually owned by Microsoft, which implies that the real originating IP address got lost somewhere in Exchange. I'll have to follow up with the Exchange team to find out what happened to the rest of the headers.
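Here is the kind of check that would have surfaced the problem automatically. This is an added example, not code from the post: it feeds the headers quoted above into Python's standard email parser, pulls the earliest hop out of the Received: chain (receiving servers prepend, so the last Received: is the origin), and flags three things a mail admin would want to know: the peer IP sits in our own address space (so the external origin was lost at an internal relay), the Message-ID was minted by our receiving host rather than the sender, and whether the Date: header disagrees with the first Received: timestamp. The 157.54.0.0/16 range is an assumption standing in for "addresses the organisation owns"; the post only says 157.54.6.67 is Microsoft's. A DNS or registration lookup on the HELO name (mrson2427.com) is deliberately left out so the example runs offline.

```python
"""Audit the originating hop of an email's Received: chain.

Added example, not from the original post. INTERNAL_NETS is an assumption
for illustration; SAMPLE_HEADERS is the header block quoted in the post.
"""
import email
import ipaddress
import re
from datetime import timezone
from email.utils import parseaddr, parsedate_to_datetime

# Assumption: treat this range as "our own" address space (the post says
# 157.54.6.67 is owned by Microsoft).
INTERNAL_NETS = [ipaddress.ip_network("157.54.0.0/16")]

# Constructed sample: the headers from the post, domains kept as shown there.
SAMPLE_HEADERS = """\
Received: from mrson2427.com ([157.54.6.67]) by
 df-imc-01.exchange.corp.microsoft.com with Microsoft SMTPSVC(6.0.3790.1289);
  Tue, 18 Jan 2005 09:58:00 -0800
From: "Sgt. Mark Ed" <mark_ed_solder@somewhere>
Reply-To: mark_ed_solder@somewhere
Date: Tue, 18 Jan 2005 21:58:00 +0400
Subject: FROM Sgt. Mark Ed
Message-ID: <DF-IMC-015BBBVhyemY00002efb@df-imc-01.exchange.corp.microsoft.com>

(body omitted)
"""

# "from <helo> ([<ip>]) by <host>"; the bracketed IP is what the MTA saw on
# the socket, the HELO name is whatever the peer claimed.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>[0-9a-fA-F.:]+)\]?\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_hop(received: str) -> dict:
    """Split one Received: value into HELO name, peer IP, receiving host, timestamp."""
    flat = " ".join(received.split())  # undo header folding
    m = HOP_RE.search(flat)
    if not m:
        raise ValueError(f"unrecognised Received: format: {flat!r}")
    when = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
    return {"helo": m["helo"], "ip": m["ip"], "by": m["by"], "when": when}


def originating_hop(raw: str) -> dict:
    """Receiving MTAs prepend Received:, so the last one is the earliest hop."""
    hops = email.message_from_string(raw).get_all("Received") or []
    if not hops:
        raise ValueError("no Received: headers present")
    return parse_hop(hops[-1])


def audit(raw: str, internal_nets=INTERNAL_NETS) -> dict:
    """Return the origin hop plus findings a mail admin would act on."""
    msg = email.message_from_string(raw)
    hop = originating_hop(raw)
    peer = ipaddress.ip_address(hop["ip"])
    findings = []

    if any(peer in net for net in internal_nets):
        findings.append(
            "peer IP is in our own address space: the external origin was "
            "lost at an internal relay, so this hop cannot be traced further"
        )

    # A Message-ID domain equal to our receiving host means the relay added it.
    mid_host = msg.get("Message-ID", "").strip().strip("<>").rsplit("@", 1)[-1]
    if mid_host.lower() == hop["by"].lower():
        findings.append("Message-ID was generated by our receiving host, not by the sender")

    # Compare the sender's Date: with the time our first MTA stamped the mail.
    skew = abs((hop["when"] - parsedate_to_datetime(msg["Date"])).total_seconds())
    if skew > 3600:
        findings.append(f"Date: header is {skew:.0f}s off the first Received: stamp")

    sender_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1]
    return {
        "hop": hop,
        "origin_utc": hop["when"].astimezone(timezone.utc).isoformat(),
        "sender_domain": sender_domain,
        "skew_seconds": skew,
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_HEADERS)
    print("origin hop:", report["hop"]["helo"], report["hop"]["ip"], "->", report["hop"]["by"])
    print("origin time (UTC):", report["origin_utc"])
    for finding in report["findings"]:
        print(" -", finding)
```

For the headers in the post, the Date: header (21:58 +0400) and the first Received: stamp (09:58 -0800) both resolve to 17:58 UTC, so the clock check passes; the two findings that do fire are exactly the two oddities the post and its commenters puzzle over.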

  • Looks like Nigerians got replaced by soldiers :)
  • Hey if you can talk to the folks on Exchange here is a peeve I have with most mail systems:

    they trust the headers to be real!

    but spammers forge them to be bogus!

    the side effect is for example a server gets a spam finds that the target email box is not valid and sends out a message to postmaster that some address was not found ...

    but it's sending the delivery failure to a forged message to a mail server that never sent the message !

    so I get a bunch of junk that is telling me about some spammers' failures...

    the thing is I can read the full headers on email of this kind and see that the received and from and reply-to are all jacked and can't be trusted.

    so have mail servers do a basic check and if the headers do not pass some basic tests then don't try and send messages to outside mail servers ... just handle the spam.
  • Exchange trusts email headers like every other email system trusts the headers.

    What kind of header forgery is Exchange not detecting that other email systems detect?

  • Oh, and you can read the full headers on Exchange - if you're using Outlook as your client, you do View/Options with the message open and the email headers are displayed.

    With other clients, there are other ways (OE uses View/Properties IIRC)
  • Duh, only Canadians and Europeans have "armoured" divisions!
  • You can only see headers on outside e-mail (as in delivered through SMTP). Not on local Exchange messages.
  • As always, when they say they're Nigerian, these people are just pricks, but when they pretend to be US soldiers... OMG, the NERVE! How DARE they?
  • Jerry, that's not the case post E2K. On the current set of Exchange machines, for some reason the firewall is cutting the list off at the firewall.

    I'm trying to figure out why..
  • Uh, my first guess would be that that message originated *inside* the firewall, on someone's zombied machine. I'd hazard that Exchange isn't configured to perform reverse DNS lookups, so Exchange SMTP is simply recording the HELO from the zombie client.

    That's also why its Message-ID is @df-imc-01.exchange.corp.microsoft.com. The originating server writes the Message-ID.
  • My first thought, but it's not true, the problem's in the edge server connecting our internal exchange system and the outside world.

    You would be right normally though. In this case, my guess is that the message came into the edge machine without a Message-ID, so the edge server rewrote the header to add a Message-ID header (which is why it's the name of the edge server).

    Also, there are two other issues with the "zombied machine" theory: #1 - nobody could control the zombie, since it sits behind a LOT of firewalls, and #2 - a zombied machine on our corpnet would be caught REALLY quickly - we've got some fairly aggressive probes that run effectively nonstop on our corp network - infected machines don't last much more than an hour or so (I've found this out the hard way in the past).

  • You have to see the extent that these people will go to to trick unsuspecting people out of their money. They make arrangements with people to come to a certain country where they rob, kidnap and kill them. You guys have to check out www.419eater.com . The whole site is dedicated to duping the scammers by scam baiting them and making them do ridiculous/hilarious things, even scamming the scammers for money and donating it to charity. There are some funny stories on that site.
  • I just hope it is no joke. If it isn't, then this is another example of the scum that are robbing oxygen from decent people in this world.
  • I bet this scam will be a 'winner', since it plays to people's greed, PLUS it's not wrong (hey, we're stealing from Saddam!), and it helps a soldier. If people are still falling for Nigerian ones, they'll go head over heels for this one...
  • Is 157.54.6.67 a firewall machine and the Exchange server believed that the mail came from (instead of through) the firewall? If so then reconfigure the firewall to forward the actual IP address of the outside peer instead of replacing it by the firewall's own IP address.

    Otherwise, 157.54.6.67 is the spammer.

    By the way a long time ago I received few enough spams that I could report things like this to the administrators of domains used by spammers, for example the administrators of the domain name that you replaced by "somewhere". Responsible administrators would kill the e-mail address and maybe contact law enforcement. Spam administrators would help their spammers continue. Of course networks administered by spam administrators need to be added to blacklists -- unfortunately operators such as RBL didn't understand that and they told me to blacklist myself instead. Anyway I no longer have time for that stuff.
  • Norman,
    157.54.6.67 is the IP address of one of the edge servers, we understand how the Received: headers got set to the way they were, we just don't understand why (since it removes diagnosability of routing issues).

    I'm still talking to the Exchange people about it.