...making Linux just a little more fun!

UN spam of the day

Mike Orr [sluggoster at gmail.com]


Tue, 18 Jan 2011 08:14:59 -0800

---------- Forwarded message ----------

From: Chris Giles <Chris.Giles@merton.gov.uk>
To: TAG <tag@lists.linuxgazette.net>
Date: Mon, Jan 17, 2011 at 6:44 AM
Subject: United Nations Confirmation Notice
To: info at un.org

You have been compensated by the United Nations with the sum of
$850,000.00USD,for being a scam victim. Contact Mr Raymond Carter with
/Name/Country/Occupation/Mobile No/sex/Address/Age.**Note: All replies
,queries or questions concerning your claims should be sent to
raymondcarterun006 at live.com

-----------------------------------------------------------------
Reduce waste - please do not print this message unless you need to.
This email and any files transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. This email may contain information that is confidential and may contain sensitive or protectively marked information up to RESTRICTED and should be handled accordingly. This communication may be subject to recording and/or monitoring in accordance with relevant legislation. If you have received this email in error you must not copy, disclose or make any further use of the information contained within it. Instead we request that you notify the system manager.
Postmaster at merton.gov.uk
http://www.merton.gov.uk
-----------------------------------------------------------------

How do I contact Mr Raymond Carter when he didn't give his address?

And why would a message about UN compensation be sent to info at un.gov? The United Nations is compensating the United Nations?

-- 
Mike Orr <sluggoster at gmail.com>




Ben Okopnik [ben at linuxgazette.net]


Tue, 18 Jan 2011 11:24:25 -0500

On Tue, Jan 18, 2011 at 08:14:59AM -0800, Mike Orr wrote:

> ---------- Forwarded message ----------
> From: Chris Giles <Chris.Giles at merton.gov.uk>
> Date: Mon, Jan 17, 2011 at 6:44 AM
> Subject: United Nations Confirmation Notice
> To: info at un.org
> 
> 
> You have been compensated by the United Nations with the sum of
> $850,000.00USD,for being a scam victim. Contact Mr Raymond Carter with
> /Name/Country/Occupation/Mobile No/sex/Address/Age.**Note: All replies
> ,queries or questions concerning your claims should be sent to
> raymondcarterun006 at live.com
> -----------------------------------------------------------------
> Reduce waste - please do not print this message unless you need to.
> This email and any files transmitted with it are intended solely for
> the use of the individual or entity to whom they are addressed. This
> email may contain information that is confidential and may contain
> sensitive or protectively marked information up to RESTRICTED and
> should be handled accordingly. This communication may be subject to
> recording and/or monitoring in accordance with relevant legislation.
> If you have received this email in error you must not copy, disclose
> or make any further use of the information contained within it.
> Instead we request that you notify the system manager.
> Postmaster at merton.gov.uk
> http://www.merton.gov.uk
> -----------------------------------------------------------------
> 
> 
> How do I contact Mr Raymond Carter when he didn't give his address?

It's this email thing they have nowadays. You just put the mouse cursor on the little square that says 'Reply' in your Outlook Express, and go "clicky-clicky"... :)

> And why would a message about UN compensation be sent to
> info at un.gov? The United Nations is compensating the United Nations?

Well, they know that you're just going to want to contribute every penny of that toward world peace, and what better way than to give it to the UN? They're just streamlining the process, that's all.

I do have to say, that's pretty slick on the spammer's part: the 'From:' address is easy to fake, but I didn't know you could fiddle with the 'To:' and still have it delivered correctly. I wonder what they did - but without the headers, that's not happening.

-- 
* Ben Okopnik * Editor-in-Chief, Linux Gazette * http://LinuxGazette.NET *




Mike Orr [sluggoster at gmail.com]


Tue, 18 Jan 2011 10:26:01 -0800

On Tue, Jan 18, 2011 at 8:24 AM, Ben Okopnik <ben at linuxgazette.net> wrote:

> On Tue, Jan 18, 2011 at 08:14:59AM -0800, Mike Orr wrote:
> I do have to say, that's pretty slick on the spammer's part: the
> 'From:' address is easy to fake, but I didn't know you could fiddle with
> the 'To:' and still have it delivered correctly. I wonder what they did
> - but without the headers, that's not happening.

Here are the headers.

Delivered-To: friendly LG person at gmail.com
Received: by 10.231.36.7 with SMTP id r7cs138792ibd;
        Mon, 17 Jan 2011 06:48:07 -0800 (PST)
Received: by 10.227.144.9 with SMTP id x9mr4133720wbu.103.1295275685767;
        Mon, 17 Jan 2011 06:48:05 -0800 (PST)
Return-Path: <chris.giles at merton.gov.uk>
Received: from mailout.merton.gov.uk (mailout.merton.gov.uk [212.85.21.203])
        by mx.google.com with ESMTP id r3si6479964wbr.80.2011.01.17.06.48.05;
        Mon, 17 Jan 2011 06:48:05 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of
chris.giles at merton.gov.uk designates 212.85.21.203 as permitted
sender) client-ip=212.85.21.203;
Authentication-Results: mx.google.com; spf=pass (google.com: best
guess record for domain of chris.giles at merton.gov.uk designates
212.85.21.203 as permitted sender) smtp.mail=chris.giles at merton.gov.uk
X-ASG-Debug-ID: 1295275514-52b9d8d70001-eYtrI1
Received: from mailx.merton.gov.uk ([10.132.200.93]) by
mailout.merton.gov.uk with ESMTP id K4vBNFWUBNEhAe5W; Mon, 17 Jan 2011
14:45:14 +0000 (GMT)
X-Barracuda-Envelope-From: chris.giles at merton.gov.uk
Received: from exchange13.merton.gov.uk (unknown [10.130.200.13])
	by mailx.merton.gov.uk (Postfix) with ESMTP id 8B885178005;
	Mon, 17 Jan 2011 14:42:11 +0000 (GMT)
Received: from exchange12.merton.gov.uk ([10.130.200.12]) by
exchange13.merton.gov.uk with Microsoft SMTPSVC(6.0.3790.4675);
	 Mon, 17 Jan 2011 14:44:56 +0000
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----_=_NextPart_001_01CBB655.1BB78415"
X-ASG-Orig-Subj: United Nations Confirmation Notice
Subject: United Nations Confirmation Notice
Date: Mon, 17 Jan 2011 14:44:56 -0000
Message-ID: <93D3D52243A1CA4186395552E46C2B090114AC66 at exchange12.merton.gov.uk>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: United Nations Confirmation Notice
Thread-Index: Acu2VRtJe0vL/IhvQpSXr8KlLuwoGA==
From: "Chris Giles" <Chris.Giles@merton.gov.uk>
To: TAG <tag@lists.linuxgazette.net>
To: <info at un.org>
X-OriginalArrivalTime: 17 Jan 2011 14:44:56.0828 (UTC) FILETIME=[1BFDBBC0:01CBB655]
X-MailScanner-ID: 8B885178005.5F43E
X-MERTON-GOV-UK-MailScanner: Found to be clean
X-MERTON-GOV-UK-MailScanner-From: chris.giles at merton.gov.uk
X-Spam-Status: No
X-Barracuda-Connect: UNKNOWN[10.132.200.93]
X-Barracuda-Start-Time: 1295275514
X-Barracuda-URL: http://172.16.1.203:8000/cgi-mod/mark.cgi
X-Virus-Scanned: by bsmtpd at merton.gov.uk

-- 
Mike Orr <sluggoster at gmail.com>




Ben Okopnik [ben at okopnik.com]


Tue, 18 Jan 2011 13:41:50 -0500

On Tue, Jan 18, 2011 at 10:26:01AM -0800, Mike Orr wrote:

> On Tue, Jan 18, 2011 at 8:24 AM, Ben Okopnik <ben at linuxgazette.net> wrote:
> > On Tue, Jan 18, 2011 at 08:14:59AM -0800, Mike Orr wrote:
> > I do have to say, that's pretty slick on the spammer's part: the
> > 'From:' address is easy to fake, but I didn't know you could fiddle with
> > the 'To:' and still have it delivered correctly. I wonder what they did
> > - but without the headers, that's not happening.
> 
> Here are the headers.
> 
> Delivered-To: friendly LG person at gmail.com
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

[blink] I kinda doubt that.

The rest of it, though, says that Chris Giles (a Youth Offending Team manager out of Morden, it seems) did indeed send this - perhaps via someone having infected his system with a spam server.

> Received-SPF: pass (google.com: best guess record for domain of
> chris.giles at merton.gov.uk designates 212.85.21.203 as permitted
> sender) client-ip=212.85.21.203;
> Authentication-Results: mx.google.com; spf=pass (google.com: best
> guess record for domain of chris.giles at merton.gov.uk designates
> 212.85.21.203 as permitted sender) smtp.mail=chris.giles at merton.gov.uk

The only suspicious part that I see is this:

> Received: from exchange13.merton.gov.uk (unknown [10.130.200.13])
> 	by mailx.merton.gov.uk (Postfix) with ESMTP id 8B885178005;
> 	Mon, 17 Jan 2011 14:42:11 +0000 (GMT)
> Received: from exchange12.merton.gov.uk ([10.130.200.12]) by
> exchange13.merton.gov.uk with Microsoft SMTPSVC(6.0.3790.4675);
> 	 Mon, 17 Jan 2011 14:44:56 +0000

10.130.200.13 is an RFC1918 address - i.e., reserved for private networks - and it doesn't seem to me like a mail server would have one of those listed as part of the mail transport chain... but then, as has been noted elsewhere, over 50% of the world's mail servers are misconfigured, so who knows.

> X-Barracuda-Connect: UNKNOWN[10.132.200.93]

Seems like Barracuda (anti-spam hardware system, as I recall) thinks about it much as I do. Suspicious. But overall, they've done a pretty slick job on it.

Ben

-- 
                       OKOPNIK CONSULTING
        Custom Computing Solutions For Your Business
Expert-led Training | Dynamic, vital websites | Custom programming
  443-250-7895   http://okopnik.com   http://twitter.com/okopnik




Ben Okopnik [ben at linuxgazette.net]


Tue, 18 Jan 2011 13:46:30 -0500

On Tue, Jan 18, 2011 at 10:26:01AM -0800, Mike Orr wrote:

> 
> Here are the headers.
> 
> Delivered-To: friendly LG person at gmail.com
> Received: by 10.231.36.7 with SMTP id r7cs138792ibd;
>         Mon, 17 Jan 2011 06:48:07 -0800 (PST)
> Received: by 10.227.144.9 with SMTP id x9mr4133720wbu.103.1295275685767;
>         Mon, 17 Jan 2011 06:48:05 -0800 (PST)
> Return-Path: <chris.giles at merton.gov.uk>
> Received: from mailout.merton.gov.uk (mailout.merton.gov.uk [212.85.21.203])
>         by mx.google.com with ESMTP id r3si6479964wbr.80.2011.01.17.06.48.05;
>         Mon, 17 Jan 2011 06:48:05 -0800 (PST)

Oh, right - I just got it. The headers are out of order; the only ones that are real are the ones above the 'Return-Path: ' header. That's a private network that's got a heavily-tweaked mail server which sends out absolutely minimal headers; the only way you're going to get who they are is at SMTP time, when you can see their actual IP. The rest of it is just glued on. Clever.

I'd have been able to see that if you'd included the actual 'From ' header; I'd lost track of who does what and in what order without it.

-- 
* Ben Okopnik * Editor-in-Chief, Linux Gazette * http://LinuxGazette.NET *
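As an added example (editor's code, not from the thread or from Linux Gazette), here is a small Python triage script that does the reading Ben describes above: it walks the Received chain newest-first, treats the hop stamped by the recipient's own MX (assumed here to be mx.google.com, as in the headers Mike posted) as the last one whose client IP was actually observed, marks every hop below it as written by the sending side, flags RFC1918 client addresses, and pulls out the Received-SPF verdict. The sample headers are a subset of the ones posted above, re-folded with leading whitespace on continuation lines.

```python
import re
import ipaddress
from email import message_from_string

# Subset of the Received chain posted in this thread, re-folded so that
# continuation lines start with whitespace (the archive had re-wrapped them).
RAW_HEADERS = """\
Received: by 10.231.36.7 with SMTP id r7cs138792ibd;
        Mon, 17 Jan 2011 06:48:07 -0800 (PST)
Received: from mailout.merton.gov.uk (mailout.merton.gov.uk [212.85.21.203])
        by mx.google.com with ESMTP id r3si6479964wbr.80.2011.01.17.06.48.05;
        Mon, 17 Jan 2011 06:48:05 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of
        chris.giles@merton.gov.uk designates 212.85.21.203 as permitted
        sender) client-ip=212.85.21.203;
Received: from mailx.merton.gov.uk ([10.132.200.93]) by
        mailout.merton.gov.uk with ESMTP id K4vBNFWUBNEhAe5W; Mon, 17 Jan 2011
        14:45:14 +0000 (GMT)
Received: from exchange13.merton.gov.uk (unknown [10.130.200.13])
        by mailx.merton.gov.uk (Postfix) with ESMTP id 8B885178005;
        Mon, 17 Jan 2011 14:42:11 +0000 (GMT)
Received: from exchange12.merton.gov.uk ([10.130.200.12]) by
        exchange13.merton.gov.uk with Microsoft SMTPSVC(6.0.3790.4675);
        Mon, 17 Jan 2011 14:44:56 +0000

"""

HOP_RE = re.compile(r"(?:from\s+(?P<frm>\S+))?.*?\bby\s+(?P<by>\S+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def analyse(raw, trusted_mx="mx.google.com"):
    """Walk Received headers newest-first; mark hops as verified down to the
    one stamped by our own MX, and flag RFC1918 client addresses."""
    msg = message_from_string(raw)
    hops, verified = [], True
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        ip = IP_RE.search(value)
        addr = ipaddress.ip_address(ip.group(1)) if ip else None
        by = m.group("by") if m else None
        hops.append({"from": m.group("frm") if m else None, "by": by,
                     "ip": str(addr) if addr else None,
                     "private": bool(addr and addr.is_private),
                     "verified": verified})
        # Hops below the one our MX stamped were written by the sending side;
        # they are only as trustworthy as the relay that handed us the message.
        if by and by.rstrip(";").lower() == trusted_mx:
            verified = False
    spf = msg.get("Received-SPF", "")
    return hops, (spf.split()[0].lower() if spf else None)
```

Private addresses on hops inside the sender's own network are routine for internal relays, so the flag is a prompt to look closer rather than a verdict; the hop your own MX stamped is the one whose client IP can actually be checked.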

