Mailserver – Page 17

Antnio Guterres GOOD NEWS swhale800@gmail.com 11 28 2017

From: "Antnio Guterres"<lily@tinysoft.com.cn> Reply: <swhale800@gmail.com> Date: Tue, 28 Nov 2017 23:12:33 +0100 Subject: GOOD NEWS; swhale800@gmail.com 11/28/2017

United Nations Headquarters
760 United Nations Plaza,
New York 10017, U.S.A
Tel: (646)350-2124

Dear Beneficiary,

It has come to my knowledge that the over-due contract/Inheritance/Winning sum,of some of our beneficiaries, which

unfortunately includes YOU,that had been placed on HOLD by the United State Government due to lack of proper documentations,

will be released to you within 24hrs from now. This unfortunate delay occurred due to the exit of former Secretary General of

the United Nation Ban Ki-moon,US Treasury Secretary Jacob Joseph "Jack" Lew and the sudden exit of the former FBI director

James Comey.

The fund in the value of $5,352.000.00 will be ready to transfer from the Federal Reserve Bank, as soon as you pay the re-

processing fee of $187.00 only through our fiduciary agent,John Garza.Agent John Garza will get the duty fee certified and

paid on your behalf at the IRS office and then the Federal Reserve Bank will be authorized to transfer the fund to your Bank

Account.

In the lieu of this, it is imperative that you give a response to this email,kindly providing your bank account details for a

bank wire transfer from the Federal Reserve Bank New-York.Also,if for ease of access,you wish for an electronic card payment

instead,it can be processed and delivered to you.

The following information are required and adviced to be sent through our secured email servers.

FULL NAME.
HOME ADDRESS.
MOBILE/HOME TELEPHONE Number.

Note: You are to Send your response via email to my secure email (swhale800@gmail.com )

You are also adviced to place a Call to the above dedicacted mobile number,as soon as you get this email.

Yours sincerely,

Antnio Guterres
Secretary General UN

GORD CH INFO

From: "GORD CH"<info@ziroda.hu> Reply: <changgordon61@yahoo.com.hk> Date: Tue, 21 Nov 2017 10:44:24 +0900 Subject: INFO!

I have important transaction for you as next of kin to claim US$8.37m email me at changgordon61@yahoo.com.hk so I can send you more details

Technical Analysis

This one suddenly flagged itself up as “interesting” as a result of a couple of comments being made, more on that later.

The Email itself is pretty basic text only, not pretending to look like anything official. It lacks details of why this person is contacting you but I am not here to evaluate the scammers Emailing abilities.

The contact address changgordon61@yahoo.com.hk can be found elsewhere on line, such as Anti-Fraud International where this chap, Gordon Chang, seems to have a page all to himself, albeit with a variety of Email addresses. There is a match with ours at the bottom of the page, an Email dating back to June 2017.

The Email we received was from info@ziroda.hu and appears to have genuinely been sent via their mail servers. This would indicate that this is a hacked account being using by the spammers. Note that they have added a “reply-to” address. This is the address used when the receiver clicks “reply” and it is not immediately obvious that they are replying to a Yahoo address.

The Spammer left us a few clues to his identity. They generated the Email from their local PC. They used Outlook Express 6, indicating that they are still on Windows XP, possibly Windows Me, 2000 or even 98!

The IP address indicates a Japan origin. Although they could have been using a VPN, the time zone of the Email backs up the Japanese origin.

Then we had a couple of comments. They used two different Email addresses, one was a Yahoo, the other was Bank of China, probably to make it appear that they were comments from two independent people. They sent both comments from the same IP, which happened to be a US based address. I suspect this would be a VPN as USA would be have been during the early hours of the morning when the comments were posted.

Click here for the baiting

Mail Server Perfect one

From: Mail Server <hiva_hoseini@yahoo.com> Reply: Mail Server <hiva_hoseini@yahoo.com> Date: Sun, 2 Jul 2017 06:48:31 +0000 (UTC) Subject: Perfect one

Attachments

532.jpg

What I am seeking is a woman as laid out in Proverbs 31. A woman who is
strong (but not overbearing), loyal, respectful, kind and sweet. That
carry herself like the Queen she is in all situations. That arouse my
intellect as well as physical desires. Looking forÂ Â that somebody that I
can share my entire self with. Somebody that is not afraid to be loved
as well express love .. I seek for a serious and long term
relationship,Someone I can spend the rest of my Life with. Well I will
like to tell> u that am a sensitive man, am honest, Kind,caring, and truthful .. I
Love reading, Singing, Watching tv, going to beach, Sports,Swimming,
Outdoors, Camping,and Fishing .. My turn on is someone who is
Honest,truthful,friendly and someone who can make me happy, My turn off
is : I don't like someone who lies,someone that love talking dirty
online,someone who is just looking for a sex online..So far so good i
must confess that i can definitely love a good woman till the end of my
Life…………….honey it took me time to write these to you ..pls kindly reply back..too

American Express Suspicious sign in detected from unknown browser

From: "American Express" <service@efox-shop.com> Date: Mon, 10 Apr 2017 13:50:51 -0700 Subject: Suspicious sign in detected from unknown browser

Dear American Express Customer:
We detected something unusual about a recent sign-in to the American Express.
To help keep you safe, we required an extra security challenge.
If you’re not sure this was you, a malicious user might have your password. Please review your recent activity and we’ll help you take corrective action.
Kindly download the attached file below for your safety.

If you aren’t enrolled in Paperless Statements and think you’ve received this message in error, please call our Customer Support team immediately, using the phone number on the “Contact Us” page on American Express.
If this was you, then you can safely ignore this email.
Please don’t reply directly to this automatically-generated e-mail message.
Sincerely,

Technical Analysis

Analysis of the IP addresses contained within the header reveals that the Email has come from the IT systems of efox. Efox is a legitimate company based in China. The domain was originally created in 2008, so they are well established. Their mail servers are appearing on many spam blacklists so it is likely that they unfortunately succumbed to a hacking or are hosting a viral spambot in their system. (At the time of this EMail – April 2017)

It would appear that their service@efox-shop.com is the address that has been infiltrated, although it may just be a generic name being used. Note that the sender name appears as “American Express”, which is what most Email clients will display. A handy tip to spot fake Emails is to compare the human readable and the Email address of the sender – a mismatch is a giveaway (Compare “American Express” with “service@efox-shop.com” ) – but do not assume a match indicates a good Email.

The Email we received was multipart, the part we do not publish for obvious reasons was an HTML form.

The form is designed to look like its from American Express, even using genuine American Express links to display images and download the CSS files. Instead of posting the form with all your secure details to American Express, the fake form sends the captured data to a Dutch registered domain.

The usual method for a hacker is to place the form processing script onto a breached site, although in this case, it looks like the perpetrator created an account with a hosting company. The domain name was just some random consonants and the domain now shows a “account suspended message”.

Moral of the story: Unless you have actually ordered something from efox-shop.com, any Emails from them are likely to be suspect. Generally, never trust an Email and never click on an Email link. (The only exception is when you request a password reset and the Email arrives seconds later.

Match.com WARNING YOUR ACCOUNT WILL BE SHUTDOWN CANCEL DE-ACTIVATION

From: Match.com <email@emailserver.inc> Reply: email@emailserver.inc Date: Mon, 19 Dec 2016 10:43:48 +0000 (GMT) Subject: WARNING YOUR ACCOUNT WILL BE SHUTDOWN CANCEL DE-ACTIVATION

Server Message

Dear nigel@brendinghat.com

Our record indicates that you recently made a request to shutdown your email (nigel@brendinghat.com ). And this request will be processed shortly. If this request was made accidentally and you have no knowledge of it, you are advised to cancel the request now

Cancel De-activation

However, if you do not cancel this request, the your account will be shutdown shortly and all your email data will be lost permanently.

Regards.
Email Administrator

————————-

This message is auto-generated from E-mail security server, and
replies sent to this email can not be delivered.
This email is meant for: nigel@brendinghat.com

Nathan Sheets Please respond

From: "Nathan Sheets"<info@treasury.gov> Reply: <info@usa-treasury.twomini.com> Date: Sat, 29 Oct 2016 01:35:35 +0800 Subject: Please respond !!!

Dear Beneficiary,
I am Nathan Sheets, Under Secretary for International Affairs, the U.S. Department of the Treasury. You can get more details about me here;
https://www.treasury.gov/about/organizational-structure/Pages/Under-Secretary-for-International-Affairs.aspx
I have been saddled with the responsibility of liaising with beneficiaries regarding all previously unpaid/unclaimed funds and be sure all such funds are paid before the end of the fiscal year 2016. Disbursement of all funds have recently just commenced.

An agreement was recently reached between the Treasury Department and International Monetary Fund for us to settle all outstanding payments accrued to individuals/corporations with respect to local and overseas contract payment, debt re-scheduling and outstanding compensation payment. Fortunately, you have been selected alongside a few other beneficiaries to receive your own payment of $850,000 (Eight Hundred and Fifty Thousand United States Dollars only).

We have been notified that you are yet to receive your fund valued at $850,000. This money will hence be transferred to your nominated bank account.
You are advised to kindly reply this email with the below details enclosed to help us process your payment;

(1) Full Names:
(2) Residential Address:
(3) Age:
(4) Phone/Cell Number:
(5) Occupation:

Yours faithfully,
Nathan Sheets
Under Secretary for International Affairs
(U.S. Department of the Treasury)

Note: If you received this message in your SPAM/JUNK folder, it is because of the restrictions implemented by your Internet Service Provider, we urge you to treat it genuinely. The information contained in this e-mail is private & confidential and may also be legally privileged. If you are not the intended recipient, please notify us, preferably by e-mail.

Technical Analysis

According to Wikipedia, D. Nathan Sheets is an American economist and currently the Under Secretary of the Treasury for International Affairs. The treasury.gov Email would be a feasible contact address. Of course the reply-to address info@usa-treasury.twomini.com is where any reply would go.

twomini.com is a free webhosting company for those who just want a site or an Email address using a subdomain of twomini.com This scammer has created an account “usa-treasury”, although it appears to have now been disabled.

The scammer sent the Email via Outlook Express 6, which would be running under Windows XP. It was sent to a blind mailing list, rather than individual Emails. They logged into the PC using the account “User”. The originating IP address indicates the Email was sent via the Aliyun Computing Ltd network, based in China. They have relayed the message via possibly hacked, or an open relay, mail server belonging to the domain keyagent.co.uk