[nsp-sec] Google/Gmail - gmail in use for hitman 419 scam

Chris Morrow morrowc at ops-netman.net
Wed May 28 00:52:33 EDT 2008



On Tue, 27 May 2008, RuthAnne Bevier wrote:

> Yes, by all means.  I can send you the full message if that's
> helpful as well.  It appears only one of our people received this,
> fwiw (thus far at least).  Thank you, Chris!

don't think the whole message matters as much but the explanation saves me 
typing :)

>
>     --RuthAnne
>
> On Wed, May 28, 2008 at 12:41:13AM -0400, Chris Morrow wrote:
>> I'll have the account shut (might take til morning) can I send you
>> explanation though along with this?
>>
>> -Chris
>> (google-security-person)
>>
>> On Tue, 27 May 2008, RuthAnne Bevier wrote:
>>
>>> ----------- nsp-security Confidential --------
>>>
>>> I'm not sure who to send this to at Gmail to get this shut down and
>>> maybe investigated.  One of our users received a 419 variant known
>>> as the "hit man" scam, in which the sender claims he is a hit man
>>> contracted to kill the recipient, but for a price he will not carry
>>> out the murder.  Full headers are below (with recipient's username
>>> suppressed by request).  The user has also reported this to the FBI.
>>>
>>> The message demands that the recipient send a response to
>>> "final.bulletpoint360 at gmail.com".
>>>
>>> -------- Original Message --------
>>> Return-Path:    <redbulletpoint.1 at klikni.cz>
>>> X-Original-To:  xxx at caltech.edu
>>> Received:       from fire-dog.its.caltech.edu (fire-dog
>>> [192.168.1.4]) by
>>> earth-ox-postvirus (Postfix) with ESMTP id C4F0B1BC77 for
>>> <xxx at caltech.edu>; Tue, 27 May 2008 03:42:01 -0700 (PDT)
>>> Received:       from ag-out-0708.google.com (ag-out-0708.google.com
>>> [72.14.246.248]) by water-ox.its.caltech.edu (Postfix) with ESMTP id
>>> EFAD21BA77 for <xxx at caltech.edu>; Tue, 27 May 2008 03:41:58 -0700
>>> (PDT)
>>> Received:       by ag-out-0708.google.com with SMTP id
>>> 8so2985600agc.0 for
>>> <xxx at caltech.edu>; Tue, 27 May 2008 03:41:58 -0700 (PDT)
>>> Received:       by 10.90.103.3 with SMTP id
>>> a3mr1414933agc.112.1211884870218;
>>> Tue, 27 May 2008 03:41:10 -0700 (PDT)
>>> Received:       by 10.90.83.5 with HTTP; Tue, 27 May 2008 03:41:10
>>> -0700 (PDT)
>>> Message-ID:
>>> <ced2a0070805270341v10ce85a2q78e8396c8d2cadbd at mail.gmail.com>
>>> Date:   Tue, 27 May 2008 12:41:10 +0200
>>> From:   ANTHONIO BENITO <redbulletpoint.1 at klikni.cz>
>>> Subject:        SOMEONE YOU CALL YOUR FRIEND, WANTS YOU DEAD.
>>> MIME-Version:   1.0
>>> Content-Type:   multipart/alternative;
>>> boundary="----=_Part_12012_15314810.1211884870212"
>>> To:     undisclosed-recipients:;
>>> X-Spam-Scanned:         at Caltech-ITS on fire-dog by amavisd-2.4.5
>>> X-Spam-Score:   2.996
>>> X-Spam-Level:   **
>>> X-Spam-Status:  No, score=2.996 tagged_above=-10000 required=5
>>> tests=[DK_POLICY_SIGNSOME=0.001, HTML_10_20=0.945,
>>> HTML_MESSAGE=0.001,
>>> SUBJ_ALL_CAPS=1.166, UNDISC_RECIPS=0.883]
>>>
>>> --
>>> RuthAnne Bevier
>>> Information Security
>>> California Institute of Technology
>>> 626-395-2671
>>> ruthanne at caltech.edu
>>>
>>>
>>> _______________________________________________
>>> nsp-security mailing list
>>> nsp-security at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/nsp-security
>>>
>>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>>> community. Confidentiality is essential for effective Internet security counter-measures.
>>> _______________________________________________
>>>
>
> --
> RuthAnne Bevier
> Information Security
> California Institute of Technology
> 626-395-2671
> ruthanne at caltech.edu
>


