[nsp-sec] Gmail address used in "representative scam"

RuthAnne Bevier ruthanne at caltech.edu
Sun Nov 22 00:37:29 EST 2009


Google folks, an international student here corresponded briefly 
with a scammer running the "representative scam", although 
fortunately he did realize something was wrong and backed out before
things got too far.  The scammer then tried threatening to report
him to the FBI (!).  Apparently this is a documented variant of the
scam, including the particular company name they used ("JOHN
PHILIP'S ARTS & DECORS"), but the Gmail address is clearly in active
use for two-way communication, so I thought you would like to know 
about it.

Full headers from a recent message:

Return-Path: <patanders884 at gmail.com>
X-Original-To: xxx at caltech.edu
Received: from earth-doxen.imss.caltech.edu (localhost [127.0.0.1])
     by earth-doxen-postvirus (Postfix) with ESMTP id BD86966E4917
     for <xxx at caltech.edu>; Sat, 21 Nov 2009 07:58:47 -0800 (PST)
X-Spam-Scanned: at Caltech-IMSS on earth-doxen by amavisd-new
X-Spam-Flag: NO
X-Spam-Score: 1.807
X-Spam-Level: *
X-Spam-Status: No, score=1.807 tagged_above=-10000 required=5
     tests=[DKIM_SIGNED=0.001, DKIM_VERIFIED=-0.001, DK_SIGNED=0.001,
     HTML_MESSAGE=0.001, SPF_PASS=-0.001, SUBJ_ALL_CAPS=1.806]
     autolearn=disabled
Received: from mail-iw0-f121.google.com (mail-iw0-f121.google.com [209.85.223.121])
     by earth-doxen-external (Postfix) with ESMTP id 85DA766E428A
     for <xxx at caltech.edu>; Sat, 21 Nov 2009 07:58:46 -0800 (PST)
Received: by iwn27 with SMTP id 27so296337iwn.8
     for <xxx at caltech.edu>; Sat, 21 Nov 2009 07:58:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
     d=gmail.com; s=gamma;
     h=domainkey-signature:mime-version:received:date:message-id:subject
     :from:content-type;
     bh=4J07losn1Q5bohwVPzt9ffl89u8JNrKMFxNV03kOssM=;
     b=bwFMDgnEZQ77/HK9u0YHuOZzXV1fmOlb7k5QqqHu4mAEu6tzuFqe9njKL1qV1K4g/f
     lcRzYamIz71utQCNUHD1wRB/T+l4e+0zM8ZILDxugqvwOvY8lSnkP91AeJRKQAlfyv2H
     md9OklqsiOjl8W5hi/u5jenp01bKyt7W09f5w=
DomainKey-Signature: a=rsa-sha1; c=nofws;
     d=gmail.com; s=gamma;
     h=mime-version:date:message-id:subject:from:content-type;
     b=qImu2Y+OvIzrWzT25xkRR9VplU8BjZs8nHiHgKDEzUnQDJJc6cleaq5wt3dP9bBFj/
     1XbQYVxaSNZq5Oge0M+S5K14WPvBr+tYlehaQvb0ms7WFK425TkF6QoFcqwUY7p3f8Nt
     TOZ6Z5M9osRFQS27srdyQljNMhIlOm+buQhjs=
MIME-Version: 1.0
Received: by 10.231.158.205 with SMTP id g13mt7569066ibx.30.1258819121122;
     Sat, 21 Nov 2009 07:58:41 -0800 (PST)
Date: Sat, 21 Nov 2009 16:58:41 +0100
Message-ID: <c878bcd30911210758t500fd0efo57b6fb62b455f223 at mail.gmail.com>
Subject: RESPOND OF F.B.I WILL COME KNOCKING AT YOUR DOOR
From: Patrick Anderson <patanders884 at gmail.com>
Content-Type: multipart/alternative; boundary=00504501416dd97ef20478e3aa72
To: undisclosed-recipients:;

Message body:

---------------------------- Original Message ----------------------------
Subject: RESPOND OF F.B.I WILL COME KNOCKING AT YOUR DOOR
From:    "Patrick Anderson" <patanders884 at gmail.com>
Date:    Sat, November 21, 2009 7:58 am
To:      undisclosed-recipients:;
--------------------------------------------------------------------------

Hello,

I t has come to my notice that you have received my package that arrived via
UPS and you have never minded to get back to me with the update, i would
inform the FBI if i dont hear from you in the next 48 hours

No thanks

Patrick

____________________________



 
-- 
RuthAnne Bevier
Information Security
California Institute of Technology   
626-395-2671
ruthanne at caltech.edu


