[nsp-sec] Gmail address used in "representative scam"

Peter Moody pmoody at google.com
Sun Nov 22 13:30:30 EST 2009


ack, sent along for application of the righteous fists of fury.

Cheers,
/peter

On Sat, Nov 21, 2009 at 9:37 PM, RuthAnne Bevier <ruthanne at caltech.edu> wrote:
> ----------- nsp-security Confidential --------
>
> Google folks, an international student here corresponded briefly
> with a scammer running the "representative scam", although
> fortunately he did realize something was wrong and backed out before
> things got too far.  The scammer then tried threatening to report
> him to the FBI (!).  Apparently this is a documented variant of the
> scam, including the particular company name they used ("JOHN
> PHILIP'S ARTS & DECORS"), but the Gmail address is clearly in active
> use for two-way communication, so I thought you would like to know
> about it.
>
> Full headers from a recent message:
>
> Return-Path: <patanders884 at gmail.com>
> X-Original-To: xxx at caltech.edu
> Received: from earth-doxen.imss.caltech.edu (localhost [127.0.0.1])
>     by earth-doxen-postvirus (Postfix) with ESMTP id BD86966E4917
>     for <xxx at caltech.edu>; Sat, 21 Nov 2009 07:58:47 -0800 (PST)
> X-Spam-Scanned: at Caltech-IMSS on earth-doxen by amavisd-new
> X-Spam-Flag: NO
> X-Spam-Score: 1.807
> X-Spam-Level: *
> X-Spam-Status: No, score=1.807 tagged_above=-10000 required=5
>     tests=[DKIM_SIGNED=0.001, DKIM_VERIFIED=-0.001, DK_SIGNED=0.001,
>     HTML_MESSAGE=0.001, SPF_PASS=-0.001, SUBJ_ALL_CAPS=1.806]
>     autolearn=disabled
> Received: from mail-iw0-f121.google.com (mail-iw0-f121.google.com [209.85.223.121])
>     by earth-doxen-external (Postfix) with ESMTP id 85DA766E428A
>     for <xxx at caltech.edu>; Sat, 21 Nov 2009 07:58:46 -0800 (PST)
> Received: by iwn27 with SMTP id 27so296337iwn.8
>     for <xxx at caltech.edu>; Sat, 21 Nov 2009 07:58:46 -0800 (PST)
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
>     d=gmail.com; s=gamma;
>     h=domainkey-signature:mime-version:received:date:message-id:subject
>     :from:content-type;
>     bh=4J07losn1Q5bohwVPzt9ffl89u8JNrKMFxNV03kOssM=;
>     b=bwFMDgnEZQ77/HK9u0YHuOZzXV1fmOlb7k5QqqHu4mAEu6tzuFqe9njKL1qV1K4g/f
>     lcRzYamIz71utQCNUHD1wRB/T+l4e+0zM8ZILDxugqvwOvY8lSnkP91AeJRKQAlfyv2H
>     md9OklqsiOjl8W5hi/u5jenp01bKyt7W09f5w=
> DomainKey-Signature: a=rsa-sha1; c=nofws;
>     d=gmail.com; s=gamma;
>     h=mime-version:date:message-id:subject:from:content-type;
>     b=qImu2Y+OvIzrWzT25xkRR9VplU8BjZs8nHiHgKDEzUnQDJJc6cleaq5wt3dP9bBFj/
>     1XbQYVxaSNZq5Oge0M+S5K14WPvBr+tYlehaQvb0ms7WFK425TkF6QoFcqwUY7p3f8Nt
>     TOZ6Z5M9osRFQS27srdyQljNMhIlOm+buQhjs=
> MIME-Version: 1.0
> Received: by 10.231.158.205 with SMTP id g13mt7569066ibx.30.1258819121122;
>     Sat, 21 Nov 2009 07:58:41 -0800 (PST)
> Date: Sat, 21 Nov 2009 16:58:41 +0100
> Message-ID: <c878bcd30911210758t500fd0efo57b6fb62b455f223 at mail.gmail.com>
> Subject: RESPOND OF F.B.I WILL COME KNOCKING AT YOUR DOOR
> From: Patrick Anderson <patanders884 at gmail.com>
> Content-Type: multipart/alternative; boundary=00504501416dd97ef20478e3aa72
> To: undisclosed-recipients:;
>
> Message body:
>
> ---------------------------- Original Message ----------------------------
> Subject: RESPOND OF F.B.I WILL COME KNOCKING AT YOUR DOOR
> From:    "Patrick Anderson" <patanders884 at gmail.com>
> Date:    Sat, November 21, 2009 7:58 am
> To:      undisclosed-recipients:;
> --------------------------------------------------------------------------
>
> Hello,
>
> I t has come to my notice that you have received my package that arrived via
> UPS and you have never minded to get back to me with the update, i would
> inform the FBI if i dont hear from you in the next 48 hours
>
> No thanks
>
> Patrick
>
> ____________________________
>
>
>
>
> --
> RuthAnne Bevier
> Information Security
> California Institute of Technology
> 626-395-2671
> ruthanne at caltech.edu
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
>



-- 
Peter Moody      Google    1.650.253.7306
Network Security Engineer  pgp:0xC3410038


