Nigeria-scam - Western Union Bidpay

Låt dig inte luras av nedanstående scam !

Fri, 9 Sep 2005 15:52:33 -0700
Received: from localhost (localhost [127.0.0.1])
by mail01.anytimenow.com (Postfix) with ESMTP
id 58F97448172; Fri, 9 Sep 2005 23:59:23 +0100 (BST)
Received: from mail01.anytimenow.com ([127.0.0.1])
by localhost (mail01.anytimenow.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 01157-09; Fri, 9 Sep 2005 23:59:21 +0100 (BST)
Received: from anytimenow.com (unknown [81.19.56.130])
by mail01.anytimenow.com (Postfix) with ESMTP
id 08002448181; Fri, 9 Sep 2005 23:59:20 +0100 (BST)
Received: from baldrick [127.0.0.1] by anytimenow.com
(SMTPD32-8.03) id A3C8271029E; Fri, 09 Sep 2005 23:59:20 +0100
To: <xxx@hotmail.com>
From: =?iso-8859-1?B?V2VzdGVybiBVbmlvbiBCaWRwYXmu?= <Bidpay@westernunion.com>
Subject: WESTERN UNION BIDPAY ORDER APPROVAL::(92736437463)
Date: Fri, 9 Sep 2005 22:59:20 +0000
Cc: <smithcole30@coolgoose.com>
MIME-Version: 1.0
Message-Id: <432213C8.00020D.19136@baldrick.anytimenow.com>
X-Mailer: www.anytimenow.com
Content-Type: Multipart/Mixed;
boundary="------------Boundary-00=_WUNKCFCUUGIPJEDD7TH0"
X-Virus-Scanned: by amavisd-new at anytimenow.com
Return-Path: Bidpay@westernunion.com
X-OriginalArrivalTime: 09 Sep 2005 22:52:33.0862 (UTC) FILETIME=[2A8BD660:01C5B591]

--------------Boundary-00=_WUNKCFCUUGIPJEDD7TH0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

Western Union Auction Payments

Dear Nisse Hulth,

Western Union Auction Payments hereby congratulate you and at the same time informs you once again that the Money OrderSM sent to you from Smith Cole has been Approved. MoneyOrderSM :6.600.00 SEK Western Union.

Classified Item/s : Canon EOS-1 Proffskamera

Please verify that the following address (as entered by the buyer) is correct .

Name : Nisse Hulth
Address : Lurendrejeri-gatan. 8
; 212 12 Malmö

Country : Sweden

Order Details
********************************************************************************************************
Your order number : 92736437463

Classified Item Amount Plus Shipping : 6.600.00 SEK
Total Amount : 6.600.00 SEK
*********************************************************************************************************

This order has been approved, we will send the above address payment in 2-3 business day of our receiving your proof of shipment.You can now send the items to the buyer now. And if you have any question, feel free to contact our customer service (bidpay_accts@accountant.com) .

Immediately you mail the tracking number/receipt of postage used to our customer care centre, you will receive a notification letter which will inform of the date your money order (Sweden Customers) is going to arrive.

***Note that payment can be sent to the seller only if the item purchased has been sent to the buyer.***

Thank you for using Western Union Auction Payments. We look forward serving your online auction payment needs in the future.

Sincerely,

Western Union Auction Payments

--------------Boundary-00=_WUNKCFCUUGIPJEDD7TH0--

Om man analyserar mailet så blir resultatet följande;

Received: from mail01.anytimenow.com ([81.19.56.134]) by mc10-f27.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Fri, 9 Sep 2005 15:52:33 -0700

81.19.56.134 found
host 81.19.56.134 (getting name) = mail01.anytimenow.com.
mail01.anytimenow.com is 81.19.56.134
Possible spammer: 81.19.56.134
Received line accepted

Received: from localhost (localhost [127.0.0.1]) by mail01.anytimenow.com (Postfix) with ESMTP id 58F97448172; Fri, 9 Sep 2005 23:59:23 +0100 (BST)

127.0.0.1 found
host 127.0.0.1 = localhost (cached)
localhost is 127.0.0.1
81.19.56.134 not listed in dnsbl.njabl.org
81.19.56.134 not listed in cbl.abuseat.org
81.19.56.134 not listed in dnsbl.sorbs.net
81.19.56.134 is not an MX for mc10-f27.hotmail.com
81.19.56.134 is an MX for anytimenow.com

127.0.0.1 discarded

Received: from mail01.anytimenow.com ([127.0.0.1]) by localhost (mail01.anytimenow.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 01157-09; Fri, 9 Sep 2005 23:59:21 +0100 (BST)

127.0.0.1 discarded

Received: from anytimenow.com (unknown [81.19.56.130]) by mail01.anytimenow.com (Postfix) with ESMTP id 08002448181; Fri, 9 Sep 2005 23:59:20 +0100 (BST)

81.19.56.130 found
host 81.19.56.130 (getting name) no name
81.19.56.134 not listed in dnsbl.njabl.org
81.19.56.134 not listed in cbl.abuseat.org
81.19.56.134 not listed in dnsbl.sorbs.net
81.19.56.134 is not an MX for mc10-f27.hotmail.com
81.19.56.134 is an MX for anytimenow.com
Possible spammer: 81.19.56.130
host mail01.anytimenow.com (checking ip) = 81.19.56.134
81.19.56.134 not listed in dnsbl.njabl.org
81.19.56.134 not listed in cbl.abuseat.org
81.19.56.134 not listed in dnsbl.sorbs.net
Chain test:mail01.anytimenow.com =? mail01.anytimenow.com
mail01.anytimenow.com and mail01.anytimenow.com have same hostname - chain verified
Possible relay: 81.19.56.134
81.19.56.134 not listed in relays.ordb.org.
81.19.56.134 has already been sent to relay testers
Received line accepted

Received: from baldrick [127.0.0.1] by anytimenow.com (SMTPD32-8.03) id A3C8271029E; Fri, 09 Sep 2005 23:59:20 +0100

127.0.0.1 found
host 127.0.0.1 = localhost (cached)
localhost is 127.0.0.1
81.19.56.130 not listed in dnsbl.njabl.org
81.19.56.130 not listed in cbl.abuseat.org
81.19.56.130 not listed in dnsbl.sorbs.net
81.19.56.130 is not an MX for mail01.anytimenow.com
ips are close enough
81.19.56.130 is close to an MX (81.19.56.134) for anytimenow.com

127.0.0.1 discarded

Cached whois for 81.19.56.130 : abuse@qubenet.net murray.keig@qube-networks.co.uk ripe@qube-networks.co.uk
Using abuse net on abuse@qubenet.net
No abuse net record for qubenet.net
Using best contacts abuse@qubenet.net
81.19.56.130 not listed in dnsbl.njabl.org
81.19.56.130 not listed in dnsbl.njabl.org
81.19.56.130 not listed in cbl.abuseat.org
81.19.56.130 not listed in dnsbl.sorbs.net
81.19.56.130 not listed in relays.ordb.org.
81.19.56.130 not listed in accredit.habeas.com
81.19.56.130 not listed in plus.bondedsender.org
81.19.56.130 not listed in iadb.isipp.com

Finding links in message body

Recurse multipart:
Parsing HTML part

Resolving link obfuscation

http://www.bidpay.com/
   host www.bidpay.com (checking ip) = 216.66.211.251
   host 216.66.211.251 = FDCDENWUAPWEB01 (cached)
http://us.f514.mail.yahoo.com/ym/compose?to=accts_bidpay@accountant.com
   host us.f514.mail.yahoo.com (checking ip) = 206.190.38.192
   host 206.190.38.192 (getting name) = f514.mail.yahoo.com.
   Masking email address in link:http://us.f514.mail.yahoo.com/ym/compose?to=x
http://www.bid%20pay.co%20m/
   Percent unescape: http://www.bid
   host www.bid (checking ip) ip not found ; www.bid discarded as fake.
   host www.bid (checking ip) ip not found ; www.bid discarded as fake.
http://www.fbi.gov/
   host www.fbi.gov (checking ip) ip not found ; www.fbi.gov discarded as fake.
http://mail.yahoo.com/config/login?/__javascript:go('info/oscomparepayment.asp')
   host mail.yahoo.com (checking ip) = 216.109.127.60
   host 216.109.127.60 = login1.login.vip.dcn.yahoo.com (cached)

Tracking link: http://www.fbi.gov/

No recent reports, no history available
ISP does not wish to receive report regarding gov

www.fbi.gov hosted by akamai - no reports

Cannot resolve http://www.fbi.gov/

Tracking link: http://www.bidpay.com/

Resolves to 216.66.211.251
Routing details for 216.66.211.251 Cached whois for
216.66.211.251 : david.leitzel@firstdatacorp.com
Using last resort contacts david.leitzel@firstdatacorp.com
david.leitzel@firstdatacorp.com bounces (8 sent : 6 bounces)

Using david.leitzel#firstdatacorp.com@devnull.spamcop.net for statistical tracking.

No recent reports, no history available
ISP does not wish to receive report regarding mail.yahoo.com
Resolves to 216.109.127.60

Report routing for 216.109.127.60: yahoo@admin.spamcop.net

ISP does not wish to receive reports regarding http://mail.yahoo.com/config/login?/__javascript:go('info/oscomparepayment.asp') - no date available

http://mail.yahoo.com/config/login?/__javascript:go('info/oscomparepayment.asp') has been appealed previously.

No recent reports, no history available

Cannot resolve http://www.bid

No recent reports, no history available
ISP does not wish to receive report regarding mail.yahoo.com
Resolves to 206.190.38.192
Routing details for 206.190.38.192 Cached whois for
206.190.38.192 : netblockadmin@yahoo-inc.com
Using abuse net on netblockadmin@yahoo-inc.com
abuse net yahoo-inc.com = postmaster@yahoo-inc.com
Using best contacts postmaster@yahoo-inc.com
postmaster@yahoo-inc.com redirects to yahoo@admin.spamcop.net

ISP does not wish to receive reports regarding http://us.f514.mail.yahoo.com/ym/compose?to=x - no date available

http://us.f514.mail.yahoo.com/ym/compose?to=x has been appealed previously.

From: =?iso-8859-1?B?V2VzdGVybiBVbmlvbiBCaWRwYXmu?= <Bidpay@westernunion.com> (WESTERN UNION BIDPAY ORDER APPROVAL::(92736437463) )
--------------Boundary-00=_WUNKCFCUUGIPJEDD7TH0
Content-Type: text/html; charset="iso-8859-1"

Efter ovanstående mail skickar den fiktiva personen "Smith Cole" följande mail;

----- Original Message -----
From: "smith" smithcole30@coolgoose.com
Sent: Friday, September 09, 2005 1:52 AM
Subject: thanks

thanks alot for the mail these is the address to send the item to ok. bidpay will bring the money to your house and you will be the only one to sign and collected by you ok just follow there instruction and you will have your money at once ok. so you will be send a confirmation email about the payment ok

NAME : ABEKHE PAUL
ADDRESS:NO 8 BALOGUN STREET(BEHIND ITT BUILDING)
MOKOLA, IBADAN
OYO STATE,
NIGERIA 2342
i will make the payment tomorrow ok ,kindly send your name and address so that i can make the payment ok.
hope to read from you
thanks

Sedan skickar dessa sällsynt korkade amatörer följande mail;

BidPay Payments Department hereby congratulates you and at the same time reminding you once again that the Money OrderSM sent to you from "Mr Smith Cole" to Nisse Hylth through UnitedState BIDPAY service has been Verified and Approved.

This order of 1 Camera has been approved, and you are expected to shipout the item once you recieve the Money OrderSM approval from our department hich you haven't done so.

You are now given the rigth to make the shipment and send the reciept of the shipment of the packages to us because . Your Money have been issued out and it will be delivered to your full contact informations as stated in the Money OrderSM approval sent to you.

Thank you for using BidPay Money Order.

We look forward to serve your Business Relationship needs in the future.

Sincerely,
Customers Payment Department.

___________________________________________________________
Sign-up for Ads Free at Mail.com
http://www.mail.com/?sr=signup

Notera t.ex. att dessa ljushuvuden inte kan engelska och de kan inte stava, och att de mail de förväntar sig man ska lita på är skickade från en gratis e-post adress.

Dessutom är html-koden skriven på ett väldigt amatörmässigt sätt och de inlänkade bilderna är minst lika amatörmässigt gjorda.

Bredband / ADSL - Sanningen om Sveriges internetleverantörer !

Nigeria-scam - Western Union Bidpay

Låt dig inte luras av nedanstående scam !

Dear Nisse Hulth,

Om man analyserar mailet så blir resultatet följande;

Efter ovanstående mail skickar den fiktiva personen "Smith Cole" följande mail;

Sedan skickar dessa sällsynt korkade amatörer följande mail;

Thank you for using BidPay Money Order.

We look forward to serve your Business Relationship needs in the future. Sincerely, Customers Payment Department.

We look forward to serve your Business Relationship needs in the future.

Sincerely,
Customers Payment Department.