Edit: Apparently indiatimes is genuine. (sorry! India Times) must've been just a webmail account. Couldn't see half the site from home. Oh well. Maybe this isn't so exciting then. -4/12/03
------------------------------------------
Thought I'd do some detective work today.
This is a bit of an obtuse one, but here goes anyway.
I received a copy of the Nigerian scam via email (Appendix 1).
Facts:
source IP address: 192.116.66.219
spam sourced using an http://www.nyc.com/ mail account
reply address 1: vinobi2000@go.com
reply address 2: applefamily@indiatimes.com
Analysis:
Interesting trace: the source IP address is owned by SKY2Net ltd. (GILAT-SATCOM-BLOCK-31-32-40-46)
Are the spammers using satellite technology to avoid being tracked down?
I had a look at nyc.com and it appears to have a valid web-mail service:
https://nyc-mail.nyc.com/cgi-bin/signup/signup.pl
Think I sent them a mail to their abuse section.
Go.com is valid and provides a web based email service which can be obtained online:
https://register.go.com/go/register
I looked at http://www.indiatimes.com/
There's a reasonably convincing first page (plenty of adverts - if we can't be conned then I suppose a bit of advertising kick-back will do!), however you can't get many other pages and the "site" quickly looks flaky. I reckon this was set up by the spammers to convince people the address was valid.
The site seems to exist on multiple IP addresses. See: http://uptime.netcraft.com/up/graph?site=www.indiatimes.com where all the IP addresses seem to be listed. Which address you get changes regularly (minutes apart) - see Appendix 6.
Appendix 3 contains one of the traces, which finishes with an unreachable domain name. Very odd.
Looking up the MX records reveals the mail server to be smtp.indiatimes.com (Appendix 4).
smtp.indiatimes.com (203.199.93.5) seems to work but is hosted somewhere else; I couldn't get any useful info out of tracert or ripe.net. (Appendices 2 and 5)
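The header trace above can be automated. The following Python is an added example, not part of the original post: it walks the Received: chain of the email in Appendix 1 (copied here with the folded lines re-indented) from the oldest hop upwards and pulls out the submitting client's IP, then cross-checks it against the IP that the webmail software embedded in the Message-ID. Note that the earliest hop was submitted "with HTTP", so the address found is the browser client that logged into the webmail account, not an SMTP relay.

```python
import re
from email import message_from_string

# Headers from the e-mail reproduced in Appendix 1 (constructed sample input;
# continuation lines re-indented so they parse as RFC 822 folded headers).
RAW_HEADERS = """\
Return-Path: <mabacha@nyc.com>
Received: from nyc-mail.nyc.com ([66.111.12.66]) by mta6-svc.business.ntl.com
 (InterMail vM.4.01.03.37 201-229-121-137-20020806) with SMTP id
 <20031124183749.KMRS21828.mta6-svc.business.ntl.com@nyc-mail.nyc.com> for
 <t.abell@virgin.net>; Mon, 24 Nov 2003 18:37:49 +0000
Received: (qmail 45052 invoked by uid 79); 24 Nov 2003 18:30:17 -0000
Received: from 192.116.66.219 (NYC.com Mail authenticated user mabacha@nyc.com)
 by mail-nyc.nyc.com with HTTP; Tue, 25 Nov 2003 02:30:16 +0800 (SGT)
Message-ID: <1618.192.116.66.219.1069698616.squirrel@mail-nyc.nyc.com>
From: Muhammed <mabacha@nyc.com>
Subject: REPLY URGENTLY

"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_hops(raw):
    """Received: headers oldest-first (each MTA prepends its own line)."""
    msg = message_from_string(raw)
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    return list(reversed(hops))


def origin_ip(raw):
    """IP of the client in the earliest 'from' clause, i.e. the submitting host."""
    for hop in received_hops(raw):
        m = re.match(r"from\s+(\S+)(?:\s*\(([^)]*)\))?", hop)
        if not m:
            continue  # e.g. qmail's local "(qmail ... invoked by uid ...)" hop
        # A bracketed literal in the comment beats the bare token, which may be a name.
        hit = IPV4.search(m.group(2) or "") or IPV4.search(m.group(1))
        if hit:
            return hit.group(1)
    return None


def message_id_ip(raw):
    """The webmail-generated Message-ID also carries the client IP; corroborate."""
    hit = IPV4.search(message_from_string(raw).get("Message-ID", ""))
    return hit.group(1) if hit else None


if __name__ == "__main__":
    print("origin:", origin_ip(RAW_HEADERS), "message-id:", message_id_ip(RAW_HEADERS))
```

Only the Received: line added by your own receiving server (here mta6-svc.business.ntl.com) is trustworthy; earlier lines are whatever the upstream hosts chose to write, so the Message-ID cross-check is the kind of corroboration worth looking for.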
Conclusions?
None
I hate people who exploit other people. Through whatever means & medium.
Appendices:
1) The received email (with headers)
From: - Tue Nov 25 07:46:47 2003
X-UIDL: <1618.192.116.66.219.1069698616.squirrel@mail-nyc.nyc.com>
X-Mozilla-Status: 1001
X-Mozilla-Status2: 00000000
Return-Path: <mabacha@nyc.com>
Received: from nyc-mail.nyc.com ([66.111.12.66]) by mta6-svc.business.ntl.com (InterMail vM.4.01.03.37
201-229-121-137-20020806) with SMTP id <20031124183749.KMRS21828.mta6-svc.business.ntl.com@nyc-mail.nyc.com> for
<t.abell@virgin.net>; Mon, 24 Nov 2003 18:37:49 +0000
Received: (qmail 45052 invoked by uid 79); 24 Nov 2003 18:30:17 -0000
Received: from 192.116.66.219 (NYC.com Mail authenticated user mabacha@nyc.com) by mail-nyc.nyc.com with HTTP; Tue, 25
Nov 2003 02:30:16 +0800 (SGT)
Message-ID: <1618.192.116.66.219.1069698616.squirrel@mail-nyc.nyc.com>
Date: Tue, 25 Nov 2003 02:30:16 +0800 (SGT)
Subject: REPLY URGENTLY
From: Muhammed <mabacha@nyc.com>
To: applefamily@indiatimes.com
User-Agent: NYC.com Mail/1.4.2
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
VERY URGENT AND STRICTLY CONFIDENTIAL BUSINESS PROPOSAL.
PLEASE I WANT YOU TO RELPY ME THIS MAIL TO MY ALTERNATIVE EMAIL ADDRESSES
vinobi2000@go.com and applefamily@indiatimes.com
Dear Sir,
I am MR. MOHAMMED ABACHA the son of the late Gen. Sani Abacha, former head
of State of Nigeria who died on 8th June 1998 while in office. Since the
death of my father the present Government of Chief Olusegun Obasanjo has
been tormenting members of the Abachas family including family friends.
All businesses and property owned by the Abachas have been confiscated by
the Government and all our Bank Account in Nigeria and abroad have been
frozen. A quick reference of Newsweek publication of March 13th 1999 were
88million dollars was taken from us will give you an insight of what I
have gone through. After a short while I was arrested and detained in
prison custody, the government came up with a trump up charge against me
and honestly speaking I have been in detention since November 1999 and I
was only released on Thursdays (11-07-02) by the supreme court of Nigeria
who passed judgment in my favor.
During the reign of my father as the president of this country, an
Aluminum Smelter Company of Nigeria (Alscom) contract was revealed. The
contract was for the construction of plant, at Ikuta Abasi in Akwa Ibom
State of Nigeria, for production of ingots and billets required as raw
material for Aluminum and Allied Industries, Reynolds Incorporated of
America, Phoenix and M&F Companies of Switzerland conducted the
feasibility studies. The contract was awarded to Ferrostall AG of Germany.
However, after the revaluation of the contract, Ferrostall AG collected
its own share of the increment in project cost, while my father's share of
fifty-eight Million U.S. Dollars (US$58,000,000:00) was deposited on my
name with a security company here in Nigeria for safety keep and I know
that my father was planning of how to send this money abroad before his
sudden death in June 8 1998. Since then the money has been with the
security company up till date. This US$58M was secretly packaged in a
trunk box and the certificate of deposit where on my name and is still in
my possession.
Hence all plane is to ship this money abroad through a diplomatic means
without the knowledge of anybody from outside knowing my involvement in
this money, to avoid be seized due to my presently situation and also I am
handicapped as what next to do since I am not conversant with
international monitory policies. Hence I am contacting you as a reputable
and trustworthy person, with a well experience and able hand to help. This
was to bit the security system in Nigeria Because I want you to claim the
money on my behalf. I have declared to the security company that the
consignment belongs to (YOU) as my foreign business partners. Actually I
got your contact from a reliable source, and also I believe you are in a
good position to assist me to transfer this fund for good investment.
Upon receipt of your willingness to assist me claim this money I will then
contact my personal attorney to draft a power of attorney that will
authorize you as the beneficially of this money so that you can handle
this transaction on my behalf. And as soon as this money leaves Nigeria I
will travel out to seek asylum either in Europe or America. My contract
with APEX FINANCE AND SECURITIES GROUP remains few weeks to expire and I
am down broke to renew the duration with the Security Company.
As a matter of urgency, I will like you to send to me immediately your
telephone and fax number. I shall send you all the clearance documents by
fax. I will then forward your name as the beneficiary and my foreign
business partner to the Security Company. You will be entitled to 20% of
the total sum involved for your assistance, 5% will be set aside for
reimbursement to you for any incidental expenses that may be incurred in
the course of the transaction. Your URGENT response is needed. I want you
to call my Attorney Mr. Lawrence Daniel on 234 1 7765468 for more detailed
directives information and the nest required step of how we have to make
move immediately as i have told him about you and he is to handle all the
processing with you on my behalf. All your REPLY must go through these
our family private email address: vinobi2000@go.com and
applefamily@indiatimes.com , I will also need your private and direct
telephone and fax number for easy reach.
Please this is a very confidential matter, you don't disclose to anybody
for us to have success.
Best regard
MR MOHAMMED ABACHA
2) The SMTP server EHLO
telnet smtp.indiatimes.com 25
ehlo me
220 Sat, ESMTP 29 Nov 2003 19:49:07 +0530
250-localhost.localdomain Hello 81-86-251-237.dsl.pipex.com [81.86.251.237], pleased to meet you
250-8BITMIME
250-SIZE
250-DSN
250-ONEX
250-ETRN
250-XUSR
250 HELP
3) A trace route to www.indiatimes.com (one of a varying set)
C:\>tracert www.indiatimes.com
Tracing route to indiatime.speedera.net [195.50.97.131]
over a maximum of 30 hops:
1 21 ms <10 ms 10 ms my.router [192.168.1.1]
2 20 ms 20 ms 10 ms 81-86-240-1.dsl.pipex.com [81.86.240.1]
3 * * * Request timed out.
4 20 ms 20 ms 20 ms POS4-0.GW1.LND9.ALTER.NET [146.188.63.105]
5 20 ms 20 ms 20 ms so-3-0-0.xr1.lnd9.alter.net [158.43.150.141]
6 20 ms 20 ms 20 ms so-0-1-0.TR1.LND9.ALTER.NET [146.188.15.33]
7 20 ms 20 ms 20 ms POS1-0.BR1.LND9.ALTER.NET [146.188.7.242]
8 20 ms 20 ms 20 ms 146.188.68.210
9 10 ms 10 ms 20 ms ge-7-0.ipcolo1.London1.Level3.net [212.187.131.131]
10 20 ms 20 ms 20 ms 195.50.117.22
11 20 ms 20 ms 30 ms www.crone-corkhill.co.uk [195.50.97.131]
Trace complete.
4) MX nslookup of indiatimes.com
C:\>nslookup
Default Server: cache0005.ns.eu.uu.net
Address: 158.43.240.3
> set type=mx
> indiatimes.com
Server: cache0005.ns.eu.uu.net
Address: 158.43.240.3
Non-authoritative answer:
indiatimes.com MX preference = 5, mail exchanger = smtp.indiatimes.com
indiatimes.com nameserver = timesgate2.toi.co.in
indiatimes.com nameserver = ulka.timesgroup.com
indiatimes.com nameserver = ethome.dhakdhak.com
indiatimes.com nameserver = timesgate.toi.co.in
timesgate2.toi.co.in internet address = 203.200.77.20
ulka.timesgroup.com internet address = 203.199.42.201
ethome.dhakdhak.com internet address = 203.199.70.133
timesgate.toi.co.in internet address = 203.200.107.162
>
5) Trace to smtp.indiatimes.com server
C:\>tracert smtp.indiatimes.com
Tracing route to smtp.indiatimes.com [203.199.93.5]
over a maximum of 30 hops:
1 20 ms <10 ms <10 ms my.router [192.168.1.1]
2 10 ms 20 ms 20 ms 81-86-240-1.dsl.pipex.com [81.86.240.1]
3 * * * Request timed out.
4 20 ms 30 ms 20 ms POS5-0.GW2.LND9.ALTER.NET [146.188.56.101]
5 20 ms 20 ms 21 ms so-4-0-0.xr1.lnd9.alter.net [158.43.150.157]
6 * 20 ms 30 ms so-0-1-0.TR1.LND9.ALTER.NET [146.188.15.33]
7 101 ms 100 ms 90 ms so-6-0-0.IR1.NYC12.ALTER.NET [146.188.15.50]
8 100 ms 91 ms 100 ms 0.so-0-0-0.IL1.NYC9.ALTER.NET [152.63.23.57]
9 100 ms 90 ms 90 ms 0.so-3-0-0.TL1.NYC9.ALTER.NET [152.63.9.246]
10 90 ms 100 ms 100 ms 0.so-7-0-0.XL1.NYC4.ALTER.NET [152.63.10.21]
11 101 ms 100 ms 90 ms POS7-1.IG3.NYC4.ALTER.NET [152.63.24.41]
12 350 ms 361 ms 350 ms vsnlnetin-gw.customer.alter.net [208.192.183.150]
13 350 ms * 351 ms LVSB-VSB-stm-3.Bbone.vsnl.net.in [202.54.2.10]
14 350 ms 351 ms 360 ms 203.199.112.34
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 * * * Request timed out.
25 * * * Request timed out.
26 * * * Request timed out.
27 * * * Request timed out.
28 * * * Request timed out.
29 * * * Request timed out.
30 * * * Request timed out.
Trace complete.
C:\>
6) Repeated pings to www.indiatimes.com
C:\>it
C:\>date
Sat 29/11/2003
C:\>time
14:03
C:\>ping www.indiatimes.com -n 1
Pinging indiatime.speedera.net [195.50.97.132] with 32 bytes of data:
Reply from 195.50.97.132: bytes=32 time=40ms TTL=55
Ping statistics for 195.50.97.132:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 40ms, Maximum = 40ms, Average = 40ms
C:\>it
C:\>date
Sat 29/11/2003
C:\>time
14:03
C:\>ping www.indiatimes.com -n 1
Pinging indiatime.speedera.net [195.50.97.132] with 32 bytes of data:
Reply from 195.50.97.132: bytes=32 time=40ms TTL=55
Ping statistics for 195.50.97.132:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 40ms, Maximum = 40ms, Average = 40ms
C:\>it
C:\>date
Sat 29/11/2003
C:\>time
14:03
C:\>ping www.indiatimes.com -n 1
Pinging indiatime.speedera.net [195.50.97.132] with 32 bytes of data:
Reply from 195.50.97.132: bytes=32 time=40ms TTL=55
Ping statistics for 195.50.97.132:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 40ms, Maximum = 40ms, Average = 40ms
C:\>it
C:\>date
Sat 29/11/2003
C:\>time
14:04
C:\>ping www.indiatimes.com -n 1
Pinging indiatime.speedera.net [195.50.97.131] with 32 bytes of data:
Reply from 195.50.97.131: bytes=32 time=40ms TTL=55
Ping statistics for 195.50.97.131:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 40ms, Maximum = 40ms, Average = 40ms
C:\>it
C:\>date
Sat 29/11/2003
C:\>time
14:05
C:\>ping www.indiatimes.com -n 1
Pinging indiatime.speedera.net [195.50.97.131] with 32 bytes of data:
Reply from 195.50.97.131: bytes=32 time=40ms TTL=55
Ping statistics for 195.50.97.131:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 40ms, Maximum = 40ms, Average = 40ms
C:\>it
C:\>date
Sat 29/11/2003
C:\>time
14:05
C:\>ping www.indiatimes.com -n 1
Pinging indiatime.speedera.net [195.50.97.131] with 32 bytes of data:
Reply from 195.50.97.131: bytes=32 time=50ms TTL=55
Ping statistics for 195.50.97.131:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 50ms, Maximum = 50ms, Average = 50ms
C:\>it
C:\>date
Sat 29/11/2003
C:\>time
14:05
C:\>ping www.indiatimes.com -n 1
Pinging indiatime.speedera.net [195.50.97.131] with 32 bytes of data:
Request timed out.
Ping statistics for 195.50.97.131:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>it
C:\>date
Sat 29/11/2003
C:\>time
14:07
C:\>ping www.indiatimes.com -n 1
Pinging indiatime.speedera.net [80.15.238.69] with 32 bytes of data:
Reply from 80.15.238.69: bytes=32 time=40ms TTL=56
Ping statistics for 80.15.238.69:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 40ms, Maximum = 40ms, Average = 40ms
C:\>it
C:\>date
Sat 29/11/2003
C:\>time
14:10
C:\>ping www.indiatimes.com -n 1
Pinging indiatime.speedera.net [80.15.238.71] with 32 bytes of data:
Reply from 80.15.238.71: bytes=32 time=50ms TTL=56
Ping statistics for 80.15.238.71:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 50ms, Maximum = 50ms, Average = 50ms
C:\>
-end-