Nigerian email scam!

Rookie One.pl
Site Admin
Posts: 2752
Joined: Fri Jan 31, 2003 7:49 pm
Location: Nowa Wies Tworoska, Poland

Post by Rookie One.pl »

I think it's one guy using some proxy servers, possibly like Tor.

Yeah, I still wonder what exactly he is trying to cheat me at. :? Anyway, let's wait and see. :) If he wants me to go to London, I'll send him a fake plane ticket bill. :P
Last edited by Rookie One.pl on Sun Mar 02, 2008 10:27 pm, edited 1 time in total.
Admin
Honour guide me.

here's my stuff - inequation.org | here's where I work - thefarm51.com
superturk
Colour Sergeant
Posts: 79
Joined: Mon Oct 17, 2005 2:00 am

Post by superturk »

This is going to be funny, Rook, lol :lol:
I can't wait to hear his reply :lol:
Ophis™
Colonel
Posts: 461
Joined: Sun Mar 12, 2006 2:30 pm
Location: England, Manchester

Post by Ophis™ »

He does want you to go to London, only he stated that you must pay for your own travel there. So I doubt that would work.

( PM'd you about adding me to your msn! )
[ Formerly Known As Snake™ ]
Rookie One.pl
Site Admin
Posts: 2752
Joined: Fri Jan 31, 2003 7:49 pm
Location: Nowa Wies Tworoska, Poland

Post by Rookie One.pl »

I know he does. :roll: I'm not stupid enough to go there, though! :P Thanks, I'll add you tomorrow. ;)
Rookie One.pl
Site Admin
Posts: 2752
Joined: Fri Jan 31, 2003 7:49 pm
Location: Nowa Wies Tworoska, Poland

Post by Rookie One.pl »

Bump!

Got another e-mail from our Zimbabwean farmer:
From: Richard Duke <mr_richardduke>
To: Adam Rybacki <arybacki>
Cc:
Subject: Update
Date: 7 July 2006 10:57

Adam,

My lawyer has drafted the Power of attorney and he says it will be ready by Monday . so as soon as it is ready I will contact you . Meanwhile I need you to advise me on a good investments that is very lucrative in Poland , because I need you to help me invest most of the fund in Country , so pls help me with a good idea on a good business which you can help me invest most of my fund as soon as you claim the box from London .

Also am still waiting for you phone no. and also your passport photo pls forward them to me .

Regards,
Richard
It's also from Iran:

Received: from [217.219.224.69] by web27701.mail.ukl.yahoo.com via HTTP; Fri, 07 Jul 2006 09:57:21 BST
Note that the IP is exactly the same as the one the previous email came from. This means that he either:
  • had been in Nigeria and currently is in Iran,
  • had been using a Nigerian proxy server and now switched to an Iranian one,
  • is using a system like Tor and was lucky enough to get to use the same proxy again (not very likely).
I'm getting a little bored of this game. I think I'll wait till Monday and see if he sends the stuff, and if not I'll just send him a message telling him all my suspicions. We'll see what he'll say to that. ;)

Meanwhile I'm still not honouring him with an e-mail. :P
Admin
Honour guide me.

here's my stuff - inequation.org | here's where I work - thefarm51.com
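
The header comparison described in the post above, as an added Python example that is not part of the original thread: it pulls the submitting address out of webmail `Received: ... via HTTP` headers and groups messages by that address. The `first` and `previous` samples, with their hosts and dates, are constructed (192.0.2.10 and 198.51.100.7 are documentation addresses); only the `update` line is the header quoted in the post.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Webmail front ends of that era stamped the submitting client's address in
# brackets: "Received: from [IP] by HOST via HTTP; DATE" (format as quoted above).
WEBMAIL_HOP = re.compile(
    r"^Received:\s+from\s+\[(?P<ip>[0-9A-Fa-f:.]+)\]\s+by\s+(?P<host>\S+)"
    r"\s+via\s+HTTP;\s*(?P<date>.+)$", re.IGNORECASE
)

def webmail_origin(raw_headers):
    """Return (ip, host, date) of the earliest webmail hop, or None if absent.
    Headers are prepended in transit, so the last match is the earliest hop."""
    # Undo RFC 5322 header folding so each header sits on one line.
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    origin = None
    for line in unfolded.splitlines():
        m = WEBMAIL_HOP.match(line.strip())
        if not m:
            continue  # relay hops ("from name (name [ip]) ... with SMTP") are skipped
        try:
            ip = ip_address(m.group("ip"))
        except ValueError:
            continue  # bracket content that is not a valid address
        origin = (str(ip), m.group("host"), m.group("date").strip())
    return origin

def group_by_origin(messages):
    """Map each origin address to the labels of the messages submitted from it."""
    groups = defaultdict(list)
    for label, headers in messages.items():
        origin = webmail_origin(headers)
        groups[origin[0] if origin else "unknown"].append(label)
    return dict(groups)

MESSAGES = {
    # Constructed: the first e-mail's header is not shown in this thread.
    "first": "Received: from [192.0.2.10] by web0.mail.example via HTTP; "
             "Mon, 03 Jul 2006 11:02:10 BST\n",
    # Constructed date, host and relay hop; the folded line exercises unfolding.
    "previous": "Received: from web0.mail.example (web0.mail.example [198.51.100.7])"
                " by mx.example.net with SMTP; Thu, 06 Jul 2006 18:12:44 +0100\n"
                "Received: from [217.219.224.69] by web0.mail.example via HTTP;\n"
                "\tThu, 06 Jul 2006 18:12:40 BST\n",
    # The header line quoted in the post.
    "update": "Received: from [217.219.224.69] by web27701.mail.ukl.yahoo.com "
              "via HTTP; Fri, 07 Jul 2006 09:57:21 BST\n",
}
```

The address recovered this way is only the client the webmail front end saw, so a proxy in the path shows up in place of the sender's own machine.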
Ophis™
Colonel
Posts: 461
Joined: Sun Mar 12, 2006 2:30 pm
Location: England, Manchester

Post by Ophis™ »

Why not email him saying something like...

"Wait a minute? Are you trying to con me? Damn it, you're just like me. I got your email and thought I could con you but you're doing the same trick I use on my victims!!! How often does it work for you? I usually bag a fair few a year!! Sorry if I've wasted your time thinking you had one in the bag!"

Something along those lines would surely confuse him! And hopefully give us a last email to laugh at too.
[ Formerly Known As Snake™ ]
Rookie One.pl
Site Admin
Posts: 2752
Joined: Fri Jan 31, 2003 7:49 pm
Location: Nowa Wies Tworoska, Poland

Post by Rookie One.pl »

Hmm. I've been doing some hacker-ish research on the guy. Well, all I can say is he knows his stuff, but made a mistake anyway. :twisted:

First, I've been pinging the Iranian IP at various times of the day. Turns out it's up 24/7. So I went further and did a little port scanning on it:

Interesting ports on 217.219.224.69:
Not shown: 1675 filtered ports
PORT     STATE SERVICE    VERSION
23/tcp   open  telnet?
80/tcp   open  http-proxy NetApp NetCache http proxy 5.5R2
514/tcp  open  login      Cisco router logind
1025/tcp open  tcpwrapped
3128/tcp open  http-proxy NetApp NetCache http proxy 5.5R2
There's an HTTP proxy running on it, and it's public and it works. I'm connecting through it right now. ;) Therefore, my assumption that he used a proxy to conceal himself seems to be right. He's clever.

Remember the Nigerian IP? I probed it as well, and it only responds to pings at various times of the day, which makes me think it's the guy's computer itself. I guess he forgot to switch to the proxy when sending that first e-mail. Not very clever. :P

I'll try and see if I can gather any more info about him.
Last edited by Rookie One.pl on Sun Mar 02, 2008 10:25 pm, edited 1 time in total.
Tod001
Major
Posts: 294
Joined: Sat May 06, 2006 1:23 pm
Location: Shack in the woods,VA

Post by Tod001 »

Sh1t,
Use telnet and scan his hdrive!!! :wink:
Rookie One.pl
Site Admin
Posts: 2752
Joined: Fri Jan 31, 2003 7:49 pm
Location: Nowa Wies Tworoska, Poland

Post by Rookie One.pl »

Heh, even if he has a telnet server running, he's probably got it passworded. ;) And the Iranian proxy's telnet refuses all connections from outside of its LAN.
<EDIT>Hah, I just found it on a public server list. He wasn't that clever after all. :P</EDIT>
Tod001
Major
Posts: 294
Joined: Sat May 06, 2006 1:23 pm
Location: Shack in the woods,VA

Post by Tod001 »

Good job Rook! :wink:
Ophis™
Colonel
Posts: 461
Joined: Sun Mar 12, 2006 2:30 pm
Location: England, Manchester

Post by Ophis™ »

Can we not get him found now then? By sending this info to some sort of authority who might deal with these things. Cos it's clear he is trying to con you and you now have basically the info that leads to where he's sat right now!
[ Formerly Known As Snake™ ]
lizardkid
Windows Zealot
Posts: 3672
Joined: Fri Mar 19, 2004 7:16 pm
Location: Helena MT

Post by lizardkid »

could be a multi-server proxy system, which seems reasonable.

What I want to know is how did you do your little port scan trick? I know how to ping (duh) but what program/system feature did you use?
Moderator

۞
Abyssus pro sapientia
Olympus pro Ignarus
۞

AND STUFF™ © 2006
Tod001
Major
Posts: 294
Joined: Sat May 06, 2006 1:23 pm
Location: Shack in the woods,VA

Post by Tod001 »

There are many scanning programs out there, some you can even set to scan a whole series of IPs, instead of just one.
I have several, want one?
Rookie One.pl
Site Admin
Posts: 2752
Joined: Fri Jan 31, 2003 7:49 pm
Location: Nowa Wies Tworoska, Poland

Post by Rookie One.pl »

@Lizard: Nope, when using a multi-proxy system (like Tor) the probability of getting to use the same end point is extremely low. And I used nmap under my lovely Slackware Linux. <3 :twisted: micro$oft borked raw sockets on purpose in wincrap xp sp2, so you'd have a hard time using the win32 nmap build.

@Snake: no, he hasn't made a request for money or anything just yet. But hey, I'm on it, I'm trying to find out as much about him as possible right now! :twisted:
Last edited by Rookie One.pl on Sun Jul 09, 2006 8:23 am, edited 1 time in total.
lizardkid
Windows Zealot
Posts: 3672
Joined: Fri Mar 19, 2004 7:16 pm
Location: Helena MT

Post by lizardkid »

I was thinking too fast, I meant the router could be hooked with multiple proxy boxes, or even side computers if the company owning it only had one outside connection.