
Email header experts - need help!


speculative
18th August 2004, 01:41 PM
So, this guy sends me an email saying he is from Citibank and asking for my credit card #/pin #. This is illegal impersonation and also fraud and I'd like to report him to his ISP. Here's the header - how do I figure out who to send the email to??? :confused:


speculative@yahoo.com via 66.163.170.250; Tue, 17 Aug 2004 21:38:20 -0700
X-Originating-IP: [24.174.14.246]
Return-Path: <valeryeeperjesy.citi_staff@citicards.com>
Received: from 24.174.14.246 (HELO cs2417414-246.houston.rr.com) (24.174.14.246) by mta145.mail.re2.yahoo.com with SMTP; Tue, 17 Aug 2004 21:38:20 -0700
Date: Wed, 18 Aug 2004 04:22:37 +0000
From: "Citibank" <ValeryeEperjesy.citi_staff@citicards.com>
To: speculative@yahoo.com
Subject: Citibank e-mail verification - sp eculative@yahoo.com
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----------4683F83C67133A47F539C9EAE3"
Content-Length: 10209

lechumbl
18th August 2004, 01:52 PM
Hi Spec,

Make the fraudulent email an attachment and send the whole thing to the Fraud Division of the FBI.
They have a department just for this type of thing.

Take care..........

Meadmaker
18th August 2004, 02:09 PM
Right on Lee - we have a similar facility here in the UK for reporting such emails.

Tweety
18th August 2004, 02:12 PM
I'd agree with the above speaker...:D Might also be a good idea to include a copy of that same e-mail to Citibank... customer support e-mail or such...

Squeaky
18th August 2004, 03:09 PM
I delete so many of these :mad: only yesterday I had mail from spoof bank and spoof isp. I can only imagine the number of people who click the links, the ISP mail looked particularly authentic, but the headers obviously give it away. Can someone post the links for reporting these?

wombat
18th August 2004, 03:17 PM
Right on Lee - we have a similar facility here in the UK for reporting such emails.
We do? I get loads of these all the time. Where would I report them to? They are starting to annoy me. :D

and Speculative is this lot any help :eek:

Spam Header
This page may be saved for future reference:
http://www.spamcop.net/sc?id=z611074040zdc7a4b5609876c0f35950ef9d305933dz
X-Originating-IP: [24.174.14.246]
Return-Path: <valeryeeperjesy.citi_staff@citicards.com>
Received: from 24.174.14.246 (HELO cs2417414-246.houston.rr.com) (24.174.14.246) by mta145.mail.re2.yahoo.com with SMTP; Tue, 17 Aug 2004 21:38:20 -0700
Date: Wed, 18 Aug 2004 04:22:37 +0000
From: "Citibank" <ValeryeEperjesy.citi_staff@citicards.com>
To: x
Subject: Citibank e-mail verification - sp eculative@yahoo.com
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----------4683F83C67133A47F539C9EAE3"
Content-Length: 10209
Parsing header:

Received: from 24.174.14.246 (HELO cs2417414-246.houston.rr.com) (24.174.14.246) by mta145.mail.re2.yahoo.com with SMTP; Tue, 17 Aug 2004 21:38:20 -0700
24.174.14.246 found
host 24.174.14.246 = cs2417414-246.houston.rr.com (cached)
host cs2417414-246.houston.rr.com (checking ip) = 24.174.14.246
Possible spammer: 24.174.14.246
Received line accepted

Tracking message source: 24.174.14.246:
Routing details for 24.174.14.246 (http://www.spamcop.net/sc?action=showroute&ip=24.174.14.246&typecodes=17)
[refresh/show] (http://www.spamcop.net/sc?action=rcache&ip=24.174.14.246) Cached whois for 24.174.14.246 : abuse@rr.com
Using abuse net on abuse@rr.com
abuse net rr.com = abuse@rr.com
Using best contacts abuse@rr.com
Message is 10 hours old
24.174.14.246 not listed in dnsbl.njabl.org
24.174.14.246 not listed in dnsbl.njabl.org
24.174.14.246 listed in cbl.abuseat.org ( 127.0.0.2 )
24.174.14.246 is an open proxy
24.174.14.246 not listed in query.bondedsender.org
24.174.14.246 not listed in iadb.isipp.com

No body provided, check format of submission
If reported today, reports would be sent to:


Re: 24.174.14.246 (Administrator of network where email originates)

abuse@rr.com

.
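
The trace SpamCop performs in the post above can be reproduced offline on the posted header. This is an added example, not part of the original thread; the function names and the `own_mta_suffix` parameter are assumptions, and the regex assumes the `from <x> (HELO <name>) (<ip>) by <mta>` layout seen in this header.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header as posted in the thread, minus the cut-off first line and webmail residue.
RAW = """\
X-Originating-IP: [24.174.14.246]
Return-Path: <valeryeeperjesy.citi_staff@citicards.com>
Received: from 24.174.14.246 (HELO cs2417414-246.houston.rr.com) (24.174.14.246) by mta145.mail.re2.yahoo.com with SMTP; Tue, 17 Aug 2004 21:38:20 -0700
Date: Wed, 18 Aug 2004 04:22:37 +0000
From: "Citibank" <ValeryeEperjesy.citi_staff@citicards.com>
To: speculative@yahoo.com
Subject: Citibank e-mail verification - sp eculative@yahoo.com
"""

# Assumed layout: the HELO name is claimed by the sender, the trailing (ip) is the peer address.
RECEIVED = re.compile(
    r"from\s+\S+\s+\(HELO\s+(?P<helo>[^)\s]+)\)\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)"
    r"\s+by\s+(?P<by>\S+)")

def registrable(host):
    """Naive last-two-labels domain (assumption: no public-suffix handling)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def triage(raw, own_mta_suffix):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Trust only the Received line written by the recipient's own mail provider;
    # anything below that hop was supplied by the sending side and can be forged.
    for line in msg.get_all("Received", []):
        m = RECEIVED.search(" ".join(line.split()))
        if m and m["by"].lower().endswith(own_mta_suffix):
            return {
                "source_ip": m["ip"],            # run whois on this for the abuse contact
                "helo_domain": registrable(m["helo"]),  # sender-claimed; confirm via reverse DNS
                "from_domain": from_domain,
                "from_matches_source": registrable(from_domain) == registrable(m["helo"]),
                "xoip_agrees": msg.get("X-Originating-IP", "").strip("[] ") == m["ip"],
            }
    return None
```

The abuse report goes to the owner of `source_ip` as found by whois, not to the domain in the `From:` line, which the sender chooses freely.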

speculative
18th August 2004, 03:29 PM
Went to the FBI site and then thought, "Hmm... they won't need to search my computer and find those questionable pics of Shania Twain scantily clad will they?" :mg:

Thought about emailing Citibank, then thought, "They won't accuse me of being part of this scam will they?" :mg:

Then I thought, "I could report this email to the administrator, but what if they are in on the scam?" :mg:

Annoying, all around. Guess I'll report it to the FBI and if they need to poke around I'll say my HD crashed in a horrible overclocking accident... :D

-spec

lechumbl
18th August 2004, 03:32 PM
Hi Spec,

Send me those pics of Shania for safe keeping. :D
I won't let the FBI see them. :p :p

Take care.........

wombat
18th August 2004, 03:35 PM
I will look after those pictures for you if you are worried the FBI might find them.

If I was you I would report it to anyone that would listen, you want to include the body of the email with the header though. :)

Edit: looks like we had the same idea about the pics lechumbl :)

Meadmaker
18th August 2004, 04:07 PM
I think Spec should share them with us all actually. :nod:

Perhaps if he uploaded them into the Gallery? :whistle:

speculative
18th August 2004, 05:52 PM
Lol... :D

Anyways, here is what I got back via auto-response:


*************************************************************
==DO NOT REPLY DIRECTLY TO THIS MESSAGE==
==ROAD RUNNER WILL NOT SEE ANY REPLY SENT TO THIS MESSAGE==
*************************************************************

This is an automatic reply to confirm that your message has been
received by Road Runner Security (abuse@rr.com) describing an incident
of alleged service abuse. You will only receive this message once per
day.

All complaints regarding Earthlink High Speed Users (*.mindspring.com)
should be directed to abuse@abuse.earthlink.net - Road Runner DOES NOT
handle abuse issues dealing with Earthlink customers.

If you are a Road Runner subscriber, writing to complain about spam sent
*TO* your Road Runner account, please visit
http://security.rr.com/help.htm


****************************************************************************
* If your message contains obscenities, abusive, or threatening language   *
* directed at our abuse staff, it will be discarded without further action.*
* Please remember that the people who read complaints at this address are  *
* working to assist you with addressing your issue - RR Security           *
****************************************************************************

If you sent your message to an address other than
abuse/security/fraud@rr.com, please be aware that your message was
automatically forwarded to our centralized location at the address
abuse@rr.com. You may wish to use abuse@rr.com, security@rr.com, or
fraud@rr.com for all future issues.

Road Runner is dedicated to ensuring that its service is used in a
manner that is consistent with the policies set forth in its Terms of
Service Agreement and Acceptable Use Policy, a copy of which can be
found at http://security.rr.com. Road Runner takes all reported abuse
complaints seriously, and will handle them in accordance with the above
policies in a timely and efficient manner. Should we require further
information regarding your complaint, we will contact you.

Please note, although it is not always possible for us to provide a
direct human response to your complaint, we do investigate *all*
complaints. As such, please do not interpret a lack of response as a
lack of action taken. If we find that a customer is in violation of our
policies, we will take the necessary action to stop the activity in
question.

Thank you for taking the time to contact Road Runner.


---Your Original Message Is Below---
I received this email from your servers - it is a
fraudulent email and needs to be looked into by your
administrators.


Note: forwarded message attached.

lechumbl
18th August 2004, 06:50 PM
Hi Spec,

That is the most polite run around I have ever heard.
Their legal department should be proud of the wording.

I may be hard to get along with, but if I received that response, I would be furious at the lack of response in the response.

Time to go shopping for a different ISP, me thinks?

Take care..........

Chelle
18th August 2004, 07:02 PM
Maybe you should have attached the Shania pics Spec, would get their attention more :D

That actually looks like a generic, automated response... but they claim they do investigate all complaints.

I'd seriously get in touch with Citibank though, they might want to put out a bulletin to their customers to alert them to the scam.

speculative
18th August 2004, 07:04 PM
Yup - of course it sure works slick for this criminal. :D I am on qwest.net, Road Runner is the ISP of the sender of the email.

I have received 3 more just this afternoon, and am forwarding each one. Guess I'll eventually be charged with spamming if this keeps up? :rolleyes:

-spec

speculative
18th August 2004, 07:16 PM
I went to Citibank's web site and on this page:

http://www.citibank.com/domain/contact/?BVE=http://web.da-us.citibank.com&BVP=/cgi-bin/citifi/scripts/&M=S&US&_u=visitor

it talks about contacting them in case of email fraud. I submitted the email to them with header info.

-spec

lechumbl
18th August 2004, 07:18 PM
Hi Spec,

I agree, chances are, you will get more action from CitiBank than anyone else.
Since it is their reputation at stake, they will go out of their way to solve this.

Take care.....

speculative
18th August 2004, 07:33 PM
True; unfortunately I think many of these emails originate from outside the U.S.'s jurisdiction. Many of them contain obvious mis-spellings and grammar errors. We have an international war crimes tribunal; how hard would it be to get countries on the same page about Internet crime?

-spec

speculative
19th August 2004, 03:02 PM
Road Runner can KMA... They sent me an auto-response that basically said, we are not responsible for anything at all ever, because someone can spoof our ip. :rolleyes:

-spec

lechumbl
19th August 2004, 03:17 PM
Hi Spec,

Like I said, drop them and get someone with a little class and morals.

Take care.......