2009-08-28 22:00:08

My Encounter With A CraigsList Scammer

It was a dark and dreary day in Johnstown. I sit in my cubicle, soaking wet from my recent trek to the doctor's office. I notice that my GMail tab in Firefox shows 1 new message, so I go and see that it's a reply to a post I made on CraigsList trying to sell one of my camera lenses. I open the email and read this:
Hello, I'm interested in your item. I will like to know if it's still available for sale. If yes, let me know the price including next day delivery to Boise, ID. Payment will be by paypal. Thanks, Alan
The email was from Generic Stores <genericstores@googlemail.com>. This immediately tripped my brain's scam sensor for a couple of reasons:
  1. The name is Generic Stores
  2. The domain is googlemail.com instead of gmail.com
    • Even though googlemail.com is valid for GMail, no one uses it
  3. The wording seems odd
I showed this email to a coworker and he noticed that the second sentence uses the word "will" instead of "would". I didn't notice that at first, but now I really think this is a scammer. But, I give this "Alan" the benefit of the doubt. He might just be a retard. I don't know. So I perform my own little Turing test by sending him an email with a question/statement that a bot probably wouldn't answer too well.
Alan, The lens costs $100 and is still available.  I will have to calculate the next day shipping charges and get back to you.  Let me know if this is ok. Kevin
His reply was actually good. It was clear that this was an actual human and not some bot. So, continuing to give this person the benefit of the doubt, we worked out how much next day shipping would cost and I sent him a money request through PayPal. Within minutes, I get this email in my inbox:
[Image: the spoofed PayPal "payment notification" email]

Now, at the time I received this email, I was at the chiropractor, so I was working from my phone. And even on a large screen, this email looks dead on. This guy took his time. My mail client even showed service@paypal.com as the sender. Ok, I'm a little more convinced. But, I'm not completely convinced. I called PayPal support and asked them to confirm that the payment was made. They said that it was not. So I emailed "Alan" back, told him that the payment wasn't made yet, and asked him to make the payment before I ship the lens.
Twice we go back and forth with him saying I should have the confirmation email in my inbox and me saying it's not there. Some time passed; I ate supper with my family and finally made my way home. I got on my desktop, opened the email, and checked out the headers:
Delivered-To: kevinslonka@gmail.com
Received: by 10.239.137.203 with SMTP id m11cs319458hbm; Fri, 28 Aug 2009 13:41:36 -0700 (PDT)
Received: by 10.216.88.195 with SMTP id a45mr308148wef.63.1251492095950; Fri, 28 Aug 2009 13:41:35 -0700 (PDT)
Received-SPF: softfail (google.com: best guess record for domain of transitioning paymentnotice@inbox.com does not designate 64.135.83.40 as permitted sender) client-ip=64.135.83.40;
Received: by 10.16.169.4 with POP3 id r4mf239349gve.29; Fri, 28 Aug 2009 13:41:35 -0700 (PDT)
X-Gmail-Fetch-Info: slonkak@kevinslonka.com 1 mail.kevinslonka.com 110 slonkak@kevinslonka.com
Return-Path: <paymentnotice@inbox.com>
Delivered-To: virtual-kevinslonka_com-slonkak@kevinslonka.com
Received: (qmail 15233 invoked from network); 28 Aug 2009 20:31:14 -0000
Received: from unknown (HELO WM40.inbox.com) (64.135.83.40) by ns108.webmasters.com with SMTP; Fri, 28 Aug 2009 16:31:14 -0400
Received: from inbox.com (127.0.0.1:25) by inbox.com with [InBox.Com SMTP Server] id <908281231004.WM40> for <slonkak@kevinslonka.com> from <paymentnotice@inbox.com>; Fri, 28 Aug 2009 12:31:45 PM -0800
Mime-Version: 1.0
Date: Fri, 28 Aug 2009 12:31:45 -0800
Message-ID: <5F2A3E70EEA.00000C24paymentnotice@inbox.com>
From: "service@paypal.com" <paymentnotice@inbox.com>
Subject: ***NOTIFICATION OF AN INSTANT PAYMENT***
To: slonkak@kevinslonka.com
X-Mailer: INBOX.COM
X-Originating-IP: 41.184.9.28
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-IWM-ACU: MR-7yYx1yRdosBKTpvAluOAVEzbaUnc_WhS_LjuXXOvJEqIBVG7qLpNhwDIy SsuRxpIIx9qiYAJ43EfZftHUlYfd1c75os1Zr7xuzb8gMW5dxnCER327b4d1 w-QL7WeFMZMGQFzL4z7ljvzI@
So, I was looking for where this message originated. If this was a real email from PayPal saying that the payment was sent, the first (bottom-most) "Received" line in the headers should be a PayPal email server. This email came from a loopback address, which is impossible:
Received: from inbox.com (127.0.0.1:25)
Since I didn't think that looked right, I looked for the next server up the chain:
Received: from unknown (HELO WM40.inbox.com) (64.135.83.40)
So this guy didn't cover his tracks well at all. It's obvious that the email did NOT originate from PayPal, but from inbox.com, which I have never heard of before. It was at this point that I was 100% sure this entire charade was a scam and I sent "Alan" this email:
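The header walk described above, written out as a small Python script. This is an added example and not part of the original post: it embeds the headers quoted above (a few headers the checks do not use are left out), walks the Received chain from the bottom, skips loopback and private-range hops to find the first public sending IP, reads the Received-SPF result that Google already stamped on the message, and flags a From line whose display name reads service@paypal.com while the real address is at inbox.com. The function names and the list of "internal" ranges are my own choices, not any library's.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Headers of the spoofed "PayPal" notice, copied from the post above.
# Headers the checks don't use (X-Gmail-Fetch-Info, MIME, X-IWM-ACU, ...) are omitted.
RAW_HEADERS = """\
Delivered-To: kevinslonka@gmail.com
Received: by 10.239.137.203 with SMTP id m11cs319458hbm; Fri, 28 Aug 2009 13:41:36 -0700 (PDT)
Received: by 10.216.88.195 with SMTP id a45mr308148wef.63.1251492095950; Fri, 28 Aug 2009 13:41:35 -0700 (PDT)
Received-SPF: softfail (google.com: best guess record for domain of transitioning paymentnotice@inbox.com does not designate 64.135.83.40 as permitted sender) client-ip=64.135.83.40;
Received: by 10.16.169.4 with POP3 id r4mf239349gve.29; Fri, 28 Aug 2009 13:41:35 -0700 (PDT)
Return-Path: <paymentnotice@inbox.com>
Received: (qmail 15233 invoked from network); 28 Aug 2009 20:31:14 -0000
Received: from unknown (HELO WM40.inbox.com) (64.135.83.40) by ns108.webmasters.com with SMTP; Fri, 28 Aug 2009 16:31:14 -0400
Received: from inbox.com (127.0.0.1:25) by inbox.com with [InBox.Com SMTP Server] id <908281231004.WM40> for <slonkak@kevinslonka.com> from <paymentnotice@inbox.com>; Fri, 28 Aug 2009 12:31:45 PM -0800
Date: Fri, 28 Aug 2009 12:31:45 -0800
From: "service@paypal.com" <paymentnotice@inbox.com>
Subject: ***NOTIFICATION OF AN INSTANT PAYMENT***
To: slonkak@kevinslonka.com
X-Originating-IP: 41.184.9.28

"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Loopback, RFC 1918 and link-local ranges (my choice): a hop "from" one of
# these is internal to whoever wrote the header and says nothing about origin.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def from_host_ip(received):
    """IP of the sending host in one Received: value, or None.
    Only the 'from ...' clause before ' by ' is inspected, so the receiving
    server's address and digits inside queue ids are never picked up."""
    m = re.match(r"\s*from\s+(.*?)\s+by\s", received, re.S)
    if not m:
        return None
    ips = IPV4.findall(m.group(1))
    return ips[0] if ips else None


def origin_hop(msg):
    """Walk Received: bottom-up (oldest hop first); return
    (first public sending IP, [internal IPs skipped on the way]).
    The skipped list is evidence too: this message starts with a 127.0.0.1
    hop, i.e. the sending system handed the mail to itself."""
    skipped = []
    for hop in reversed(msg.get_all("Received") or []):
        ip = from_host_ip(hop)
        if ip is None:
            continue
        if is_internal(ip):
            skipped.append(ip)
            continue
        return ip, skipped
    return None, skipped


def header_checks(raw):
    """The three checks a seller can do by hand on a 'payment received' email."""
    msg = message_from_string(raw)
    display, address = parseaddr(msg.get("From", ""))
    address_domain = address.rsplit("@", 1)[-1].lower()
    # The display name is free text; one that *looks* like an address at
    # another domain is exactly the trick used in this post.
    claimed = display.rsplit("@", 1)[-1].lower() if "@" in display else None
    spf_header = msg.get("Received-SPF")
    spf = spf_header.split(None, 1)[0].lower() if spf_header else None
    origin_ip, skipped = origin_hop(msg)
    return {
        "from_address_domain": address_domain,
        "display_name_claims": claimed,
        "display_mismatch": claimed is not None and claimed != address_domain,
        "spf_result": spf,
        "origin_ip": origin_ip,
        "internal_hops_skipped": skipped,
    }


def red_flags(raw):
    """Reasons to distrust the message; an empty list means none of the three fired."""
    r = header_checks(raw)
    flags = []
    if r["display_mismatch"]:
        flags.append("From display name claims %s but the address is at %s"
                     % (r["display_name_claims"], r["from_address_domain"]))
    if r["spf_result"] in ("softfail", "fail"):
        flags.append("SPF %s for the sending host" % r["spf_result"])
    if "127.0.0.1" in r["internal_hops_skipped"]:
        flags.append("bottom-most hop is loopback (127.0.0.1)")
    return flags


if __name__ == "__main__":
    print("first public hop:", header_checks(RAW_HEADERS)["origin_ip"])
    for flag in red_flags(RAW_HEADERS):
        print("-", flag)
```

Run as-is it reports 64.135.83.40 as the first public hop and all three flags for the headers above. The first public hop is the thing to compare against the claimed sender: for a genuine PayPal notification it should be a PayPal relay, not a webmail provider's server.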
Now that I am in front of a real computer, I checked out the "confirmation" that was sent and verified that you spoofed it. The email originated at: Received: from unknown (HELO WM40.inbox.com) (64.135.83.40) Not Paypal's email servers. Thanks for playing.  Go fuck yourself.
Here's the lesson. If I weren't a "computer guy" who understands how email works, I would have been fooled by this. Everything looked 100% legit. If you're dealing with selling an item through CraigsList to someone who is not local, be careful. If you have any thoughts that something might be wrong, find someone who knows what they're doing to examine the emails.

NOTE: Yes, the footer of the "confirmation" email telling me to get 5GB of email from inbox.com should have given it away that it was a scam, however I was on my phone at the time and didn't see that. If you get these emails on your computer, look at the entire message for odd things like this.


9 comments


2009-08-29 06:07:43


Rhuel says...
Good job not getting hosed. In addition to the "will" instead of "would", check out the wording at the bottom of the "PayPal" confirmation...completely scammer written. "It had been credit but won't be visible..." and "You can go ahead and finalize..." and "The money is unreversable..." PayPal doesn't use any of that verbiage...EVER. All dead giveaways, but calling Paypal and checking headers is proof to back up your suspicion.

2009-08-29 09:31:15


Dave Southard says...
I had the same thing happen to me through ebay. I received fake notifications from both ebay and paypal that the payment had been made, yet no payment showed up in my account, so I waited for a few days, until eventually the scammer got very pushy with me to ship the item. I then sent the e-mails to ebay and paypal's confirmation service (to make sure that they didn't actually originate there) and sure enough, they were fake. I then went through a long line of customer service agents before finally getting the user banned, but this is becoming a big problem. Almost every time I sell something on ebay, I'm confronted with at least one person who's pretending to be the buyer and have me ship the item to some strange address with a different person's name.

2009-08-31 09:26:51


Anonymous says...
From: "service@paypal.com" <paymentnotice@inbox.com>

Looks like a 'loophole' in:
http://gmailblog.blogspot.com/2008/07/fighting-phishing-with-ebay-and-paypal.html

Maybe it wouldn't have fooled:
http://gmailblog.blogspot.com/2009/07/new-in-labs-super-trustworthy-anti.html

LOL @ "APPROVED" for credition

2009-08-31 09:52:50


slonkak says...
Yeah, I guess the loophole in the first link is that only the display name is @paypal.com, the email is not, so it skips "verification".

I'll have to turn on the super authentication and see how that works.

2009-10-26 08:46:21


Nick says...
Craigslist is NOT for selling long distance; that is what Ebay is for. Only sell locally on Craigslist; everyone else is just a scammer.

2010-01-07 12:26:02


Todd says...
I just received an email from Alan requesting a quote on some parts on my online store. I do not know why but my scam bell went off, so I tried searching his company and email, which brought me to your blog. I was happy to see it.
I thought I would play with "Alan" and requested his company info. Here is what he sent me:
Company: GENERIC STORES INC

Company phone number and fax number
(208) 608-5004; NO FAX

Shipping address
5716 SITES DR.
BOISE, ID, 83705

So if anyone wants to call him, they can. I Google-mapped the address and it looks like a home in Boise.

2010-01-07 12:29:52


Todd says...
I just called his number and someone answered but the connection was bad. What is even funnier is that "Alan" sent an email shortly after that and said that our connection was bad. By his voice, he has a foreign accent.

Not sure what I am going to do next......

2010-01-07 13:01:34


slonkak says...
Todd, I'm glad my post was helpful. You did more than I was willing to do (calling him). I wish there were a way to report him and get him in trouble.

2010-01-25 22:29:07


Einstien says...
I love taking these scammers for a ride. When in doubt, always check the source or thread as to the source of the message. Also do a very good job of making sure that the original phished address AKA Paypal is really the correct domain and not some close approximation.

If you look close, you may also see where alan gets his addresses. He got mine from one of my clients' mail servers. Many of these fraudulent messages come from Windows computers that were compromised, big surprise.
