email domains

A friend has received two emails that we know are 419 scams, and the Fraud Squad has been informed. The question is: can one identify the country of origin with ones ending in, for example, .ie, .jp and .fr? The last, I've been told [.fr], is either France or Burkina Faso, West Africa, as it is or was under French rule and the language is French.
Is there a website that lists such email domains?

Greengrass
 
Greengrass,
The last letters of the email address indicate where the email server is based but not where the email originates from.
I live in Lancashire but have a Yahoo Canada email address which ends .ca

If you are using OE, right click the email header and select -> Properties -> Details, you can find its route from originator to you.
dave
 
How to find a location from email headers:

1. The domain is irrelevant, you can sign up for a free Yahoo (or others) account from anywhere.
2. Here is a typical scam:

Sahin Serhat Gurbuz
Kuwait Gulf Oil Company (K.G.O.C.)
P.O.Box 9919
61010 Ahmadi - Kuwait
C.R. 877

Good day to you.

This is to bring to your knowledge a business transaction that will be of mutual benefit to you and I. I am Sahin Serhat Gurbuz, I am an accountant at the Kuwait Gulf Oil Company(K.G.O.C.) in Kuwait. It was established February 10, 2002.I report directly to the Chairman of the company Ustaz Abdul Hadi Marzouk AL-Awad.

The chairman Ustaz Abdul Hadi Marzouk AL-Awad has a "dollar safe" which I have access to. I have secretely been able to package the sum of US$120Million as consignment via one of our diplomatic ship to a Finance/security firm for safekeeping.

I am presently in our London branch, hence this is the right time to have this done for me. I want you to assist me in handling this money as I am still in active duty.I want you to know that this is a top secrete and you should keep it to yourself.

Let me know if you will be able to handle this amount on my behalf and also let me know the taxation rate in your country.Please send me a response to let me know if you will be able to invest this money on my behalf in real estate in your country. You should send your full names,contact telephone number and contact address.

We will discuss the sharing modalities when I hear from you.
I will let you know more about this as soon as I hear from you.Once again keep this as a secrete whether you want to help me or not.
Regards,
Sahin Serhat Gurbuz,

The sender purports to be from Kuwait but is using a yahoo.com address.
Showing the headers (with my details removed) gives

Delivered-To: [email protected]
Received: by 10.78.142.16 with SMTP id p16cs216790hud;
    Fri, 16 Nov 2007 08:22:55 -0800 (PST)
Received: by 10.141.161.6 with SMTP id n6mr716783rvo.1195230174398;
    Fri, 16 Nov 2007 08:22:54 -0800 (PST)
Return-Path: <[email protected]>
Received: from n3b.bullet.mail.tp2.yahoo.com (n3b.bullet.mail.tp2.yahoo.com [203.188.202.110])
    by mx.google.com with SMTP id l27si800310rvb.2007.11.16.08.22.51;
    Fri, 16 Nov 2007 08:22:54 -0800 (PST)
Received-SPF: pass (google.com: domain of [email protected] designates 203.188.202.110 as permitted sender) client-ip=203.188.202.110;
DomainKey-Status: good (test mode)
Authentication-Results: mx.google.com; spf=pass (google.com: domain of [email protected] designates 203.188.202.110 as permitted sender) [email protected]; domainkeys=pass (test mode) [email protected]
Received: from [202.43.196.225] by n3.bullet.mail.tp2.yahoo.com with NNFMP; 16 Nov 2007 16:22:51 -0000
Received: from [68.142.230.29] by t2.bullet.tpe.yahoo.com with NNFMP; 16 Nov 2007 16:22:50 -0000
Received: from [66.196.97.133] by t2.bullet.re2.yahoo.com with NNFMP; 16 Nov 2007 16:22:50 -0000
Received: from [127.0.0.1] by omp106.mail.re3.yahoo.com with NNFMP; 16 Nov 2007 16:22:50 -0000
X-Yahoo-Newman-Property: ymail-5
X-Yahoo-Newman-Id: [email protected]
Received: (qmail 10613 invoked by uid 60001); 16 Nov 2007 16:22:50 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
    s=s1024; d=yahoo.com;
    h=X-YMail-OSG:Received:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID;
    b=JjYuI09+YTgfjhfXVX97OJ/sXOt+ICcjHebZuw7gmghwrnRSE2uoCg/BigwEoFeojv7XSXvE/4Ocz0aurPS8RSQFVPf8jnzy/kYIraK33mJFKZoEdOzbdA9ETRbVLtvsfcP6n8q
    LGDhJZETN6dr2P35ZCuHcwDz0xf+UIFcTuW4=;
X-YMail-OSG: yRZJTyQVM1kqkxYTkqJRkEwbJ3._xX06E3Fbhc3AxkNqvUfD69nkKfDlyfhZ4rGrm92U8ynikMZ6QRjbl3FtEsGNdOyfUOrZpv3NmHT_ksc_br84z0P9Lg--
Received: from [213.136.117.38] by web57416.mail.re1.yahoo.com via HTTP; Fri, 16 Nov 2007 08:22:50 PST
Date: Fri, 16 Nov 2007 08:22:50 -0800 (PST)
From: Mr Sahin Serhat <[email protected]>
Reply-To: [email protected]
Subject: Dear Respectful One
To: [email protected]
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-2078015075-1195230170=:10571"
Content-Transfer-Encoding: 8bit
Message-ID: <[email protected]>

--0-2078015075-1195230170=:10571
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

This line is the interesting one:
Received: from [213.136.117.38] by web57416.mail.re1.yahoo.com via HTTP; Fri, 16 Nov 2007 08:22:50 PST
as it tells us his originating IP - 213.136.117.38 - and also that he posted using HTTP so it was sent via a webmail interface.

If I now go to http://www.dnsstuff.com/ and look up the IP information, it gives me
IP address: 213.136.117.38
Reverse DNS: [No reverse DNS entry per ns-pri.ripe.net.]
Reverse DNS authenticity: [Unknown]
ASN: 29571
ASN Name: CITelecom-AS (Ci Telecom Autonomous system number)
IP range connectivity: 1
Registrar (per ASN): RIPE
Country (per IP registrar): CI [Cote D'Ivoire]
Country Currency: Unknown
Country IP Range: 213.136.96.0 to 213.136.127.255
Country fraud profile: Normal
City (per outside source): Unknown
Country (per outside source): CI [Cote D'Ivoire]
Private (internal) IP? No
IP address registrar: whois.ripe.net
Known Proxy? No
Link for WHOIS: 213.136.117.38

So our scammer is actually in the Ivory Coast. There's little point in reporting it to the police in the UK as they are well aware of these scams but unless the scammer is in the UK, there's nothing they can do.

There are people who "bait" these scammers in order to waste their time and prevent them from getting real victims, so I'd also advise against reporting the address to Yahoo and getting it busted, as it's only a minute's work for the scammer to open a new box and it could interfere with a bait.

If you want to see some baiting fun, have a look at http://www.419eater.com

Now, I must get on, there's a Nigerian barrister just itching for my attention :evil:
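
An added example, not part of the original post: a Python sketch of the header reading described above, which walks the Received chain and returns the address that the webmail front end recorded for the submitting client. The function names and the `provider_suffix` parameter are assumptions of this example, and the sample is constructed from the Received lines quoted in the post.

```python
import email
import ipaddress
import re

# Constructed sample: Received lines from the post, newest first, other headers dropped.
SAMPLE = """\
Received: by 10.78.142.16 with SMTP id p16cs216790hud;
\tFri, 16 Nov 2007 08:22:55 -0800 (PST)
Received: from n3b.bullet.mail.tp2.yahoo.com (n3b.bullet.mail.tp2.yahoo.com [203.188.202.110])
\tby mx.google.com with SMTP id l27si800310rvb.2007.11.16.08.22.51;
\tFri, 16 Nov 2007 08:22:54 -0800 (PST)
Received: from [202.43.196.225] by n3.bullet.mail.tp2.yahoo.com with NNFMP; 16 Nov 2007 16:22:51 -0000
Received: from [127.0.0.1] by omp106.mail.re3.yahoo.com with NNFMP; 16 Nov 2007 16:22:50 -0000
Received: (qmail 10613 invoked by uid 60001); 16 Nov 2007 16:22:50 -0000
Received: from [213.136.117.38] by web57416.mail.re1.yahoo.com via HTTP; Fri, 16 Nov 2007 08:22:50 PST
Subject: Dear Respectful One
"""

def parse_hops(raw):
    """Return relay hops, newest first, as dicts with keys ip, by, proto."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        text = " ".join(value.split())          # unfold continuation lines
        head, _, tail = text.partition(" by ")
        m_ip = re.search(r"\bfrom\b.*\[([0-9A-Fa-f:.]+)\]", head)
        if not m_ip or not tail:
            continue                            # local hand-off with no peer address
        m_proto = re.search(r"\b(?:via|with)\s+(\w+)", tail)
        hops.append({"ip": m_ip.group(1), "by": tail.split()[0].rstrip(";"),
                     "proto": m_proto.group(1).upper() if m_proto else None})
    return hops

def is_public(ip):
    """True for routable addresses; loopback, private ranges and junk are rejected."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False

def webmail_client_ip(raw, provider_suffix):
    """Address the provider's web front end stamped for the browser, or None."""
    for hop in parse_hops(raw):                 # newest first
        if (hop["proto"] == "HTTP" and hop["by"].endswith(provider_suffix)
                and is_public(hop["ip"])):
            return hop["ip"]
    return None

if __name__ == "__main__":
    print(parse_hops(SAMPLE), webmail_client_ip(SAMPLE, ".yahoo.com"))
```

Received lines written before the message reached a server you trust can be forged, so treat the result as reliable only when the message authenticates as coming from that provider, as the SPF and DomainKeys passes in the quoted headers indicate.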
 
Many thanks to all
 