419 scams ‘R’ us..

I’m a bit fragged today (up too late working on a school project with Daniel) so instead of something technical, I thought I’d share an email I just received…

FROM: Sgt. Mark Ed
Important Message
To President / Managing Director..

Good day,

My name is Mark Ed, I am an American soldier, I am serving in the military of the 1st Armoured Division in Iraq, As you know we are being attacked by insurgents everyday and car bombs.We managed to move funds belonging to Saddam Hussien’s family.

We want to move this money to you, so that you may invest it for us and keep our share for banking.We will take 50%, my partner and I. You take the other 50%. no strings attached, just help us moveit out of Iraq, Iraq is a warzone. We plan on using diplomatic courier and shipping the money out in one large silver box, using diplomatic immunity.

If you are interested I will send you the full details, my job is to find a good partner that we can trust and that will assist us. Can I !

trust you? When you receive this letter,kindly send me an e-mail signifying your interest including your most confidential telephone/fax numbers for quick communication also your contact details. This business is risk free. The box can be shipped out in 48hrs.


Sgt. Mark Ed

you can EMAIL ME AT.mark_ed_solder@<removed to protect  others>

Man, the nerve of some people.

Oh, and for the sake of completeness, here are the email headers (edited somewhat):

Microsoft Mail Internet Headers Version 2.0
Received: from mrson2427.com ([]) by
 df-imc-01.exchange.corp.microsoft.com with Microsoft SMTPSVC(6.0.3790.1289);
  Tue, 18 Jan 2005 09:58:00 -0800
From: “Sgt. Mark Ed” <mark_ed_solder@somewhere>
Reply-To: mark_ed_solder@somewhere
Date: Tue, 18 Jan 2005 21:58:00 +0400
Subject: FROM Sgt. Mark Ed
X-Priority: 1
X-Mailer: Microsoft Outlook Express 5.00.2919.6900 DM
MIME-Version: 1.0
Content-Type: text/plain; charset=”us-ascii”
Content-Transfer-Encoding: quoted-printable
Return-Path: mark_ed_solder@somewhere
Message-ID: <DF-IMC-015BBBVhyemY00002efb@df-imc-01.exchange.corp.microsoft.com>
X-OriginalArrivalTime: 18 Jan 2005 17:58:00.0704 (UTC) FILETIME=[3FDC7000:01C4FD87]

mrson2427.com isn’t registered, and the IP address is actually owned by Microsoft, which implies that the real originating ip address got lost somewhere in Exchange – I’ll have to follow up with the Exchange team to find out what happened to the rest of the headers.



Comments (22)

  1. Anonymous says:

    Looks like Nigerians got replaced by soldiers 🙂

  2. Anonymous says:

    Hey if you can talk to the folks on Exchnage here is a peeve I have with most mails systems:

    they trust the headers to be real!

    but spamers forge them to be bogus!

    the side effect is for example a server gets a spam finds that the target email box is not valid and sends out a message to postmaster that some address was not found …

    but it’s sending the delivery failure to a forged message to a mail server that never sent the messge !

    so I get a bunch of junk that is telling me about some spamers failuers…

    the thing is I can read the full headers on email of this kind and see that the recived and from and re-to are all jacked and can’t be trusted.

    so have mail servers do a basic check and if the headers do not pass some basic tests then don’t try and send messages to outside mail servers … just handle the spam.

  3. Anonymous says:

    Exchange trusts email headers like every other email system trusts the headers.

    What kind of header forgery is Exchange not detecting that other email systems detect?

  4. Anonymous says:

    Oh, and you can read the full headers on Exchange – if you’re using Outlook as your client, you do View/Options with the message open and the email headers are displayed.

    With other clients, there are other ways (OE uses View/Properties IIRC)

  5. Anonymous says:

    Duh, only Canadians and Europeans have "armoured" divisions!

  6. Anonymous says:

    You can only see headers on outside e-mail (as in delivered through SMTP). Not on local Exchange messages.

  7. Anonymous says:

    As always, when they say they’re Nigerian, these people are just pricks, but when they pretend to be US soldiers… OMG, the NERVE! How DARE they?

  8. Anonymous says:

    Jerry, that’s not the case post E2K. On the current set of Exchange machines, for some reason the firewall is cutting the list off at the firewall.

    I’m trying to figure out why..

  9. Anonymous says:

    Uh, my first guess would be that that message originated *inside* the firewall, on someone’s zombied machine. I’d hazard that Exchange isn’t configured to perform reverse DNS lookups, so Exchange SMTP is simply recording the HELO from the zombie client.

    That’s also why its Message-ID is @df-imc-01.exchange.corp.microsoft.com. The originating server writes the Message-ID.

  10. Anonymous says:

    My first thought, but it’s not true, the problem’s in the edge server connecting our internal exchange system and the outside world.

    You would be right normally though. In this case, my guess is that the machine came into the edge machine without a Message-ID, so the edge server rewrote the header to add a Message-ID header (which is why it’s the name of the edge server).

    Also, there are two other issues with the "zombied machine" theory: #1 – nobody could control the zombie, since it sits behind a LOT of firewalls, and #2 – a zombied machine on our corpnet would be caught REALLY quickly – we’ve got some fairly aggressive probes that run effectively nonstop on our corp network – infected machines don’t last much more than an hour or so (I’ve found this out the hard way in the past).

  11. Anonymous says:

    You have to see the extent that these people will do trick unsuspecting people out of their money. They make arrangments with people to come do to a certain country where they rob, kidnap and kill them. You guys have to check out http://www.419eater.com . The whole site is dedicated to duping the scammers by scam baiting them and making them do rediculous/hilarious things, even scamming the Scammers for money and donating it to charity. There are some funny stories on that site.

  12. Anonymous says:

    I just hope it is no joke, If it isn’t then

    this is another example of the scum that are robbing oxygen from decent people in this world.

  13. Anonymous says:

    I bet this scam will be a ‘winner’, since it plays to people’s greed, PLUS it’s not wrong (hey, we’re stealing from Saddam!), and it helps a soldier. If people are still falling for Nigerian ones, they’ll go head over heels for this one…

  14. Anonymous says:

    Is a firewall machine and the Exchange server believed that the mail came from (instead of through) the firewall? If so then reconfigure the firewall to forward the actual IP address of the outside peer instead of replacing it by the firewall’s own IP address.

    Otherwise, is the spammer.

    By the way a long time ago I received few enough spams that I could report things like this to the administrators of domains used by spammers, for example the administrators of the domain name that you replaced by "somewhere". Responsible administrators would kill the e-mail address and maybe contact law enforcement. Spam administrators would help their spammers continue. Of course networks administered by spam administrators need to be added to blacklists — unfortunately operators such as RBL didn’t understand that and they told me to blacklist myself instead. Anyway I no longer have time for that stuff.

  15. Anonymous says:

    Norman, is the IP address of one of the edge servers, we understand how the Received: headers got set to the way they were, we just don’t understand why (since it removes diagnosability of routing issues).

    I’m still talking to the Exchange people about it.

  16. Anonymous says:

    Denny: Isn’t that the point of SPF (Sender Policy Framework), so that the receiving server can query the DNS of the sending domain and get a list of servers that are allowed to send mail for that domain?

  17. Anonymous says:

    What about telneting to port 25 and running raw SMTP commands? They have a way of fudging headers and making it impossible to figure out at times (through my own weird testing). Since MX machines typically allow access from anywhere, it’s quite possible the user made a direct connection to it. It’s unlikely since HELO usually returns their IP address but they may have telneted to another box that routed the message.

    MX machines only accepting mail from other MX records would be the more ideal solution, eliminating mail from non-existent domains. That means everyone would have to use ISP email or something but for the most part it would curb a lot of this crap (while pissing off a lot more). SMTP is a pretty old spec that could use a renovation or 50. I know it’s extremely difficult since so much relies on it but it’s starting to be more trouble than email is worth. When personal email addresses get more spam than regular email I usually find other alternatives and that’s just plain sad.

    Good luck finding the culprit. Gonna be a toughie.


  18. Anonymous says:

    Jeremy, it’s actually easy to find the culpret – we look at the IIS logs on our edge servers and find the message.

    What I’m trying to do is to understand why the Exchange team stripped off this useful diagnostic data – Exchange up to 2000 provided it.

  19. Anonymous says:

    Btw, we figured this one out. The outmost facing Exchange server wasn’t directly on the internet (for a variety of reasons, none of which had anything to do with the suitability of Exchange as an edge server), but was instead was sitting behind an ISA firewall proxy in firewall mode. As a result, the SMTP traffic came into the ISA server, which redirected it to the Exchange server, which correctly logged the incoming IP address as being the IP address of the ISA server, and not the IP address of the originator of the email.

    Our IT admins are working to fix this configuration issue.