by Faizan Docherty
Thu Aug 22, 2013 1:54 pm
Here is a typical leave scam in a 419 advance fee format. These emails are between a recent victim and the scammer. The "military" is claiming that it will cost to go on leave (vacation), but the charges will be refunded later. Something that should go off like a loud siren is the AOL.COM part of the email. THE US GOVERNMENT DOES NOT USE AOL FOR THEIR OFFICIAL OR UNOFFICIAL COMMUNICATIONS! You can read a more in-depth look at this at this thread: http://www.scamwarners.com/forum/viewtopic.php?f=13&t=6527
And a pitiful excuse as to why is cost so much to "BUY" a vacation for a military member is this follow-up email:
And another follow-up email to suck the victim in even more:
And yet another follow-up email to reinforce the scam:
And what ALWAYS ends up happening is an email from the victim to the scammer like this one.....
ipTRACKERonline.com wrote:Header Analysis Quick Report
Originating IP: 64.12.183.108
Originating ISP: America Online
City: n/a
Country of Origin: United States
* For a complete report on this email header goto ipTRACKERonline
X-Apparently-To: <snipped> via 98.138.211.179; Tue, 23 Oct 2012 02:04:52 -0700
Return-Path: <[email protected]>
Received-SPF: pass (domain of aol.com designates 205.188.91.96 as permitted sender)
X-YMailISG: <snipped>
X-Originating-IP: [205.188.91.96]
Authentication-Results: mta1499.mail.mud.yahoo.com from=aol.com; domainkeys=neutral (no sig); from=mx.aol.com; dkim=pass (ok)
Received: from 127.0.0.1 (EHLO imr-db02.mx.aol.com) (205.188.91.96)
by mta1499.mail.mud.yahoo.com with SMTP; Tue, 23 Oct 2012 02:04:51 -0700
Received: from mtaomg-db02.r1000.mx.aol.com (mtaomg-db02.r1000.mx.aol.com [172.29.51.200])
by imr-db02.mx.aol.com (Outbound Mail Relay) with ESMTP id CF9BF1C0000B6
for <snipped>; Tue, 23 Oct 2012 05:04:50 -0400 (EDT)
Received: from core-dnb005b.r1000.mail.aol.com (core-dnb005.r1000.mail.aol.com [172.29.214.17])
by mtaomg-db02.r1000.mx.aol.com (OMAG/Core Interface) with ESMTP id 7C43FE000082
for <snipped>; Tue, 23 Oct 2012 05:04:50 -0400 (EDT)
References: <[email protected]>
To: <snipped>
Subject: Leave Details
In-Reply-To: <[email protected]>
X-MB-Message-Source: WebUI
MIME-Version: 1.0
From: [email protected]
X-MB-Message-Type: User
Content-Type: multipart/mixed;
boundary="--------MB_8CF7F1497595486_17B0_B3B4E_webmail-m025.sysops.aol.com"
X-Mailer: AOL Webmail 37105-STANDARD
Received: from 208.53.159.109 by webmail-m025.sysops.aol.com (64.12.183.108) with HTTP (WebMailUI); Tue, 23 Oct 2012 05:04:49 -0400
Message-Id: <[email protected]>
X-Originating-IP: [208.53.159.109]
Date: Tue, 23 Oct 2012 05:04:50 -0400 (EDT)
x-aol-global-disposition: G
X-AOL-VSS-INFO: 5400.1158/84979
X-AOL-VSS-CODE: clean
DKIM-Signature: <snipped>
X-AOL-SCOLL-SCORE: 0:2:329124800:93952408
X-AOL-SCOLL-URL_COUNT: 0
x-aol-sid: 3039ac1d33c850865db213d3
Content-Length: 865706
Headquarters
Department of the Army
Washington, D.C. 20314-1000
JACOB JACK LEW
General, United States Army chief of staff
Hello <snipped>
We got your request for the private leave of your husband Captain Philip Robert who left Kabul Afghanistan to Libya on a spacial mission, we have looked in our record to see that your husband can now go for a six months leave as you have applied for him and ready to pay for his flight fee and other expenses and you will definitely be reimbursted as the officer applied for refundable expenses while in service before his deployment. The R&R Program will not pay for the traveler to fly from the APOD to the commercial airport nearest to the approved leave address and back. Any movement by ground transportation will also be paid for by the traveler. Currently designated APODS are Frankfurt (R Hein Main Air Base), Hartsfield International Airport,Orlando International Airport (MCO), Atlanta, DFW in Dallas, Ft. Worth, San Diego-Lindbergh Field Airport, Elmendorf Air Force Base in Anchorage, AK and Wheeler-Sack Army Airfield in Fort Drum NY.
Moreover, we have looked into the records of the troopers in his unit and realize that Captain Philip Robert is entitled to an R&R leave been on a 6-month order and considering operational requirements. You can get back to us if you are ready to take charge of the cost of flight and everything this will cost as the troops has no access to their funds here. In addition, the fee spend on the Leave will definitely be reimbursted as the officer applied for refundable expenses while in service before his deployment. We will send you the list of the information you need to provide afterward and we have attached the leave request form containing the cost of the fees including the flight and admin charges. In addition, you don’t need to make flight arrangements cause we will put everything in place. You can plan the R&R Leave for any time from a week before the date of take off as you already have the leave approval.
Thanks for your anticipated co-operation and congratulations in advance on the approval of the partner's leave
Yours faithfully,
Processing officer,
Col. Smith Army Str-ong .
And a pitiful excuse as to why is cost so much to "BUY" a vacation for a military member is this follow-up email:
ipTRACKERonline.com wrote:Header Analysis Quick Report
Originating IP: 205.188.91.209
Originating ISP: America Online
City: n/a
Country of Origin: United States
* For a complete report on this email header goto ipTRACKERonline
X-Apparently-To: <snipped> via 98.138.211.178; Sat, 27 Oct 2012 11:37:02 -0700
Return-Path: <[email protected]>
Received-SPF: pass (domain of aol.com designates 205.188.105.147 as permitted sender)
X-YMailISG: <snipped>
X-Originating-IP: [205.188.105.147]
Authentication-Results: mta1306.mail.gq1.yahoo.com from=aol.com; domainkeys=neutral (no sig); from=mx.aol.com; dkim=pass (ok)
Received: from 127.0.0.1 (EHLO imr-da05.mx.aol.com) (205.188.105.147)
by mta1306.mail.gq1.yahoo.com with SMTP; Sat, 27 Oct 2012 11:37:01 -0700
Received: from mtaomg-da02.r1000.mx.aol.com (mtaomg-da02.r1000.mx.aol.com [172.29.51.138])
by imr-da05.mx.aol.com (8.14.1/8.14.1) with ESMTP id q9RIaxX4023590
for <snipped>; Sat, 27 Oct 2012 14:36:59 -0400
Received: from core-dnb005b.r1000.mail.aol.com (core-dnb005.r1000.mail.aol.com [172.29.214.17])
by mtaomg-da02.r1000.mx.aol.com (OMAG/Core Interface) with ESMTP id 388DDE000088
for <snipped>; Sat, 27 Oct 2012 14:36:59 -0400 (EDT)
References: <50884298.000060.07776@PC>
To: <snipped>
Subject: Leave Request
In-Reply-To: <50884298.000060.07776@PC>
X-MB-Message-Source: WebUI
MIME-Version: 1.0
From: [email protected]
X-MB-Message-Type: User
Content-Type: multipart/alternative;
boundary="--------MB_8CF82892EBC740E_209C_F1BD4_webmail-d060.sysops.aol.com"
X-Mailer: AOL Webmail 37105-STANDARD
Received: from 63.141.230.54 by webmail-d060.sysops.aol.com (205.188.91.209) with HTTP (WebMailUI); Sat, 27 Oct 2012 14:36:58 -0400
Message-Id: <[email protected]>
X-Originating-IP: [63.141.230.54]
Date: Sat, 27 Oct 2012 14:36:59 -0400 (EDT)
x-aol-global-disposition: G
DKIM-Signature: <snipped>
X-AOL-SCOLL-SCORE: 0:2:347905184:93952408
X-AOL-SCOLL-URL_COUNT: 0
x-aol-sid: 3039ac1d338a508c29cb28ac
Content-Length: 14348
Department of the Army
Washington, D.C. 20314-1000
JACOB JACK LEW
General, United States Army
chief of staff
Hello <snipped>
We have been waiting for your reply and need you to fill out the form the department sent to you. We are about to terminate your husband's Leave Request due to the last letter you sent to the department about if this was a scam .....I want you to know this Leave department Section 1 is not a general address for all Officers , its for Senior Officers who are on Special Mission. Capt Philip Robert is an active and disciplined Officer , is a good material for the US Army Command.For you to request for his leave will cost us so much because we need a good and competent Officer like him to take is Job up as soon as possible ......
You should also be informed that all Leave request will be closed on the 3rd of November 2012, so you are advice to take a quick action because all application closes 3rd of November 2012 .......
We also need your Information (Name , Address , Date of birth , Occupation ) . You need to fill out the MoneyBack form as follow....
Thanks for your anticipated co-operation and congratulations in advance on the approval of the partner's leave
Yours faithfully,
Processing officer,
Col.Steve Smith, Army Str-ong
General, United States Army
chief of staff
And another follow-up email to suck the victim in even more:
ipTRACKERonline.com wrote:Header Analysis Quick Report
Originating IP: 64.12.101.82
Originating ISP: America Online
City: n/a
Country of Origin: United States
* For a complete report on this email header goto ipTRACKERonline
X-Apparently-To: <snipped> via 98.138.211.179; Tue, 30 Oct 2012 02:08:06 -0700
Return-Path: <[email protected]>
Received-SPF: pass (domain of aol.com designates 64.12.206.40 as permitted sender)
X-YMailISG: <snipped>
X-Originating-IP: [64.12.206.40]
Authentication-Results: mta1253.mail.sk1.yahoo.com from=aol.com; domainkeys=neutral (no sig); from=mx.aol.com; dkim=pass (ok)
Received: from 127.0.0.1 (EHLO imr-ma02.mx.aol.com) (64.12.206.40)
by mta1253.mail.sk1.yahoo.com with SMTP; Tue, 30 Oct 2012 02:08:06 -0700
Received: from mtaomg-db02.r1000.mx.aol.com (mtaomg-db02.r1000.mx.aol.com [172.29.51.200])
by imr-ma02.mx.aol.com (Outbound Mail Relay) with ESMTP id D23051C00009D
for <snipped>; Tue, 30 Oct 2012 05:08:05 -0400 (EDT)
Received: from core-dnb005b.r1000.mail.aol.com (core-dnb005.r1000.mail.aol.com [172.29.214.17])
by mtaomg-db02.r1000.mx.aol.com (OMAG/Core Interface) with ESMTP id 9379AE000081
for <snipped>; Tue, 30 Oct 2012 05:08:05 -0400 (EDT)
References: <508EE884.00019F.04808@PC>
To: <snipped>
Subject: Re: capt.Philip Robert
In-Reply-To: <508EE884.00019F.04808@PC>
X-MB-Message-Source: WebUI
MIME-Version: 1.0
From: [email protected]
X-MB-Message-Type: User
Content-Type: multipart/alternative;
boundary="--------MB_8CF849534A5375D_1CAC_16031B_webmail-m050.sysops.aol.com"
X-Mailer: AOL Webmail 37105-STANDARD
Received: from 108.62.51.33 by webmail-m050.sysops.aol.com (64.12.101.82) with HTTP (WebMailUI); Tue, 30 Oct 2012 05:08:05 -0400
Message-Id: <[email protected]>
X-Originating-IP: [108.62.51.33]
Date: Tue, 30 Oct 2012 05:08:05 -0400 (EDT)
x-aol-global-disposition: G
DKIM-Signature: <snipped>
X-AOL-SCOLL-SCORE: 0:2:388494144:93952408
X-AOL-SCOLL-URL_COUNT: 0
x-aol-sid: 3039ac1d33c8508f98f560a6
Content-Length: 2745
Hello <snipped> ..
Good to read from you again .....Am ready to help because Capt Philip Robert and i have a good relationship and He explain some things to me consigning you relationship .Like i said , So many people have requested for the leave and we have just few to grant and i will be happy if he succeeded with the leave permit.... I explain how he can make this processing fast .I think it will be better if you send the money directly to him (Capt Philip Robert) and he will get it to me so i can monitor the processing myself ......
Am doing this because of the relationship i have with him so please try and make this between me , you and Him so things can work out ....
Col Steve Smith
And yet another follow-up email to reinforce the scam:
ipTRACKERonline.com wrote:Header Analysis Quick Report
Originating IP: 205.188.58.129
Originating ISP: America Online
City: n/a
Country of Origin: United States
* For a complete report on this email header goto ipTRACKERonline
X-Apparently-To: <snipped> via 98.138.211.181; Thu, 01 Nov 2012 03:56:33 -0700
Return-Path: <[email protected]>
Received-SPF: pass (domain of aol.com designates 205.188.91.95 as permitted sender)
X-YMailISG: <snipped>
X-Originating-IP: [205.188.91.95]
Authentication-Results: mta1426.mail.mud.yahoo.com from=aol.com; domainkeys=neutral (no sig); from=mx.aol.com; dkim=pass (ok)
Received: from 127.0.0.1 (EHLO imr-db01.mx.aol.com) (205.188.91.95)
by mta1426.mail.mud.yahoo.com with SMTP; Thu, 01 Nov 2012 03:56:32 -0700
Received: from mtaomg-db02.r1000.mx.aol.com (mtaomg-db02.r1000.mx.aol.com [172.29.51.200])
by imr-db01.mx.aol.com (Outbound Mail Relay) with ESMTP id 0C2963800021A
for <snipped>; Thu, 1 Nov 2012 06:56:32 -0400 (EDT)
Received: from core-dnb005b.r1000.mail.aol.com (core-dnb005.r1000.mail.aol.com [172.29.214.17])
by mtaomg-db02.r1000.mx.aol.com (OMAG/Core Interface) with ESMTP id DE56AE000081
for <snipped>; Thu, 1 Nov 2012 06:56:31 -0400 (EDT)
References: <509212DB.00009F.05608@PC>
To: <snipped>
Subject: Re: Capt.PhilipRobert Leave
In-Reply-To: <509212DB.00009F.05608@PC>
X-MB-Message-Source: WebUI
MIME-Version: 1.0
From: [email protected]
X-MB-Message-Type: User
Content-Type: multipart/alternative;
boundary="--------MB_8CF8636AFBF2477_1A50_15F307_webmail-d149.sysops.aol.com"
X-Mailer: AOL Webmail 37105-STANDARD
Received: from 108.62.51.248 by webmail-d149.sysops.aol.com (205.188.58.129) with HTTP (WebMailUI); Thu, 01 Nov 2012 06:56:31 -0400
Message-Id: <[email protected]>
X-Originating-IP: [108.62.51.248]
Date: Thu, 1 Nov 2012 06:56:31 -0400 (EDT)
x-aol-global-disposition: G
DKIM-Signature: <snipped>
X-AOL-SCOLL-SCORE: 0:2:303924960:93952408
X-AOL-SCOLL-URL_COUNT: 0
x-aol-sid: 3039ac1d33c85092555f5fd5
Content-Length: 2206
Hello <snipped>
I got all the information , and the processing will commence immediately you make the payment .....You may not need to mail the department anymore .....You can drop all payment details with Capt Philip Robert and he will get to me and i will work on the leave ....I promise never to fail you Madam .....
Col Steve Smith
And what ALWAYS ends up happening is an email from the victim to the scammer like this one.....
Dear COL Steve Smith,
I don't know whats is going on but I didn't get my husband. And I don't understand why? But if u are not going to send him to me than I want my money back. Cause I need it back. So can u please help me get it back !!! But if u are going to send me my husband than please do fast I need him home with me. Please!!!!
<snipped>
Please DO NOT tell a scammer that he has been posted here!
If you wish you can email me at
faizandocherty @ scamwarners [dot] com
How do I find email headers???
How to analyze an email header.
If you wish you can email me at
faizandocherty @ scamwarners [dot] com
How do I find email headers???
How to analyze an email header.
