Scammers replying to ads posted on motoseller.com

I received another scam email via motoseller.com. Although the email headers are not useful because the message is relayed through motoseller, information is given in the message to let the receiver discover that this is a scam. The IP address of the "buyer" provided by motoseller.com resolves to Nigeria.

The email address that the lad uses is: bbob1960@gmail.com
The phone number given is also used by a "make cash fast" scam.

If I had replied, I am fairly certain that I would have received a spoofed email from "paypal" that funds had been transfered to my account (which I don't have). I would assume that some kind of "overpayment" would have been involved, and I would be asked to send the extra amount back via WU or MG.

Here is the core of the email. I removed the link that identifies me.

===========================================================
BUYERS COMMENTS
===========================================================

Hello, i want to know if you really want to sell this car as am interested in buying it outrightly.how much are going to be offering for the Car I will be paying with my credit card via my paypal account.so please do reply me asap with your paypal account(paypal e-mail address) including your phone #, so i can effect payment to you rightaway and do get back to me so we can arrange for pick up as i will like the Car to be picked,so no shipping included I await your reply, so that we can discuss more on this.

Name:Bob Phone:801 454 0005

===========================================================
Click on the link below to view your ad details:

===========================================================
NOTE: Sell safely! These links will show you what country the enquiry originated from or the ISP being used.
http://whois.domaintools.com/196.3.183.72 (ISP)
http://aruljohn.com/track.pl?host=196.3.183.72 (Users Location)
Buyers IP Address: 196.3.183.72 | en-gb,en;q=0.5
Buyers ISP: 196.3.183.72

Thank You for posting this information carseller.

It will alert and save others from falling for scams like this. Well Done

I received yet another scam email via motoseller.com. Again, the email headers are not useful because the message is relayed through motoseller. I searched for the message text in google and the first two links that popped up contained the same text, word for word, in a warning that this was a scam.

This one is a little different than the others I have reported here. I recognize '44' as the U.K. country code (I used to live there). I know that '70' is a redirect number (probably out of the country). However, the ISP and Users Location resolve to the U.S., specifically Houston, Texas. Is the lad using a proxy to appear to be somewhere else? Or is this lad really in Texas?

Here is the body of the message with the link to my ad removed:

===========================================================
BUYERS COMMENTS
===========================================================

Just viewed listing and will like to purchase it .
plz email me the full condition.


FRED!!!!!!!!!!!!!

Name:fred wayse
Phone: 447024014619

===========================================================
Click on the link below to view your ad details:

===========================================================
NOTE: Sell safely! These links will show you what country the enquiry originated from or the ISP being used.
http://whois.domaintools.com/70.84.84.48 (ISP)
http://aruljohn.com/track.pl?host=70.84.84.48 (Users Location)
Buyers IP Address: 70.84.84.48 | en-us,en;q=0.5
Buyers ISP: 30.54.5446.static.theplanet.com

Hi Carseller.

Thank you once again for posting, on teh phone number you are completely right, 4470 numbers are Uk redirect numbers which are used extensively by African scammers so they can appear to be in the UK.

On the IP, there are a number of reasons for the IP to resolve to Houston, the most likely being a manipulated IP, depending on teh scammers email provider it may also be the IP of his email provider or the IP of the website the email came through.

Oops, I forgot to include the email address that the scammer was using.

fredwayse@gmail.com

Now, about the IP address. It does not matter what email provider they are using since motoseller.com uses a web form. So, if the lad is in Africa, they would have to use an HTTP proxy to spoof their location. I didn't think they were that smart. I just found it odd that they would spoof the phone number to make me think they were in the U.K. and spoof their IP to make me think they were in the U.S. It is doubly funny to me, since I am in neither of those countries.

We are seeing more and more scammers who do know how to manipulate their IP, many Russian scammers have known for years and teh Africans are catching on.

I should also point out that emails sent though gmail will always display as being from the US

Here's another scam email via motoseller.com. Again, the email headers are not useful because the message is relayed through motoseller. All the standard mistakes are there, with a few things that should make a North American resident laugh. Oddly enough, the IP resolves to a cable modem user in Markham, Ontario. I wonder if they know they are running an HTTP proxy.

The email address used by the lad is: tevnash@gmail.com
The phone number is an obvious fake.

Here is the body of the message with the link to my ad removed:

===========================================================
BUYERS COMMENTS
===========================================================

I will like to get more information regarding to your item for sells. Please get back to me with the best offer and the pictures of the item and information to it.

I wish to hear from you as soon as possible.

Best Regards
Steve

Name:Steve Nash
Phone:6051552528

===========================================================
Click on the link below to view your ad details:

===========================================================
NOTE: Sell safely! These links will show you what country the enquiry originated from or the ISP being used.
http://whois.domaintools.com/99.247.33.107 (ISP)
http://aruljohn.com/track.pl?host=99.247.33.107 (Users Location)
Buyers IP Address: 99.247.33.107 | en-US,en;q=0.8
Buyers ISP: CPE00096b3afd4d-CM00140456a628.cpe.net.cable.rogers.com

Here's another scam email via motoseller.com. Although I received four (4) copies of the scam email for 4 very different vehicles (making it REALLY obvious that it was a scam), the text was identical. As usual, the email headers are not useful because the message is relayed through motoseller. All the standard mistakes are there. The IP resolves to the U.K., but the phone number is Nigerian.

The email address used by the lad is: david_mark300046@yahoo.com

Here is the body of the messages with the link to my ad removed:

Hello How are you doing today?i will like to know if you are the owner of the items place for sale on the website.I will like to know the present condition and the final price you are selling it and and send me some pictures.Get back to me so that we can proceed.
Best regards

Name:david mark
Phone:2347025291652

===========================================================
Click on the link below to view your ad details:

===========================================================
NOTE: Sell safely! These links will show you what country the enquiry originated from or the ISP being used.
http://whois.domaintools.com/83.138.172.72 (ISP)
http://aruljohn.com/track.pl?host=83.138.172.72 (Users Location)
Buyers IP Address: 83.138.172.72 | en-us,en;q=0.5
Buyers ISP: vanadium.onspeed.com

Here's another scam email via motoseller.com. As usual, the email headers are not useful because the message is relayed through motoseller. All the standard mistakes are there, plus a few humourous extras. The IP resolves to Krasnoyarsk, Russia. This is my first vlad.

The email address used by the lad is: natejose@yahoo.com

Here is the body of the message with the link to my ad removed:

===========================================================
BUYERS COMMENTS
===========================================================

I am Alice McQuaide,I saw the ad you placed on eBay in which you stated that you have this vehicle for sale,I have been looking for this type of vehicle for so long Please kindly get back to me if it's still unsold, I would also like to know your price,I am willing to pay what is good for you as am new to buying stuffs online.I would have loved to have a proper look and test drive,but I'm now off for work on the east coast of Brisbane(Australia) sailing,(i am an oceanographer),my method of payment for the item will be through my
PayPal,because that is the only method of payment i have access to here on sea, about the pick-up I think you do not have to bother yourself, i have contacted my pickup company,they will be the ones to come for the pickup at your desired pickup location after I might have sent in the funds into your PayPal.kindly get back to me with a
request for payment from your PayPal to send money as soon as possible.kindly send some pictures of it and remove the advert.

Name:Alice McQuaide

===========================================================
Click on the link below to view your ad details:

===========================================================
NOTE: Sell safely! These links will show you what country the enquiry originated from or the ISP being used.
http://whois.domaintools.com/94.73.203.233 (ISP)
http://aruljohn.com/track.pl?host=94.73.203.233 (Users Location)
Buyers IP Address: 94.73.203.233 | en-us,en;q=0.5
Buyers ISP: 233.203.73.94.ip.orionnet.ru

Thank you for posting, carseller! As you said, it is a definite scam.

The only thing that is unusual is the IP you got. I'm wondering if it is a proxy, as the type of mistakes in the writing are clearly African, not Russian.

For the benefit of anybody who doesn't know, "vlad" is a term used by those who deal with internet scammers for "Russian Scammer".

I agree with Dotti, the scam format and the writing is typical of an African, it is possible that a Russian has used an African's format to try his hand at this type of scam but I think that would be highly unlikely..

@Carseller,
Could you please take another look at that header where there is a good chance you would find either one of the following;

NNFMP

IN SOME CASES Yahoo use a special protocol "NNFMP" to denote sender MAY be in a list of known scammers, or is using special software to hide their own IP address and details.

or
The Bat

If you find NNFMP it will be a good indication that the IP has been manipulated using an IP address known to have been used by scammers.

If you find "The Bat" it will be almost certain that it's a Russian your dealing with

@Ralph,

As I mention in the warnings, the email headers do not provide any information. The lad just fills in a form on the motoseller.com website. The email that I get always originates from Vancouver. Motoseller.com is the only advertising website that I use that is kind enough to provide the IP address of the interested party. I wish others would follow their example.

@Dotti,

If it isn't a vlad, then perhaps it is a lad using TOR or, as you wrote, some other proxy.

Thanks Carseller,

I have an idea that may just get me a location, I will report back any findings.

Edit
That would only have been possible if his email address was still working.

No doubt this same scammer is now operating with a different email address

Here's another scam email via motoseller.com. As usual, the email headers are not useful because the message is relayed through motoseller.

Although this message was shorter than the standard, over explained scam attempts, it still seemed suspicious (foreign IP, references to "this item"). Since I thought there might be a <1% chance that it was legitimate, I replied with a short message that just said "Still available." The follow up message was standard script #2, removing all doubt. The IP resolves to Carrollton, Texas, US.

The email address used by the lad is: binta.luke@gmail.com

Here is the body of the message with the link to my ad removed:

===========================================================
BUYERS COMMENTS
===========================================================

Hope this item still available for sale and how about the condition of this item

Name:Luke Binta

===========================================================
Click on the link below to view your ad details:

===========================================================
NOTE: Sell safely! These links will show you what country the enquiry originated from or the ISP being used.
http://whois.domaintools.com/67.222.157.10 (ISP)
http://aruljohn.com/track.pl?host=67.222.157.10 (Users Location)
Buyers IP Address: 67.222.157.10 | en-us
Buyers ISP: .

Here is the second message:

Thanks for your email, and i will like to know how much are you
selling the item last price , let me know if you accept my offer,I do
have a shipper that will come for the pickup once you have provide me
your PayPal email address, it will use for sending the funds to your
paypal account.so please get back to me with these information or send
me money request through your paypal account so that i can send you
the money to your paypal account okay....

1: Your PayPal Email ID.....

2:Your Phone Number......

3: Your item price:...............

Regards


--
your item still up for sale and how about the condition of the item

As the second message comes via gmail, there still is no useful information in the headers.

Delivered-To: me
Received: by 10.220.76.3 with SMTP id a3cs52150vck;
Mon, 21 Jun 2010 07:54:27 -0700 (PDT)
Received: by 10.101.105.2 with SMTP id h2mr3741937anm.83.1277132067341;
Mon, 21 Jun 2010 07:54:27 -0700 (PDT)
Return-Path: <binta.luke@gmail.com>
Received: from mail-gx0-f194.google.com (mail-gx0-f194.google.com [209.85.161.194])
by mx.google.com with ESMTP id a5si22957934anj.47.2010.06.21.07.54.26;
Mon, 21 Jun 2010 07:54:26 -0700 (PDT)
Received-SPF: pass (google.com: domain of binta.luke@gmail.com designates 209.85.161.194 as permitted sender) client-ip=209.85.161.194;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of binta.luke@gmail.com designates 209.85.161.194 as permitted sender) smtp.mail=binta.luke@gmail.com; dkim=pass (test mode) header.i=@gmail.com
Received: by gxk25 with SMTP id 25so354673gxk.1
for me; Mon, 21 Jun 2010 07:54:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=gamma;
h=domainkey-signature:received-spf:received:dkim-signature
:domainkey-signature:mime-version:received:received:in-reply-to
:references:date:message-id:subject:from:to:content-type;
bh=a5dbQ207BWnAXqOvps2xnzm7UmIj4FU7zsOTdfHZxLw=;
b=BXT2ln09k1tIHtUiRdc/mddo0H2GRJpONaU2U0i5cU+2r6t6jppjTVKQB+pv/ypTqr
FUXufqCmXFkbM4R5NAD2LvTUp2lpo3/SzGcTVNLyoy/j5wijHYwiv7Th5bg0JiVGTs8j
yVsbj5RvlYmsRyXafM9ZbsKk5/61Wl61z23AM=
DomainKey-Signature: a=rsa-sha1; c=nofws;
d=gmail.com; s=gamma;
h=received-spf:authentication-results:dkim-signature
:domainkey-signature:mime-version:in-reply-to:references:date
:message-id:subject:from:to:content-type;
b=q6qU0hqsgqwldH+8Y8aOb4QgnwgRBgsFNIGbqD+ZfuVOq53IzXdJAse+u72IleApu8
RaX9th1vInvveVWyjtRsreEdIvwHt3S85FkAcv0KPJ84d893YlJkBas7DJ7K5SkZbfDH
k/r3p13AuwNrc8xxBs8YbBv/KsTK9Zua+sxsc=
Return-Path: <binta.luke@gmail.com>
Received-SPF: pass (google.com: domain of binta.luke@gmail.com designates 10.90.204.20 as permitted sender) client-ip=10.90.204.20;
Received: from mr.google.com ([10.90.204.20])
by 10.90.204.20 with SMTP id b20mr2992061agg.13.1277132065992 (num_hops = 1);
Mon, 21 Jun 2010 07:54:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=gamma;
h=domainkey-signature:mime-version:received:received:in-reply-to
:references:date:message-id:subject:from:to:content-type;
bh=a5dbQ207BWnAXqOvps2xnzm7UmIj4FU7zsOTdfHZxLw=;
b=NX3OYxVCWLKd/PxeZZh/ADZwL0pBglS1W8G9zMGh7GH5Gi0RplHE7+9epmoqCjKtks
uVYQF72REyifdCLoBYDftH6XGdE3BtgTSr9fGTauRdYbSQQGjxXzRSMIJHQuja2itlDR
qPxf/njbL0J3P5weuy8quuwtN0ouZE72zyiCg=
DomainKey-Signature: a=rsa-sha1; c=nofws;
d=gmail.com; s=gamma;
h=mime-version:in-reply-to:references:date:message-id:subject:from:to
:content-type;
b=ezp2Raztl51WkC3Xu8s3hlwZNSmhvTiflSXjK3aLDY6uchMutOR1ZzlnQcYl5UI5pJ
s4mLlW2RnyPZ6PDVB3Q36LVNg10l9+4U4OA6dQ9sfFy9s4X5C2RjktvxqTrjAa/OwT8/
csHGYKMCCZNZSiETsMRlKUkXyNahuG5jAJZbs=
MIME-Version: 1.0
Received: by 10.90.204.20 with SMTP id b20mr2992061agg.13.1277132065984; Mon,
21 Jun 2010 07:54:25 -0700 (PDT)
Received: by 10.231.145.65 with HTTP; Mon, 21 Jun 2010 07:54:25 -0700 (PDT)
In-Reply-To: <86104C13-F15D-4FE0-98C4-EDBA10A26996@gmail.com>
References: <E1OQcrP-0002B2-2o@otter.van-dns.com>
<86104C13-F15D-4FE0-98C4-EDBA10A26996@gmail.com>
Date: Mon, 21 Jun 2010 15:54:25 +0100
Message-ID: <AANLkTil0A-JFffpcpqjT4EMtSZJh2bQ7JnCJY_o8O-FS@mail.gmail.com>
Subject: Re: Reply to ad
From: Binta Luke <binta.luke@gmail.com>
To: me
Content-Type: text/plain; charset=ISO-8859-1

Thank you for posting, carseller--each scam you post increases the odds that another victim won't lose money, and that a scammer will lose a payday!

As you already indicated, this follows the path of a standard scam, and both the English and the obvious lack of real interest in the item are dead giveaways that this is indeed a scam.

The truth is, the scammer really doesn't care about the quality of your item, or even what it is, because he will never actually get the item. All he wants is the phony shipping fees that he will ask you to forward to the "shipper" after sending fake paypal confirmations.