Has someone offered you a huge sum of money or a valuable consignment? It's a 419 or advance fee fraud - find out how they work, and what to do to be safe.
by VRed Thu Jul 08, 2010 10:34 am
Hi,

I met somebody through eHarmony, received his first email this morning. After being scammed recently, I am now checking everybody's IP addresses. This one looks like lots of routing - I've seen this before. So far no other signs that this could be a scammer.

Here is the email info:

X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0xO0Q9MTtTQ0w9MA==
X-Message-Status: n:0
X-SID-PRA: Joe <[email protected]>
X-AUTH-Result: NONE
X-Message-Info:
Received: from n11.bullet.mail.ac4.yahoo.com ([74.6.228.83]) by SNT0-MC1-F17.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
Wed, 7 Jul 2010 22:17:53 -0700
Received: from [76.13.12.67] by n11.bullet.mail.ac4.yahoo.com with NNFMP; 08 Jul 2010 05:17:53 -0000
Received: from [74.6.228.81] by t8.bullet.mail.ac4.yahoo.com with NNFMP; 08 Jul 2010 05:17:53 -0000
Received: from [127.0.0.1] by omp1002.mail.ac4.yahoo.com with NNFMP; 08 Jul 2010 05:17:53 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: [email protected]
Received: (qmail 68597 invoked by uid 60001); 8 Jul 2010 05:17:53 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1278566273; bh=CmUGfvOAfpUxMUoU1sJ9ky3oyJXhrdNOcpUjRW0AvUE=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=
DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.com;
h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type;
b=
Message-ID: <[email protected]>
X-YMail-OSG:
Received: from [138.32.12.6] by web59516.mail.ac4.yahoo.com via HTTP; Wed, 07 Jul 2010 22:17:53 PDT
X-Mailer: YahooMailRC/420.4 YahooMailWebService/0.8.104.274457
Date: Wed, 7 Jul 2010 22:17:53 -0700 (PDT)
From: Joe [email protected]
Subject: Hello ___
To: _______
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-135293038-1278566273=:49365"
Return-Path: [email protected]
X-OriginalArrivalTime: 08 Jul 2010 05:17:53.0589 (UTC) FILETIME=[EAD5B650:01CB1E5C]

--0-135293038-1278566273=:49365
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

Hello ____!=0A=0AHow was your fourth of july?=A0 I was stuck up here at wor=
k for thwe fourth. I =0Ahave about two more weeks to go till I get a break.=
I hope its nice out so I can =0Ago for a ride on my motorcycle. I'm also l=
ooking forward to playing a round or =0Atwo of golf before leaving again. =
=0A=0A=0ATalk to you later.=0AJoe=0A=0A=0A=0A
--0-135293038-1278566273=:49365
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

Hello ____!How was your fourth of july? I was stuck up here at work for thwe fourth. I have about two more weeks to go till I get a break. I hope its nice out so I can go for a ride on my motorcycle. I'm also looking forward to playing a round or two of golf before leaving again.


Removed domain keys and ungarbled the text to help with searches - Ralph

by The Enchantress Thu Jul 08, 2010 10:50 am
Hi VRed,

The IP location is being manipulated.

In my opinion anyone doing this has something to hide.

Note this - by n11.bullet.mail.ac4.yahoo.com with NNFMP; 08 Jul 2010

IN SOME CASES Yahoo use a special protocol "NNFMP" to denote sender MAY be in a list of known scammers, or is using special software to hide their own IP address and details.

Note - it does not necessarily follow that if this protocol is not in a header - it should be assumed that the mail is NOT from a scammer.

Photos - are scammers using yours? click here
Are you falling for a love scammer? click here
Never send money by Western Union/Moneygram.
Never give personal information.
Online anyone can claim to be anyone, any age and from anywhere.
by VRed Fri Jul 09, 2010 8:33 am
I received another email from him today. Headers seem to be the same as the ones I posted, but here is what he says:

I work in the oilfields at the farthest northern tip of alaska as a heavy equipment mechanic. I do a 4 week on 2 week off rotation. I dont like being here so much, but the time off is nice. I got one pic of me on my computer here I can send you. I'll send you some more when i get back home. What is it that you do for a living?


While no grammar mistakes jump out at me, my previous scammer claimed to work in oil industry also. Am I being paranoid? :?

Also, while we were going through "get to know each other" process, when I asked him "what is one interest you would like to share with your partner" (standard open-ended question on eHarmony) his answer was "honesty, trust, loyalty" :?: Didn't make sense to me then, still doesn't make sense to me now :D
by Dotti Fri Jul 09, 2010 9:02 am
You are not being paranoid, you are being cautious. The sad reality is that there is a very large number of scammers out there, and some of them are better at researching their roles--and any time "engineer" or "oil company" is mentioned, the odds go up that it is a scammer. The 4X2 work shift he describes is legitimate for the job, but that information can easily be found online, or could even be taken from a former victim.

Although there are some red flags (as Enchantress said, the header definitely is one) I cannot say with certainty that this one is a scammer. If you want to continue corresponding with him, I would recommend starting slow--limit the personal information you provide, and ask lots of questions. Also check each header for the NNFMP--we might be able to get a location or evidence of a proxy from any header that doesn't use that protocol, and scammers aren't always consistent.

Need to post photos? http://scamwarners.com/forum/viewtopic.php?f=28&t=3219
Are you a victim of a romance scam? Read here for advice and FAQ's.
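Added example, not part of any post in this thread: one way to run the per-header check suggested above, listing each Received hop with its protocol and keeping only the hops that are not NNFMP and carry a publicly routable source IP. The function names are hypothetical, and the sample is the Received chain from the header in the first post, reformatted so it parses.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: Received lines copied from the header in the first post
# (date continuation indented so it parses as a folded header; rest omitted).
SAMPLE = """\
Received: from n11.bullet.mail.ac4.yahoo.com ([74.6.228.83]) by SNT0-MC1-F17.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
 Wed, 7 Jul 2010 22:17:53 -0700
Received: from [76.13.12.67] by n11.bullet.mail.ac4.yahoo.com with NNFMP; 08 Jul 2010 05:17:53 -0000
Received: from [74.6.228.81] by t8.bullet.mail.ac4.yahoo.com with NNFMP; 08 Jul 2010 05:17:53 -0000
Received: from [127.0.0.1] by omp1002.mail.ac4.yahoo.com with NNFMP; 08 Jul 2010 05:17:53 -0000
Received: (qmail 68597 invoked by uid 60001); 8 Jul 2010 05:17:53 -0000
Received: from [138.32.12.6] by web59516.mail.ac4.yahoo.com via HTTP; Wed, 07 Jul 2010 22:17:53 PDT
Subject: Hello

(body omitted)
"""

# "from <name> ([ip])" or "from [ip]", then "by <host>", then "with|via <protocol>;"
HOP = re.compile(r"from\s.*?\[(?P<ip>[0-9A-Fa-f.:]+)\].*?\sby\s+(?P<by>\S+)"
                 r"\s+(?:with|via)\s+(?P<proto>[^;]+);", re.S)

def received_hops(raw):
    """Parse every Received header that names a source IP, newest hop first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(value)
        if m:  # lines such as the qmail one carry no source IP and are skipped
            hops.append({"ip": m["ip"], "by": m["by"], "proto": m["proto"].strip()})
    return hops

def locatable_hops(raw):
    """Keep hops that are not NNFMP and whose source IP is publicly routable."""
    keep = []
    for hop in received_hops(raw):
        try:
            routable = ipaddress.ip_address(hop["ip"]).is_global
        except ValueError:
            continue
        if routable and hop["proto"].upper() != "NNFMP":
            keep.append(hop)
    return keep

if __name__ == "__main__":
    for hop in locatable_hops(SAMPLE):
        print(f'{hop["ip"]:15} -> {hop["by"]} ({hop["proto"]})')
```

Each server adds its Received line above the ones already present, so the last hop returned is the earliest one in the chain and the one to look up first.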
by VRed Fri Jul 09, 2010 9:13 am
Thank you :) I will keep checking the headers and will be careful with what information I give him. If this is indeed a scammer, then they are getting smarter! But they won't outsmart me because I have you all :D
by Dotti Fri Jul 09, 2010 12:13 pm
Thanks Jolly Roger--we have actually seen that discussion and are aware it is a yahoo thing. The important thing from our perspective is that it hides the sender's location.

The point is, while the use of NNFMP is generally associated with scams and spam, in the absence of some other corroborating evidence, (especially when the limited writing so far does not contain the typical African mistakes) it's not enough to say beyond a doubt that this is an advance-fee scammer.

It is a definite red flag, though, and combined with another flag, would push this one into "confirmed scammer" category.

by Jillian Fri Jul 09, 2010 2:44 pm
In trying to understand Yahoo's use of NNFMP in the header, I've done a lot of reading about it. From what I have read, I do believe that it is sometimes included in legitimate email headers as well as in scams. So, as Dotti has said, I'd not immediately assume a scam or that the sender has intentionally manipulated their IP from showing.

@VRed: I agree with Dotti's advice. You can certainly continue corresponding with him, just be cautious. You know what red flags to look for and we're glad to help.

Have you sent a payment to a scammer with Western Union and now realize it's a scam? If the payment has not been picked up, you can cancel it immediately! 1-800-448-1492

Follow ScamWarners on Twitter: http://twitter.com/ScamWarners
by Ralph Sat Jul 10, 2010 9:03 am
Hi Vred.

I have looked over this too and while I cannot see any absolute definite signs that it is a scam, I can see some red flags raised.

If this is a scammer you are dealing with it is a smarter one for sure;

Some minor grammar mistakes but no, nothing that jumps out

NNFMP is a very big red flag, it denotes that the IP has been reported as being associated with scams, as suggested, there is a chance that a genuine person uses the same IP as people who are spammers and scammers so it is not definite proof but certainly something to be wary of.

Search on the IP shows numerous scams using the same IP address, as mentioned above, that is not certain proof but certainly something to be mindful of.

I have gone through the scripts doing some searches and again nothing comes up

Search on the email address shows nothing

Search on the name has more hits than you could poke a stick at but finding scam related hits is quite difficult because it is the name of a well known Australian politician, this is certainly not proof of a scam but it is a trick that the smarter scammers use

This line is found within the header, "omp1002.mail.ac4.yahoo.com" a search on that line shows numerous other scams, again, not proof but more cause for concern

The storyline used including working on an oil rig are very scammer like but again, real people work on oil rigs too so this is not proof of a scam.

The 4 weeks on and 2 weeks off rotation can't be confirmed, I have done numerous searches and it seems none of the information I could find showed oil rig workers who do 4 weeks on and 2 weeks off

While we have not been able to say with certainty that it is a scammer, you do have a range of things to look out for, you could also send any additional emails, profile links or pictures by PM if you are more comfortable to do it that way and we can check it out further for you.

Alternatively if you think this person is worth it, you could ring his company and ask them about their rotation and they might even be able to tell you if a person by that name is employed by them.

One last thing you perhaps should do is take a look at the advice given by eHarmony;

Right click and open this link in a new window to see the source
While eHarmony routinely monitors account activity and investigates all complaints of unusual, inappropriate or falsified accounts, eHarmony does not conduct background checks at the time an account is registered. As with any personal interaction, keep in mind it is always possible for people to misrepresent themselves but assessing a match's truthfulness and honesty is ultimately your responsibility. Don't ignore any facts that seem inconsistent or “off.” Trust your instincts—if something doesn't feel right, close communication or if on a date, leave. You're in control of the entire process, so you can choose a comfortable pace for your relationship.
We strongly encourage you to be cautious when sharing personal information that could reveal your identity.
by Martha Jones Mon Jul 12, 2010 7:38 am
whois gives a very well known oil company...

One thing that would make me cautious is the email syntax - name plus a number @ yahoo.com

Very common amongst scammers
