Almost had me - Check this one out

I'm an avid motorcycle rider and I am always looking for a deal. I can across this listing http://www.motorcycle.com/classifieds/h ... 00397.html
It is a 1999 HD Road King, very nice bike - seller wants only $2900.00 (US), Sounds to good to be trye but you never know. So I sent email to seller and he assured me it was a deal and that the bike was in great condition. After 2 emails to establish I was interested he told me to go to a web(3rd party) site and make an account with them. Here's the site: http://www.wdeliverylines.com/
The site almost looks for real - However I went through each tab to include the Contact Us tab. What got my attention was the fact that there is no telephone numbers or a physical address. Aftert this I decided to lead this guy on to see where it goes - he has really pressed me to use the delivery lines site. However, I told him I had tried but couldn't get logged in - so now he asks that I send him hlaf through Western Union using a name and address. Here's the latest contact/email:

I'm out of country these months Mark, I am working as an engineer on a petrol platform in United Kingdom.. I think I've told about this in one of my previous mails..

This is the name and address that you have to use:

Steven Howard
30 Leicester Square
London, WC2H 7LA
United kingdom

I've sent money to my wife too many times and you can pick up the money from any wu office.. Plus, a phone number its not necessary! I will be waiting for your western union scanned receipt so I can check your payment on their website!

What do you folks think?? Since he lists the address in the UK, I thought some one would like to check it out..

Hi Mappage,

Welcome to Scamwarners.

I am glad you have realised it is a scam before losing money.

I haven't looked into this yet but from what you have written above I have no doubt that it is a scam.

The website you were refered to is almost certainly a fake site created by the scammer to add legitimacy to the scam.

Could you please post the header of the emails which will help to convince the sites host to close the fake site when our site killers make a report.

If you dont know how to retrieve the headers, let us know what email providor you use and we can give you instructions, the following link has information about how to obtain headers from most of the more common providors http://spamcop.net/fom-serve/cache/19.html but if you still have trouble finding it please ask

Dont forget to X out your own details before posting.

As far as the scammer is concerned, you can either ignore all future attempts to contact you and he will eventually go away or you can tell him you are no longer interested as you have purchased another bike locally, either way, please do not try to string him along any longer, I presume he has some of your personnal information and it just isn't worth the risk to deliberately upset him while he has your information.

Edited terminology

Absolutely a scam.

On top of the anomalies you noted in the website itself, the registration shows numerous red flags. The domain name was registered 2 days ago, though the "company" was supposed to be in existence since 1994. It is only registered for a year. A quick search for the administrative contact on the website registration (not a common name) reveals a warning about a fraudulent website from a month ago using the same admin contact name (but different address) http://escrow-fraud.com/fraud_data.php?id=8365 , plus another fraud using the same address: http://escrow-fraud.com/fraud_data.php?id=7929

The address you were given for the recipient traces to a radio station, not a home address.

I've included what I hope is the latest mail header. How will it be used - can I see the results with an explanation of how to use it. Here is the latest mail header:

From Howard Sat Jan 31 19:45:34 2009
Return-Path: <[email protected]>
Authentication-Results: mta188.mail.re3.yahoo.com from=gmail.com; domainkeys=pass (ok); from=gmail.com; dkim=pass (ok)
Received: from 72.14.204.236 (EHLO qb-out-0506.google.com) (72.14.204.236)
by mta188.mail.re3.yahoo.com with SMTP; Sat, 31 Jan 2009 11:45:35 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=gamma;
h=domainkey-signature:mime-version:received:in-reply-to:references
:date:message-id:subject:from:to:content-type;
bh=FUo+9GDyJP4tpt9JQauPts3XUJFnyhCldYEK3DMQAzc=;
b=SM3YIML7Eh7eRBdKnlE57mHv5C1SVICNmXAYIpXLY9F2QBWDAygFWK0oV1RLAgHnST
6blUUZwnsn/U0ae801RFMEM1AVem00dVL3n7vG2FkDj4oNquAl4eO6ea4eODstWDE9VB
zVI3+JG9d0eB2yxKmfABHpwfQHtTupa3bSrzs=
DomainKey-Signature: a=rsa-sha1; c=nofws;
d=gmail.com; s=gamma;
h=mime-version:in-reply-to:references:date:message-id:subject:from:to
:content-type;
b=q38gEOBH7sYTNTqP4fFt1LUcPb2fXFVqmegEiZjOpasTW74FNySLwV5v3gKL0CuD5N
eql1xCd8IQyKavcm26ECrYh1Xh6G+3jjzhlqOEtrZGIYTjC+x+WW7tFyPa9LWUiqfc05
bXpc5Mi7NUsw/X0C65+aqWgfY0nc0DzYGh9HQ=
MIME-Version: 1.0
Received: by 10.231.20.1 with SMTP id d1mr329945ibb.17.1233431134644; Sat, 31
Jan 2009 11:45:34 -0800 (PST)
In-Reply-To: <[email protected]>
References: <[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
Date: Sat, 31 Jan 2009 13:45:34 -0600
Message-ID: <[email protected]>
Subject: Re: Fwd: A new secure online transaction is waiting for you on
www.wdeliverylines.com
From: Howard <[email protected]>
Content-Type: multipart/alternative; boundary=000325574706a2aa320461cc90a8
Content-Length: 13567

How do you get the info? - what is the process, is there a tool?
Thanks for checking the address listed.

Absolutely a scam.

On top of the anomalies you noted in the website itself, the registration shows numerous red flags. The domain name was registered 2 days ago, though the "company" was supposed to be in existence since 1994. It is only registered for a year. A quick search for the administrative contact on the website registration (not a common name) reveals a warning about a fraudulent website from a month ago using the same admin contact name (but different address) http://escrow-fraud.com/fraud_data.php?id=8365 , plus another fraud using the same address: http://escrow-fraud.com/fraud_data.php?id=7929

The address you were given for the recipient traces to a radio station, not a home address.

Thank you both - Ralph and Dotti for letting me know I wasn't wrong with this.

Howdy,

The IP address of scammers can be gleamed from headers by pasting them into a tool like THIS one. Unfortunately, your scammer is using gmail, a mail provider that strips the IP. Do you have emails from any other provider?

There are plenty of ways to check out suspicious websites. I'm not an expert in any of them, but who.is and DNStools.com are great places to start looking for evidence. Curious sign up info, one year registrations, and registration after the copyright date shown on the site are all things to look for. (I.E. The site says copyright 2005, but who.is shows it as being first registered a month ago)

If you have a query about any site in the future, be sure to post it here. I'm sure an experienced site killer will show you what else they look for.

No they/he hasn't used any other mail providers. However, I do have mail from what is supposed to from the office of the fake delivery company. You think I should copy the headers from those and paste em here or in the email tracing tool you listed..?

It's worth trying if it isn't gmail. There are a few other email providers who remove the sender's IP address though.

Ok - here's one from their supposed office/customer relations:

X-Message-Delivery: Vj0xLjE7RD0wO2w9MQ==
X-Message-Info: JGTYoYF78jEHjJx36Oi8+Z3TmmkSEdPt3Mi6GgUSv7yYKHQgGfDe+2wCW4LegkYQav29Pp7Mm4E=
Received: from web1211.biz.mail.gq1.yahoo.com ([67.195.14.58]) by bay0-mc9-f17.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);
Sat, 31 Jan 2009 09:42:45 -0800
Received: (qmail 55462 invoked by uid 60001); 31 Jan 2009 17:42:44 -0000
X-YMail-OSG: RTrp8VUVM1nbzRe0mwZ0LSH4nNVJuA_AloX1r1IZ.74JguoaVyuNdkqM
Received: from [85.25.139.99] by web1211.biz.mail.gq1.yahoo.com via HTTP; Sat, 31 Jan 2009 09:42:44 PST
X-Mailer: YahooMailWebService/0.7.260.1
Date: Sat, 31 Jan 2009 09:42:44 -0800 (PST)
From: "Delivery Lines \(PVT\) LTD" <[email protected]>
Reply-To: [email protected]
Subject: RE: Delivery Lines Customer Department
In-Reply-To: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID: <[email protected]>
Return-Path: [email protected]
X-OriginalArrivalTime: 31 Jan 2009 17:42:45.0108 (UTC) FILETIME=[53031340:01C983CB]

mapage, Can you post the whole email with that latest header? It may help in providing evidence of fraud for purposes of killing the site.

That header gives me an IP address in Germany. I assume that it's the IP of the host server that is mailing out the confirmation emails.

The site itself certainly seems suspect. I'm sure Dotti will have it dead soon after you post/PM the full email.

EDIT: It's not very important, but I'm going to try and read/notify the lad and get his IP that way. I'll post any results I get.
I can't seem to get it working, will try again after some sleep.

Dottie - Here's the latest - I hope it is what you need/want.

From Howard Sat Jan 31 19:45:34 2009
Return-Path: <[email protected]>
Authentication-Results: mta188.mail.re3.yahoo.com from=gmail.com; domainkeys=pass (ok); from=gmail.com; dkim=pass (ok)
Received: from 72.14.204.236 (EHLO qb-out-0506.google.com) (72.14.204.236)
by mta188.mail.re3.yahoo.com with SMTP; Sat, 31 Jan 2009 11:45:35 -0800
Received: by qb-out-0506.google.com with SMTP id e14so397127qbe.5
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=gamma;
h=domainkey-signature:mime-version:received:in-reply-to:references
:date:message-id:subject:from:to:content-type;
bh=FUo+9GDyJP4tpt9JQauPts3XUJFnyhCldYEK3DMQAzc=;
b=SM3YIML7Eh7eRBdKnlE57mHv5C1SVICNmXAYIpXLY9F2QBWDAygFWK0oV1RLAgHnST
6blUUZwnsn/U0ae801RFMEM1AVem00dVL3n7vG2FkDj4oNquAl4eO6ea4eODstWDE9VB
zVI3+JG9d0eB2yxKmfABHpwfQHtTupa3bSrzs=
DomainKey-Signature: a=rsa-sha1; c=nofws;
d=gmail.com; s=gamma;
h=mime-version:in-reply-to:references:date:message-id:subject:from:to
:content-type;
b=q38gEOBH7sYTNTqP4fFt1LUcPb2fXFVqmegEiZjOpasTW74FNySLwV5v3gKL0CuD5N
eql1xCd8IQyKavcm26ECrYh1Xh6G+3jjzhlqOEtrZGIYTjC+x+WW7tFyPa9LWUiqfc05
bXpc5Mi7NUsw/X0C65+aqWgfY0nc0DzYGh9HQ=
MIME-Version: 1.0
Received: by 10.231.20.1 with SMTP id d1mr329945ibb.17.1233431134644; Sat, 31
Jan 2009 11:45:34 -0800 (PST)
In-Reply-To: <[email protected]>
References: <[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
Date: Sat, 31 Jan 2009 13:45:34 -0600
Message-ID: <[email protected]>
Subject: Re: Fwd: A new secure online transaction is waiting for you on
www.wdeliverylines.com
From: Howard <[email protected]>
Content-Type: multipart/alternative; boundary=000325574706a2aa320461cc90a8
Content-Length: 13567

Here's the actual em where is trying to get me to log into the fake site and set up an account. The bike was listed as being in Florida, Miami-Dade county. As you see he later told me it was in Wa state.

2900 dollars is the final total price, no further fees! Here is how i sell the bike so you can test it before i receive payment and so we can both be protected. Go to www.wdeliverylines.com, register with them, and get back to me when you have done that. I will start a transaction with them as soon as you agree. They will take care of the shipping and of our transaction. I will explain you how it works in steps :
1. I give them the bike for packing and shipping
2. You send them the money
3. They send you the bike
4. You receive the bike and you will have a 3-30 days inspection period to test it and check the documents ( i will receive the money ONLY if you agree to keep the bike, if not you will be fully refunded by the shipping company )
5. If all is OK and you decide to keep the bike I will receive the payment Let me know .

Thanks,
Steven


Hi Steve,
Thanks for the response - I am interested in the bike - I understand the price is $2900.00 - does this include shipping? If it doesn't include shipping, do you have an idea how much the shipping will be? Of course, I am concerned about buying the bike site unseen and I hope I don't offend you, but what kind of guarantee/warranty can you offer me if I buy the bike?
What are the details for buying and delivery to ensure we both feel safe? How much do I need to send you to hold the bike?
When was the last service performed on the bike and performed it?
Can I get your phone #?




--------------------------------------------------------------------------------
From: Howard <[email protected]>

Sent: Tuesday, January 27, 2009 7:04:35 PM
Subject: Re: Classifieds Message: Still offering the RK


Hello ,

I am located in Olympia, WA and i have posted the ad in all the big cities to sell it quicker. The bike is in a great condition, it has no scratches or damage and never been down or wrecked, it has 19800 miles. This bike has a clear title and all papers come along with the bike. The price is $2900 including shipping to your address. Let me know if you are interested .

Thanks,
Steven

Looks like the fake 3rd party site is shut down temporarily. I went to the web of the classified ad, (motorcycle.com) and sent an email to admin for the site telling them the listing is a scam, yet they have not removed the listing. The motorcycle.com site seems to be a legit site.