Has someone offered you a huge sum of money or a valuable consignment? It's a 419 or advance fee fraud - find out how they work, and what to do to be safe.
by Lachec Tue Apr 09, 2013 5:26 am
Hey all,

First time here, hope someone can confirm what I am suspecting.

I have a feeling it is spam, but I had no way of confirming, as spam emails that I get I usually Google to see if anyone else has received them and I guess no one has posted about this generic one:

Here is the email header:

from: Kirk Estrada <[email protected]>
reply-to: Kirk Estrada <[email protected]>
to: "[Myemail@[email].com" <[MyEMAIL@[email].com>
date: Tue, Apr 9, 2013 at 6:21 AM
subject: Good afternoon, [Name]
mailed-by: yahoo.com
signed-by: yahoo.com
: Important mainly because of the words in the message.


Here is the original header:

Delivered-To: [Myemail@[email].com
Received: by 10.52.96.170 with SMTP id dt10csp38480vdb;
        Mon, 8 Apr 2013 13:21:03 -0700 (PDT)
X-Received: by 10.52.230.167 with SMTP id sz7mr14794841vdc.81.1365452463284;
        Mon, 08 Apr 2013 13:21:03 -0700 (PDT)
Return-Path: <[email protected]>
Received: from nm38-vm3.bullet.mail.bf1.yahoo.com (nm38-vm3.bullet.mail.bf1.yahoo.com. [72.30.239.19])
        by mx.google.com with ESMTPS id xa7si19403131vdc.100.2013.04.08.13.21.02
        (version=TLSv1 cipher=RC4-SHA bits=128/128);
        Mon, 08 Apr 2013 13:21:03 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of [email protected] designates 72.30.239.19 as permitted sender) client-ip=72.30.239.19;
Authentication-Results: mx.google.com;
        spf=pass (google.com: best guess record for domain of [email protected] designates 72.30.239.19 as permitted sender) [email protected];
        dkim=pass [email protected]
Received: from [98.139.212.149] by nm38.bullet.mail.bf1.yahoo.com with NNFMP; 08 Apr 2013 20:21:02 -0000
Received: from [98.139.212.203] by tm6.bullet.mail.bf1.yahoo.com with NNFMP; 08 Apr 2013 20:21:02 -0000
Received: from [127.0.0.1] by omp1012.mail.bf1.yahoo.com with NNFMP; 08 Apr 2013 20:21:02 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: [email protected]
Received: (qmail 9474 invoked by uid 60001); 8 Apr 2013 20:21:02 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1365452462; bh=NQ8R60oZAnTD3WiW8OGYKPVe6iEkmbF374szr+jK+s0=; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:Message-ID:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type; b=sLCJbieAMDpEabrWTjXzXhGpPlFKMC/5Jq0SqD2g9R6ajwHj5ibMEZGrrgbk96EOyV81VRyLAgxpid0goXdogIQ8gKGIBSM5+ScvW41XPH5mL820hlitpDdR8STZkR/Y/5yzuPByengsP/nHMjBuKsT9uc9s2crFJUEqc2bB5tg=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
        s=s1024; d=yahoo.com;
        h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:Message-ID:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type;
        b=PC8zxvAVoYusT0k7nvKumEjJUb13HGBDEhuwJKpDasBgbqYUHwriEW0ISJAvtEQxe9q7y6RvEGsI+vjlVMO0FMjsBXnGpQfvzuvU645OeocyyaA1umzdieYEke7qccthw8WZoSxDqyz/06dDo1aIe4CbSzRs0XRR83TxruO/YOA=;
Received: from [178.172.231.113] by web162604.mail.bf1.yahoo.com via HTTP; Mon, 08 Apr 2013 13:21:02 PDT
X-Mailer: YahooMailWebService/0.8.140.532
Message-ID: <[email protected]>
Date: Mon, 8 Apr 2013 13:21:02 -0700 (PDT)
From: Kirk Estrada <[email protected]>
Reply-To: Kirk Estrada <[email protected]>
Subject: Good afternoon, [Name]
To: "[Myemail@[email].com" <[Myemail@[email].com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Here is the email contents:

Hi, [Name].


I have found your details on job website and you seem to be quite a suitable employee.

Brief Requirements:

- Over 18
- AU citizen


In the event you are interested, do not be shy to write back attaching a brief resume.

Best wishes,
LFG company

Things I note:
-Grammar error
-Companies don't look for people in such a way for a job
-Companies would have their own email hosts, not gmail or yahoo? Especially online ones?
-If you found my details on a job website, why do you need my resume?
-LFG is a very vague name, Google points me to here: https://www.lfg.com/

Anyone else receive a similar type of email?

Any thoughts or comments welcome.

by Michelle Tue Apr 09, 2013 5:36 am
Lachec wrote: Things I note:
-Grammar error
-Companies don't look for people in such a way for a job
-Companies would have their own email hosts, not gmail or yahoo? Especially online ones?
-If you found my details on a job website, why do you need my resume?
-LFG is a very vague name, Google points me to here: https://www.lfg.com/

.................

Any thoughts or comments welcome.


I think that you have summed up your suspicions very well.

This e-mail was sent via IP: 178.172.231.113 which tracks back to Republic of Belarus - Eastern Europe
by Lachec Tue Apr 09, 2013 5:45 am
Thank you for the very quick reply! Ahh a Belarus IP, there you go hehe!

I will go ahead and mark the email as spam!
by Dotti Tue Apr 09, 2013 6:26 am
The "basic requirements" are a dead giveaway as well.

If the only requirements for the job are that you are over 18 and a resident of a specific country, then why do they even need a resume? And why would they have to email random strangers, when there are millions of unemployed people meeting those criteria that would line up on their doorstep for a real job?

Those two "criteria" are the standard for money mule recruiters. That is inevitably where this one would go. The "over 18" is because you would need to have a bank account to run the money through, and the "AU citizen" means they want to steal from phished/hacked accounts in your country. If they have the money transferred internationally, transactions will likely be flagged or stopped sooner, so they want to make sure they have a mule lined up in the same country.

Another thing to note on this email, besides the use of free email providers, is the different "from" and "reply-to" addresses. This is because they are spamming this email to dozens, if not hundreds, of job posters, and they know there is a good chance that the address used to send the email will be closed for spamming. Having you reply to a different email address ensures they won't lose their victims when that account is closed.

Need to post photos? http://scamwarners.com/forum/viewtopic.php?f=28&t=3219
Are you a victim of a romance scam? Read here for advice and FAQ's.
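
The two header checks used in the replies above (the originating IP in the oldest Received hop, and a Reply-To that differs from From), as an added example that is not part of any poster's message. The sample header is constructed from the hops quoted in the thread; both mailbox addresses are placeholders, since the page shows them redacted.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed sample: hops and IPs follow the header quoted in the thread;
# both mailbox addresses are placeholders (the page shows them redacted).
SAMPLE = """\
Received: from nm38-vm3.bullet.mail.bf1.yahoo.com ([72.30.239.19])
\tby mx.google.com with ESMTPS; Mon, 08 Apr 2013 13:21:03 -0700 (PDT)
Received: from [127.0.0.1] by omp1012.mail.bf1.yahoo.com with NNFMP; 08 Apr 2013 20:21:02 -0000
Received: from [178.172.231.113] by web162604.mail.bf1.yahoo.com via HTTP; Mon, 08 Apr 2013 13:21:02 PDT
From: Kirk Estrada <account-one@mail.example>
Reply-To: Kirk Estrada <account-two@mail.example>
Subject: Good afternoon, [Name]

Hi, [Name].
"""

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def origin_ip(msg):
    """Oldest public IP in the Received chain (relays prepend, so scan from the end).

    Only hops written by a relay you trust are reliable; older ones can be forged.
    """
    for hop in reversed(msg.get_all("Received", [])):
        for candidate in BRACKETED_IP.findall(hop):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # e.g. an octet above 255
            if ip.is_global:  # skips loopback and private ranges
                return str(ip)
    return None

def triage(raw):
    msg = email.message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1].lower()
    return {
        "origin_ip": origin_ip(msg),
        "from": from_addr,
        "reply_to": reply_addr,
        "reply_to_differs": bool(reply_addr) and reply_addr != from_addr,
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A differing Reply-To or a foreign webmail origin is a triage signal to weigh with the message content, not proof on its own.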
by Lachec Thu Apr 11, 2013 4:56 am
Wow that's quite messed up Dotti

A money mule job as you described it sounds incredibly illegal. Like, the police/detectives/agents should be looking into who these criminals are contacting, figuring out where the money is going and taking care of those individuals. But that would have to assume there are criminals based in the AU? Or would it be possible for them to operate in a different country, and just have those few individuals based in AU then transferring the money in one big go?

So dodgy. ://

Thank you for further explaining though!
by Dotti Thu Apr 11, 2013 6:47 am
The criminals behind this are almost certainly not in AU. Most often these crimes are connected to large cybercrime gangs in the former Soviet Union. They recruit several mules at a time, because they need to keep each transfer below a certain amount, which will be based on either a bank-imposed transfer limit or the rules of the country the transfers are occurring in. (In many countries, transactions over a certain amount have to be reported to a government agency--something the criminals want to avoid.)

Occasionally, we see a scammer from another country (often in Africa) who has bought stolen account information from hackers recruiting money mules.

The criminals will usually have some explanation for the job. The more organized, large-scale operations will have a fake company name and many times a website. Some take the organization a step further as described in the July 16th article on Krebs here: http://krebsonsecurity.com/tag/money-mules/
All names will be fake, all real information hidden. Because the crimes cross international lines, the AU police will not be able to trace the criminals behind them.

The whole thing is highly illegal, and the mule can in fact be arrested, because even though he/she is not the one who actually stole the money, the acts of receiving and forwarding it are criminal.
