by ampman
Sat Jan 04, 2014 12:58 am
Unbelievable. This bogus financial company sent a PDF page asking the beneficiary of a huge amount (bogus of course) to send an advance fee payment they call "sundry", and insists that it can't be deducted from the huge amount.
They use [email protected]; the corresponding domain name was purchased in August 2013 by a South African (scamming) entity. They don't even have a website, nor an address. They actually use the address of NatWest Bank in Somerset, UK, which they call their affiliate. NatWest is actually one of the biggest banks in the UK and has a page on scams. Below is the header of their email:
Delivered-To: XXXX
Received: by 10.96.211.199 with SMTP id ne7csp836389qdc;
Thu, 2 Jan 2014 23:04:09 -0800 (PST)
X-Received: by 10.68.111.98 with SMTP id ih2mr40686983pbb.73.1388732648320;
Thu, 02 Jan 2014 23:04:08 -0800 (PST)
Return-Path: <[email protected]>
Received: from gateway11.websitewelcome.com (gateway11.websitewelcome.com. [67.18.71.7])
by mx.google.com with ESMTP id pl18si39002999pab.75.2014.01.02.23.03.57
for <XXXX>;
Thu, 02 Jan 2014 23:03:58 -0800 (PST)
Received-SPF: pass (google.com: domain of [email protected] designates 67.18.71.7 as permitted sender) client-ip=67.18.71.7;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of [email protected] designates 67.18.71.7 as permitted sender) smtp.mail=internationalremittance@acces ... curity.com;
dkim=pass [email protected]
Received: by gateway11.websitewelcome.com (Postfix, from userid 500)
id 53BE0D27C4E24; Fri, 3 Jan 2014 01:03:57 -0600 (CST)
Received: from ham06.websitewelcome.com (unknown [192.185.0.197])
by gateway11.websitewelcome.com (Postfix) with ESMTP id 209D4D27C4DAE
for <XXXX>; Fri, 3 Jan 2014 01:03:57 -0600 (CST)
Received: by ham06.websitewelcome.com (Postfix, from userid 500)
id 1384F620031; Fri, 3 Jan 2014 01:03:57 -0600 (CST)
Received: from spitfire.websitewelcome.com (spitfire.websitewelcome.com [192.185.83.195])
by ham06.websitewelcome.com (Postfix) with ESMTP id 9064F620019
for <XXXX>; Fri, 3 Jan 2014 01:03:56 -0600 (CST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=accessfinancesecurity.com; s=default;
h=Content-Transfer-Encoding:Content-Type:MIME-Version:Subject:To:From:Date:Message-ID; bh=V8XoC9bUwAG/3yKX+gyMAA0InRuJ3nliGKUFFKtAmJ4=;
b=CQQtE2UNBH07pN+QEWzhcpqYXe1ta9zxVj2k5ZgXaoVSq7KND7OHjbyJZ7ychiX+coTWrGWFY3djUlyjxlsbqbybnuvFMWufvX3einYsj7ZqAsVQm0iy5xMJyxgT99YlZ0WZS7jV8gff6hDabnU23Iob5m/zr5lU7MqGacP/Whg=;
Received: from [127.0.0.1] (port=59550 helo=localhost)
by spitfire.websitewelcome.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)
(Exim 4.80)
(envelope-from <[email protected]>)
id 1VyynU-0002im-DW
for XXXX; Fri, 03 Jan 2014 01:03:56 -0600
Received: from 197.210.248.29 ([197.210.248.29]) by
webmail.accessfinancesecurity.com (Horde Framework) with HTTP; Fri, 03 Jan
2014 01:03:56 -0600
Message-ID: <20140103010356.18071n4l268afu8s@webmail.accessfinancesecurity.com>
Date: Fri, 03 Jan 2014 01:03:56 -0600
From: [email protected]
To: XXXX
Subject: CONTACT US ON MEANS OF PAYMENT
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="=_zemkpetsst4c"
Content-Transfer-Encoding: 7bit
User-Agent: Internet Messaging Program (IMP) H3 (4.3.11)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - spitfire.websitewelcome.com
X-AntiAbuse: Original Domain - gmail.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - accessfinancesecurity.com
X-BWhitelist: no
X-Source-IP: 127.0.0.1
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: (localhost) [127.0.0.1]:59550
X-Source-Auth: [email protected]
X-Email-Count: 1
X-Source-Cap: c3RldmVuO21ka3dlYmgxO3NwaXRmaXJlLndlYnNpdGV3ZWxjb21lLmNvbQ==
This message is in MIME format.
--=_zemkpetsst4c
Content-Type: text/plain;
charset=ISO-8859-1;
DelSp="Yes";
format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Attn: XXXX,
Find attached proof of payment of your in inheritance and ensure that
the sundry charge is paid before value date. We are unable to make
deducted due to insuraNce policy on your total fund. Make the payment
immediately and send proof of payment as to allow your total fund to
hit your account on the 6th of January 2014 at 1pm.
Regards,
Mrs. Elizabeth Sagorac
http://scamwarners.com/main//guestuploa ... UK-001.jpg
Last edited by ampman on Sat Jan 04, 2014 3:40 am, edited 4 times in total.
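Added example, not part of ampman's post: a short Python reading of the header above that lists the Received hops oldest-first, picks the first public client IP (here the address that logged in to the Horde webmail), and extracts the SPF/DKIM verdicts. A pass on both only shows the mail was authorised by the sender's own domain, which the sender controls. The sample is a constructed excerpt of the posted header with addresses redacted; the function names are this example's own.

```python
import ipaddress
import re
from email import message_from_string

# Constructed excerpt of the header in the post (addresses redacted as XXXX).
SAMPLE = """\
Received: from gateway11.websitewelcome.com (gateway11.websitewelcome.com. [67.18.71.7])
 by mx.google.com with ESMTP for <XXXX>; Thu, 02 Jan 2014 23:03:58 -0800 (PST)
Authentication-Results: mx.google.com;
 spf=pass smtp.mail=XXXX;
 dkim=pass header.i=@accessfinancesecurity.com
Received: from spitfire.websitewelcome.com (spitfire.websitewelcome.com [192.185.83.195])
 by ham06.websitewelcome.com (Postfix) with ESMTP id 9064F620019
 for <XXXX>; Fri, 3 Jan 2014 01:03:56 -0600 (CST)
Received: from [127.0.0.1] (port=59550 helo=localhost)
 by spitfire.websitewelcome.com with esmtpsa (Exim 4.80)
 for XXXX; Fri, 03 Jan 2014 01:03:56 -0600
Received: from 197.210.248.29 ([197.210.248.29]) by
 webmail.accessfinancesecurity.com (Horde Framework) with HTTP; Fri, 03 Jan
 2014 01:03:56 -0600
Subject: CONTACT US ON MEANS OF PAYMENT

"""

def received_hops(raw):
    """Return the Received hops oldest-first as {'from_ip', 'by'} dicts."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        text = " ".join(value.split())            # unfold continuation lines
        by = re.search(r"\bby\s+([\w.-]+)", text)
        from_part = text[: by.start()] if by else text
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", from_part)
        hops.append({"from_ip": ip.group(1) if ip else None,
                     "by": by.group(1) if by else None})
    return hops[::-1]   # each relay prepends, so the last header is the oldest

def origin_ip(raw):
    """First globally routable client IP, walking from the oldest hop forward."""
    for hop in received_hops(raw):
        try:
            if hop["from_ip"] and ipaddress.ip_address(hop["from_ip"]).is_global:
                return hop["from_ip"]
        except ValueError:                        # malformed address literal
            continue
    return None

def auth_results(raw):
    """Map each check named in Authentication-Results to its verdict."""
    value = message_from_string(raw).get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", " ".join(value.split())))
```

Hops below the first relay you trust are written by the sender's side and can be forged, so treat the oldest entries as a lead for an abuse report rather than proof.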