Has someone offered you a huge sum of money or a valuable consignment? It's a 419 or advance fee fraud - find out how they work, and what to do to be safe.
by DonnyBman Sun May 02, 2010 8:42 am
I received the following email:
Good Day,

I am Mr.Idris Isah. I want to enquire from you if you can handle a transaction of $22.5m dollars belonging to our bank deceased customer who died along with his family during their vacation,i will give you more details and what will be your percentage for your assistants as soon as i receive your reply If you are interested, please forward me the bellow information’s:

Your name: ......

Your country: ......

Your phone Number: .......

Your Tel/fax: .........

Your age: ......

Your occupation: ............

The scan copies of your international passport: .................

Thank for your anticipated co-operation

Yours Faithfully,

Mr Idris Isah.

BILL AND EXCHANGE MANAGER BANK OF AFRICA (BOA)
An obvious 419 scam - I replied:
Dear Mr Idris Isah,

Why would an executive of an African bank be using a web mail service from India?

Please provide for me the following credentials and I shall discuss business with you

Your country: ......

Your phone Number: .......

Your Tel/fax: .........


The scan copies of your international passport and or local African picture ID: .................

Thank You
Don Smith
President/CEO
Casino's limited France

They have replied with
Dear Don Smith,

Greetings to you.Below are my information you needed from me and also send me yours immediately to proceed to this business as soon as possible:

My country: Burkina Faso.
My phone Number: +22678801133.
The scan copies of your international passport is attached to this message

I hope to read from you soonest.

Regards
Mr.Idris Isah.
And a copy of a passport is attached
I sent a complete transcript including the scan to [email protected]

by avenging_angel Sun May 02, 2010 8:56 am
Hello DonnyBman

could you post the header please? The email address may also be on record somewhere, which can be very useful for recording the exploits of this person
by David Jansen Sun May 02, 2010 9:19 am
Welcome here DonnyBman.

As Avenging Angel said, it would be great if you could post the headers here too. If you don't know how to get the headers, just ask one of the support team members, or one of the mods. Could you also post the scan of the passport? But before you do, please watermark it with SCAM or FAKE. Or send it via PM to me and I'll watermark it and post it here.

Being a victim doesn't mean you stand alone. We're here to help you.
by Crispy Duck Sun May 02, 2010 9:40 am
Welcome from me, too, DonnyBman.

Why would an executive of an African bank be using a web mail service from India?



Also, why would a bank executive use a mobile phone as his contact number?

+22678801133


From International Numbering:

Information on phone number range +226 7880XXXX
Number billable as mobile number
Country or destination Burkina Faso
Original network provider* Telecel Faso S.A.
by DonnyBman Tue May 04, 2010 8:34 am
Delivered-To: Removed
Received: by 10.231.199.18 with SMTP id eq18cs33904ibb;
Sun, 2 May 2010 05:58:53 -0700 (PDT)
Received: by 10.220.158.6 with SMTP id d6mr9431683vcx.158.1272805133115;
Sun, 02 May 2010 05:58:53 -0700 (PDT)
Return-Path: [email protected]
Received: from snt0-omc1-s35.snt0.hotmail.com (snt0-omc1-s35.snt0.hotmail.com [65.55.90.46])
by mx.google.com with ESMTP id f25si9032532vcs.44.2010.05.02.05.58.52;
Sun, 02 May 2010 05:58:53 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 65.55.90.46 as permitted sender) client-ip=65.55.90.46;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of [email protected] designates 65.55.90.46 as permitted sender) [email protected]
Received: from SNT117-W2 ([65.55.90.8]) by snt0-omc1-s35.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
Sun, 2 May 2010 05:58:23 -0700
Message-ID: <[email protected]>
Return-Path: [email protected]
Content-Type: multipart/alternative;
boundary="_0097b05d-8116-42e4-9be5-282b9cc7db2b_"
X-Originating-IP: [41.203.231.192]
From: IDRIS ISAH <[email protected]>
To: Removed
Subject: What is happing??.
Date: Sun, 2 May 2010 12:58:23 +0000
Importance: Normal
In-Reply-To: <[email protected]>
References:
<[email protected]>,<[email protected]>
MIME-Version: 1.0
X-OriginalArrivalTime: 02 May 2010 12:58:23.0598 (UTC) FILETIME=[25ED40E0:01CAE9F7]

--_0097b05d-8116-42e4-9be5-282b9cc7db2b_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


Are you willing to help in this business or not because i have provided you=
all the information you required from me but none from your ends why???.Is=
my email id the curse of your problem or you are just joking with me in th=
is business??.Could you let me know or not??.Are you willing to help me in =
this business or not??.I hope to read from you soonest.

=20

Regards

Mr.Idris Isah.

=20
_________________________________________________________________
Hotmail: Trusted email with powerful SPAM protection.
https://signup.live.com/signup.aspx?id=3D60969=

--_0097b05d-8116-42e4-9be5-282b9cc7db2b_--


Here's the header
Member email address removed - Ralph
by DonnyBman Tue May 04, 2010 8:37 am
This is the India header

Delivered-To: Removed
Received: by 10.231.199.18 with SMTP id eq18cs162619ibb;
Fri, 30 Apr 2010 20:39:29 -0700 (PDT)
Received: by 10.142.9.17 with SMTP id 17mr4134040wfi.325.1272685169100;
Fri, 30 Apr 2010 20:39:29 -0700 (PDT)
Return-Path: [email protected]
Received: from web114610.mail.gq1.yahoo.com (web114610.mail.gq1.yahoo.com [98.136.183.55])
by mx.google.com with SMTP id 1si3761874pzk.104.2010.04.30.20.39.28;
Fri, 30 Apr 2010 20:39:29 -0700 (PDT)
Received-SPF: neutral (google.com: 98.136.183.55 is neither permitted nor denied by best guess record for domain of [email protected]) client-ip=98.136.183.55;
Authentication-Results: mx.google.com; spf=neutral (google.com: 98.136.183.55 is neither permitted nor denied by best guess record for domain of [email protected]) [email protected]
Received: (qmail 86473 invoked by uid 60001); 1 May 2010 03:39:27 -0000
Message-ID: <[email protected]>
X-YMail-OSG: Removed long and of no use domain key

Received: from [41.203.225.125] by web114610.mail.gq1.yahoo.com via HTTP; Fri, 30 Apr 2010 20:39:27 PDT
X-RocketYMMF: [email protected]
X-Mailer: YahooMailClassic/10.1.11 YahooMailWebService/0.8.103.269680
Date: Fri, 30 Apr 2010 20:39:27 -0700 (PDT)
From: idris isah <[email protected]>
Reply-To: [email protected]
Subject: Good Day,
To: undisclosed recipients: ;
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-1225746876-1272685167=:85920"

--0-1225746876-1272685167=:85920
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable



Good Day,=20
=0A
=0AI am Mr.Idris Isah. I want to enquire from you if you can handle a trans=
action of $22.5m dollars belonging to our bank deceased customer who died a=
long with his family during their vacation,i will give you more details and=
what will be your percentage for your assistants as soon as i receive your=
reply If you are interested, please forward me the bellow information=E2=
=80=99s:=20
=0A
=0AYour name: ......=20
=0A
=0AYour country: ......=20
=0A
=0AYour phone Number: .......=20
=0A
=0AYour Tel/fax: .........=20
=0A
=0AYour age: ......=20
=0A
=0AYour occupation: ............=20
=0A
=0AThe scan copies of your international passport: .................=20
=0A
=0AThank for your anticipated co-operation=20
=0A
=0AYours Faithfully,=20
=0A
=0A Mr Idris Isah.=20
=0A
=0ABILL AND EXCHANGE MANAGER BANK OF AFRICA (BOA)=0A=0A=0A
--0-1225746876-1272685167=:85920--


Member details removed - Ralph
by Ralph Tue May 04, 2010 9:03 am
Thank you for posting the headers, I have removed your own email address from both headers for your protection ;)

The first header shows; 41.203.231.192 Burkina Faso (Ouagadougou)*
The second will come as little surprise to us 41.203.225.125 Burkina Faso*

Both emails originated from the same location making it almost certain they were sent by the same person or group.

Edited to include the IP of the first header posted :wink:
by Crispy Duck Tue May 04, 2010 9:07 am
From the 1st headers:

X-Originating-IP: [41.203.231.192]


41.203.231.192 Burkina Faso (Ouagadougou)

The 2nd headers:

Received: from [41.203.225.125]


41.203.225.125 Burkina Faso

Edit: Beaten (again) by Ralph. :D
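The header check described in the two posts above, as an added example that is not part of any member's post: it pulls the client address that each webmail provider recorded (Hotmail's X-Originating-IP field, Yahoo's "via HTTP" Received hop) and measures how many leading bits the two addresses share. The sample headers are trimmed from the dumps posted in this thread; the function names are made up for the example.

```python
import ipaddress
import re
from email import message_from_string

# Trimmed from the two header dumps posted in this thread (relevant lines only).
HOTMAIL_REPLY = """\
Received: from snt0-omc1-s35.snt0.hotmail.com (snt0-omc1-s35.snt0.hotmail.com [65.55.90.46])
 by mx.google.com with ESMTP id f25si9032532vcs.44.2010.05.02.05.58.52;
 Sun, 02 May 2010 05:58:53 -0700 (PDT)
X-Originating-IP: [41.203.231.192]
Subject: What is happing??.
"""
YAHOO_FIRST = """\
Received: from web114610.mail.gq1.yahoo.com (web114610.mail.gq1.yahoo.com [98.136.183.55])
 by mx.google.com with SMTP id 1si3761874pzk.104.2010.04.30.20.39.28;
 Fri, 30 Apr 2010 20:39:29 -0700 (PDT)
Received: from [41.203.225.125] by web114610.mail.gq1.yahoo.com via HTTP; Fri, 30 Apr 2010 20:39:27 PDT
Subject: Good Day,
"""

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HTTP_HOP = re.compile(r"^\s*from\s+\[(\d{1,3}(?:\.\d{1,3}){3})\].*\bvia HTTP\b", re.S)


def is_public(ip):
    """True for a syntactically valid, globally routable address."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def client_ips(raw_headers):
    """IPs the webmail provider recorded for the browser that submitted the mail."""
    msg = message_from_string(raw_headers)
    found = []
    for value in msg.get_all("X-Originating-IP", []):   # Hotmail-style header
        found += BRACKETED_IP.findall(value)
    for value in msg.get_all("Received", []):           # Yahoo-style "via HTTP" hop
        match = HTTP_HOP.search(value)
        if match:
            found.append(match.group(1))
    return [ip for ip in dict.fromkeys(found) if is_public(ip)]


def common_prefix_len(a, b):
    """Number of leading bits two IPv4 addresses share."""
    diff = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - diff.bit_length()


if __name__ == "__main__":
    first, reply = client_ips(YAHOO_FIRST)[0], client_ips(HOTMAIL_REPLY)[0]
    print(first, reply, "shared prefix bits:", common_prefix_len(first, reply))
```

These fields are written by the webmail provider, so they show the address that connected to it, which can be a proxy; a shared prefix points to the same network range, not to a named individual.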
by Ralph Tue May 04, 2010 9:14 am
Ahh yes, but you didn't inadvertently get the IP from the second email twice as I did, I will go back and fix mine :oops:
by XXXAllandXXX Sat Jul 10, 2010 9:11 am
hi there,

i am looking for this person too.

https:// signup .live. com/ signup. aspx?id=60969 (disabled link - Ralph)

he is still out there and sending me porn links which I cannot stop.
I complained to hotmail and then I started receiving emails without the above link

i have been googling the above link and trying to trace, i am gathering info,
but really hotmail help or mods would best help.

here are just some of his ( i am naming him george shukuru) addresses, the bottom three are close i think

Removed long list of email addresses until some evidence can be provided - Ralph

hope this helps catch him

cheers

allan
by Ralph Sun Jul 11, 2010 12:05 am
Hi Allan, welcome to Scamwarners

Could you please post some proof of why you suspect those email addresses are used by scammers.

Here at Scamwarners we do require proof to ensure that the details we have here are as accurate as possible and backed up by proof.

We have many instances where scam victims find their way here and in order to convince them that the details are correct we sometimes need to go to great lengths to show them proof, unfortunately the advice of a new member with one post is not going to be very believable to a person who believes they have a fortune coming their way.

In the interest of ensuring the information here is correct and founded I have removed the list of email addresses from your post, please feel free to post each of them back but include some supporting evidence as you replace them
by XXXAllandXXX Sun Jul 11, 2010 2:39 am
hi all,
Scammers have been accessing GYCA - West Africa - Groups - Community - TakingITGlobal and , or
Global Youth Coalition on HIV/AIDS | West Africa. Then i think there has been more than one party involved.
*Those that produced scams
*those bulk emailing with Forged mail pretending to be from MS Outlook
* Then I believe they are sharing a referral i.d (https://signup.live.com/signup.aspx?id=60969)
so inadvertently have left a trail to follow.
* Be cautious of Ubuntu-tz Samahani Nina shida. - ubuntu-tz.lists.ubuntu.com mailing lists
I believe they are somehow tied together, and their spam emails are redirects

George Smith has been labelled a scammer and believe this to be TOTALLY untrue, he and others have been doing an outstanding job helping their community and country, that referral link has brought them undue attention from those that would abuse the facilities that have been provided, including I.T personnel, where they have left the ref. link in forums, it is a fair indication of what they are up to......No Good.

georgeshukuru at live.com......... This fella has definitely something to do with spamming, and it is his name ....george, that people may have mistaken for george smith. Google the ref i.d and george and you will find some very interesting stuff.

Well at least we have narrowed some things down and I have stopped receiving spam.

look forward to coming back here and try catch me alive one!!

I will put together the items i have collected so that you may see how i came to this conclusion
by XXXAllandXXX Sun Jul 11, 2010 4:31 am
Gday All,

Here is a brief description of the last 20hrs.

By googling the referral i.d, I came up with over 20 pages that I started to go through and investigate. I joined whatever forums or newsgroups required and attempted to find other links, email addresses and names that matched.

Initially I thought it was one person with so many different emails and names but after hours of searching and a bit of time out to stop and think, I realised that was not the case.

I can't list everything I did, take too long, but I can list some items that made windows.live take immediate action.


I had already emailed windows.live forum and advised them I was getting spam from referral i.d 60969, after giving them a list of all emails I had received they must have contacted the owner. The emails kept coming without that i.d, but still had another in there.

Searching that i.d, I found Scamwarners.com with a thread that contained the same referral i.d. I also found a forum that was Arabic and it contained code for redirecting windows.live sign up page. Effectively being able to steal your identity and your log in details.

http://alfrasha.maktoob.com/archive/ind ... 38475.html ( THERE ARE NORTON SECURITY WARNINGS ABOUT VISITING THIS PAGE)

Now, i also had the emails that were spammed to me. Using Spamcop.net and their excellent facility and software, they determined the emails were..

0.00 STOX_REPLY_TYPE STOX_REPLY_TYPE
0.01 MISSING_SUBJECT Missing Subject: header
1.28 MISSING_SUBJECT_2 Missing Subject: header
1.36 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook

That was enough info for me to attach to spamcop report which goes to live.com, isp, the vendors advertised web site.

1 spamming
2 hijacking
3 Scamming - thread at scamwarners with the same referral i.d.
4 forging emails

How could one person be so dumb, yet capable of writing source.

I spent a long time investigating George Smith and could not figure why he would risk so much for so little. He is a good man and doing exceptional things for his people and country.

http://profiles.tigweb.org/smithswork


That is when I realised that all the emails sent had to go through the same point, as they were getting the referral i.d attached, probably with signature app???, there had to be more than one party, probably more, with access to the net, that were not working together.

To be honest I would be guessing from here, but I dare say between the resources they let people use, the mailing lists they advertise, probably lack of security and old computers, it would be hard to keep track.

Though I do intend to send this exact same email to george smith in that they may be able to keep a closer eye on what goes on. Remember this particular organisation is for people with H.I.V.

I could be wrong here, and there could be a select few that are just dirty rotten thieves like scammers are.

My wife has seen the interest I have taken here and sent me a fraud email asking for yahoo details, so I go to check it and I have a new spam email from the above party.

This may take a few goes, but at least I know how to do it.

YOU DONT GET NOTHING FOR NOTHING, AND IF YOU EXPECT TO GET SOMETHING ,YOU WILL END UP WITH NOTHING, PROBABLY LESS.
by GomerPyle Sun Jul 11, 2010 6:37 am
Though spam is very irritating, it's not something we deal with here so much simply because it is so widespread and difficult to combat, though it is possible. My isp allows me to set up mail boxes so that only specified e-mail addies can reach them, and my personal mail addies, using my name, have such protection and get no spam mail whatsoever.

Any mailbox you operate without such protection will get spam to a greater or lesser degree depending on what type of filters you apply. Many members here seek to attract scam mail to mailboxes set up specially for that purpose, and they usually also get a mountain of spam too, but I have filters set up that send them to trash, as it's just the scams I'm after.

Chasing after spammers is a difficult task and there are organisations already doing that job, and I'm happy to leave them to it. Meanwhile I just enjoy being able to empty my 'trash' and watching their junk evaporate as I go about frustrating scammers.

Non-EU citizens should go here to find out about obtaining a visa to work as an au pair in the UK
http://www.ukvisas.gov.uk/en/doineedvisa/
Whenever payment is requested by Western Union you're dealing with a scammer
