Cris Mooney
A Personal
Web Page: 

"Of course, that's just my opinion, and I may be full of shit"
- Dennis Miller -

Since this opinion was considered in great detail, it will be difficult to change my mind. However, it's not impossible. I am always open to reason. I welcome well-thought-out, logical responses.

Recorded Nov 20, 1999

Recognizing The Con
(opinion) 

Many new users to the Internet have questions about unsolicited email (SPAM). They want to know: "is this letter legitimate or not?" After 20 or so years of using email, I have developed a few skills in this area, and so I wrote this page to show how I would answer that question for a specific email. Following the train of thought given below, I can relatively quickly evaluate a message. Perhaps these techniques will be of value to you.

The following evaluation is of this email, a spam message I was shown recently.

Personally, I simply ignore almost all mail from someone I don't know unless the subject clearly indicates something I need. Something for nothing always goes in the trash, just like the stuff the US post office brings me. The letter in question here I might trash immediately. However, some letters might pique my interest and thus require greater investigation, and I will treat this message that way.

The only way to evaluate a letter like this is to pick it apart, detail by detail. There are a great number of resources for learning about this subject; here are some of the better ones I have found over the years:
Internet Fraud Watch
MMF Hall of Humiliation
What Is Spam?
Direct E-Mail Advertisers Association
Reading Mail Headers (AOL)
Reading Mail Headers (Symantec)
Hoaxes (the sky is falling)
Chain Letter Scams

I wrote these pages:

Fraudulent Sender (impersonation)
Hijacking Mail Delivery Systems
Chain Mail
Fighting Spam

Looking at the body of the letter from a content point of view:

1. No phone number is provided.
2. No way to learn more "anonymously" about the sender is provided. No web site, no company name, no organization name. They want my info before letting me investigate them.
3. They ask us not to reply to the "from" address of the mail, instead asking us to mail to some other random address.
4. It is a sales pitch looking for vulnerable individuals.
5. They make absurd promises; no one can make everyone happy. Some people can make some people happy, but they seem to offer a utopia. Last time I checked, that was not available.

All of these points stink of a con artist to me. There are plenty of valid organizations in the world; I can't imagine any reason to get involved with an organization that operates like this. Even if they are valid, if they operate like this they do not seem like the kind of people that could help anyone. I see no evidence that it has to do with porn, since the content of the letter doesn't contain material that I think would be appealing to potential sex customers. Nevertheless, I don't see anything to indicate it is something of legitimate value. I suspect it is a scheme to collect email addresses so they can send out more unsolicited advertisement. Or, perhaps, a way to find weak people that they can run some other con on.

But that is just a simple surface evaluation, no different from the evaluation anyone would do on any non-electronic solicitation. What can I learn as a technical geek?

What I can do is evaluate the header information:

>Return-Path: <future@thaimail.com>

This is where delivery errors should be sent. If the mail could not be delivered to you, because it was incorrectly addressed to a non-existent email name, mail computers are supposed to send an error message to this address. Is it valid? One check I can do is simply try to see if there is a web page. I type http://www.thaimail.com (using the last two words of what comes after "@") into my web browser. If nothing were found, it would not prove much (but would make me suspicious). However, in this case, it is a foreign web site. Why would someone in Pittsburgh send mail from a foreign internet service? Sounds to me like they are hiding something.

And why "future" as a name? Why not someone's name, or an organization title? Why this anonymity?

Strike one.

>Received: from rly-yc02.mx.aol.com (rly-yc02.mail.aol.com [172.18.149.34]) by
>          air-yc05.mail.aol.com (v62.10) with ESMTP; Sat, 30 Oct 1999
>          19:13:34 -0400

The "Received" entries are a listing, in reverse order, of how the mail was handled to get to you. The first entry is the computer handling the mail. A computer called "air-yc05.mail.aol.com" got the mail from a computer called "rly-yc02.mx.aol.com"; this last machine would be where your computer picked up the mail. In this case, two AOL machines are communicating (they names end in "aol.com")...this looks OK to me.

>Received: from green.alltel.com (green.alltel.com [198.133.100.5]) by
>          rly-yc02.mx.aol.com (v62.10) with ESMTP; Sat, 30 Oct 1999
>          19:13:20 -0400

The next entry says "rly-yc02.mx.aol.com" got the mail from "green.alltel.com". This is an intermediate delivery computer, which may be any computer on the internet. Since mail flows around the internet until it finds its destination, we can't really say this is good or bad, so I ignore it this time and look at the next entry.

>Received: from 210.161.155.2 (unverified) by green.alltel.com (Content
>         Technologies SMTPRS 2.0.15) with SMTP id
>          <B0005871541@green.alltel.com>; Sat, 30 Oct 1999 17:37:10
>          -0500

Since this is the last "Received" entry in the list, it tells us where the mail was "dropped in the mailbox" (it is VERY hard to fake this). It tells me a computer with identification (IP) number "210.161.155.2" originated the email. Every computer on the internet has such a four-part number; this number is dynamically assigned to your computer when you dial up your ISP (AOL in your case). So, this number tells us the specific computer that sent the email.

These numbers are similar to phone numbers. Though it is unfinished, I wrote a bunch about this on the page "http://www.paranetics.com/tech/config/route/".

Like phone numbers, IP numbers are grouped by area in the country...I just happen to know offhand that "210.161" is in the Pittsburgh area. But I can try to find out more; according to the info on my page, I reverse the number, append ".in-addr.arpa." and look up the "PTR" info using "DIG" at: Men And Mice. This is kind of like calling the operator.
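The header reading done by hand above (the "Received" chain in reverse order, and reversing the IP to build the ".in-addr.arpa." PTR name) can be made mechanical. This is an added Python example, not part of the original page: it unfolds the headers quoted above, lists the hops in delivery order, builds the PTR query name for the originating address (without doing the DNS lookup itself), and checks that each hop's "by" host is the next hop's "from" host and that the "Date" header falls before the first hop, the cross-check mentioned further down. The header text is copied from this page; the function names are my own.

```python
import re
from email.utils import parsedate_to_datetime
# Constructed sample: the Received and Date headers of the message discussed above, as folded there.
RAW_HEADERS = """\
Received: from rly-yc02.mx.aol.com (rly-yc02.mail.aol.com [172.18.149.34]) by
          air-yc05.mail.aol.com (v62.10) with ESMTP; Sat, 30 Oct 1999
          19:13:34 -0400
Received: from green.alltel.com (green.alltel.com [198.133.100.5]) by
          rly-yc02.mx.aol.com (v62.10) with ESMTP; Sat, 30 Oct 1999
          19:13:20 -0400
Received: from 210.161.155.2 (unverified) by green.alltel.com (Content
         Technologies SMTPRS 2.0.15) with SMTP id
          <B0005871541@green.alltel.com>; Sat, 30 Oct 1999 17:37:10
          -0500
Date: Sat, 30 Oct 1999 18:30:28 -0400 (EDT)
"""

HOP_RE = re.compile(r"^Received:\s+from\s+(\S+)\s*(\([^)]*\))?.*?\bby\s+(\S+).*;\s*(.+)$", re.I)

def unfold(raw):
    """Join folded continuation lines (those starting with whitespace) onto their header line."""
    return re.sub(r"\n[ \t]+", " ", raw).splitlines()

def parse_hops(raw):
    """Received hops in delivery order (origin first); the header itself lists them newest first."""
    hops = []
    for line in unfold(raw):
        m = HOP_RE.match(line)
        if m:
            hops.append({"from": m.group(1), "by": m.group(3),
                         "when": parsedate_to_datetime(m.group(4).strip()),
                         "unverified": "unverified" in (m.group(2) or "").lower()})
    return hops[::-1]

def ptr_name(ip):
    """Reverse the octets and append in-addr.arpa: the name whose PTR record names the host."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."

def chain_is_consistent(hops):
    """Each hop's 'by' host should be the next hop's 'from' host, with time never going backwards."""
    return all(a["by"].lower() == b["from"].lower() and a["when"] <= b["when"]
               for a, b in zip(hops, hops[1:]))

def summarize(raw):
    hops = parse_hops(raw)
    date = next(parsedate_to_datetime(l[5:].strip()) for l in unfold(raw) if l.startswith("Date:"))
    return {"origin": hops[0]["from"], "origin_unverified": hops[0]["unverified"],
            "ptr_query": ptr_name(hops[0]["from"]), "chain_ok": chain_is_consistent(hops),
            "date_before_first_hop": date <= hops[0]["when"]}
```

A gap in the chain (a "by" host that no later hop claims to have received from) is the thing to look for; a clean chain, as here, only tells you the last hop before the relay is the one to ask about.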

Specifically, I find this is an unnamed computer belonging to "dst01.pc-webzine.co.jp.". Strange, it ends in "jp", which is for Japan. Why is a company in Pittsburgh using a "JP" Japanese name for their company? And why is the email sender using such a bizarre company to send email? But let's look a bit further. I am going to try "http://www.co.jp" (using the last two words of the computer name). Interesting: it comes up with a web page that is empty. Why don't they identify themselves? What are they hiding from?

Since it is an unnamed computer, I suspect it is one that dialed in to the "CO.JP" ISP service. If that is the case, it should have given the mail to "CO.JP"'s email delivery computer. Instead, it gave it straight to another company's computer, "green.alltel.com". Why? I look, and "http://www.alltel.com/" looks like a valid company. However, I wonder why their mail delivery system accepted email from "210.161.155.2". This is known as "relay", and one would prefer that Alltel not relay email from random individuals. Spam artists rely on this sort of opening to "hijack" a mail delivery system to send out their spam for free. Since my mail server has been hijacked a number of times, I wrote a page about it: "http://www.ramcharger.com/spam/".

If we wanted to go all the way, it is possible that if we contacted the owner of "http://www.co.jp" they could examine logs and see who was assigned the number 210.161.155.2 on Sat, 30 Oct 1999 17:37:10 -0500. They might not be so accommodating, or they might not keep such records. Too much work for this harmless letter.

Strike two.

>Message-Id: <yPuzi4M9ydTRi.ra1w77UYNZTJJ@210.161.155.2>

The Message ID looks like a valid ID; nothing strange here. Every email message on the Internet should have one, and this looks normal. If we wanted to go all the way, it is possible that if we contacted "http://www.co.jp" they could examine logs and see who gave them the mail to deliver. They might not be so accommodating, or they might not keep such records. Too much work for this harmless letter.

>From: "future@thaimail.com" <future@thaimail.com>

This is used to indicate who sent the email, and it is where a reply would normally go. If you used the "reply" option in your email program, the reply would be addressed here. We have already investigated this address, and are still concerned as to why they don't want us to reply there (as stated in the letter).

>Reply-to:

This is an alternate address to reply to. Why didn't they use this if they wanted us to reply elsewhere? Why tell us to make a new message to another email address? This continues to indicate they are hiding.

>Subject: Scared? Confused? Lonely? lost? (25735)

Other than being a standard "con artist" type sales pitch that would tend to gather vulnerable individuals, this also contains a bizarre number. Why? This would usually be your ID number in their database. All the better to track you with, my dear. It looks like they have info in a database and are attempting to gather more info about the recipient. They want you to send this ID back with the email, so they can cross-reference you with other records they may have. No thanks...not with a sender that is questionable.

Strike three.

>Date: Sat, 30 Oct 1999 18:30:28 -0400 (EDT)

This date is very old. If you did not get the mail about 20 days ago, I would be suspicious of this. However, it is quite possible you got the mail this long ago, and it cross-references with the dates in the "Received" delivery tracking above. I see no problem here.

>MIME-Version: 1.0
>Content-Type: TEXT/PLAIN; charset="US-ASCII"
>Content-Transfer-Encoding: 7bit
>To: undisclosed-recipients:;

All the rest of the headers look normal. And I've already commented on the content of the message enough, with the exception of the last lines...

>**********************
>19300

Another strange number at the end. I suspect more tracking information. Continues to make me think they are trying to track me. I don't like that.

All in all, the message's origin is suspect. While I don't see any concrete telltale signs that it was forged (someone other than future@thaimail.com sending it and impersonating future@thaimail.com), I don't see any reason to care if it is forged. The information is anonymous, and highly "con artist" in origin. Personally, I would think one would do better to contact a reputable organization, perhaps one's own church.

More constructively, one might search the internet for "support groups pittsburgh", or something like that, and see if one can find an organization to investigate before giving them information about oneself. With a couple of hours of investigation one would probably have dozens of options, all more promising than this one. If one is not willing to invest that much time, then one is likely to get what one paid for.