[amsat-bb] Re: Nigerian scam span purporting to be from W0SL
rdwelch at swbell.net
Wed Jun 26 15:31:35 PDT 2013
Thanks Phil. Yes, I'm not sure how it was done but the settings are
correct in my PC. AT&T has helped me to assign a new password to my
account to shut this down. They say it appears to have been hacked on
the AT&T web mail site. We too noticed the Reply To address change. I
suspected something when I had no incoming mail. It appears that any,
not just replies to me were going to that hacked address. The only thing
I can think of is that AT&T net mail was changing to a new setup. We
were all notified that by June 30, all accounts would have to migrate to
the new ATT.net/mail arrangement. Subsequently I received a message
offering the opportunity to proceed with my migration. I did that and
was surprised when they asked me to login again. Right there I gave
someone my login info. They were then able to login to my web mail site
and access the address book there. I am going to delete the address
book there since I am not on the road much anymore. With the changed
password, the hacker can no longer login into my account. My apologies
to all who got that message. I have seen it before, coming from other
people over the months.
73, Roy -- W0SL
On 6/26/2013 11:05 PM, Phil Karn wrote:
> Today I got a scam email purporting to be from Roy Welch, W0SL, asking
> for an emergency loan. If I got it, I suspect many others on amsat-bb
> got it too.
> The originating IP address is in Nigeria. Where else?
> I've seen this exact scam before. In those cases someone had stolen
> the password of the person they were pretending to be.
> I don't think that happened here. The "From" address was his correct
> email account 'rdwelch at swbell.net' but the Reply-To: address was
> 'rdwelclh at yahoo.com'. Note the extra 'l'.
> I think the scammers created this second account on Yahoo and used it
> to send the scam email, forging Roy's address in the from field. Any
> reply would, of course, go to the scammer's address on Yahoo and many
> people might not notice the subtle change.
> swbell.net has no SPF (Sender Policy Framework) records in the Domain
> Name System to indicate to the rest of the Internet which IP addresses
> may legitimately originate email from that domain, so recipient
> systems cannot easily detect forgeries.
More information about the AMSAT-BB