[amsat-bb] Re: Nigerian scam span purporting to be from W0SL

Phil Karn karn at ka9q.net
Sat Jun 29 01:42:24 PDT 2013

On 06/26/2013 03:31 PM, Roy wrote:
> Thanks Phil.  Yes, I'm not sure how it was done but the settings are
> correct in my PC.  AT&T has helped me to assign a new password to my
> account to shut this down.  They say it appears to have been hacked on
> the AT&T web mail site.

Interesting. I saw no actual evidence in the scam mail itself that your 
account had been hacked.

This particular message was sent through Yahoo's webmail service. Anyone 
could subscribe to the amsat-bb list and see who its contributors are, 
so they would know who to send the scam spam to.

(Wait -- does Yahoo provide service for swbell.net?)

Without cryptographic authentication it's easy to forge email from 
anyone; SPF helps somewhat but it's often not implemented and is 
frequently ignored even when it is. In this case I perused the headers 
myself and saw the IP address, which happens to be in 
Nigeria (look it up!)

It's somewhat trickier to intercept the replies. In this case they did 
it with a Reply-To: header to a fraudulent account (rdwelclh at yahoo.com) 
that'd be easy to miss if you weren't looking for it.

I had theorized that they did this because they hadn't actually gotten 
into your swbell.net account, but it's possible they did it anyway so 
that they'd still get any replies from victims after your account had 
been secured or shut down. It would take a little longer to get 
rdwelclh at yahoo.com shut down since it's at a different service provider.

More information about the AMSAT-BB mailing list