But let's get back to the headers. So I view the full headers and I immediately see the email came from an IP owned by celtusdigital.com. I Google it. I *don't* go to it. I just Google it. It's not in English and it's a Joomla site (like WordPress), so now I'm guessing the owner doesn't even know the scammer hacked into their site and is using it to send out massive amounts of spam.
Interestingly, the line with X-PHP is more revealing. It is the scammer software script this cockroach used to send out the massive amounts of spam, and the IP number for that sourced to Gambia, Africa. That is probably where the scammer is sitting.
David Williams (or Lin Williams or Rose Williams or Terry Williams - you get the picture) is a common fake name lots of scammers use, and the Gmail account to correspond with their potential victims who do reply is a disposable Gmail account.
By the time I look at the actual content of the email and where they pretend they are from, it's all already so obvious that it's all made up.
Return-path: [revistap@celt.celtusdigital.com]
Received: from 184.172.246.156-static.reverse.softlayer.com ([184.172.246.156]:38106 helo=celt.celtusdigital.com)
X-PHP-Script: www.revistapikabu.com.mx/mail.php for 41.76.9.170, 41.76.8.4 (The Gambia, Africa)
Subject: Order Quote
From: David Williams [bquality.venture@gmail.com]
Hi Sir/Madam,
We are requesting pricing for the items mentioned below through your store, kindly get back to us if any of this items can be supply as soon as possible also advice on your payment methods.
Item:
1) USB Flash Drives 2 / 4 GB
2) Mirco SD CARDS 1 GB
3) HEW C9730A HP OEM Black Laser Toner Cartridge
We look forward to read from you soon.
Best Regards
David Williams
234n Palm Ave,
Hemet,CA 92543
818 358-0535
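The header reading described above can be scripted. This is an added example, not part of the original post: it pulls the relay IP from Received, the script and client addresses from X-PHP-Script, and compares the Return-path and From domains. The sample is the header block quoted above, with angle brackets assumed where the page shows square ones and the location note dropped; `triage` is a hypothetical name.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header lines copied from the message quoted above. Assumptions: square
# brackets around addresses are written as angle brackets, and the
# "(The Gambia, Africa)" location note is left out.
SAMPLE = """\
Return-path: <revistap@celt.celtusdigital.com>
Received: from 184.172.246.156-static.reverse.softlayer.com ([184.172.246.156]:38106 helo=celt.celtusdigital.com)
X-PHP-Script: www.revistapikabu.com.mx/mail.php for 41.76.9.170, 41.76.8.4
Subject: Order Quote
From: David Williams <bquality.venture@gmail.com>

Hi Sir/Madam,
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def triage(raw):
    """Extract the header fields the post relies on (hypothetical helper)."""
    msg = message_from_string(raw)
    out = {"relay_ips": [], "script": None, "client_ips": []}

    # The bracketed literal in Received is the address the receiving server
    # recorded for the connecting host; the name before it is only a lookup.
    for hop in msg.get_all("Received", []):
        out["relay_ips"] += re.findall(r"\[(" + IPV4 + r")\]", hop)

    # X-PHP-Script as shown on the page: "<host/script> for <ip>, <ip>".
    php = msg.get("X-PHP-Script")
    if php:
        script, _, clients = php.partition(" for ")
        out["script"] = script.strip()
        out["client_ips"] = re.findall(IPV4, clients)

    # Envelope sender vs. visible From: different domains mean replies go
    # somewhere other than where the mail was sent from.
    env = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    frm = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    out["envelope_domain"], out["from_domain"] = env, frm
    out["domain_mismatch"] = bool(env and frm and env != frm)
    return out


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```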
Kathleen I just want to say thanks to your site I've been saved. Really nice work and well articulated.
Great Job