Categories
Comments n Critics Internet Web Trends

There is more to than meets the eye

This is a straightforward money mule pitch, so nothing very interesting in the message itself..

 
From: james roberts
Reply-to: james.roberts@sify.com
Date: 24 August 2010 13:13
subject: JOB OFFER:APPLY IF YOU ARE INTERESTED.
   

  Hello,
      
        My name is JAMES ROBERTS , a designer also the Manager of JAMES ROBERTS FABRIC and Consultant live and work here in United Kingdom,will you like to work online from home and get paid without affecting your present job?
          
        Actually I need a representative who can be working for the company as online book-keeper. We make lots of supplies to some of our clients in the USA/CANADA/EUROPE, for which I do come to USA/CANADA/EUROPE to receive payment and have it cashed after I supply them raw materials. It’s always too expensive and stressful for me to come down and receive such payment twice in a month so I therefore decided to contact you.
      
        I am willing to  pay you 10% for every payment receive by you from our clients who makes payment through you.   Please note you don’t have to be a book keeper to apply for the job.
      
        Kindly get back to me as soon as possible if you are interested in this job offer with your details:
      
        FULL NAMES……………….
        ADDRESS ………………
        STATE………………
        ZIPCODE…………….
        COUNTRY…………….
        PHONE NUMBER(S)……..
        GENDER……………..
        AGE………………..
        OCCUPATION………….
          
        Yours Faithfully,
     
        JAMES ROBERTS

But the headers tell an interesting story..

Received: from mail.pna.ps ([213.244.123.84])
    by ********** with esmtp (Exim 4.69)
    id 1Onsd0-0004Yt-Jc
    for **********; Tue, 24 Aug 2010 13:29:22 +0100
Received: from User (unknown [60.18.167.17])
    by mail.pna.ps (Postfix) with ESMTPA id ED6A94476F;
    Tue, 24 Aug 2010 15:12:09 +0300 (IDT)

You can only really trust the last hop before it hits your mail server (in truth, not always then either). That IP is 213.244.123.84 which is indeed mail.pna.ps.

So what the heck is .ps? Well, it turns out to be the TLD for Palestine, and the PNA is the Palestinian National Authority, with servers that look to be based in Ramallah on the West Bank.  So, it looks like the PNA mail servers are either insecure or compromised.

Did you even know that Palestine had a TLD of its own? I didn’t.. so I guess this spam has tought me something!

'Coz sharing is caring