My Encounter With A CraigsList Scammer

It was a dark and dreary day in Johnstown. I sit in my cubicle, soaking wet from my recent trek to the doctor's office. I notice that my GMail tab in Firefox shows 1 new message, so I go and see that it's a reply to a post I made on CraigsList trying to sell one of my camera lenses. I open the email and read this:
Hello, I'm interested in your item. I will like to know if it's still available for sale. If yes, let me know the price including next day delivery to Boise, ID. Payment will be by paypal. Thanks, Alan

The email was from Generic Stores <email@example.com>. This immediately tripped my brain's scam sensor for a couple reasons:
- The name is Generic Stores
- The domain is googlemail.com instead of gmail.com
- Even though googlemail.com is valid for GMail, no one uses it
Alan, The lens costs $100 and is still available. I will have to calculate the next day shipping charges and get back to you. Let me know if this is ok. Kevin

His reply was actually good. It was clear that this was an actual human and not some bot. So, continuing to give this person the benefit of the doubt, we work out how much next day shipping would cost and I sent him a money request from Paypal. Within minutes, I get this email in my inbox:
Now, at the time of me receiving this email, I was at the chiropractor so I was working off of my phone. And even on a large screen, this email looks dead on. This guy took his time. My mail client even showed firstname.lastname@example.org as the sender. Ok, I'm a little more convinced. But, I'm not completely convinced. I called PayPal support and asked them to confirm that the payment was made. They said that it was not. So I emailed "Alan" back, told him that the payment wasn't made yet, and asked him to make the payment before I ship the lens.
Twice we go back and forth with him saying I should have the confirmation email in my inbox and me saying it's not there. Some time passed; I ate supper with my family and finally made my way home. I got on my desktop, opened the email, and checked out the headers:
Delivered-To: email@example.com
Received: by 10.239.137.203 with SMTP id m11cs319458hbm;
    Fri, 28 Aug 2009 13:41:36 -0700 (PDT)
Received: by 10.216.88.195 with SMTP id a45mr308148wef.63.1251492095950;
    Fri, 28 Aug 2009 13:41:35 -0700 (PDT)
Received-SPF: softfail (google.com: best guess record for domain of transitioning firstname.lastname@example.org does not designate 18.104.22.168 as permitted sender) client-ip=22.214.171.124;
Received: by 10.16.169.4 with POP3 id r4mf239349gve.29;
    Fri, 28 Aug 2009 13:41:35 -0700 (PDT)
X-Gmail-Fetch-Info: email@example.com 1 mail.kevinslonka.com 110 firstname.lastname@example.org
Return-Path: <email@example.com>
Delivered-To: firstname.lastname@example.org
Received: (qmail 15233 invoked from network); 28 Aug 2009 20:31:14 -0000
Received: from unknown (HELO WM40.inbox.com) (126.96.36.199)
    by ns108.webmasters.com with SMTP; Fri, 28 Aug 2009 16:31:14 -0400
Received: from inbox.com (127.0.0.1:25) by inbox.com with [InBox.Com SMTP Server]
    id <908281231004.WM40> for <email@example.com> from <firstname.lastname@example.org>;
    Fri, 28 Aug 2009 12:31:45 PM -0800
Mime-Version: 1.0
Date: Fri, 28 Aug 2009 12:31:45 -0800
Message-ID: <5F2A3E70EEA.00000C24paymentnotice@inbox.com>
From: "email@example.com" <firstname.lastname@example.org>
Subject: ***NOTIFICATION OF AN INSTANT PAYMENT***
To: email@example.com
X-Mailer: INBOX.COM
X-Originating-IP: 188.8.131.52
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-IWM-ACU: MR-7yYx1yRdosBKTpvAluOAVEzbaUnc_WhS_LjuXXOvJEqIBVG7qLpNhwDIy
    SsuRxpIIx9qiYAJ43EfZftHUlYfd1c75os1Zr7xuzb8gMW5dxnCER327b4d1
    w-QL7WeFMZMGQFzL4z7ljvzI@

So, I was looking for where this message originated. If this was a real email from PayPal saying that the payment was sent, the first (bottom-most) "Received" line in the headers should be a PayPal email server. This email came from a loopback address, which is impossible:
Received: from inbox.com (127.0.0.1:25)

Since I didn't think that looked right, I looked for the next server in the loop:
Received: from unknown (HELO WM40.inbox.com) (184.108.40.206)

So this guy didn't cover his tracks well at all. It's obvious that the email did NOT originate from PayPal, but from inbox.com, which I have never heard of before. It was at this point that I was 100% sure this entire charade was a scam and I sent "Alan" this email:
Now that I am in front of a real computer, I checked out the "confirmation" that was sent and verified that you spoofed it. The email originated at:

Received: from unknown (HELO WM40.inbox.com) (220.127.116.11)

Not Paypal's email servers. Thanks for playing. Go fuck yourself.

Here's the lesson. If I weren't a "computer guy" who understands how email works, I would have been fooled by this. Everything looked 100% legit. If you're dealing with selling an item through CraigsList to someone who is not local, be careful. If you have any thoughts that something might be wrong, find someone who knows what they're doing to examine the emails.
NOTE: Yes, the footer of the "confirmation" email telling me to get 5GB of email from inbox.com should have given it away that it was a scam, however I was on my phone at the time and didn't see that. If you get these emails on your computer, look at the entire message for odd things like this.
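
The header check walked through above can be scripted. The following is an added example, not code from the original post: it parses the Received chain, finds the hop recorded by the recipient's own mail server, and compares the connecting host with the domain in the From line. The sample headers are constructed (placeholder addresses and documentation IPs, modelled on the ones shown above), and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers above; addresses and IPs are placeholders.
SAMPLE = """\
Received-SPF: softfail (google.com: domain of service@paypal.com does not designate 192.0.2.10 as permitted sender) client-ip=192.0.2.10;
Received: by 10.0.0.1 with POP3 id abc123; Fri, 28 Aug 2009 13:41:35 -0700 (PDT)
Received: from unknown (HELO WM40.inbox.com) (192.0.2.10)
  by ns108.webmasters.com with SMTP; Fri, 28 Aug 2009 16:31:14 -0400
Received: from inbox.com (127.0.0.1:25) by inbox.com
  with [InBox.Com SMTP Server]; Fri, 28 Aug 2009 12:31:45 -0800
From: "service@paypal.com" <service@paypal.com>
Subject: ***NOTIFICATION OF AN INSTANT PAYMENT***

"""

HOP = re.compile(r"from\s+(?P<frm>\S+)(?:\s+\(HELO\s+(?P<helo>[^)\s]+)\))?"
                 r"(?:\s+\((?P<ip>[\d.]+)[:)])?.*?\bby\s+(?P<by>\S+)")

def hops(msg):
    """Parsed Received hops, oldest first; hops with no 'from ... by' pair are skipped."""
    out = []
    for raw in reversed(msg.get_all("Received", [])):
        m = HOP.search(" ".join(raw.split()))  # unfold continuation lines
        if m:
            out.append(m.groupdict())
    return out

def in_domain(host, domain):
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def check_sender(raw, trusted_by):
    """Compare the From domain with the host that handed the mail to our own server."""
    msg = message_from_string(raw)
    claimed = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Only the hop written by a server we control is evidence; older hops were
    # supplied by the sending side. The HELO name is self-declared, so peer_ip
    # is the value to confirm with reverse DNS or the SPF result.
    edge = next((h for h in hops(msg) if in_domain(h["by"], trusted_by)), None)
    peer = (edge["helo"] or edge["frm"]) if edge else None
    spf = (msg.get("Received-SPF") or "none").split()[0].lower()
    return {"claimed": claimed, "peer": peer, "peer_ip": edge and edge["ip"],
            "spf": spf,
            "mismatch": edge is not None and not in_domain(peer, claimed)}
```

Calling `check_sender(SAMPLE, "webmasters.com")` reports the From domain, the host that connected to the recipient's server, the SPF verdict, and whether the two domains disagree.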