Example of fake winning notification email:
CONGRATULATIONS!!!!
FROM:THE DESK OF THE VICE PRESIDENT.
PROMOTIONS/PRIZE AWARD DEPT.
MADRID,ESPAÑA.
BATCH NO: PTP/8573421009//7765
REF. NO: PTP/79065-07855//7765
WINNING NOTIFICATION / FINAL
NOTICE...CONGRATULATIONS!!!!
This is to inform you of the release of EUROMILLONES SPANISH
SWEEPSTAKES LOTTERY/INTERNATIONAL PROGRAM held
on the 24TH of NOVEMBER, 2004. Due to the mix up of
number,the results were released on the 26th of
NOVEMBER 2004. Your email attached to ticket number
20/39/45/75/ with serial number 6954398765 drew the
lucky numbers of 30-56-73-46-23 which consequently won
the lottery in the 1st category.
You have therefore been approved for a lump sum payout
Of (1,000,000.00) One million euros only in cash.
Due to mix up of some numbers and names, we ask that
You keep your winning information confidential until
your claims has been processed and your money remitted
to you. This is part of our security protocol to avoid
double claiming and unwarranted abuse of this program
by some participants.
All participants were selected through a computer
ballot system drawn from only Microsoft users from
over 20,000.00 companies and 3,000,000 individual
email addresses and names from all over the world. To
begin your lottery claim, please contact our agent
below that have been appointed for the processing of
your claim with the email address below, to begin the
processing of your claim:
CONTACT NAME: MARTINS ALBERTO
AGENT:ONXY FINANCE AND SECURITY S.A
CITY/ COUNTRY: MADRID,SPAIN
FREE SERVICE NUMBER: 0034 618-157-904
EMAIL: onxyfinance2@netscape.net
Note that all winning must be claimed not later than
24th of December 2004. After this date all unclaimed
funds will be included in the next stake. Please note
in order to avoid unnecessary delays and Complications
please remember to quote your reference number and
batch numbers in all correspondence. Furthermore,
should there be any change of address do inform our
agent as soon as possible.
Congratulations once more from our members of staff
and thank you for being part of our promotional
program.
Note: Anybody under the age of 18 is automatically
disqualified.
Yours Sincerely,
MRS.Z. PEREZ
This email was sent from Spain: 12.red-83-38-214.pooles.rima-tde.net [83.38.214.12] on Wed, 08 Dec 2004 12:43:35 +0100
inetnum: 83.37.0.0 - 83.39.255.255
netname: RIMA
descr: TELEFONICA DE ESPANA
descr: Provider Local Registry
country: ES
admin-c: AFG2-RIPE
admin-c: JB986-RIPE
tech-c: FLT14-RIPE
tech-c: FSB3-RIPE
status: ASSIGNED PA
notify: adminis.ripe@telefonica.es
remarks: ***************************************************
remarks: For ABUSE/SPAM/INTRUSION issues
remarks: PLEASE CONTACT THROUGH LINK
remarks: http://www.telefonicaonline.com/nemesys/
remarks: or send mail to nemesys@telefonica.es
remarks: any mail to adminis.ripe@telefonica.es will be ignored
remarks: ***************************************************
Example of response from fake security company:
Thank you for your response, Please find application form attached, endeavor to fill-in the apprioprate info and return it as soon as possible by fax.
Alternatively you can also send it via email attachement if you find it difficult to get through our fax.
Also endeavor to notifiy us by email as soon as the fax is sent to our office to avoid any delay.
Await your prompt response and acknowledgement.
Best regards,
MARTINS ALBERTO
The "claim application form", a Microsoft Word document named "Claim Application Form Doc.B2.doc" that accompanied this email lists "ARAB & CO." as the company and "ARAB" as the author, the same as in the "CITY TRUST LOTTERY". It was last saved by someone logged in as "Quaisar". Another Word document emailed to the same person was called "CERT. OF DEPOSIT 2.doc", with a company name of "Cibernet" and an author "x". It was last saved by a user logged in as "Naeem".
Are these deliberate acts to lay a false trail, or does this scam maybe involve Moroccans or other Arabs living in Spain? We don't know yet.
Here were the message headers:
Received: from netscape.net (mow-d26.webmail.aol.com [205.188.139.167])
by air-in04.mx.aol.com (v103.7) with ESMTP id MAILININ43-589a41c2d8c821;
Fri, 17 Dec 2004 08:02:00 -0500
Date: Fri, 17 Dec 2004 08:02:00 -0500
From: onxyfinance2@netscape.net
To: emailaddress ("FIRSTNAME LASTNAME")
Subject: Re:CLAIM FORM ATTACHED
MIME-Version: 1.0
Message-ID: <416AB002.202E26C4.94774544@netscape.net>
X-Mailer: Atlas Mailer 2.0
X-AOL-IP: 212.145.113.203
X-AOL-Language: english
Content-Type: multipart/mixed; boundary=-------418341da2046b89c418341da2046b89c
Content-Transfer-Encoding: 8bit
This indicated the email was sent from 212.145.113.203 in Spain:
inetnum: 212.145.0.0 - 212.145.127.255
netname: IPCOM-NET
descr: Infraestructura Red y Servicios IP
descr: Comunitel Global S.A.
country: ES
admin-c: MV1331-RIPE
tech-c: TLM1-RIPE
status: ASSIGNED PA
mnt-by: COMUNITEL-MNT
changed: tlestayo@comunitel.es 20000531
source: RIPE
route: 212.145.112.0/23
descr: Comunitel Global PA Block
origin: AS12357
mnt-by: COMUNITEL-MNT
changed: tlestayo@comunitel.es 20041007
source: RIPE
person: Monica Vales
address: COMUNITEL GLOBAL S.A.
address: Consorcio de la Zona Franca
address: Area Portuaria de Bouzas
address: 36208 VIGO (PONTEVEDRA)
address: SPAIN
phone: +34 986 21 40 44
fax-no: +34 986 21 40 41
e-mail: mvales@comunitel.es
nic-hdl: MV1331-RIPE
changed: lpozo@comunitel.es 19990215
source: RIPE
person: Tomas Lestayo Martinez
address: Avenida de Manoteras, nº 44
address: 4ª planta, módulo D
address: 08039 ESPAÑA
phone: +34 91 2963321
fax-no: +34 91 2963310
e-mail: tlestayo@comunitel.es
nic-hdl: TLM1-RIPE
notify: dominios@comunitel.es
mnt-by: COMUNITEL-MNT
changed: aceide@comunitel.es 20020416
source: RIPE