[amsat-bb] Re: Nigerian scam span purporting to be from W0SL

Roy rdwelch at swbell.net
Wed Jun 26 15:31:35 PDT 2013


Thanks Phil.  Yes, I'm not sure how it was done but the settings are 
correct in my PC.  AT&T has helped me to assign a new password to my 
account to shut this down.  They say it appears to have been hacked on 
the AT&T web mail site.  We too noticed the Reply To address change.  I 
suspected something when I had no incoming mail.  It appears that any,
not just replies to me, were going to that hacked address. The only thing
I can think of is that AT&T net mail was changing to a new setup.  We 
were all notified that by June 30, all accounts would have to migrate to 
the new ATT.net/mail arrangement.  Subsequently I received a message 
offering the opportunity to proceed with my migration.  I did that and 
was surprised when they asked me to log in again.  Right there I gave
someone my login info.  They were then able to log in to my web mail site
and access the address book there.  I am going to delete the address 
book there since I am not on the road much anymore. With the changed 
password, the hacker can no longer log in to my account.  My apologies
to all who got that message.  I have seen it before, coming from other 
people over the months.

73, Roy -- W0SL

R/D/Gd/Ggd

On 6/26/2013 11:05 PM, Phil Karn wrote:
> Today I got a scam email purporting to be from Roy Welch, W0SL, asking 
> for an emergency loan. If I got it, I suspect many others on amsat-bb 
> got it too.
>
> The originating IP address is in Nigeria. Where else?
>
> I've seen this exact scam before. In those cases someone had stolen 
> the password of the person they were pretending to be.
>
> I don't think that happened here. The "From" address was his correct 
> email account 'rdwelch at swbell.net' but the Reply-To: address was 
> 'rdwelclh at yahoo.com'. Note the extra 'l'.
>
> I think the scammers created this second account on Yahoo and used it 
> to send the scam email, forging Roy's address in the from field. Any 
> reply would, of course, go to the scammer's address on Yahoo and many 
> people might not notice the subtle change.
>
> swbell.net has no SPF (Sender Policy Framework) records in the Domain 
> Name System to indicate to the rest of the Internet which IP addresses 
> may legitimately originate email from that domain, so recipient 
> systems cannot easily detect forgeries.
>
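
Added example, not part of either message above: the From/Reply-To mismatch described in the quoted reply, written as a mail-filter heuristic in Python. The sample message, its addresses and all function names are constructed for illustration; has_spf() takes TXT records that were already fetched from DNS, so the block runs offline.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: Reply-To differs from From by one inserted letter and the domain.
SAMPLE = """\
From: J Smith <jsmith@example.net>
Reply-To: jsmiith@example.com
Subject: Urgent help needed

(body omitted)
"""

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_addr(header_value):
    """Return (local_part, domain), lower-cased, from an address header."""
    addr = parseaddr(header_value or "")[1].lower()
    local, _, domain = addr.partition("@")
    return local, domain

def reply_to_findings(raw_message, max_distance=2):
    """Flag a Reply-To that diverts replies away from the From address."""
    msg = message_from_string(raw_message)
    f_local, f_domain = split_addr(msg["From"])
    r_local, r_domain = split_addr(msg["Reply-To"])
    findings = []
    if not r_domain or (f_local, f_domain) == (r_local, r_domain):
        return findings  # no Reply-To, or it matches From exactly
    if f_domain != r_domain:
        findings.append("reply-to-domain-differs")
    if 0 < edit_distance(f_local, r_local) <= max_distance:
        findings.append("reply-to-lookalike-local-part")
    return findings

def has_spf(txt_records):
    """True if any of the domain's TXT records is an SPF policy (RFC 7208)."""
    return any(t.lower().split()[:1] == ["v=spf1"] for t in txt_records)

if __name__ == "__main__":
    print(reply_to_findings(SAMPLE), has_spf([]))
```

A different Reply-To domain is common in legitimate list and bulk mail, so on its own it is a weak signal; it is the combination with a near-identical local part that matches the forgery pattern described in the reply.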


