, and

Here are some messages from Amy of, another CraigsSecure scam site that was just created a few days ago. This is yet another fake verification site that asks you for your credit card information and uses it to sign you up for the porn site If you look at the page source for, you will see that all it does is use a frame to get content from another site, Scammers often use multiple domains for a scam site in this way.

Yes I am an actual person. haha. I hope you are too.

I just wanted to say I’m not interested in any long term commitments, just some sexual activity with a capable person.

Here is a picture. I hope you like it. I would prefer not to share too much information that is personal until I get to know you. I hope you understand. Explain more about yourself..

Hi, glad to see you replied.

Here’s additional information on me, I’m completely clean. you have to be also, protection is required.

you can find me on my page, since I don’t want the risk of some body I know to see my email with all of this stuff. This is my personal page:

Hit me up with a private message saying when you’re free, and if you want to get to know eachother better at your place or my place, or in another place you have in mind. The site will require login and needs your credit card to verify you are legal. Well, speak with you today I hope once I get back

Let’s look at the headers for the second message. Here they are, with the recipient’s name and email address removed. Look at the parts that are highlighted.

Delivered-To: *****
Received: by with SMTP id h1cs217972ybd;
Thu, 28 Apr 2011 07:33:39 -0700 (PDT)
Received: by with SMTP id o45mr4437364yhm.330.1304001219652;
Thu, 28 Apr 2011 07:33:39 -0700 (PDT)
Received: from ( [])
by with ESMTPS id 22si6055883yhl.249.2011.
(version=TLSv1/SSLv3 cipher=OTHER);
Thu, 28 Apr 2011 07:33:39 -0700 (PDT)

Received-SPF: neutral ( is neither permitted nor denied by domain of client-ip=;
Authentication-Results:; spf=neutral ( is neither permitted nor denied by domain of
Received: from [] (port=1512 helo=zap-server)
by with esmtpa (Exim 4.69)
(envelope-from )
id 1QFSHi-0004Xi-9u
for *****; Thu, 28 Apr 2011 09:33:38 -0500

MIME-Version: 1.0
Date: Thu, 28 Apr 2011 07:33:10 -0700
X-Priority: 3 (Normal)
Subject: *****
From: “amy”
To: “*****”
Content-Type: multipart/alternative;
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname –
X-AntiAbuse: Original Domain –
X-AntiAbuse: Originator/Caller UID/GID – [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain –
X-Source-Sender: (zap-server) []:1512

The sections highlighted in red and blue are the “Received:” headers. These headers, along with the “X-” headers at the bottom are the most useful ones for determining who actually sent the message. They show the various servers and email accounts that were used for sending it. Even though the sender’s address is a Gmail address, the message was routed through two other servers before it got to the Gmail server.

The “Received:” headers should be read from bottom to top. The first of them, highlighted in blue, shows that the message was first sent from a machine with the IP address to Above this we have an “Authentication-Results:” header and a “Received-SPF:” header, neither of which concern us. The second of the “Received:” headers, highlighted in red, shows that the message was then sent from (IP to So the scammer routed the message through two machines before it was received by Gmail.

Now that we know the IP addresses of the servers that were used for sending this message, we can look up the ISPs for those servers and send them complaints. A good site for looking up this information is (Note: The site CQCounter is picky about this URL. It requires that you include that very last slash in the URL, otherwise it can’t find the page.)

Using this site, we see that the ISP for is and that the ISP for ( is The email addresses to which you should send complaints then are and

UPDATE 5/18/11
Someone has reported another site being used for this scam: Just like, loads its content from in a frame. The ISP for is Netelligent. If you receive a scam email asking you to visit this site, then send a complaint to Also send a complaint to the ISP that was used for sending you the scam email. To learn how to do this, read our instructions on sending complaints to ISPs..

UPDATE 5/10/11 is also being used for the scam. It loads its contents from, just like the other sites mentioned.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: