Cooldates.org, Safebootycall.org and Safergirls.org

Here are some messages from Amy of Cooldates.org, another CraigsSecure scam site that was just created a few days ago. This is yet another fake verification site that asks you for your credit card information and uses it to sign you up for the porn site SexxxxMatch.com. If you look at the page source for Cooldates.org, you will see that all it does is use a frame to get content from another site, Safergirls.org. Scammers often use multiple domains for a scam site in this way.

Yes I am an actual person. haha. I hope you are too.

I just wanted to say I’m not interested in any long term commitments, just some sexual activity with a capable person.

Here is a picture. I hope you like it. I would prefer not to share too much information that is personal until I get to know you. I hope you understand. Explain more about yourself..

Hi, glad to see you replied.

Here’s additional information on me, I’m completely clean. you have to be also, protection is required.

you can find me on my page, since I don’t want the risk of some body I know to see my email with all of this stuff. This is my personal page: http://www.cooldates.org

Hit me up with a private message saying when you’re free, and if you want to get to know eachother better at your place or my place, or in another place you have in mind. The site will require login and needs your credit card to verify you are legal. Well, speak with you today I hope once I get back

Let’s look at the headers for the second message. Here they are, with the recipient’s name and email address removed. Look at the parts that are highlighted.

Delivered-To: *****
Received: by 10.150.134.1 with SMTP id h1cs217972ybd;
    Thu, 28 Apr 2011 07:33:39 -0700 (PDT)
Received: by 10.236.182.197 with SMTP id o45mr4437364yhm.330.1304001219652;
    Thu, 28 Apr 2011 07:33:39 -0700 (PDT)
Return-Path:
Received: from tiguan.websitewelcome.com (tiguan.websitewelcome.com [174.120.5.66])
    by mx.google.com with ESMTPS id 22si6055883yhl.249.2011.04.28.07.33.39
    (version=TLSv1/SSLv3 cipher=OTHER);
    Thu, 28 Apr 2011 07:33:39 -0700 (PDT)

Received-SPF: neutral (google.com: 174.120.5.66 is neither permitted nor denied by domain of amy.lewis2333@gmail.com) client-ip=174.120.5.66;
Authentication-Results: mx.google.com; spf=neutral (google.com: 174.120.5.66 is neither permitted nor denied by domain of amy.lewis2333@gmail.com) smtp.mail=amy.lewis2333@gmail.com
Received: from [74.117.59.214] (port=1512 helo=zap-server)
    by tiguan.websitewelcome.com with esmtpa (Exim 4.69)
    (envelope-from )
    id 1QFSHi-0004Xi-9u
    for *****; Thu, 28 Apr 2011 09:33:38 -0500

MIME-Version: 1.0
Date: Thu, 28 Apr 2011 07:33:10 -0700
Message-ID:
X-Priority: 3 (Normal)
Subject: *****
Reply-To: amy.lewis2333@gmail.com
From: "amy"
To: "*****"
Content-Type: multipart/alternative;
    boundary="-----_chilkat_46d_7fe4_005a4654.a044ceca_.ALT"
In-Reply-To: BANLkTikfOSqJ1owwvdVPG2Wodc2TDSe3Zw@mail.gmail.com
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - tiguan.websitewelcome.com
X-AntiAbuse: Original Domain - gmail.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - gmail.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: (zap-server) [74.117.59.214]:1512

The sections highlighted in red and blue are the “Received:” headers. These headers, along with the “X-” headers at the bottom, are the most useful ones for determining who actually sent the message. They show the various servers and email accounts that were used for sending it. Even though the sender’s address is a Gmail address, the message was routed through two other servers before it got to the Gmail server.

The “Received:” headers should be read from bottom to top. The first of them, highlighted in blue, shows that the message was first sent from a machine with the IP address 74.117.59.214 to tiguan.websitewelcome.com. Above this we have an “Authentication-Results:” header and a “Received-SPF:” header, neither of which concerns us. The second of the “Received:” headers, highlighted in red, shows that the message was then sent from tiguan.websitewelcome.com (IP 174.120.5.66) to mx.google.com. So the scammer routed the message through two machines before it was received by Gmail.
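
The bottom-to-top reading described above, as an added example that is not part of the original post: it uses Python's standard email module to unfold the "Received:" headers and list each hop oldest first. The sample input is the set of "Received:" headers from the message above; the function names are this example's own.

```python
import re
from email import message_from_string
from ipaddress import ip_address

# "Received:" headers copied from the message above (recipient already masked there).
RAW = """\
Delivered-To: *****
Received: by 10.150.134.1 with SMTP id h1cs217972ybd;
 Thu, 28 Apr 2011 07:33:39 -0700 (PDT)
Received: by 10.236.182.197 with SMTP id o45mr4437364yhm.330.1304001219652;
 Thu, 28 Apr 2011 07:33:39 -0700 (PDT)
Received: from tiguan.websitewelcome.com (tiguan.websitewelcome.com [174.120.5.66])
 by mx.google.com with ESMTPS id 22si6055883yhl.249.2011.04.28.07.33.39
 (version=TLSv1/SSLv3 cipher=OTHER);
 Thu, 28 Apr 2011 07:33:39 -0700 (PDT)
Received: from [74.117.59.214] (port=1512 helo=zap-server)
 by tiguan.websitewelcome.com with esmtpa (Exim 4.69)
 id 1QFSHi-0004Xi-9u
 for *****; Thu, 28 Apr 2011 09:33:38 -0500
Reply-To: amy.lewis2333@gmail.com

body
"""

FROM_RE = re.compile(r"^from\s+(\S+)")              # name the sender announced
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # IP recorded in [brackets]
BY_RE = re.compile(r"\bby\s+(\S+)")                 # server that wrote this header


def received_hops(raw):
    """Return hops oldest first as (sender_name, sender_ip, receiving_host)."""
    msg = message_from_string(raw)
    hops = []
    # Each server prepends its own header, so the oldest hop is the last one.
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())  # unfold continuation lines
        frm, ip, by = FROM_RE.search(text), IP_RE.search(text), BY_RE.search(text)
        hops.append(tuple(m.group(1) if m else None for m in (frm, ip, by)))
    return hops


def external_relays(raw):
    """Public sender IPs, oldest first: the addresses to look up for an abuse report."""
    return [ip for _, ip, _ in received_hops(raw) if ip and ip_address(ip).is_global]


if __name__ == "__main__":
    for hop in received_hops(RAW):
        print(hop)
    print(external_relays(RAW))
```

Only the hop recorded by your own mail provider (mx.google.com here) is written by a server you can trust; "Received:" lines below it are supplied by the sending side and can be forged.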

Now that we know the IP addresses of the servers that were used for sending this message, we can look up the ISPs for those servers and send them complaints. A good site for looking up this information is cqcounter.com/whois/. (Note: The site CQCounter is picky about this URL. It requires that you include that very last slash in the URL, otherwise it can’t find the page.)

Using this site, we see that the ISP for 74.117.59.214 is Psychz.net and that the ISP for tiguan.websitewelcome.com (174.120.5.66) is ThePlanet.com. The email addresses to which you should send complaints then are abuse@psychz.net and abuse@theplanet.com.

UPDATE 5/18/11
Someone has reported another site being used for this scam: Safebootycall.org. Just like Cooldates.org, Safebootycall.org loads its content from Safergirls.org in a frame. The ISP for Safebootycall.org is Netelligent. If you receive a scam email asking you to visit this site, then send a complaint to abuse@netelligent.ca. Also send a complaint to the ISP that was used for sending you the scam email. To learn how to do this, read our instructions on sending complaints to ISPs.

UPDATE 5/10/11
Beasafedate.org is also being used for the scam. It loads its contents from Safergirls.org, just like the other sites mentioned.