Craigsllstsafe.org

A new scam site has been found: Craigsllstsafe.org. That’s right, it’s Craigsllstsafe.org, not Craigslistsafe.org. The misspelling of “Craigslist” in the domain name is deliberate. This site looks just like the now defunct scam site Clsafe.org, which we reported on March 14th. Like that old site, it uses your credit card information to sign you up for the porn site Sexxxxmatch.com.

The ISP for Craigsllstsafe.org is Leapswitch Networks. If you’ve received a scam message for this site, send a complaint to them at abuse@leapswitch.com, and also send a complaint to abuse@netriplex.com. Include the headers of the message with your complaint. Also, send a complaint to the ISP that was used to send you the message. Read our instructions on sending complaints to ISPs for more information.

UPDATE 5/14/11
Ishan Talathi of Leapswitch has left a comment on this post informing us that Leapswitch has suspended the website and that the new ISP for it is Worldstream. Your complaints should now be sent to abuse@worldstream.nl.

Clsafenet.com

Clsafenet.com is another fake “safe dating” site that asks you for your credit card number to verify your identity. Like several other sites we’ve come across recently, this one uses your credit card number to sign you up for the porn site Sexxxxmatch.com.


Notice a couple of things on the site’s home page. First, it says that if you want to meet people on the site, “a quick 30 second verification process will let you talk to them safely through our NSOCO.org approved contact system”. NSOCO.org supposedly maintains a database of known sex offenders. Well, guess what? There is no such organization as NSOCO.org.

Second, the sign up form is contained in a frame. That frame’s content comes from Sexxxxmatch.com.


Clsafenet.com’s ISP is Romania Data Systems. If you’ve been targeted by this scam and you’d like to help get this site shut down, then send a complaint to abuse@rcs-rds.ro. Also, you should find out the ISPs used for sending you the scam messages and send complaints to them, too.

Cooldates.org, Safebootycall.org and Safergirls.org

Here are some messages from Amy of Cooldates.org, another CraigsSecure scam site that was just created a few days ago. This is yet another fake verification site that asks you for your credit card information and uses it to sign you up for the porn site SexxxxMatch.com. If you look at the page source for Cooldates.org, you will see that all it does is use a frame to get content from another site, Safergirls.org. Scammers often use multiple domains for a scam site in this way.

Yes I am an actual person. haha. I hope you are too.

I just wanted to say I’m not interested in any long term commitments, just some sexual activity with a capable person.

Here is a picture. I hope you like it. I would prefer not to share too much information that is personal until I get to know you. I hope you understand. Explain more about yourself..

Hi, glad to see you replied.

Here’s additional information on me, I’m completely clean. you have to be also, protection is required.

you can find me on my page, since I don’t want the risk of some body I know to see my email with all of this stuff. This is my personal page: http://www.cooldates.org

Hit me up with a private message saying when you’re free, and if you want to get to know eachother better at your place or my place, or in another place you have in mind. The site will require login and needs your credit card to verify you are legal. Well, speak with you today I hope once I get back

Let’s look at the headers for the second message. Here they are, with the recipient’s name and email address removed. Look at the parts that are highlighted.

Delivered-To: *****
Received: by 10.150.134.1 with SMTP id h1cs217972ybd;
Thu, 28 Apr 2011 07:33:39 -0700 (PDT)
Received: by 10.236.182.197 with SMTP id o45mr4437364yhm.330.1304001219652;
Thu, 28 Apr 2011 07:33:39 -0700 (PDT)
Return-Path:
Received: from tiguan.websitewelcome.com (tiguan.websitewelcome.com [174.120.5.66])
by mx.google.com with ESMTPS id 22si6055883yhl.249.2011.04.28.07.33.39
(version=TLSv1/SSLv3 cipher=OTHER);
Thu, 28 Apr 2011 07:33:39 -0700 (PDT)

Received-SPF: neutral (google.com: 174.120.5.66 is neither permitted nor denied by domain of amy.lewis2333@gmail.com) client-ip=174.120.5.66;
Authentication-Results: mx.google.com; spf=neutral (google.com: 174.120.5.66 is neither permitted nor denied by domain of amy.lewis2333@gmail.com) smtp.mail=amy.lewis2333@gmail.com
Received: from [74.117.59.214] (port=1512 helo=zap-server)
by tiguan.websitewelcome.com with esmtpa (Exim 4.69)
(envelope-from )
id 1QFSHi-0004Xi-9u
for *****; Thu, 28 Apr 2011 09:33:38 -0500

MIME-Version: 1.0
Date: Thu, 28 Apr 2011 07:33:10 -0700
Message-ID:
X-Priority: 3 (Normal)
Subject: *****
Reply-To: amy.lewis2333@gmail.com
From: “amy”
To: “*****”
Content-Type: multipart/alternative;
boundary=”—–_chilkat_46d_7fe4_005a4654.a044ceca_.ALT”
In-Reply-To: BANLkTikfOSqJ1owwvdVPG2Wodc2TDSe3Zw@mail.gmail.com
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname – tiguan.websitewelcome.com
X-AntiAbuse: Original Domain – gmail.com
X-AntiAbuse: Originator/Caller UID/GID – [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain – gmail.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: (zap-server) [74.117.59.214]:1512

The sections highlighted in red and blue are the “Received:” headers. These headers, along with the “X-” headers at the bottom, are the most useful ones for determining who actually sent the message. They show the various servers and email accounts that were used for sending it. Even though the sender’s address is a Gmail address, the message was routed through two other servers before it got to the Gmail server.

The “Received:” headers should be read from bottom to top. The first of them, highlighted in blue, shows that the message was first sent from a machine with the IP address 74.117.59.214 to tiguan.websitewelcome.com. Above this we have an “Authentication-Results:” header and a “Received-SPF:” header, neither of which concerns us. The second of the “Received:” headers, highlighted in red, shows that the message was then sent from tiguan.websitewelcome.com (IP 174.120.5.66) to mx.google.com. So the scammer routed the message through two machines before it was received by Gmail.

Now that we know the IP addresses of the servers that were used for sending this message, we can look up the ISPs for those servers and send them complaints. A good site for looking up this information is cqcounter.com/whois/. (Note: The site CQCounter is picky about this URL. It requires that you include that very last slash in the URL, otherwise it can’t find the page.)

Using this site, we see that the ISP for 74.117.59.214 is Psychz.net and that the ISP for tiguan.websitewelcome.com (174.120.5.66) is ThePlanet.com. The email addresses to which you should send complaints then are abuse@psychz.net and abuse@theplanet.com.
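The bottom-to-top reading described above can be done with a short script. This is an added example, not part of the original post: it uses an abridged copy of the headers quoted above (the recipient address is a placeholder), and the function names are made up for illustration.

```python
import re
from email import message_from_string
from ipaddress import ip_address

# Abridged copy of the headers quoted above, continuation lines indented.
# The recipient address is a constructed placeholder.
RAW = """\
Delivered-To: recipient@example.com
Received: by 10.150.134.1 with SMTP id h1cs217972ybd;
 Thu, 28 Apr 2011 07:33:39 -0700 (PDT)
Received: from tiguan.websitewelcome.com (tiguan.websitewelcome.com [174.120.5.66])
 by mx.google.com with ESMTPS id 22si6055883yhl.249.2011.04.28.07.33.39;
 Thu, 28 Apr 2011 07:33:39 -0700 (PDT)
Received: from [74.117.59.214] (port=1512 helo=zap-server)
 by tiguan.websitewelcome.com with esmtpa (Exim 4.69)
 id 1QFSHi-0004Xi-9u; Thu, 28 Apr 2011 09:33:38 -0500
Reply-To: amy.lewis2333@gmail.com
X-Source-Sender: (zap-server) [74.117.59.214]:1512

(body omitted)
"""

FROM_RE = re.compile(r"^from\s+(\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+(\S+)")

def relay_hops(raw):
    """Return (sender, sender_ip, receiver) for each hop, oldest hop first."""
    msg = message_from_string(raw)
    hops = []
    # Each server adds its header on top, so reversed() gives time order.
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())  # unfold continuation lines
        frm = FROM_RE.search(text)
        if not frm:
            continue  # "Received: by ..." is an internal hand-off, no sender
        ip = IP_RE.search(text)
        by = BY_RE.search(text)
        hops.append((frm.group(1).strip("[]"), ip.group(1) if ip else None,
                     by.group(1) if by else None))
    return hops

def reportable_ips(raw):
    """Public sender IPs to look up in WHOIS before writing an abuse report."""
    return [ip for _, ip, _ in relay_hops(raw) if ip and ip_address(ip).is_global]
```

Only the hop recorded by your own mail provider (here mx.google.com) is written by a server you can trust; older “Received:” lines come from machines the sender may control and can be forged, so treat them as leads and include the full headers in the complaint.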

UPDATE 5/18/11
Someone has reported another site being used for this scam: Safebootycall.org. Just like Cooldates.org, Safebootycall.org loads its content from Safergirls.org in a frame. The ISP for Safebootycall.org is Netelligent. If you receive a scam email asking you to visit this site, then send a complaint to abuse@netelligent.ca. Also send a complaint to the ISP that was used for sending you the scam email. To learn how to do this, read our instructions on sending complaints to ISPs.

UPDATE 5/10/11
Beasafedate.org is also being used for the scam. It loads its contents from Safergirls.org, just like the other sites mentioned.

Clistsafe.com

Clistsafe.com is a clone of Clsafe.com, a site we’ve already reported. This site does not provide any sort of dating verification service, it has no members, and there are no people on it to meet. It is a scam used to fool you into signing up for the porn site SexxxxMatch.com. After you fill out the sign-up form on Clistsafe.com, you get taken to a page on secure.i-promotions.net:


This is the fine print on the order form above:

+ You are entitled to free lifetime access as a basic member without any charge or further participation. Additionally, free premium access* will be granted at no charge provided you complete an online profile and confirm your information within two days, otherwise this membership will recur monthly at 39USD until cancelled.

Clistsafe.com is hosted by LeaseWeb. Forward any scam messages you receive for that site to abuse@leaseweb.com and make sure to mention that Clistsafe.com is known to be a scam site. Be sure to include a copy of the message headers.

UPDATE, 4/25: One of the fake identities used for this scam is Vicky Lattore, and her profile page on the site is http://www.clistsafe.com/profiles/vickyyy1/
Another of the fake identities is Diana Richardson, who has this profile: http://clistsafe.com/profiles/dia99

Clsafe.org

Clsafe.org is yet another site pretending to offer the CraigslistSafe verification service. Someone posted a m4w ad on Craigslist and received this reply from “Elizabeth Babicke” (robynwhitfield55kk@yahoo.com):

hey I saw your ad and would love an occasional hookup partner.so get back to me.



After he replied to her, he received this message:

hi again are you free right now totalk?
i screen so do this for me and message me on there
securedate
cant stay on much longer though

talk to ya soon,
elizabeth



The securedate link in the message points to http://www.clsafe.org/profiles/elizzy.



The sign up form is contained inside a frame. When you look at the source code for the frame you see that it comes from sexxxxmatch.com, a porn site.

Source for clsafe.org sign up form




Again, there is no CraigslistSafe verification service. Clsafe.org is not a dating site; it’s just a scam used to sign you up for porn sites, and the scammer who owns clsafe.org gets a commission for each person he signs up. Anytime a site asks to use your credit card to verify your identity, it’s a scam like this one.
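Several of the sites above (Clsafenet.com, Cooldates.org, Safebootycall.org, Clsafe.org) turned out to be a frame around another site’s content. The check we did by reading the page source can be scripted; this is an added example, not code from any of the sites, and the sample HTML is constructed for illustration rather than copied from a real page.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class FrameFinder(HTMLParser):
    """Collect the src of every <frame> and <iframe> on a page."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("frame", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def host(url):
    """Lower-cased hostname with a leading 'www.' dropped."""
    h = (urlparse(url).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h

def foreign_frames(page_url, html):
    """Return absolute URLs of frames served from a different host.

    Assumption: hosts are compared exactly, so a subdomain of the same
    site also counts as foreign.
    """
    finder = FrameFinder()
    finder.feed(html)
    found = []
    for src in finder.sources:
        absolute = urljoin(page_url, src)  # resolve relative src values
        if host(absolute) != host(page_url):
            found.append(absolute)
    return found

# Constructed sample: a page that is only a frame around another domain,
# plus one same-site iframe that should not be flagged.
SAMPLE = """<html><frameset rows="100%">
<frame src="http://www.safergirls.org/">
</frameset>
<iframe src="/banner.html"></iframe></html>"""
```

Run against a saved copy of a suspicious page, a sign-up form that comes back in this list is being served by a different site than the one in the address bar.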