[geeks] Almost scammed on EBay

Gavin Hubbard ghub005 at xtra.co.nz
Sat May 24 08:47:16 CDT 2003


Hi Lads

I though I'd pass along a brief warning about the potential pitfalls of using EBay.

Like most of you, I use EBay to dispose of unwanted equipment and to buy parts for my systems. Since my interest is in (relatively) obscure systems, and because I've been fairly cautious, I've had no problems to date. However I was recently contacted by an EBay user claiming to be in Spain who was interested in buying a reasonably expensive item that I had listed. The email I received looked exactly like an email generated by the EBay contact system and the first part read:

"i am interested in buying your item and and i would like to know if you are
shipping to Spain.
i will cover the shipping cost
please reply asap if you are interested in my offert
check my feedback to see that i am a serious buyer
best regards and thank you for your time
please contact me at organic1232001 at yahoo.com"

The text below directed me to the user account "xcellant1" which did indeed contain excellent feedback and showed the account is actively trading. So I respond positively and the next email I get reads:

"hello
i want to use for this transaction for the safety of the both sides an escrow service that i have worked before with them and they were very fast and secure www.ws-trade.com
 i will cover the shipping and the escrow fees
please reply asap with your response
best regards"

By now I'm a little bit suspicious that my 'buyer' hasn't used a name in either of the emails, plus the fact the 'escrow' site looks a little dodgy. So I google for "wstrade.com fraud" and I get a link to an old post in an EBay message forum which directed me to sos4auctions.com (as a good database of scam and escrow fraud sites). When I searched for ws-trade.com it reveals that the escrow company is indeed a scam:

http://sos4auctions.com/escrow/docs/WS-Trade.com.txt

I was curious about how I got contacted earlier by xcellant1, so I went back and checked the headers for the first email:

"From ???@??? Sun May 25 00:33:56 2003
Return-Path: <organic1232001 at yahoo.com>
Received: from mta5-rme.xtra.co.nz ([210.86.15.141])
          by mta202-rme.xtra.co.nz with ESMTP
          id <20030524111351.UHQP6898.mta202-rme.xtra.co.nz at mta5-rme.xtra.co.nz>
          for <ghub005 at xtra.co.nz>; Sat, 24 May 2003 23:13:51 +1200
Received: from web21404.mail.yahoo.com ([216.136.232.74])
          by mta5-rme.xtra.co.nz with SMTP
          id <20030524111351.BGGP1753.mta5-rme.xtra.co.nz at web21404.mail.yahoo.com>
          for <ghub005 at xtra.co.nz>; Sat, 24 May 2003 23:13:51 +1200
Message-ID: <20030524111350.93225.qmail at web21404.mail.yahoo.com>
Received: from [80.58.6.170] by web21404.mail.yahoo.com via HTTP; Sat, 24 May 2003 04:13:50 PDT
Date: Sat, 24 May 2003 04:13:50 -0700 (PDT)"

Hmm - so the first email didn't even originate from EBay. This is how it was able to pass itself of as coming from user xcellant1 (an account presumably picked at random). When I check the EBay account details for xcellant1 a bit more closely it reveals that that account is registered in the USA, not in Spain.

To follow this up, I ran the 80.58.6.170 IP address against the arin.net whois database. It shows the address range is controlled by the RIPE Network Coordination Centre. So I checked the RIPE whois server and it shows the subnet is administered by Telefonica de Espana SAU (which I presume is an ISP). I've submitted an abuse report through http://www.telefonicaonline.com/nemesys/ and it will be interesting to see if anything happens.

The point of all this is that if it wasn't for the fact that I'm relatively cautious, it would have been fairly easy to fall into this scam. In other words, please keep your BS detectors tuned next time you're using EBay.

Regards,

Gavin



More information about the geeks mailing list