RSS

“Eduard Castaño” (AKA) Wang Chien (AKA) Christman Debra

06 Nov

NIGERIAN SCAMMER SENDING BUSINESS PROPOSAL AND LOTTERY SCAM EMAILS

anti_scam

01/26/13 UPDATE – Eduard Castano also known as Wang Chien has sent me a new business proposal offer under new email_addresses and  IP_addresses — (I’ll post the email’s from newest to oldest and will add this scammers header details under each email.)

Partnership with You Tuesday, January 15, 2013 1:11 PM
From: Christman Debra dchristman@mosineeschools.org

I have an urgent business deal worth of ******* to discuss with
you, contact me for more details for your interest at
wangchien2004@yahoo.com.hk
Thanks
Wang Chien

HEADER DETAILS:

Return-Path: <dchristman@mosineeschools.org>
X-YahooFilteredBulk: 209.62.173.211
Received-SPF: pass (domain of mosineeschools.org designates 209.62.173.211 as permitted sender)
X-YMailISG: i0VLM7kWLDsLfLCywSaSSYx.tSpTBcjTXuGpJZV.D8GRtK4G hbwwRCRgZQgk_cw85gry83cgekJVMrrg3pbltquix.8MA3xnlWVESreBORPy vcSKT.7YBAacVrEqZ.AdIZRUTeOavSVzclLQVSZ6NoRcl04EzUF_IvPbMXa1 yzAJfw8_2dmSgDo_nbe03cbOzpbeo3ufws6Oz8XaNvF2fzou4byjAFwnt0pb u4tTJeAqSAO7hg0ABqNewmtkT4glFaA4HVALqkT0ZUxvJd61F7ML9AfK_dQ1 WJJiiDZBEVosDV5OHjNMv8yRucX6rGF7z0vz4PLU6kd2lgCvrD5KH4SeyH9K 2re9FukaR5tE19lX2005zunxwBcf7WIDCLMkBrHWN0NYpCgXPItS3olsR1td EnBfvHzS1UW2bcPOly5KbL0SvC2rRQE9HKEW214YZz1kjT_4NPIja64yTQme 21Sqp07nP5GHdPQ7JhDuZ09MEKsEY1pRbaU56.FM2fbQAzut2VaaNYRLVil9 jA0ZZwyuZSpmAG245uTo_ULrUhYXK_K5J5LVx2pQlpDmOsjI6k4VlPjyR29E nyDid6ld3dqr4PPmSpA6HZNwCodLFFByYaGqVyYzGNtP7RN.HCrHixcWJJYL YEzbczPRsNBuACSyRl7qYeauGjnt9_Tp5JUUATQqD36Xol8_uCTbMlljqob5 hGPArKHIUprI5xCgdPifF_b9g6Oa9Xp6r_OvT.Xpv4zXmJNC5natiHjfNmFB GDKrNO2zvTHbNnmQw2s7h17s3DheRH9FYgcoy4z.h5ZqXQGhyxjlovl33rvj FZUsmzAVz3.OCdRq683c.ZhcoyD7.cO5vb1egOG9yhE.wlTOXcywrKOBVxmU uvJTlvO0aryX75p4M9lgy2UFVAetNBUoPKf4xury0kOc9slsVIKmXlHyj6hh rlzVmREfCJfHug4QZvuYiAlEQP6IGF8HKdCZnUkxuCu0Kzeq8OGHmOCZVETc Zl5vp5SEFR1ZrUBIO_In6NhVo5kgk.r7_ILNmh_Ns7XHVq6TdWBHzq4ZKP.t pZWgrQEUsCz.4hP9Wc5y2UfkNN31v.5Iq0t7JJoRsQNG0PtE3Q.WV8FmrgnM gGP69Cg5gda2zztCGPQh489ozPxmwoUwSpNJQGOXQDV2jzA8BiNQSDLrq3t4 k.tQVYkqqug3yQHVnPYwC6P7eFXlXf5iHujq42PMfIKkSZR9zQhuROokQb80 IAOsttMEil_yLf0q3rlf0aKBBZ7L2w3PT8lFTtKqwCiDr3T0iCUk2ndfzwkx kibLb2_B9Az2BPj1HO_7ZfnlP0Tch_LkrWyDVtRmdBIR24XFNgAmLjRHP7hR HXo32ZTBHvG33dJq_hAIkMG8hqZzEZ8fALrBC1S5lod8KxHrnRMwjhdTWJ4n UDbmDUJKwTFe.CfRtm5G4cBUEEl6_AmsEvIgzToO_Q_FRdIdauBS1ax10S1Z WiyZcsZR6A0l2KXGTdRaXl62_eKU_P.t2VOXHDRBgmkdu.7DHNI7CLZYhVhS 59OXOQrgRNVMGocvAp7wz6szJRzZxRwOa041fyptbnYzY2X55RNoe7Nkq9Fv Zrjd01_3fMCBdYaaR3szVRwST2DcLpeazg4gpGnah7Jmj4_5fPFb5LIB.J7W vB21EURhkzKyWKcew3HiLkVDNWEwdVgnGKUpo.D7ue3HqJbEvZkPYY4kfqZ3 ARA4Sy.EKNMVv5Zv8Z5NygjbaHYpvM3pIGpAtXia6QRvUBuZAaEI3P79PwWw 8O9ogSwTTrtKNbyN98Bx4QZMMIhHasZdHQX6zjcICBTQ5Lt2d8NalJnpbNab Iw–
X-Originating-IP: [209.62.173.211]
Authentication-Results: mta1361.mail.mud.yahoo.com from=mosineeschools.org; domainkeys=neutral (no sig); from=mosineeschools.org; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO SMTP.MOSINEESCHOOLS.ORG) (209.62.173.211) by mta1361.mail.mud.yahoo.com with SMTP; Tue, 15 Jan 2013 09:00:20 -0800
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AtcZACJb9VCsFAHS/2dsb2JhbABFqnGPSoJVgQhzghEBAwUBBQIDHBEDQRoBCwEeBhgHVwEXCIVBAQGCMAELA6hkjk6MCIRPYQOFJoI4TjWFHIY9hyqFX4gm
Received: from exchange.mosinee.k12.wi.us (HELO mail.mosineeschools.org) ([172.20.1.210]) by SMTP.MOSINEESCHOOLS.ORG with ESMTP; 15 Jan 2013 07:40:55 -0600
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
Content-Type: multipart/alternative; boundary=”—-_=_NextPart_001_01CDF321.EE6304C1″
Subject: Partnership with You
Message-ID: <99F32978A02442469AB1EFE86C8F05430A5F1380@exchange.mosinee.k12.wi.us>
Thread-Topic: Partnership with You
Thread-Index: Ac3zIcwf/dSkUHjIQFuS8kkg0/8gvw==
From: “Christman Debra” <dchristman@mosineeschools.org>

Below are earlier emails sen by Wang Chien a.k.a Eduard Castano a.k.a Christman Debra trying to get potential victims to “transfer funds” only the funds will be a fake check and the victim will be stuck with the debt once the check bounces and the scammer will waddle off with the cash. He is scamming under multiple names, email address and IP_addresses. Some earlier addresses: wangchienrxm@yahoo.com.hk <>  jcubillos@cardioinfantil.org <> Eduard Castaño  <> ymailverificationdept@yahoo.com.hk <> wangchienrxm@yahoo.com.hk <> ecastano@cardioinfantil.org <> for more information on this scammer click: Nigerian Scammer – Wang Chien 

__________

Subject: DEAR LUCKY WINNER

You won 750.000.00 USD in the on going yahoo

online promo. For claim and verification contact
Michael Helmond via
ymailverificationdept@yahoo.com.hk
immediately.
Eduard.

HEADER DETAILS:

Return-Path: <ecastano@cardioinfantil.org>
X-YahooFilteredBulk: 200.74.147.148
Received-SPF: pass (domain of cardioinfantil.org designates 200.74.147.148 as permitted sender)
X-YMailISG: w7jQS0wWLDs4rKN5WjiJ_ZKbTd2L97P2Y0uL01g1WiV1CDor dgWkAO9_fiPTZBpI2Dncv6CfBNQEL5j_4Qo9Zz5xGtZiIj6aRD.4vOSwrWVD 6zLxCpXc6lVi6XYFjgdiQ5D04jrUdVdoRXxwLcJe_GhRh.CxXGQZ6gCdVU.K jIe4j1I0k5laWsUZ0IYtpuLVyhWajq3q0tzFhMXzK1DUxXIR.r00bGJ95t2r 0Riw.p0NDOlGvuY.fqWvShXqU8NHPKonuKGayLtzbqXY9FMQtpSffvQeGRUK _DOBJZ71HAz7LKJdZQ45KtvFkxPxlLnVEskpYANPzRTs5kUwmQNR_vCByLzu Dtzu.dAwtApsJ3UVRSBJ07M1prOLFWMkHNhm5q1_suuVPHL6eX9ZIDZSijSH 3dWwf3B8wMS8U5RDCrRO06Ar2y86Hr0PxaZMnEaVmcVE77Yqvs2_hf7JopF5 ztBjkEyZyBSVaUecjeP6SL8TX7hU0x9yB4dzW2jsqBzKh_HN1U4FsKtEsdC2 GLpebba4hglNMXJZEbcsERVbuJG1KOIJktvt7j8ftKPhMh7QZOKU9afi_riN l4nyEWKp9pzSCYV.mZsFgK._AUIQ1u4gR2dvhZ81VY1VbKzhJW5mgncCDmlR UiL.VhXtPO3huQkTSWq1tqNB88P4Vn7e7p7IisvZXNtNUZ1vRUhWmSNAKYxU EvwCkBgLlmEsADIGFS9t9gpTRdQMWTvZtd11XUOI6B_7DLRt9nFQSYrP1i.l tEDNAENOqlrJvHkZ2IqN1NVpt9A2phEJo1KMmCk31ZTMrsjzvTF.cXmYkthM jkI.atru4ABpo9qQiCAF3rWKzs7e319PpMX97MnQ9MWhszDrBKDfvhDlShnZ C1PTAscAHjTwTP9H9fsinWjm23yuxsD1Gg.B4AgLx48oIo_ME6HOv2XIKIxI gEe0fztYAlsat9YjLRA39kZlDhCaalAVk0WufQof6wwR4Qix48xjR4s3PUJJ 8__Vb2YT.mrfFyklexAjaAUBdaYvMghlOlSCkrajfWl01893USlHAgfVzd3v ayAvPrCrSiYgywtyXE4JUVwAM6P0HyUKG8mdXVdjf.F6t1Eu1iV0d22fhhwX F7ilx.a5IAiZ8kmZwTZc9RXYUwdRv5wGi5EgNqkyaN1Xxq0YNIUtnLgtt2UE dQoJzykdkGmLD.0RuZla3xgyVZ8fhZj0WzZUHDX9v4MgMIr6dNBLQh60Oym8 cV7lvZxSa1079gJlOlbVDcoRZEMzGRZUfguqQPNJrB6mPnhotirxB2sVttwO zUX4K4o8iyxPaboEHDvszRRCfV.3nJbk2kOcImybh86GiO0lZKBR3fm1zyhY O46e8WnmQx20FLYv3kSrfWAPmPm67AEK731bw6phc0AWvAqOEO65aX9IUFI4 .coCX9WmtGhkwYIxUnlZy_QGGO_j5c4fyKTs4WGTu3_mY.Hm0DtRQv8rBC91 .Vt53mi7GFpsmFNel7JLas_l7y8DcjJDjAtjrKCisCfLddY9kE50c9xRd4sR qpGAIm1oIoGxsCWO61r6At4pIvp3TPdbdMm5rhhuGgruQuoqGebtOelE3GqR lnHZRQox9m4MRgyS4d2Nf8OzK2cXW2I-
X-Originating-IP: [200.74.147.148]
Authentication-Results: mta1032.mail.bf1.yahoo.com from=cardioinfantil.org; domainkeys=neutral (no sig); from=cardioinfantil.org; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO correo1.cardioinfantil.org) (200.74.147.148) by mta1032.mail.bf1.yahoo.com with SMTP; Tue, 06 Nov 2012 07:17:28 -0800
Received: from correo1.cardioinfantil.org (localhost [127.0.0.1]) by correo1.cardioinfantil.org (Proxmox) with ESMTP id 8573154268; Tue, 6 Nov 2012 10:17:25 -0500 (COT)
X-Virus-Scanned: amavisd-new at cardioinfantil.org
Date: Tue, 6 Nov 2012 10:17:21 -0500 (COT)
From:
Eduard =?utf-8?Q?_Casta=C3=B1o?= <ecastano@cardioinfantil.org>
Message-ID: <2045381316.8532495.1352215041750.JavaMail.root@cardioinfantil.org>
Subject: DEAR LUCKY WINNER
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Originating-IP: [78.108.63.46]
X-Mailer: Zimbra 7.2.0_GA_2669 (ZimbraWebClient – FF3.0 (Win)/7.2.0_GA_2669)
To: undisclosed-recipients:;
Content-Length: 178
Electric Blue Bar

200.74.147.148 ↔ Malicious behavior detected from this IP and others have posted this IP as well.

Electric Blue Bar

78.108.63.46 has been white-listed and malicious behavior has been detected from this IP

Sample Spam URLs & Keywords Posted From 78.108.63.46
Domain: gaygalls.net
URL: http://gaygalls.net/?gallery-BRIANNA
Domain: bitly.uk.pn
URL: http://bitly.uk.pn/hRElSh
Domain: bitly.uni.me
URL: http://bitly.uni.me/eQeGHrqL
Domain: adultgalls.com
URL: http://adultgalls.com/?sexy-CHARMAINE
Domain: adultgalls.com
URL: http://adultgalls.com/?sexy-NATHAN
Domain: bitly.uni.me
URL: http://bitly.uni.me/nEdPFf
Domain: 8adb9886.rqq.co
URL: http://8adb9886.rqq.co
Domain: adultgalls.com
URL: http://adultgalls.com/?sexy-NADIA
Domain: adultgalls.com
URL: http://adultgalls.com/?girl-CHERIE
Domain: finance.uni.me
URL: http://finance.uni.me/?post-gx.html
Domain: bitly.uni.me
URL: http://bitly.uni.me/HlnDQE
Domain: gaygalls.net
URL: http://gaygalls.net/?gallery-LYNNETTE
Domain: adultgalls.com
URL: http://adultgalls.com/?profile-DELORES
Domain: adultgalls.com
URL: http://adultgalls.com/?sexy-TRINA
Domain: bitly.uni.me
URL: http://bitly.uni.me/nEdPFf
Electric Blue Bar

Wang Chien’s IP information below

Delivered-To: [my.redacted.address]
Received: by 10.58.74.4 with SMTP id p4csp1549300vev;
Sun, 14 Oct 2012 14:47:46 -0700 (PDT)
Received: by 10.236.191.135 with SMTP id g7mr9187637yhn.83.1350251265182;
Sun, 14 Oct 2012 14:47:45 -0700 (PDT)
Return-Path: <jcubillos@cardioinfantil.org>
Received: from correo1.cardioinfantil.org (correo1.cardioinfantil.org. [200.74.147.148])
by mx.google.com with ESMTPS id b62si13082962yho.125.2012.10.14.14.47.44
(version=TLSv1/SSLv3 cipher=OTHER);
Sun, 14 Oct 2012 14:47:45 -0700 (PDT)
Received-SPF: pass (google.com: domain of jcubillos@cardioinfantil.org designates 200.74.147.148 as permitted sender) client-ip0.74.147.148;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of jcubillos@cardioinfantil.orgdesignates 200.74.147.148 as permitted sender) smtp.mail=jcubillos@cardioinfantil.org
Received: from correo1.cardioinfantil.org (localhost [127.0.0.1])
by correo1.cardioinfantil.org (Proxmox) with ESMTP id 0E273542B2;
Sun, 14 Oct 2012 16:47:43 -0500 (COT)
Received: from correo.cardioinfantil.org (unknown [172.17.1.25])
by correo1.cardioinfantil.org (Proxmox) with ESMTP id EC30F542AF;
Sun, 14 Oct 2012 16:47:42 -0500 (COT)
Received: from localhost (localhost.localdomain [127.0.0.1])
by correo.cardioinfantil.org (Postfix) with ESMTP id 934363AF4050;
Sun, 14 Oct 2012 16:47:42 -0500 (COT)
X-Virus-Scanned: amavisd-new at cardioinfantil.org
Received: from correo.cardioinfantil.org ([127.0.0.1])
by localhost (correo.cardioinfantil.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id p8ibmghSTrxO; Sun, 14 Oct 2012 16:47:42 -0500 (COT)
Received: from correo.cardioinfantil.org (localhost.localdomain [127.0.0.1])
by correo.cardioinfantil.org (Postfix) with ESMTP id 509173AF404B;
Sun, 14 Oct 2012 16:47:41 -0500 (COT)
Date: Sun, 14 Oct 2012 16:47:41 -0500 (COT)
From: Wang Chien <jcubillos@cardioinfantil.org>
Reply-To: wangchienrxm@yahoo.com.hk
Message-ID: <891039962.7121111.1350251261294.JavaMail.root@cardioinfantil.org>
Subject: GOOD DAY
X-Originating-IP: [173.254.216.69]
X-Mailer: Zimbra 7.2.0_GA_2669 (ZimbraWebClient – FF3.0 (Win)/7.2.0_GA_2669)
To: [redacted]

Advertisements
 

Tags: , , , , , , , , , , , , , , , , , , , , ,

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: