I have been contacted by an HR department about a job and I'm 99% sure it's a scam and would like to know how I can check where the email has come from as it has attachments and they are probably going to open a virus if I open them.
Shame as I liked the sound of the job :-)
An unsolicited email with attachments is 101% likely to be a scam.
Apart from that, to see where an email came from you need to examine the header. This shows a (variable) amount of info about where it came from and how it got to you. It can be informative, if not always 100% certain, in figuring out who really sent it.
If you want you can post it here then the assembled experts can have a look. Well, I'll have a look, anyway. ;-)
By the way, this needs to be the full header. You don't normally see this in most email software. You need to look at the 'page source' or similar words to see it.
This is an example of a legitimate email header for an email sent to me from Codeproject:-
Received: with MailEnable Postoffice Connector; Fri, 24 Apr 2015 06:36:37 +0100
Received: from mail.maillist.codeproject.com ([65.39.148.44]) by marksmailserver.net with MailEnable ESMTP; Fri, 24 Apr 2015 06:36:35 +0100
Received: from jobs1 (unknown [192.168.5.180])
by mail.maillist.codeproject.com (Postfix) with ESMTP id 11B3D150A18
for <marksaddress@marksdomain.com>; Fri, 24 Apr 2015 01:32:28 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
d=maillist.codeproject.com; s=mail; t=1429853548;
bh=4FB7Qgbo3NZBsvCQ9zUydAbSvQLmvaB+dzK18aj6/Wo=;
h=MIME-Version:From:To:Date:Subject:Content-Type:
Content-Transfer-Encoding:Message-Id;
b=To4kKL89heDIgVgbLpximYxUfB4HTz68EQ+fdFnV42DJbSKc 6Zce5O4HSDW5FGb7k
GvCOErqLK/yDfJeSlK8jRGRpMzsSCIEh3zndf9q96WjejUwiemN6ZYPRpZTu KLnSAc
uPLD1ox958xq+2tyaFGKKfK66JV9/v+KKjK1TNAE=
MIME-Version: 1.0
From: "CodeProject" <mailout@maillist.codeproject.com>
To: "markrlondon" <marksaddress@marksdomain.com>
Date: 24 Apr 2015 01:36:33 -0400
Subject: Daily News - Microsoft is bringing back Solitaire for Windows 10
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: base64
Message-Id: <20150424053228.11B3D150A18@mail.maillist.codeproject.com>
Return-Path: <mailout@maillist.codeproject.com>
This is it...
Return-Path: <info@stinefinance.com>
Received: from wdc021.relay.arandomserver.com (wdc021.relay.arandomserver.com [208.43.228.73])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested)
by mtaig-maa02.mx.aol.com (Internet Inbound) with ESMTPS id 68E02700009D7
for <daryl100@aol.com>; Mon, 27 Apr 2015 11:28:58 -0400 (EDT)
Received: from wdc005.hawkhost.com ([158.85.51.195])
by se002.arandomserver.com with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256)
(Exim 4.85)
(envelope-from <info@stinefinance.com>)
id 1Ymkxm-0004ZS-At
for daryl100@aol.com; Mon, 27 Apr 2015 10:28:57 -0500
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=stinefinance.com; s=default;
h=Content-Type:MIME-Version:Subject:Message-ID:To:From:Date; bh=9y5EZA9d9C0Gb2G5p5NcPu/rw1m67AG1EZp/7EKVIHQ=;
b=NwtnDMO0soLc5wJI5r7Mmz/Ar5cd2KTM5v6I0LNRnkLUtoUfPFSmhwf+TVBwmHI+cnjTXy3Gj dPgd8bwAfc9VmlorAPA8E0LlBC+CZ53lgPR8KAtjA2cWoQbk89 NzXfOo49Wbchtxv6qF5JEfqzvZrx2Q51xRtOPru0uRzh9hmY=;
Received: from host-89-240-245-36.as13285.net ([89.240.245.36]:54906 helo=wdc005.hawkhost.com)
by wdc005.hawkhost.com with esmtpa (Exim 4.85)
(envelope-from <info@stinefinance.com>)
id 1YmkxY-001Ceg-Ay
for daryl100@aol.com; Mon, 27 Apr 2015 11:28:48 -0400
Date: Mon, 27 Apr 2015 16:19:22 +0400
From: "Nicole N. Allen" <info@stinefinance.com>
Organization: Stine Corporate Finance LLC
To: Daryl <daryl100@aol.com>
Message-ID: <1743416521.20150427161922@stinefinance.com>
Subject: Application/Vacancy Info-27.04
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------00519018A364B42CA"
X-Report-Abuse-To: spam@se001.arandomserver.com
X-Originating-IP: 158.85.51.195
X-SpamExperts-Domain: wdc005.out.arandomserver.com
X-SpamExperts-Username: relay
Authentication-Results: arandomserver.com; auth=pass (login) smtp.auth=relay@wdc005.out.arandomserver.com
X-SpamExperts-Outgoing-Class: ham
X-SpamExperts-Outgoing-Evidence: Combined (0.17)
X-Recommended-Action: accept
x-aol-global-disposition: G
X-AOL-VSS-INFO: 5700.7163/103667
X-AOL-VSS-CODE: clean
X-AOL-SCOLL-AUTHENTICATION: mtaig-maa02.mx.aol.com ; domain : stinefinance.com DKIM : pass
Authentication-Results: mx.aol.com;
spf=none (aol.com: the domain stinefinance.com appears to have no SPF Record.) smtp.mailfrom=stinefinance.com;
dkim=pass (aol.com: email passed verification from the domain stinefinance.com.) header.d=stinefinance.com;
x-aol-sid: 3039ac1ade82553e55b90ed5
X-AOL-IP: 208.43.228.73
X-AOL-SPF: domain : stinefinance.com SPF : none
------------00519018A364B42CA
Content-Type: text/plain
Last edited by dizz; 27th April 2015 at 20:06.
Ok, that appears to have been sent originally from a computer on a TalkTalk (Opal Telecom as-was) ADSL line in the UK. The initial mail server through which it was sent belongs to a company called Hawk Host, https://www.hawkhost.com. It turns out that Stine Corporate Finance's stinefinance.com domain is registered with Hawk Host for web hosting, thus legitimately connecting Stine Finance with Hawk Host.
On the face of it, the above connection (i.e. it was sent via the mail server provided by the web hosting company for the stinefinance.com domain) makes it seem legitimate.
On the downside, a Google search reveals that Hawk Host's mail services have been implicated in spam on previous occasions. Nevertheless the fact that the stinefinance.com domain and the hosting mail server are connected seems positive.
BUT WAIT... when was stinefinance.com registered? According to a WHOIS lookup for stinefinance.com, it was registered on 17th April 2015.
Creation Date: 2015-04-17T20:21:47Z
Oh dear... is Stine Corporate Finance a real company?
The WHOIS information for the domain shows this registrant:
Registrant Name: Connell-Moore Lewis Kieran
Registrant Organization: Stine Corporate
Registrant Street: 56 Westgate
Registrant City: Wakefield
Registrant State/Province: West Yorkshire
Registrant Postal Code: WF1 1XF
Registrant Country: GB
Registrant Phone: +44.07438845864
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: ConnellMoore80@yahoo.com
But this registrant information doesn't match too well with the info on the Stine Corporate Finance website (stinefinance.com) which claims to be an American company with an HQ at "600 Mamaroneck Ave, Harrison, NY 10528, USA". Bizarrely I can't see a telephone number for Stine Corporate Finance on their website.
Furthermore the Stine Corporate Finance website claims that...
Stine Corporate Finance LLC registered office 600 Mamaroneck Ave, Harrison, NY 10528, USA are authorized and regulated by the Financial Services Authority. Company is registered in USA with company registration number 779420471
Hang on, does the USA have a "Financial Services Authority"? No it does not. And the USA also does not as far as I know have a national company registration number system (company registration is organised on a state by state basis). The "Financial Services Authority" and "company registration number" are phrases that a UK person would use, not an American company.
And here's the final clincher, from http://stinefinance.com/careers.php:
We need people who are looking to grow with a company.
Stine Corporate Finance LLC looking to hire :
Data Entry Operator
Payments processing Manager
Clients database builder
Payments processing coordinator;
eCommerce Manager
No experience necessary
All ages 18+.
Applicant must demonstrate sufficient competence in spoken and written
English(Bilingual skills a plus, but not necessary).
This entire website is a scam to either collect personal details or to get people signed up to act as payment mules, or both. Stine Corporate Finance is a fake company. It does not really exist. It has a real web and email hosting account where it has a real-looking website and from which it can send legitimate-looking emails. But it's all a scam.
I note that the 600 Mamaroneck Ave, Harrison, NY 10528 address exists (see Street View here) but it looks like it might be serviced offices or the kind of place that might provide an accommodation address.
Well well, 192.com tells me that there is a Lewis Connell-Moore ("Age Guide: 21-24") living in West Yorkshire: Link. I've not paid for a 192.com subscription so I don't know his exact address. Looks like he might well live with brothers and mum and dad.
Is this a case of an entirely innocent person's stolen ID details being used without their knowledge to register the domain, or an innocent(ish) patsy with enough knowledge to get himself into trouble, or a very naughty person indeed? As observed in my message above, the fake website definitely uses British terminology where it should use American terminology.
** edit - additional **
Oh, and the 56 Westgate, WF1 1XF address in Wakefield is a NatWest Bank.
Last edited by markrlondon; 28th April 2015 at 02:17.
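One way to read the Received chain and the SPF/DKIM verdicts discussed above with Python's standard library, as an added example that is not from any poster in this thread. The sample header is abridged from the one posted above; the function names and the choice of mx.aol.com as the trusted receiving server are assumptions.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Abridged from the header posted in this thread; folded-line indentation restored.
RAW = """\
Received: from wdc021.relay.arandomserver.com (wdc021.relay.arandomserver.com [208.43.228.73])
\tby mtaig-maa02.mx.aol.com (Internet Inbound) with ESMTPS id 68E02700009D7
\tfor <daryl100@aol.com>; Mon, 27 Apr 2015 11:28:58 -0400 (EDT)
Received: from wdc005.hawkhost.com ([158.85.51.195])
\tby se002.arandomserver.com with esmtpsa (Exim 4.85)
\tfor daryl100@aol.com; Mon, 27 Apr 2015 10:28:57 -0500
Received: from host-89-240-245-36.as13285.net ([89.240.245.36]:54906 helo=wdc005.hawkhost.com)
\tby wdc005.hawkhost.com with esmtpa (Exim 4.85)
\tfor daryl100@aol.com; Mon, 27 Apr 2015 11:28:48 -0400
Authentication-Results: arandomserver.com; auth=pass (login) smtp.auth=relay@wdc005.out.arandomserver.com
Authentication-Results: mx.aol.com;
\tspf=none smtp.mailfrom=stinefinance.com;
\tdkim=pass header.d=stinefinance.com;
"""

def received_hops(raw):
    """Received hops oldest-first: dicts with from, ip, helo, by, time."""
    hops = []
    # Each server prepends its own Received line, so the last one is the oldest.
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        info, _, stamp = " ".join(value.split()).rpartition(";")  # unfold, split off date
        def grab(pattern):
            m = re.search(pattern, info)
            return m.group(1) if m else None
        hops.append({"from": grab(r"\bfrom\s+(\S+)"),
                     "ip": grab(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]"),
                     "helo": grab(r"\bhelo=([^\s)]+)"),
                     "by": grab(r"\bby\s+(\S+)"),
                     "time": parsedate_to_datetime(stamp.strip())})
    return hops

def auth_results(raw, trusted_server):
    """spf/dkim/dmarc verdicts, only from the header the trusted receiving server added."""
    verdicts = {}
    for value in message_from_string(raw).get_all("Authentication-Results", []):
        if value.split(";")[0].strip() == trusted_server:
            verdicts.update(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value))
    return verdicts

if __name__ == "__main__":
    for hop in received_hops(RAW):
        print(hop["time"].isoformat(), hop["ip"], hop["from"], "->", hop["by"], "helo:", hop["helo"])
    print(auth_results(RAW, "mx.aol.com"))
```

Only the topmost Received line and the mx.aol.com Authentication-Results line were written by the recipient's own provider; the hops below them are as reported by upstream servers.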
Great work Marklondon. I get a load of email like this all the time offering all sorts of things, they just get deleted as I cannot be bothered trying to find out if they are legit or not.
Great sleuthing Mark! You've got it totally figured out. Well done indeed!
There are so many scams out there, mostly quite easy to spot. Unsolicited too good to be true, is always just that.
Wow.....thanks chaps that's very impressive,
So it looks like I'm stuck in the factory/job from hell for a little longer :-(
Perhaps I should offer my services in the wanted section, at least I won't get scammed.
Thanks again
Dizz.