Lottery Scam Spam - What to look for

by talentedchimp | July 12, 2007 at 09:11 pm

Another day and another (actually one of many) scam spam e-mail into my Inbox.  I opened it.  This time it's ostensibly from the UK National Lottery.  Let's go through it.

The first thing that leaps out at me is the "From" e-mail address:

"LOTTERY BOARD" <infoweb_36@bellsouth.net>

Bellsouth?  Isn't that an American company?  A quick check over at the Bellsouth website confirms that they have no offices in the UK.  So, the UK National Lottery using a US company to send out its e-mails.  Suspicious.

The second thing is the "To" e-mail address:

info@uklottery.co.uk

This is standard for spam e-mails and one of the easiest ways to spot spam - lack of personalisation.  If an e-mail doesn't have your e-mail address, or has something like "Dear Valued Customer", or some other form of generic greeting, you can be 99.9% sure that it is spam.  The exception to this rule is if you are signed up to a newsletter or other e-mail list.  But you would know about this.

Another way to check the origin of any e-mail is to type the domain address (the part to the right of the @ sign) into a web browser.  A legitimate company will have a website at that address.  This one, however, doesn't.  You can see that it is basically a parked domain, i.e. a domain with no web space.  Very suspicious.

Remember, I haven't even read the e-mail yet! 

Let's take a look at the full header information.  This is the information that is attached to every e-mail detailing the path taken to get to your Inbox, the origin and importantly, the message Id.  I use Yahoo! email, so at the bottom of the e-mail message I can click on "Full Headers" to see this information.

First let's take a look at where the e-mail came from:

X-Originating-IP: [205.152.59.69]

This is the source of the e-mail.  This information could be spoofed (i.e. falsified), and this is a very common tactic.  But let's check anyway.  I click on over to DNSStuff and put the IP address (205.152.59.69) into the WHOIS lookup.  The results show that the e-mail actually does come from Bellsouth, or rather a computer using Bellsouth as their ISP.  While this doesn't seem very helpful, it does provide you with the e-mail address of the person or department that handles abuse, i.e. spam.  Click on "get results with the E-mail address" to see.

The next thing I see is:

X-Mailer: Openwave WebEngine, version 2.8.16.1 (webedge20-101-1106-101-20040924)

Openwave is a communications solutions provider primarily for the mobile corporate market.  In their "About Our Customers" section is the following:

"Openwave's roster of customers contains more than 25 wireline service
providers, including BellSouth, Cox Communications, Deutsche Telecom,
NTL and Telstra"

Next we have another:

X-Originating-IP: [208.110.218.201]

This time the WHOIS search results show that this IP address belongs to a range owned by Time Warner Cable.  Again you can get the abuse e-mail address.

Next, we have:

Message-Id: <20070713031831.OXLH13159.ibm63aec.bellsouth.net@mail.bellsouth.net>

Now, it's just a simple case of e-mailing the respective companies mentioned above with the header details, and hopefully another spammer has been taken down.  At least temporarily.

Finally, you can always visit the site from which the e-mail is claiming to be and take a look at the information they post about scams.  Most websites do this nowadays in response to the massive amount of scam spams that are sent out.  Really there is very little excuse for being taken in by them if you just stop to think for a second.

Like it says on the UK National Lottery site "Remember, if it looks too good to be true, it probably is!"  Wise words.
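
The header checks walked through above can be scripted. The following is an added example, not part of the original post: it parses a sample message built from the header values quoted above and reports the same red flags, plus the IP addresses worth a WHOIS lookup. The function names, the recipient address reader@example.org and the expected sender domain lottery.example are assumptions made for illustration.

```python
import ipaddress
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample built from the header values quoted in the post.
SAMPLE = """\
From: "LOTTERY BOARD" <infoweb_36@bellsouth.net>
To: info@uklottery.co.uk
X-Originating-IP: [205.152.59.69]
X-Mailer: Openwave WebEngine, version 2.8.16.1 (webedge20-101-1106-101-20040924)
X-Originating-IP: [208.110.218.201]
Message-Id: <20070713031831.OXLH13159.ibm63aec.bellsouth.net@mail.bellsouth.net>

body
"""

def domain_of(addr):
    return addr.rpartition("@")[2].strip("<> ").lower()

def triage(raw, my_address, expected_domain):
    """Return the header facts the post checks by hand, plus red flags."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    to_addrs = [a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    ips = []
    for value in msg.get_all("X-Originating-IP", []):  # the header can repeat
        try:
            ips.append(ipaddress.ip_address(value.strip(" []")))
        except ValueError:
            pass  # malformed value: skip it, the header is sender-controlled anyway
    flags = []
    if from_dom != expected_domain and not from_dom.endswith("." + expected_domain):
        flags.append(f"From domain {from_dom} is not {expected_domain}")
    if my_address.lower() not in to_addrs:
        flags.append("message is not addressed to the recipient")
    mid_dom = domain_of(msg.get("Message-Id", ""))
    if mid_dom != from_dom and not mid_dom.endswith("." + from_dom):
        flags.append(f"Message-Id domain {mid_dom} does not match From domain")
    return {
        "display_name": display,
        "from_domain": from_dom,
        "whois_targets": [str(ip) for ip in ips if ip.is_global],  # public IPs only
        "mailer": msg.get("X-Mailer"),
        "flags": flags,
    }

if __name__ == "__main__":
    print(triage(SAMPLE, "reader@example.org", "lottery.example"))
```

On the sample, the Message-Id domain agrees with the From domain, which matches the WHOIS result that the message really was sent through Bellsouth; the two flags raised are the mismatched sender domain and the generic "To" address.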
