A poorly-worded Stanford CS account phishing email

I received a pretty crappy attempt to get me to give up access to my lifetime Stanford computer science department email address. I hope no one falls for this!

From: Stanford University
Subject: Computer Science- Web Upgrade
Date: May 29, 2013 1:20:01 PM PDT
To: you
Reply-To: noreply@cs.stanford.edu

This email is being sent to you because of violation security breach that was detected by our servers. Our server detected that one of the messages you received from a contact has already infected your mail with a dangerous virus.

You can no longer be allowed to send messages or files to other users to prevent the spread of virus to other @cs.stanford.edu mail users. Please follow the link below to perform maintenance work needed to improve the protection of the web-mail for us to verify and have your account cleared against this virus.

CLICK HERE

WARNING!!! E-MAIL OWNERS who refuses to upgrade his or her account within 48hrs after notification of this update will permanently be deleted from our data base and can also lead to malfunctioning of the client or user's account and we will not be responsible for loosing your account.

The link goes to: http: //www.123contactform.com/form-591874/Web-Upgrade (I didn't click on it)

The full headers are below:

Stanford University 
To: you 
Reply-To: noreply@cs.stanford.edu
Delivered-To: [redacted]
Received: by 10.194.174.6 with SMTP id bo6csp23125wjc; Wed, 29 May 2013 13:26:10 -0700 (PDT)
Received: from forward1-smtp.messagingengine.com (forward1-smtp.messagingengine.com. [66.111.4.223]) by mx.google.com with ESMTPS id fd1si22565649vcb.65.2013.05.29.13.26.09 for <[redacted]> (version=TLSv1 cipher=RC4-SHA bits=128/128); Wed, 29 May 2013 13:26:10 -0700 (PDT)
Received: from imap19.nyi.mail.srv.osa (imap19.nyi.mail.srv.osa [10.202.2.69]) by gateway1.nyi.mail.srv.osa (Postfix) with ESMTP id A6A7D206BF for <[redacted]>; Wed, 29 May 2013 16:26:06 -0400 (EDT)
Received: by imap19.nyi.mail.srv.osa (Postfix, from userid 501) id A1D2E220145; Wed, 29 May 2013 16:26:06 -0400 (EDT)
Received: from compute5.internal (compute5.nyi.mail.srv.osa [10.202.2.45]) by sloti19d2p1 (Cyrus git2.5+0-git-fastmail-9272) with LMTPA; Wed, 29 May 2013 16:26:06 -0400
Received: from mx2.nyi.mail.srv.osa ([unixlocal]) by compute5.internal (LMTPProxy); Wed, 29 May 2013 16:26:06 -0400
Received: from cs-smtp-2.Stanford.EDU (cs-smtp-2.Stanford.EDU [171.64.64.26]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx2.messagingengine.com (Postfix) with ESMTPS id 343A26C03AC for <[redacted]>; Wed, 29 May 2013 16:26:02 -0400 (EDT)
Received: from mail.tu-berlin.de ([130.149.7.33]) by cs-smtp-2.Stanford.EDU with esmtps (TLSv1:AES256-SHA:256) (Exim 4.77) (envelope-from ) id 1UhmwN-000518-0K; Wed, 29 May 2013 13:25:52 -0700
Received: from [204.93.59.2] (helo=[10.254.8.60]) by mail.tu-berlin.de (exim-4.72/mailfrontend-7) with esmtpsa [TLSv1:AES256-SHA:256] id 1Uhmri-0000EC-0L; Wed, 29 May 2013 22:21:02 +0200
X-Received: by 10.58.85.134 with SMTP id h6mr2788483vez.18.1369859170090; Wed, 29 May 2013 13:26:10 -0700 (PDT)
Return-Path: 
Received-Spf: neutral (google.com: 66.111.4.223 is neither permitted nor denied by best guess record for domain of noreply@cs.stanford.edu) client-ip=66.111.4.223;
Authentication-Results: mx.google.com; spf=neutral (google.com: 66.111.4.223 is neither permitted nor denied by best guess record for domain of noreply@cs.stanford.edu) smtp.mail=noreply@cs.stanford.edu
X-Sieve: CMU Sieve 2.4
X-Spam-Score: 1.6
X-Spam-Hits: BAYES_99 3.5, HTML_MESSAGE 0.001, MISSING_MID 0.497, RCVD_IN_DNSWL_MED -2.3, T_RP_MATCHES_RCVD -0.01, LANGUAGES en, BAYES_USED user, SA_VERSION 3.3.2
X-Spam-Source: IP='171.64.64.26', Host='cs-smtp-2.stanford.edu', Country='US', FromHeader='edu', MailFrom='edu'
X-Spam-Charsets: plain='iso-8859-1', html='iso-8859-1'
X-Resolved-To: [redacted]
X-Delivered-To: [redacted]
X-Mail-From: noreply@cs.stanford.edu
X-Tubit-Incoming-Ip: 204.93.59.2
Content-Type: multipart/alternative; boundary="===============2107424360=="
Mime-Version: 1.0
X-Pmx-Version: 6.0.0.2142326, Antispam-Engine: 2.7.2.2107409, Antispam-Data: 2013.5.29.200920
X-Pmx-Spam: Gauge=IIIIIII, Probability=0%, Report=''
X-Remote-Spam-Score: 0.5
X-Remote-Spam-Level:
X-Remote-Spam-Checker-Version: SpamAssassin on cs-smtp-2.Stanford.EDU
X-Scan-Signature: 5257551a17fe2eabeabf44262ae65875
Message-Id: 
Computer Science- Web Upgrade
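
Reading the Received chain above from the bottom up shows where the message really came from. The following Python is an added example, not part of the original post: it parses an abridged copy of those headers and reports the originating IP and the outside relay that handed the message to Stanford's mail server. The function names are assumptions of this example, and hops older than the first server you trust can be forged by the sender.

```python
import re
from email import message_from_string

# Abridged from the headers quoted above: newest hop first, queue ids and
# internal hops dropped. Host names and IPs are the ones shown in the post.
RAW = """\
Reply-To: noreply@cs.stanford.edu
Received: from forward1-smtp.messagingengine.com (forward1-smtp.messagingengine.com. [66.111.4.223]) by mx.google.com with ESMTPS; Wed, 29 May 2013 13:26:10 -0700 (PDT)
Received: from cs-smtp-2.Stanford.EDU (cs-smtp-2.Stanford.EDU [171.64.64.26]) by mx2.messagingengine.com (Postfix) with ESMTPS; Wed, 29 May 2013 16:26:02 -0400 (EDT)
Received: from mail.tu-berlin.de ([130.149.7.33]) by cs-smtp-2.Stanford.EDU with esmtps (Exim 4.77); Wed, 29 May 2013 13:25:52 -0700
Received: from [204.93.59.2] (helo=[10.254.8.60]) by mail.tu-berlin.de (exim-4.72/mailfrontend-7) with esmtpsa; Wed, 29 May 2013 22:21:02 +0200
Subject: Computer Science- Web Upgrade

body
"""

HOP = re.compile(
    r"from\s+(?P<frm>\S+)(?P<info>.*?)\sby\s+(?P<by>\S+)"
    r"(?:.*?\bwith\s+(?P<proto>[A-Za-z]+))?", re.S)
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_PROTOS = {"esmtpa", "esmtpsa"}  # RFC 3848: the sender used SMTP AUTH


def parse_hops(raw):
    """Return Received hops oldest-first as dicts: frm, by, ip, proto."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(value)
        if not m:
            continue  # e.g. "Received: by ..." lines with no from-clause
        ip = IPV4.search(f"{m['frm']} {m['info']}")
        hops.append({"frm": m["frm"].strip("[]"), "by": m["by"],
                     "ip": ip.group(1) if ip else None,
                     "proto": (m["proto"] or "").lower()})
    return hops[::-1]  # each server prepends its header, so reverse


def in_domain(host, domain):
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def entry_hop(hops, domain):
    """First hop where a server in `domain` accepted mail from outside it."""
    for hop in hops:
        if in_domain(hop["by"], domain) and not in_domain(hop["frm"], domain):
            return hop
    return None


def summarize(raw, claimed_domain):
    hops = parse_hops(raw)
    entry = entry_hop(hops, claimed_domain)
    return {
        "origin_ip": hops[0]["ip"] if hops else None,
        "origin_authenticated": bool(hops) and hops[0]["proto"] in AUTH_PROTOS,
        "entered_from": entry["frm"] if entry else None,
    }


if __name__ == "__main__":
    print(summarize(RAW, "stanford.edu"))
```

The reported origin IP matches the `X-Tubit-Incoming-Ip` header in the original message, and the `esmtpsa` hop means the sender logged in to the TU Berlin server before it relayed the mail to Stanford.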

Scam: traveling, mugged, and need cash

I've gotten this email from more than one person in the past. If any friend asks for cash via email, please make sure you talk to them directly on the phone before you even think about helping them. Usually, it means that their email account has been compromised, so they should also immediately change all of their passwords.

Hello

I'm sorry you're getting the mail from me at this Point in time,my family and I came down here to Manila(Philippines), for a short vacation unfortunately we were mugged at the park of the hotel we stayed,all cash credit cards and cell were stolen off but luckily for us we still have our passports with us.

I have been to the embassy and the Police here but they're not helping issues at all and our flight leaves pretty soon from now but we're having problems settling the hotel bills and the hotel manager won't let us leave until we settle the bills.Please be so kind to reply back so I can tell you what to do and how to get some cash to us.

I'm freaked out at the moment

Here's a helpful snopes article that talks about this scam. Also, all the telltale signs of scam from non-native English speakers are there: poor grammar, arbitrarily capitalized words, missing spaces, and the use of the word, "kind" or "kindly."

My most popular picture has been used a lot

Screaming Turtle online usage as of Dec 21, 2011

My most-published picture is a picture of a juvenile loggerhead turtle being released into the wild just off of Palm Beach, Florida. It is commonly referred to as "[the screaming turtle](http://photos.echeng.com/gallery/3381454#189233567_EExXr)". According to Google, it is [being used online in about 21,200 locations](http://ech.cc/rvEVZi). One day, I will unleash an IP attorney to hunt down all unauthorized commercial use. I don't care about the personal use, as long as people attribute me and leave my watermark on the picture (which many do not).

Hint: to see where your pictures are used, go to Google Images and drag a JPG into the search field!

Rampant credit card fraud in downtown Mountain View restaurants

Last month (November, 2011), 11 people at our office in downtown Mountain View were hit with credit card fraud. Most of us eat at the same group of restaurants on and around Castro Street in Mountain View. I was out of town, and was thus spared being a victim. However, I returned in late November and resumed using my credit card for lunch in downtown Mountain View. A couple weeks later, my American Express was shut down for fraudulent activity. It had been used at two Home Depot locations: one in Pennsylvania, and one in New York. One charge was for over $700, and the other for $450. That makes 12 credit card fraud victims at our company—a significant percentage. The logical conclusion is that someone who works at a restaurant in downtown Mountain View is stealing credit cards. If you're headed to Castro Street to eat, it may be prudent to either 1) go somewhere else, or 2) pay in cash.

London robbery scam

This is the second email like this I've gotten from a friend's compromised email account. People, please don't fall for stuff like this!

> This had to come in a hurry and it has left me in a devastating state. I am in some terrible situation and I'm really going to need your urgent help. Yesterday, unannounced, I came down to London for an urgent situation. Well we actually got robbed and they made away with my wallet (which included my cash, diaries and credit cards). My cell phones were not brought along since I did not get to roam them before coming over. The phone cables have been burnt including internet connection cables and the Hotel's database has been compromised as well. So all I can do now is pay cash and get out of here quickly.

> I have spoken to the embassy here but they are not responding to the matter effectively,I will appreciate if you can lend me the sum of $2450 to sort-out my bills and to get the next available flight home, I'll Refund the money back to you as soon as i return, let me know if you can be of any help. Please be rest assured that I'd have your money reimbursed to you immediately I get home. I hope to read from you as soon as possible. Please keep this to yourself only! i will explain better to you when i get back home.

It's a [common scam](http://www.google.com/search?q=I+have+spoken+to+the+embassy+here+but+they+are+not+responding+to+the+matter+effectively), and I'm putting it here on the web to add yet another page for Google to find and index in the hopes that people will find it.

Block Facebook apps that allow printing of friends' photos

A Photo Editor [recently posted](http://www.aphotoeditor.com/2010/07/19/print-your-friends-facebook-photos/) about Facebook apps like Walmart, Target and others that allow the printing of photos hosted on Facebook. The problem is that Facebook allows those apps to print your friends' photos, too, which should be unethical and/or illegal for copyright violation. I just blocked the following apps and reported them to Facebook for privacy violation:

- [Print to Target](http://www.facebook.com/apps/application.php?id=351684036263&ref=ts)
- [Walmart](http://www.facebook.com/apps/application.php?id=181585006811)
- [Walgreens](http://www.facebook.com/apps/application.php?id=56440425769)
- [Shutterfly](http://www.facebook.com/apps/application.php?id=181585006811)

To block an app, click through to the app when you're logged into Facebook and then click on "Block Application," which is an option in the left-hand menu. You can also report the application for bad behavior by scrolling to the bottom of the Application page and clicking on "Report Application."

There may be more apps that allow the printing of friends' photos. I'll block and report every one I come across.

United Airlines Elite Choice is legit (but you'd never know)

I received an email from United Airlines today about their "Elite Choice" program, saying that I had reached a certain number of Elite Qualifying Miles and was eligible for an award. I clicked through, and was confronted with this page:

The URL is , which instantly made me suspicious. Furthermore, all of the other links in the email were shortened URLs hosted at *link.p0.com* (instead of at the united.com domain). This made me even more suspicious. I was *sure* that it was some sort of scam, but then I remembered that I actually enrolled in this program, and that the number of miles they said I had reached matched the number I actually had. I looked back at old emails from United, and all of them use the *link.p0.com* URL shortener. That was enough information for me to continue to login (and indeed, it worked, and I received a confirmation email from United)... but I very nearly did not follow through. If United's goal was to stop some percentage of people from going through with the reward redemption process (due to healthy paranoia), they are geniuses.

If *any* company asked me to supply login credentials on a site with a second domain name, I would balk. Can you imagine if Paypal asked you to login at something like paypalrewards.com?

Every company needs an internet-savvy employee or two on staff. In this case, we can't be sure if it was idiocy or genius.

Getingate = spammers

I received 3 comments within 20 minutes claiming that Getingate is a better commenting system than [Disqus](http://disqus.com). It's pretty clear that Getingate is using comment spam to spread the word about their product. I hope Google picks this up: **Getingate are spammers, and you shouldn't work with them.** Here are the comments I just received:

From John (two identical comments, 1 minute apart):

> *Have any of you tried the Getingate Commenting System (www.getingate.com)? I prefer it over Disquis - it's much easier to install and simpler to use. They're currently holding a competiton for the website that generates the most comments. First prize is $1K and second prize is $500.*

From romi:

> *Did you try using Getingate's Social Web commenting tool? they don't take cheap shots such as faking comments, don't spam your website, and they are FREE. Also their interface is not as ugly as Disqus... try it.*

Luckily, I was able to use Disqus to immediately mark the comments as spam and blacklist both the users and IP addresses.

**UPDATE:** It looks like Getingate has noticed my post and has responded via Twitter:


*@echeng works for the competitor and trashes the better tool of the two.
I hope you got paid a lot to do that.*

Here's the problem with their approach:

@Getingate only has 1 follower!

To the spammers over at Getingate: I'm not trying to "trash" your tool. I'm trashing your marketing methods.

I'll tell you what. Every time you try to retaliate, I'll write about you AGAIN, right here in this post, and send a note out to my Twitter, Facebook and web audience. Perhaps it will help spread the word about your product, and maybe some of them will follow you. Who knows -- I may even DOUBLE your Twitter audience!

Of course, none of this changes the fact that Getingate spammed my journal. 3 comments in 20 minutes pushing an unknown company is suspicious in anyone's book, and your so-called "facts" about Disqus are bogus.

Just for fun, I did a Google search on "Getingate". Here's what I found:

Declaring war doesn't pay off, guys. An apology would have been a better move.

**UPDATE 2**: According to one of the comments Getingate left below, they want me to believe that the comments left on my website were by "3 different people who all felt the need to comment on your blog."

I did some poking around, and the 3 comments left here were by two people: [John Phan](http://www.linkedin.com/in/jxtphan), who is listed as "Advisor at Getingate" in his LinkedIn page (he posted 2 identical comments), and Romi S, whose sole purpose seems to be [hating Disqus and loving Getingate](http://www.blippr.com/profiles/97406).


John Phan, Advisor at Getingate


Romi S loves Getingate!

Getingate, John Phan is an advisor to your company and should be reprimanded for spamming. Romi S might just be a super fan who has no Google record other than touting your product's incredible features, but somehow, I doubt that is the case.

California LLC Statement of Information scam

I *almost* was fooled by this one. Wetpixel received an urgent notice from the "Business Filings Division" today stating that we had to submit a Statement of Information in order to continue doing business in California (LLCs have to file one every 2 years). The fee? $239.00. I filled out the form and wrote a check, but something didn't seem right, and I went to Google for help. It turns out that this is a common scam that quite a few people fall for. Through official channels, the actual fee for filing is $20.

Here's the fraudulent form: (download)


fraudulent statement of information form

... and here's the actual form (Form llc-12, which you can download from the Secretary of State):


actual statement of information form

Bastard scammers.

Paypal is the vehicle for scams on Craigslist

I'd like to state first that I use and rely on Paypal for many different kinds of transactions. Used between people I know (who have existing, stable accounts) and through eBay, it has been a convenient and consistently-useful tool. However, I just sold two cameras and a Blackberry using Craigslist, and the experience was a bad one. For every solid lead, I received at least ten emails from scammers who wanted me to mail the phone / cameras overseas, often including large sums of additional payment for shipping. All of them offered to pay via Paypal.

I've heard of people scamming Craigslist sellers by using Paypal to initiate payment, and then canceling or disputing the payment once the item has been shipped off to West Africa somewhere. The emails persist even though my Craigslist posts state very clearly:

**CASH / LOCAL SALE ONLY**.

One annoying thing is that the scammers often start by writing a single email -- e.g. "Is the item still for sale?" After a response or three, they then state that they are actually buying it for their brother / aunt / co-worker, and that they are out of town, and that they'd like me to mail it to Nigeria. As a general rule, if there is a complicated story behind the reason for the purchase, it is probably a scam.

I've started to ignore those sorts of emails, along with emails exhibiting poor grammar or a total lack of respect. The fragmented OMG / LOL / no-punctuation emails are from the younger generation; I tried responding to one of them, and the guy wanted to come pick up the phone at midnight (with 5 minutes of notice).

Now, I just delete responses when they are even a little bit strange. The sad thing is that some legitimate responses get filtered out, but if it's hard to tell, I probably won't want to meet those folks in person, anyway.

If I feel like putting a *[sic]* after what I've just read, I hit delete.

OK, now for the fun part: examples!

> From: larry Linda Date: August 18, 2009 4:58:35 AM PDT Subject: Re: Blackberry Bold 9000, original box - $270 (SOMA / south beach)

> Hello, Nice to here back from you, I don't have pick up arrangements due to the fact that I'm out of the Country to Athens Greece for a Conference meeting,so you will be shipping the item to my Son in West Africa.I'm buying the item for him as a Gift because he win a scholarship in two days ago and i we be offering you $275 for the item and $100 to cover up the shipping fee down to him at oversea,I will be paying you via PayPal.So kindly get back to me with your Confirmed PayPal e-mail address so that i can transfer the funds into your Account,so you will be shipping the item via the USPS Express Mail Service(EMS) after payment has been done.i will be waiting to here back from you with your paypal account info so that i can send that to paypal online for the instant money transfer.get back to me ASAP...

Classic.

Here's one with no punctuation. It may be legit, but why take the chance?

> From: sammy lankky Date: August 17, 2009 8:26:24 AM PDT Subject: Blackberry Bold 9000, original box - $270 (SOMA / south beach)

> is this item still available for sale. if yes kindly get back to me ASAP......

And another, with typos and poor grammar:

> From: Manu Dubey Date: August 17, 2009 7:54:31 AM PDT Subject: buy phone

> hi i am intrested to buy this phone. give me your cell number.

No. I refuse.

> From: Allyson Willams Date: August 17, 2009 3:31:47 AM PDT Subject: Blackberry Bold 9000, original box - $270

> Hello seller i see your item online i will like to buy it for my brother who as a promotion to NYC i will like to make payment with paypal and i will like to no the item condition and the item total prices.with the shipping cost to him.will can still make the payment via bank to bank transfer.

Bank transfer? No punctuation? No thanks!

> From: Clarence King Date: August 7, 2009 8:22:46 PM PDT Subject: Canon 1Ds Mark III digital SLR body - $4500 (SOMA / south beach)

> Is your listed item still available for sale?Got some interest.

> From: Clarence King Date: August 8, 2009 8:38:36 AM PDT Subject: Re: Canon 1Ds Mark III digital SLR body - $4500 (SOMA / south beach)

> Thanks for getting back to me..I really appreciate your response to my earlier mail.like am serious in buying this item so pls do withdraw the advert from Craigslist. I will also like you to know that i will be paying by paypal due to the fact that i will not be able to meet up with the cash and local pick up, you can contact me on this number 18642739289 or email me. so you will be shipping it oversea.I will be adding $200 for the shipping and handling cost... I will need you to provide me with the Your paypal email address so i can send the money to your paypal account.

> Hope to hear back from you.