A poorly-worded Stanford CS account phishing email

I received a pretty crappy attempt to get me to give up access to my lifetime Stanford computer science department email address. I hope no one falls for this!

From: Stanford University
Subject: Computer Science- Web Upgrade
Date: May 29, 2013 1:20:01 PM PDT
To: you
Reply-To: noreply@cs.stanford.edu

This email is being sent to you because of violation security breach that was detected by our servers. Our server detected that one of the messages you received from a contact has already infected your mail with a dangerous virus.

You can no longer be allowed to send messages or files to other users to prevent the spread of virus to other @cs.stanford.edu mail users. Please follow the link below to perform maintenance work needed to improve the protection of the web-mail for us to verify and have your account cleared against this virus.


WARNING!!! E-MAIL OWNERS who refuses to upgrade his or her account within 48hrs after notification of this update will permanently be deleted from our data base and can also lead to malfunctioning of the client or user's account and we will not be responsible for loosing your account.

The link goes to: http: //www.123contactform.com/form-591874/Web-Upgrade (I didn't click on it)

The full headers are below:

From: Stanford University
To: you 
Reply-To: noreply@cs.stanford.edu
Delivered-To: [redacted]
Received: by with SMTP id bo6csp23125wjc; Wed, 29 May 2013 13:26:10 -0700 (PDT)
Received: from forward1-smtp.messagingengine.com (forward1-smtp.messagingengine.com. []) by mx.google.com with ESMTPS id fd1si22565649vcb.65.2013. for <[redacted]> (version=TLSv1 cipher=RC4-SHA bits=128/128); Wed, 29 May 2013 13:26:10 -0700 (PDT)
Received: from imap19.nyi.mail.srv.osa (imap19.nyi.mail.srv.osa []) by gateway1.nyi.mail.srv.osa (Postfix) with ESMTP id A6A7D206BF for <[redacted]>; Wed, 29 May 2013 16:26:06 -0400 (EDT)
Received: by imap19.nyi.mail.srv.osa (Postfix, from userid 501) id A1D2E220145; Wed, 29 May 2013 16:26:06 -0400 (EDT)
Received: from compute5.internal (compute5.nyi.mail.srv.osa []) by sloti19d2p1 (Cyrus git2.5+0-git-fastmail-9272) with LMTPA; Wed, 29 May 2013 16:26:06 -0400
Received: from mx2.nyi.mail.srv.osa ([unixlocal]) by compute5.internal (LMTPProxy); Wed, 29 May 2013 16:26:06 -0400
Received: from cs-smtp-2.Stanford.EDU (cs-smtp-2.Stanford.EDU []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx2.messagingengine.com (Postfix) with ESMTPS id 343A26C03AC for <[redacted]>; Wed, 29 May 2013 16:26:02 -0400 (EDT)
Received: from mail.tu-berlin.de ([]) by cs-smtp-2.Stanford.EDU with esmtps (TLSv1:AES256-SHA:256) (Exim 4.77) (envelope-from ) id 1UhmwN-000518-0K; Wed, 29 May 2013 13:25:52 -0700
Received: from [] (helo=[]) by mail.tu-berlin.de (exim-4.72/mailfrontend-7) with esmtpsa [TLSv1:AES256-SHA:256] id 1Uhmri-0000EC-0L; Wed, 29 May 2013 22:21:02 +0200
X-Received: by with SMTP id h6mr2788483vez.18.1369859170090; Wed, 29 May 2013 13:26:10 -0700 (PDT)
Received-Spf: neutral (google.com: is neither permitted nor denied by best guess record for domain of noreply@cs.stanford.edu) client-ip=;
Authentication-Results: mx.google.com; spf=neutral (google.com: is neither permitted nor denied by best guess record for domain of noreply@cs.stanford.edu) smtp.mail=noreply@cs.stanford.edu
X-Sieve: CMU Sieve 2.4
X-Spam-Score: 1.6
X-Spam-Source: IP='', Host='cs-smtp-2.stanford.edu', Country='US', FromHeader='edu', MailFrom='edu'
X-Spam-Charsets: plain='iso-8859-1', html='iso-8859-1'
X-Resolved-To: [redacted]
X-Delivered-To: [redacted]
X-Mail-From: noreply@cs.stanford.edu
Content-Type: multipart/alternative; boundary="===============2107424360=="
Mime-Version: 1.0
X-Pmx-Version:, Antispam-Engine:, Antispam-Data: 2013.5.29.200920
X-Pmx-Spam: Gauge=IIIIIII, Probability=0%, Report=''
X-Remote-Spam-Score: 0.5
X-Remote-Spam-Checker-Version: SpamAssassin on cs-smtp-2.Stanford.EDU
X-Scan-Signature: 5257551a17fe2eabeabf44262ae65875
Subject: Computer Science- Web Upgrade
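The relay chain in these headers can be read mechanically. The following Python sketch is an added example, not part of the original post: it walks the `Received:` lines oldest-first and compares the first relay with the domain the message claims to come from. The function names and the two-label `org_domain` shortcut are assumptions made for illustration.

```python
import re

# Lines copied from the headers above; redactions kept, each hop trimmed to its
# "from ... by ... with ..." part, Authentication-Results trimmed to the verdict.
RAW_HEADERS = """\
Received: from forward1-smtp.messagingengine.com (forward1-smtp.messagingengine.com. []) by mx.google.com with ESMTPS
Received: from cs-smtp-2.Stanford.EDU (cs-smtp-2.Stanford.EDU []) by mx2.messagingengine.com (Postfix) with ESMTPS
Received: from mail.tu-berlin.de ([]) by cs-smtp-2.Stanford.EDU with esmtps (Exim 4.77)
Received: from [] (helo=[]) by mail.tu-berlin.de (exim-4.72/mailfrontend-7) with esmtpsa
Authentication-Results: mx.google.com; spf=neutral smtp.mail=noreply@cs.stanford.edu
X-Mail-From: noreply@cs.stanford.edu
"""

HOP_RE = re.compile(r"^Received: from (\S+).*? by (\S+)(?: .*?\bwith (\w+))?", re.I | re.M)

def org_domain(host):
    """Last two DNS labels, lowercased. Good enough for these hosts; a real
    tool would use the Public Suffix List (assumption of this example)."""
    labels = host.lower().strip(".[]").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def parse_hops(raw):
    """Return hops oldest-first. Each relay prepends its Received line, so the
    bottom line in the message is the first hop."""
    hops = [{"from": f, "by": b, "with": w.lower()} for f, b, w in HOP_RE.findall(raw)]
    return hops[::-1]

def analyze(raw):
    hops = parse_hops(raw)
    claimed = org_domain(re.search(r"^X-Mail-From: \S+@(\S+)", raw, re.M).group(1))
    # First hop at which a server of the claimed domain accepted the message.
    entry = next((h for h in hops if org_domain(h["by"]) == claimed), None)
    report = {
        "claimed_domain": claimed,
        "first_relay": hops[0]["by"],
        # RFC 3848: a trailing "A" in the keyword (ESMTPA/ESMTPSA) means SMTP AUTH was used.
        "authenticated_submission": hops[0]["with"].endswith("a"),
        "entered_claimed_domain_from": entry["from"] if entry else None,
        "spf": re.search(r"\bspf=(\w+)", raw).group(1),
    }
    report["sender_domain_mismatch"] = org_domain(report["first_relay"]) != claimed
    return report

if __name__ == "__main__":
    for key, value in analyze(RAW_HEADERS).items():
        print(f"{key}: {value}")
```

On these headers the report shows a message claiming cs.stanford.edu that was first accepted by mail.tu-berlin.de over an authenticated session and only then handed to cs-smtp-2.Stanford.EDU, with SPF returning neutral rather than pass.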

Scam: traveling, mugged, and need cash

I've gotten this email from more than one person in the past. If any friend asks for cash via email, please make sure you talk to them directly on the phone before you even think about helping them. Usually, it means that their email account has been compromised, so they should also immediately change all of their passwords.


I'm sorry you're getting the mail from me at this Point in time,my family and I came down here to Manila(Philippines), for a short vacation unfortunately we were mugged at the park of the hotel we stayed,all cash credit cards and cell were stolen off but luckily for us we still have our passports with us.

I have been to the embassy and the Police here but they're not helping issues at all and our flight leaves pretty soon from now but we're having problems settling the hotel bills and the hotel manager won't let us leave until we settle the bills.Please be so kind to reply back so I can tell you what to do and how to get some cash to us.

I'm freaked out at the moment

Here's a helpful Snopes article that talks about this scam. Also, all the telltale signs of a scam from non-native English speakers are there: poor grammar, arbitrarily capitalized words, missing spaces, and the use of the word "kind" or "kindly."

Paypal is the vehicle for scams on Craigslist

I'd like to state first that I use and rely on Paypal for many different kinds of transactions. Used between people I know (who have existing, stable accounts) and through eBay, it has been a convenient and consistently-useful tool. However, I just sold two cameras and a Blackberry using Craigslist, and the experience was a bad one. For every solid lead, I received at least ten emails from scammers who wanted me to mail the phone / cameras overseas, often including large sums of additional payment for shipping. All of them offered to pay via Paypal.

I've heard of people scamming Craigslist sellers by using Paypal to initiate payment, and then canceling or disputing the payment once the item has been shipped off to West Africa somewhere. The emails persist even though my Craigslist posts state very clearly:


One annoying thing is that the scammers often start by writing a single email -- e.g. "Is the item still for sale?" After a response or three, they then state that they are actually buying it for their brother / aunt / co-worker, and that they are out of town, and that they'd like me to mail it to Nigeria. As a general rule, if there is a complicated story behind the reason for the purchase, it is probably a scam.

I've started to ignore those sorts of emails, along with emails exhibiting poor grammar or a total lack of respect. The fragmented OMG / LOL / no-punctuation emails are from the younger generation; I tried responding to one of them, and the guy wanted to come pick up the phone at midnight (with 5 minutes of notice).

Now, I just delete responses when they are even a little bit strange. The sad thing is that some legitimate responses get filtered out, but if it's hard to tell, I probably won't want to meet those folks in person, anyway.

If I feel like putting a *[sic]* after what I've just read, I hit delete.

OK, now for the fun part: examples!

> From: larry Linda
> Date: August 18, 2009 4:58:35 AM PDT
> Subject: Re: Blackberry Bold 9000, original box - $270 (SOMA / south beach)

> Hello, Nice to here back from you, I don't have pick up arrangements due to the fact that I'm out of the Country to Athens Greece for a Conference meeting,so you will be shipping the item to my Son in West Africa.I'm buying the item for him as a Gift because he win a scholarship in two days ago and i we be offering you $275 for the item and $100 to cover up the shipping fee down to him at oversea,I will be paying you via PayPal.So kindly get back to me with your Confirmed PayPal e-mail address so that i can transfer the funds into your Account,so you will be shipping the item via the USPS Express Mail Service(EMS) after payment has been done.i will be waiting to here back from you with your paypal account info so that i can send that to paypal online for the instant money transfer.get back to me ASAP...


Here's one with no punctuation. It may be legit, but why take the chance?

> From: sammy lankky
> Date: August 17, 2009 8:26:24 AM PDT
> Subject: Blackberry Bold 9000, original box - $270 (SOMA / south beach)

> is this item still available for sale. if yes kindly get back to me ASAP......

And another, with typos and poor grammar:

> From: Manu Dubey
> Date: August 17, 2009 7:54:31 AM PDT
> Subject: buy phone

> hi i am intrested to buy this phone. give me your cell number.

No. I refuse.

> From: Allyson Willams
> Date: August 17, 2009 3:31:47 AM PDT
> Subject: Blackberry Bold 9000, original box - $270

> Hello seller i see your item online i will like to buy it for my brother who as a promotion to NYC i will like to make payment with paypal and i will like to no the item condition and the item total prices.with the shipping cost to him.will can still make the payment via bank to bank transfer.

Bank transfer? No punctuation? No thanks!

> From: Clarence King
> Date: August 7, 2009 8:22:46 PM PDT
> Subject: Canon 1Ds Mark III digital SLR body - $4500 (SOMA / south beach)

> Is your listed item still available for sale?Got some interest.

> From: Clarence King
> Date: August 8, 2009 8:38:36 AM PDT
> Subject: Re: Canon 1Ds Mark III digital SLR body - $4500 (SOMA / south beach)

> Thanks for getting back to me..I really appreciate your response to my earlier mail.like am serious in buying this item so pls do withdraw the advert from Craigslist. I will also like you to know that i will be paying by paypal due to the fact that i will not be able to meet up with the cash and local pick up, you can contact me on this number 18642739289 or email me. so you will be shipping it oversea.I will be adding $200 for the shipping and handling cost... I will need you to provide me with the Your paypal email address so i can send the money to your paypal account.

> Hope to hear back from you.