
Is the University of Alabama running a 419 scam now?

This topic is archived.
 
Ghost in the Machine Donating Member (1000+ posts) Tue Aug-21-07 04:47 PM
Original message
Is the University of Alabama running a 419 scam now?
Look at the mailing path and the email address. I thought at first it could have been a spoofed addy, but the mailing path comes from bama.ua.edu

"from Man Tech Company Ltd <holt034@bama.ua.edu> hide details 4:03 pm (17 minutes ago)
reply-to info_mantechcoy02@yahoo.com.cn
date Aug 21, 2007 4:03 PM
subject RE:FILL OUT COMPANY FORM.............ASAP
mailed-by bama.ua.edu {emphasis mine}


--
FROM THE DESK OF Mr.Chiyo Asuka
Man Tech Company Ltd.
No.2, Lane 70, Ming Chu Road, Sec.
1,Tung Pao, Japan

This mail is serving as an invitation to treat with the above named
company. Our company was established in 1970.

Over the years we have accumulated invaluable experience in our
business and we are proud to claim we are second to none. Due to the
increase in demand of our products in America and Canada, Europe we
have decided to move our products fully into the continent of America
&
Europe.

By so doing,we are searching for reliable persons/companies who can act
as a RECEIVING PAYMENTS AGENT who will act as medium of reach between
our customers and us in their area of locality.

Note that, if finally aprroved as our Representative, you are entitled
to an annual income of $24,000USD and 10% of whatever amount you
receive from customers who are making payments for outstanding invoices
on behalf of the company.

Our account officer in Japan will convey to you the medium which
you will use to remit any funds received on our behalf.If you are
interested in being a REPRESENTATIVE AGENT in the above location and
your locality,

please fill out this form below:MAN TECH COMPANY.
Receiving Payment Account Form:
Title : Ms Mr Mrs Dr: ..........
First Name: ....................
Surname: .......................
Age: 20-55+ ....................
Relevant Experience: ...........
Your Company Name: .............
Monthly Income: ................
Residential Address: ...........
State...........................
Zip.............................
Country.........................
PhoneNumber:....................
Fax Number:.....................
Email Address: .................

Do you have an exclusive relationship with another Asia based company?
YES /NO.Please also let us know the best time to reach you on phone
especially as we have a difference in time. Thank you for your
time.
Please send the above details to our marketing manager via email:

Mr.Yukio Wong
EMAIL: info_mantechcoy02@yahoo.com.cn

RESPECTFULLY SUBMITTED,
PRESIDENT- MAN TECH COMPANY LTD
JAPAN"


I *know* this can't be legit... c
bluestateguy Donating Member (1000+ posts) Tue Aug-21-07 05:00 PM
Response to Original message
1. Maybe the "Machine" is up to their old tricks again
nt

Bluebear Donating Member (1000+ posts) Tue Aug-21-07 05:00 PM
Response to Original message
2. 'Man Tech Company'
:silly:

moggie Donating Member (1000+ posts) Tue Aug-21-07 05:03 PM
Response to Original message
3. What are the complete headers?
What you've shown here is very incomplete. You need to look at the trace headers ("Received" headers) to see where it really originated. Spam almost invariably uses a forged return path, for obvious reasons.

Ghost in the Machine Donating Member (1000+ posts) Tue Aug-21-07 05:30 PM
Response to Reply #3
4. Do you know how to show them in Gmail?
I just clicked where it says "show details" and this is what I get:

from Man Tech Company Ltd <holt034@bama.ua.edu> hide details 4:03 pm (2 hours ago)
reply-to info_mantechcoy02@yahoo.com.cn
date Aug 21, 2007 4:03 PM
subject RE:FILL OUT COMPANY FORM.............ASAP
mailed-by bama.ua.edu


I know in yahoo mail you can go into your email settings and just click a button that says "show complete headers", but I can't find that in Gmail

moggie Donating Member (1000+ posts) Wed Aug-22-07 05:35 AM
Response to Reply #4
5. "Show original"
It's in the drop-down menu at the top of the message display.

Ghost in the Machine Donating Member (1000+ posts) Wed Aug-22-07 01:30 PM
Response to Reply #5
7. Found it... thanks!
Delivered-To: xxxxxxxx@gmail.com {blanked out by me}
Received: by 10.141.34.13 with SMTP id m13cs278460rvj;
Tue, 21 Aug 2007 13:06:56 -0700 (PDT)
Received: by 10.35.68.16 with SMTP id v16mr9216136pyk.1187726815621;
Tue, 21 Aug 2007 13:06:55 -0700 (PDT)
Return-Path: <holt034@bama.ua.edu>
Received: from smtp-a.ua.edu (smtp-a.ua.edu <130.160.4.38>)
by mx.google.com with ESMTP id z80si11193091pyg.2007.08.21.13.06.49;
Tue, 21 Aug 2007 13:06:55 -0700 (PDT)
Received-SPF: pass (google.com: domain of holt034@bama.ua.edu designates 130.160.4.38 as permitted sender) client-ip=130.160.4.38;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of holt034@bama.ua.edu designates 130.160.4.38 as permitted sender) smtp.mail=holt034@bama.ua.edu
Received: from localhost (<130.160.4.40>)
by smtp-a.ua.edu (8.13.6/8.13.6) with ESMTP id l7LK39Pr013791;
Tue, 21 Aug 2007 15:03:09 -0500 (CDT)
Received: from 81.199.43.163.rmts.satcom-systems.net (81.199.43.163.rmts.satcom-systems.net <81.199.43.163>)
by bamamail.ua.edu (IMP) with HTTP
for <holt034@localhost>; Tue, 21 Aug 2007 15:03:09 -0500
Message-ID: <1187726589.46cb44fd42fe5@bamamail.ua.edu>
Date: Tue, 21 Aug 2007 15:03:09 -0500
From: Man Tech Company Ltd <holt034@bama.ua.edu>
Reply-to: info_mantechcoy02@yahoo.com.cn
Subject: RE:FILL OUT COMPANY FORM.............ASAP
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
User-Agent: Internet Messaging Program (IMP) 3.2.1
X-Originating-IP: 81.199.43.163
-----------------------------------------------------------------------------------

Ok, can you make heads or tails out of this?

moggie Donating Member (1000+ posts) Wed Aug-22-07 01:55 PM
Response to Reply #7
8. Right, the trace headers look genuine
You can only really trust the trace headers from the point where mx.google.com receives the message from 130.160.4.38, but the rest are consistent. It was posted using the university's webmail server:

https://bamamail.ua.edu/

As you can see, the poster's IP address was 81.199.43.163, which is in Nigeria (surprise surprise). They used the 'holt034' account (David Holt, a chemical engineer, according to Google) on the webmail server: presumably his password has become known to spammers. Report it to abuse at ua.edu; if that bounces, Help.Desk at ua.edu. By now, David Holt is probably aware that something is wrong, if he's still around, since his mailbox will be full of bounces...
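Added example, not written by any poster in this thread: the header reading described in reply #8, in Python. It uses a subset of the headers from reply #7 (continuation lines re-indented so they parse), splits the trace at the hop stamped by mx.google.com, and checks whether the older, unverified hops agree with X-Originating-IP. The function names and the `trusted_by` parameter are this example's own.

```python
import re
from email import message_from_string

# Trace headers copied from reply #7, continuation lines re-indented so they
# parse as folded headers. Newest hop first, as delivered.
RAW = """\
Received: by 10.141.34.13 with SMTP id m13cs278460rvj;
 Tue, 21 Aug 2007 13:06:56 -0700 (PDT)
Received: from smtp-a.ua.edu (smtp-a.ua.edu <130.160.4.38>)
 by mx.google.com with ESMTP id z80si11193091pyg.2007.08.21.13.06.49;
 Tue, 21 Aug 2007 13:06:55 -0700 (PDT)
Received: from localhost (<130.160.4.40>)
 by smtp-a.ua.edu (8.13.6/8.13.6) with ESMTP id l7LK39Pr013791;
 Tue, 21 Aug 2007 15:03:09 -0500 (CDT)
Received: from 81.199.43.163.rmts.satcom-systems.net (81.199.43.163.rmts.satcom-systems.net <81.199.43.163>)
 by bamamail.ua.edu (IMP) with HTTP
 for <holt034@localhost>; Tue, 21 Aug 2007 15:03:09 -0500
X-Originating-IP: 81.199.43.163
"""

PEER_IP = re.compile(r"[<\[](\d{1,3}(?:\.\d{1,3}){3})[>\]]")  # <ip> as in the post, or [ip]
BY_HOST = re.compile(r"\bby\s+(\S+)")

def parse_hops(msg):
    """One dict per Received header, newest first: stamping host and the peer IP it saw."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        by, ip = BY_HOST.search(flat), PEER_IP.search(flat)
        hops.append({"by": by.group(1) if by else None,
                     "peer_ip": ip.group(1) if ip else None})
    return hops

def analyse(raw, trusted_by="mx.google.com"):
    """Split the trace at the recipient's own MX: that hop's peer IP is verified,
    everything older was written by the sending side and is only a claim."""
    msg = message_from_string(raw)
    hops = parse_hops(msg)
    trusted = [i for i, h in enumerate(hops) if h["by"] == trusted_by]
    if not trusted:
        raise ValueError("no Received header stamped by %s" % trusted_by)
    boundary = max(trusted)                      # oldest hop written by our MX
    claimed = hops[-1]["peer_ip"]                # oldest hop overall, unverified
    return {"verified_sender_ip": hops[boundary]["peer_ip"],
            "unverified_hops": len(hops) - 1 - boundary,
            "claimed_origin_ip": claimed,
            "xoip_consistent": msg.get("X-Originating-IP", "").strip() == claimed}

if __name__ == "__main__":
    print(analyse(RAW))
```

A mismatch between the oldest Received hop and X-Originating-IP does not prove forgery by itself, but it marks the part of the trace that should not be relied on.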
 
mahatmakanejeeves Donating Member (1000+ posts) Wed Aug-22-07 02:05 PM
Response to Reply #7
9. X-Originating-IP: 81.199.43.163
Edited on Wed Aug-22-07 02:07 PM by mahatmakanejeeves
http://whois.webhosting.info/81.199.43.163

info N/A

http://www.geektools.com/whois.php

inetnum: 81.199.43.0 - 81.199.43.255
netname: CIDR-KasTelecom-1
descr: Kas Telecom, Nigeria
country: NG
admin-c: AA5239-RIPE
tech-c: AA5239-RIPE
status: ASSIGNED PA
mnt-by: AS12491-MNT
source: RIPE # Filtered

person: Adelere Aodu
address: Lagos, Nigeria
phone: +234 17921102
e-mail: adelere.aodu@kastelecom.com
nic-hdl: AA5239-RIPE
source: RIPE # Filtered

Edit: sorry, hadn't seen the post just before mine.

moggie Donating Member (1000+ posts) Wed Aug-22-07 03:16 PM
Response to Reply #9
10. To clarify
The kastelecom.com email address you quote is a contact at the spammer's ISP, not the spammer himself! In theory, that'd be a suitable address to complain to; but in the real world, it's pretty much a waste of time complaining to Nigerian providers.

mahatmakanejeeves Donating Member (1000+ posts) Wed Aug-22-07 08:53 PM
Response to Reply #10
11. Yes, you're right.
I post spam all the time at the Usenet group news.admin.net-abuse.sightings.

http://groups.google.com/group/news.admin.net-abuse.sightings/topics?hl=en

RebelOne Donating Member (1000+ posts) Wed Aug-22-07 06:37 AM
Response to Original message
6. It is just another twist to the 419 scam.
I bet if you checked the headers, it would probably show it originated from Nigeria.

Use this tool to check it out.

http://headertool.apelord.com/headers