Original mail identification

thierry
New Member
Posts: 3
Joined: Mon Mar 13, 2017 2:07 pm

Post by thierry » Mon Mar 13, 2017 2:34 pm

Hello everyone.
Thanks for accepting me here.
Here is the short story:

I have a small local restaurant - @traditionfribourgeoise on Facebook (Café Restaurant du Tilleul, Fribourg, Switzerland) and got a reservation for 10 people to eat for a whole week. For my wife and I, that was GREAT and so helpful (financially speaking) news.

Some person Amanda Walter, Pediatrician and I exchanged about 20 mails over a few weeks’ time and they sent me a cheque in order to pre-pay for their reservation. I went to my bank; they sent it out to be cashed in and the cheque was sent back to my bank as a falsified cheque.

I can’t understand how anyone could do that to such a small restaurant like ours, barely able to foot the monthly bills. I feel betrayed and I had to pay for the fees my bank charged me to send the cheque out. And “they” didn’t make a dime out of this!!! I even fear this scheme may just come from much closer than I can imagine.

From the information listed below, could someone give a hand with this? If so, please let me know. If not, what could I do about (where to turn to) identifying these mean people without it costing me an arm and a leg.

I also tried this: http://www.ip2location.com/free/email-tracer

Original mail:

Delivered-To: {removed}@gmail.com
Received: by 10.159.54.138 with SMTP id p10csp351596uap;
Fri, 10 Feb 2017 01:48:09 -0800 (PST)
X-Received: by 10.36.127.132 with SMTP id r126mr27272934itc.57.1486720089219;
Fri, 10 Feb 2017 01:48:09 -0800 (PST)
Return-Path: <{removed}@gmail.com>
Received: from mail-it0-x243.google.com (mail-it0-x243.google.com. [2607:f8b0:4001:c0b::243])
by mx.google.com with ESMTPS id 6si1387976ioj.112.2017.02.10.01.48.09
for <{removed}@gmail.com>
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Fri, 10 Feb 2017 01:48:09 -0800 (PST)
Received-SPF: pass (google.com: domain of {removed}@gmail.com designates 2607:f8b0:4001:c0b::243 as permitted sender) client-ip=2607:f8b0:4001:c0b::243;
Authentication-Results: mx.google.com;
dkim=pass header.i=@gmail.com;
spf=pass (google.com: domain of {removed}@gmail.com designates 2607:f8b0:4001:c0b::243 as permitted sender) smtp.mailfrom={removed}@gmail.com;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com
Received: by mail-it0-x243.google.com with SMTP id o185so3831839itb.1
for <{removed}@gmail.com>; Fri, 10 Feb 2017 01:48:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20161025;
h=mime-version:from:date:message-id:subject:to;
bh=Ozjao5HUvTyNxYEzwi9Pq7Hgse+PYkdQ5VYacJXKDfg=;
b=ufsyVFsPdvI5W4RfsajFPhjsKR2Ey3QtQshu6ZxBPU9fHD3qqJTx8BF6H2NaIUDlDx
/A7uvjDE3rkDAP88lvUZQzjH2DKQDRDu8esPb7cdOlEzB6mOmrHZdn8wtmoCX8orHD+m
QoHJGW6vPN7plxGBCJxb4gsIA2fBs30vhkaAU1OwOrBRispkwg+VRcoYYn2+ukKAr5rr
8neuN0kzAv7CJ6Cp5evHQpxKReTKAdhx919ieLO/Qp6uM29ERlTBp8cLpsEEkfBVBHYW
7kTqVzqbOSw+mJxsSKCxhEFV0UanS2agH77hEuPx01xUI3OwAttCKOf9WGY6EAaocNr7
2NGw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
bh=Ozjao5HUvTyNxYEzwi9Pq7Hgse+PYkdQ5VYacJXKDfg=;
b=MgUSooDIIAhAEUTXFKZiCh/bDQI2gA4Zs9GJ9jD5vecYi2YvsyH6XhAAAtMkk/emGd
u1KHVJusRopFHfXGOB0mvhyZ2/oPdoutQwEC7Gfpsp+JbwH5HVcV4ZJskj10Ri+i7Cnq
6EXtfbJa9lr4LXm1ppaWh5wPRIP15uN3epHLToB+lBKXY9HSr/92mpSKIgTeF0/xns2s
G/fUP9Z2pAxT7swOM8nm0ScOdZbhhO2FTGJhmsOCmNVOL2DlrEbJUSVwev3V/VoVc8eK
sm8I2HUsbKRpknq6LobNFW3P34WPcB0Firxzlj9434lSfcEfdZBczS0VPA1RalMapRNe
G5fQ==
X-Gm-Message-State: AMke39k+xd0Z8jCLHp20aN0c2G7WEq/AkSzJnTgOMQqgDhSKtMTv9seGzuY9unrOpckZvlYs589ycx23IXEzZQ==
X-Received: by 10.36.84.67 with SMTP id t64mr7356424ita.105.1486720088912;
Fri, 10 Feb 2017 01:48:08 -0800 (PST)
MIME-Version: 1.0
Received: by 10.79.27.65 with HTTP; Fri, 10 Feb 2017 01:48:08 -0800 (PST)
From: Amanda Walter <{removed}@gmail.com>
Date: Fri, 10 Feb 2017 10:48:08 +0100
Message-ID: <CAJg7q3e3ap=vufzDT4Jqe_ZwgUmqzAot0+t7JNzZncT4BDizrQ@mail.gmail.com>
Subject: Dinner Reservation
To: undisclosed-recipients:;
Content-Type: multipart/alternative; boundary=001a1143e030c7bb99054829fee7
Bcc: {removed}@gmail.com

--001a1143e030c7bb99054829fee7
Content-Type: text/plain; charset=UTF-8

Hello,
I was just informed that the payment has been sent out and hopefully you
will receive it soon. Please kindly get back to me via email as soon as you
receive the payment.
Thanks and have a wonderful day.

--001a1143e030c7bb99054829fee7
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div>Hello,</div><div>I was just informed that the payment=
has been sent out and hopefully you will receive it soon. Please kindly ge=
t back to me via email as soon as you receive the payment.</div><div>Thanks=
and have a wonderful day.</div><div><br></div></div>

--001a1143e030c7bb99054829fee7--

Thank you.
Thierry Christinaz
Café Restaurant du Tilleul in Fribourg, Switzerland.

Chrispcritters
Forum Administrator
Posts: 2200
Joined: Tue Mar 02, 2010 5:41 pm
Location: 127.0.0.1 | ::1

Re: Original mail identification

Post by Chrispcritters » Tue Mar 14, 2017 9:52 am

Unfortunately this is a very common scam in terms of sending a check in advance in hopes that you will refund a portion and/or send goods. (obviously in your case it's food service and not goods).

Gmail no longer includes the sender's IP address in the headers.

I suggest that you report the fraudulent check to your local law enforcement and let them deal with it.
Founder and Chief Marketing Technologist of WhatIsMyIPAddress.com.
You can follow me on Facebook and Twitter for some behind the scenes info.
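
Added example, not part of the original thread: a short Python check of the relay trail in the headers posted above, showing why no sender address can be recovered from them. The sample is constructed from the posted `Received`/`X-Received` lines (the `for` and TLS clauses trimmed, the From address replaced by a placeholder); the function names and the use of `2607:f8b0::/32` as Google's IPv6 range are this example's own assumptions.

```python
import ipaddress
import re
from email import message_from_string

GOOGLE_V6 = ipaddress.ip_network("2607:f8b0::/32")  # assumption: Google's IPv6 allocation

# Constructed sample: hop lines taken from the headers posted in this thread.
SAMPLE = """\
Received: by 10.159.54.138 with SMTP id p10csp351596uap;
 Fri, 10 Feb 2017 01:48:09 -0800 (PST)
X-Received: by 10.36.127.132 with SMTP id r126mr27272934itc.57.1486720089219;
 Fri, 10 Feb 2017 01:48:09 -0800 (PST)
Received: from mail-it0-x243.google.com (mail-it0-x243.google.com. [2607:f8b0:4001:c0b::243])
 by mx.google.com with ESMTPS id 6si1387976ioj.112.2017.02.10.01.48.09;
 Fri, 10 Feb 2017 01:48:09 -0800 (PST)
Received: by mail-it0-x243.google.com with SMTP id o185so3831839itb.1;
 Fri, 10 Feb 2017 01:48:09 -0800 (PST)
X-Received: by 10.36.84.67 with SMTP id t64mr7356424ita.105.1486720088912;
 Fri, 10 Feb 2017 01:48:08 -0800 (PST)
Received: by 10.79.27.65 with HTTP; Fri, 10 Feb 2017 01:48:08 -0800 (PST)
From: Amanda Walter <sender@example.invalid>

"""

def classify(token):
    """Label one address token taken from a Received line."""
    try:
        ip = ipaddress.ip_address(token)
    except ValueError:
        return "hostname"                  # e.g. mx.google.com
    if ip.is_private:
        return "internal"                  # RFC 1918 space inside the provider
    return "provider" if ip in GOOGLE_V6 else "external"

def hops(raw):
    """Return (protocol, address, label) for every address in the relay trail."""
    out = []
    for name, value in message_from_string(raw).items():
        if name.lower() not in ("received", "x-received"):
            continue
        trail = " ".join(value.split()).split(";")[0]   # unfold, drop timestamp
        proto = re.search(r"\bwith (\w+)", trail)
        tokens = re.findall(r"\bby (\S+)", trail) + re.findall(r"\[([^\]]+)\]", trail)
        for tok in tokens:
            out.append((proto.group(1) if proto else "?", tok, classify(tok)))
    return out

def external_addresses(raw):
    """Addresses that are neither provider-internal nor provider-owned."""
    return [addr for _, addr, label in hops(raw) if label == "external"]
```

The earliest hop is the `with HTTP` line, which records a webmail submission received by an internal 10.x host; every other hop is also inside Google, so `external_addresses(SAMPLE)` comes back empty.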

thierry
New Member
Posts: 3
Joined: Mon Mar 13, 2017 2:07 pm

Re: Original mail identification

Post by thierry » Tue Mar 14, 2017 10:06 am

Well, thanks for having taken the time to reply.
I don't know if they have "local law enforcement" for that kind of thing here in Switzerland. Will check.

The thing is they didn't make any money out of this. Makes me think it's "private affairs" so to speak. Will let you know if I can get legal help on this.
Their mails were written in perfect English.

Any ideas why Google no longer includes senders' IP?

Chrispcritters
Forum Administrator
Posts: 2200
Joined: Tue Mar 02, 2010 5:41 pm
Location: 127.0.0.1 | ::1

Re: Original mail identification

Post by Chrispcritters » Tue Mar 14, 2017 10:12 am

These things usually result in something like... "Oh, we need to cancel, please send a refund back..."

If the check was fake then a criminal action took place. It's worth reporting as it could be part of a larger pattern in your area.

Many email providers no longer include the sender's IP address for privacy reasons.

thierry
New Member
Posts: 3
Joined: Mon Mar 13, 2017 2:07 pm

Re: Original mail identification

Post by thierry » Tue Mar 14, 2017 4:07 pm

"If the check was fake then a criminal action took place. It's worth reporting as it could be part of a larger pattern in your area."

Yes, you're right and that's what I am trying to find out: who to talk/write to about it here in Switzerland. I've no idea but working on it.
Thanks much for your time.

Chrispcritters
Forum Administrator
Posts: 2200
Joined: Tue Mar 02, 2010 5:41 pm
Location: 127.0.0.1 | ::1

Re: Original mail identification

Post by Chrispcritters » Tue Mar 14, 2017 4:21 pm

I'd start with asking your bank who to report it to.

nielsencl1
Active Member
Posts: 236
Joined: Sun Dec 23, 2012 5:47 pm
Location: Minneapolis, MN

Re: Original mail identification

Post by nielsencl1 » Mon Mar 20, 2017 5:47 pm

I am sorry you were taken by this fraud, but you really are quite lucky. If things were done differently you could have lost much more money. The good news is you now know you can't trust anyone on the Internet, and can do things differently so you have less risk. The main lesson is to not get too excited about increased business until the money has been confirmed in your control.

If "Amanda" was really a doctor then they could afford to use a credit card or wire you the money.
Good Luck!

rony albert
New Member
Posts: 1
Joined: Tue Mar 21, 2017 5:58 am

Re: Original mail identification

Post by rony albert » Tue Mar 21, 2017 6:03 am

Oh, that sounds so sad, but I think there must be some way to trace such fraudulent activities.
