419 Scam – "GOLDEN REEF LOTTERY / SOUTHTRUST INVESTMENT PTY. / Harry Robben"

"SOUTHTRUST INVESTMENT PTY." is the fake identity used by a gang of advance fee fraud ("419") scammers operating in Nigeria and South Africa. It's a fraud (see the sample scam emails below).

The three scam operations "HERITAGE FINANCE LTD / NATIONWIDE LOTTO UK", "WORLD WIDE CASH CHANGE / PRESTIGIOUS LOTTO UK" and "SOUTHTRUST INVESTMENT PTY. / GOLDEN REEF LOTTERY" are probably closely related. All three scams use websites of fake security companies whose email is sent from Nigeria. They all send similarly worded money demands involving Word documents. A further scam in this series is "BOND TRUST LIMITED".

The scammers have registered websites for the fake lottery and fake claims agent:

Email addresses used for the scam:

  • claimsmanager@southtrustltd.net
  • deptmanager@southtrustltd.com
  • harry@southtrustltd.com
  • harryrobben@southtrustltd.net
  • hrobben@southtrustltd.com
  • mrharry@southtrustltd.net
  • mrharryrobben@southtrustltd.com
  • mrharryrobben@southtrustltd.net
  • mrhrobben@southtrustltd.com
  • mrrobben@southtrustltd.net

Sample email from "Mr Harry Robben":

Return-Path: <mrrobben@southtrustltd.net>
Received: from  hotmail.com (bay23-f22.bay23.hotmail.com [64.4.22.72])
 by rly-xh01.mx.aol.com (v104.17) with ESMTP id MAILRELAYINXH18-48641f0020a37b;
 Thu, 20 Jan 2005 14:10:03 -0500
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
	 Wed, 19 Jan 2005 07:48:07 -0800
Message-ID: <BAY23-F2264142CBAE7EAAFB576ABDF800@phx.gbl>
Received: from 165.146.71.161 by by23fd.bay23.hotmail.msn.com with HTTP;
	Wed, 19 Jan 2005 15:47:18 GMT
X-Originating-IP: [165.146.71.161]
X-Originating-Email: [mrrobben@southtrustltd.net]
X-Sender: mrrobben@southtrustltd.net
In-Reply-To: <MazUSxvjP0004181e@hotmail.com>
From: "Harry Robben" <mrrobben@southtrustltd.net>
To: #################
Subject: Requirements
Date: Wed, 19 Jan 2005 15:47:18 +0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
X-OriginalArrivalTime: 19 Jan 2005 15:48:07.0060 (UTC) FILETIME=[44E67D40:01C4FE3E]
X-AOL-IP: 64.4.22.72
X-Mailer: Unknown (No Version)

Dear Firstname Lastname,
We are in receipt of your claims file, from GOLDEN REEF LOTTERY with ticket 
number, 125-75-7849
with a serial number of 69-66, which drew lucky numbers, 09, 10, 22, 32,  
35,44, (05).  reference Number REFERENCE NO: ST-A542-9 and BATCH NO: 228-GP. 
Be informed that we have in our possession instruments of payment for the 
sum of US$2,000,000.00 to you. You will be required to fill the attached 
"Lottery Winnings Claim Form"  with all necessary details, after download, 
kindly print, fill, and send back either by fax or as an email 
attachment.Please follow the link below to download the lottery claims form 
from our website

http://www.southtrust.co.za/lottery.htm

You will also be required to pay a fee of USD6,500.00 (Six thousand five 
hundred United States dollars only), or it's equivalent in your local 
currency. This payment is to cover transfer charges, Insurance of vital 
documents like prize claim certificate and other transfer documents, 
handling and opening of account charges.

Note that your total prize claim of US$2,000,000.00 has been insured to it's 
value and as such cannot be deducted from.This is in accordance with section 
13(1)(n) of the national gambling act as adopted in 1993 and amended on 3rd 
July 1996 by the constitutional assembly. This is to protect winners and to 
avoid misappropriation of funds.

A certificate of prize claim along side other vital documents will be sent 
to you via Courier service immediately transfer of your winnings is 
effected.

Note that your winnings will be transferred within 24hours after the receipt 
of all the requirements. I shall be awaiting your response.

Truly yours,
Harry Robben.
CLAIMS DEPT. MANAGER,
SOUTHTRUST INVESTMENT PTY.
PHONE: +27 838919033
FAX: +27 115076331
EMAIL: mrrobben@southtrustltd.net

The email above was sent from South Africa.

WHOIS details for sending IP address 165.146.71.161:

     OrgName:    Telkom SA Limited 
     OrgID:      TSL
     Address:    PO Box 2753
     Address:    Pretoria
     Address:    0001
     City:       
     StateProv:  
     PostalCode: 
     Country:    ZA
     
     NetRange:   165.146.0.0 - 165.146.255.255 
     CIDR:       165.146.0.0/16 
     NetName:    TELKOMNET-B4
     NetHandle:  NET-165-146-0-0-1
     Parent:     NET-165-143-0-0-1
     NetType:    Reassigned
     NameServer: NS1.TELKOM.CO.ZA
     NameServer: NS1.IAFRICA.COM
     NameServer: RIP.PSG.COM
     Comment:    
     RegDate:    1993-06-16
     Updated:    1995-02-27
     
     TechHandle: VW4-ARIN
     TechName:   Wilson, Victor 
     TechPhone:  12-311-2988
     TechEmail:  wilsonvm@telkom.co.za 

Example of money demand:

Return-Path: <mrhrobben@southtrustltd.com>
Received: from  rly-yi04.mx.aol.com (rly-yi04.mail.aol.com [172.18.180.132])
 by ################# (v#####) with ESMTP id MAILINYI14-7c941bd9f1d247;
 Mon, 13 Dec 2004 08:55:01 -0500
Received: from  hotmail.com (bay23-f15.bay23.hotmail.com [64.4.22.65])
 by rly-yi04.mx.aol.com (v103.7) with ESMTP id MAILRELAYINYI47-7c941bd9f1d247;
 Mon, 13 Dec 2004 08:54:37 -0500
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
	 Mon, 13 Dec 2004 03:18:07 -0800
Message-ID: <BAY23-F1583CC4DC5F4DB065EDC12A9AB0@phx.gbl>
Received: from 81.199.85.129 by by23fd.bay23.hotmail.msn.com with HTTP;
	Mon, 13 Dec 2004 07:58:20 GMT
X-Originating-IP: [81.199.85.129]
X-Originating-Email: [mrhrobben@southtrustltd.com]
X-Sender: mrhrobben@southtrustltd.com
From: "Harry Robben" <mrhrobben@southtrustltd.com>
To: #################
Subject: CLAIMS REQUIREMENT/PROCESSING FORM
Date: Mon, 13 Dec 2004 07:58:20 +0000
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_3e16_65d8_51ad"
X-OriginalArrivalTime: 13 Dec 2004 11:18:07.0085 (UTC) FILETIME=[6BADB9D0:01C4E105]
X-Mailer: Unknown (No Version)


------=_NextPart_000_3e16_65d8_51ad
Content-Type: text/plain; format=flowed

ATTN:  THIRD CATEGORY WINNER

We are in receipt of your claims file, from GOLDEN REEF LOTTERY with 
reference Number REFERENCE NO: ST-A542-5 and BATCH NO: 228-GP. Be informed 
that we have in our possession instruments of payment for the sum of 
US$2,000,000.00 to you. You will be required to fill the "Lottery Winnings 
Claim Form"  with all necessary details, after download, kindly print, fill, 
and send back either by fax or as an email attachment.

Please find attacted Lottery Winnings Claim Form (LWCF)

You will also be required to pay a fee of USD6,500.00 (Six thousand five 
hundred United States dollars only), or it's equivalent in your local 
currency. This payment is to cover transfer charges, Insurance of vital 
documents like prize claim
certificate and other transfer documents, handling and opening of account 
charges.

Note that your total prize claim of US$2,000,000.00 has been insured to it's 
value and as such cannot be deducted from.This is in accordance with section 
13(1)(n) of the national gambling act as adopted in 1993 and amended on 3rd 
July 1996 by the constitutional assembly. This is to protect winners and to 
avoid misappropriation of funds.

A certificate of prize claim along side other vital documents will be sent 
to you via Courier service immediately transfer of your winnings is 
effected.

Note that your winnings will be transferred within 24hours after the receipt 
of all the requirements. I shall be awaiting your response.

Truly yours,
Mr. Harry Robben.
CLAIMS DEPT. MANAGER,
SOUTHTRUST INVESTMENT PTY.
PHONE: +27 838 919033
FAX: +27 115 076331
EMAIL: mrhrobben@southtrustltd.com
www.southtrust.co.za


------=_NextPart_000_3e16_65d8_51ad
Content-Type: application/msword; name="LWCF.doc"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="LWCF.doc"

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAABAAAATwAAAAAA
AAAAEAAAUQAAAAEAAAD+////AAAAAE4AAAD/////////////////////////////////////
....
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

------=_NextPart_000_3e16_65d8_51ad--

This email from a supposedly South African lottery was sent from Nigeria (IP 81.199.85.129):

     inetnum:      81.199.84.0 - 81.199.87.255
     netname:      CIDR-COMMUNICATION-01
     descr:        Internet service provider
     country:      NG
     admin-c:      TECH7-RIPE
     tech-c:       TECH7-RIPE
     status:       ASSIGNED PA
     notify:       lir@ipplanet.net
     mnt-by:       AS12491-MNT
     changed:      lir@ipplanet.net 20040902
     source:       RIPE
     
     person:       Tech Supernet300
     address:      21 Mobolaji Bank
     address:      Anthony Way Ikeja
     address:      Lagos
     address:      Nigeria
     phone:        + 234 1 4976493
     e-mail:       admin@supernet300.com
     nic-hdl:      TECH7-RIPE
     changed:      lir@ipplanet.net 20040902
     source:       RIPE

This is the same provider as used by the "HERITAGE FINANCE LTD" scammers and in the "Mr. Chen Chun-Hwa" dead foreigner scam. It could be the same gang or they could be using internet cafes sharing the same provider.
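
The origin check applied to both sample emails above, as an added example that is not part of the original report: it reads the client IP that Hotmail recorded in `X-Originating-IP` and in its own `with HTTP` hop, maps it to the WHOIS ranges quoted on this page, and compares the result with the country implied by the phone number in the signature. The function names and the small dialling-code table are assumptions made for the illustration.

```python
import ipaddress
import re
from email import message_from_string

# Address ranges and countries copied from the two WHOIS results on this page.
WHOIS_RANGES = [("165.146.0.0", "165.146.255.255", "ZA"),
                ("81.199.84.0", "81.199.87.255", "NG")]
DIAL_CODES = {"27": "ZA", "234": "NG"}  # assumption: only the prefixes needed here
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

# Abridged from the money-demand email above; body cut down to the phone line.
SAMPLE = """\
Received: from  hotmail.com (bay23-f15.bay23.hotmail.com [64.4.22.65])
 by rly-yi04.mx.aol.com (v103.7) with ESMTP id MAILRELAYINYI47-7c941bd9f1d247;
 Mon, 13 Dec 2004 08:54:37 -0500
Received: from 81.199.85.129 by by23fd.bay23.hotmail.msn.com with HTTP;
\tMon, 13 Dec 2004 07:58:20 GMT
X-Originating-IP: [81.199.85.129]

PHONE: +27 838 919033
"""

def country_of(ip):
    """Country code of the quoted WHOIS range containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for first, last, cc in WHOIS_RANGES:
        if ipaddress.ip_address(first) <= addr <= ipaddress.ip_address(last):
            return cc
    return None

def trace_origin(raw):
    """Compare where a webmail message was submitted from with where it claims to be."""
    msg = message_from_string(raw)
    xoip = re.search(IPV4, msg.get("X-Originating-IP", ""))
    # The webmail front end also logs the client in its own "with HTTP" hop.
    hops = [m.group(1) for r in msg.get_all("Received", [])
            if (m := re.match(r"from\s+" + IPV4 + r"\s+by\s+\S+\s+with\s+HTTP", r))]
    origin = xoip.group(1) if xoip else (hops[0] if hops else None)
    phone = re.search(r"PHONE:\s*\+(\d+)", raw)
    claimed = DIAL_CODES.get(phone.group(1)) if phone else None
    actual = country_of(origin) if origin else None
    # Both headers are written by the provider, so they should name the same IP.
    corroborated = bool(xoip) and xoip.group(1) in hops
    return {"origin_ip": origin, "corroborated": corroborated,
            "origin_country": actual, "claimed_country": claimed,
            "mismatch": None not in (actual, claimed) and actual != claimed}

if __name__ == "__main__":
    print(trace_origin(SAMPLE))
```

Headers below the provider's own first `Received` line can be forged by the sender, so the result is only meaningful when the two provider-written headers agree.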

The claims form (LWCF.doc) was created by someone using the user name "GUNIT". The document was last printed out on 2004-10-29.


"southtrustltd.net" (complaints to: abuse@msn.com)
As you can see from the record below, this supposedly South African company was registered only about three months ago, using a (probably bogus) residential address in the USA. The administrative contact email address for the domain is none other than the address of the "claims manager", i.e. "Mr Harry Robben" himself. The Admin phone number is too long by 2 digits.

WHOIS record for 419-scam domain "southtrustltd.net"

Domain Name.......... southtrustltd.net
  Creation Date........ 2004-10-28
  Registration Date.... 2004-10-28
  Expiry Date.......... 2005-10-28
  Organisation Name.... Edith D Levine
  Organisation Address. Apt 3b 301 E. 111th st.
  Organisation Address. 
  Organisation Address. New-York
  Organisation Address. 10029
  Organisation Address. NY
  Organisation Address. UNITED STATES

Admin Name........... Edith D Levine
  Admin Address........ Apt 3b 301 E. 111th st.
  Admin Address........ 
  Admin Address........ New-York
  Admin Address........ 10029
  Admin Address........ NY
  Admin Address........ UNITED STATES
  Admin Email.......... claimsmanager@southtrustltd.net
  Admin Phone.......... +1.212722139087
  Admin Fax............ 

Tech Name............ MSN NOC
  Tech Address......... One Microsoft Way
  Tech Address......... 
  Tech Address......... Redmond
  Tech Address......... 98052
  Tech Address......... WA
  Tech Address......... UNITED STATES
  Tech Email........... MSN-PA-TECH@msn.com
  Tech Phone........... +1.4258828080
  Tech Fax............. 
  Name Server.......... pdomns1.msn.com
  Name Server.......... pdomns2.msn.com


"southtrustltd.com" (complaints to: abuse@msn.com)
The .com version of the domain was created on the same day as its .net sibling using the same probably bogus street address in the USA. The Admin phone number is too long by 2 digits.

WHOIS record for 419-scam domain "southtrustltd.com"

Domain name: southtrustltd.com

Registrant Contact:
   Edith D  Levine
   Edith D Levine (deptmanager@southtrustltd.com)
   +1.212722139087
   Fax: none
   Apt 3b 301 E. 111th st.
   new-york, NY 10029
   US

Administrative Contact:
   Edith D  Levine
   Edith D Levine (deptmanager@southtrustltd.com)
   +1.212722139087
   Fax: none
   Apt 3b 301 E. 111th st.
   new-york, NY 10029
   US

Technical Contact:
   NOC MSN
   NOC MSN (MSN-PA-TECH@msn.com)
   +1.4258828080
   Fax: none
   One Microsoft Way
   Redmond, WA 98052
   US

Billing Contact:
   NOC MSN
   NOC MSN (MSN-PA-BILL@MSN.COM)
   +1.4258828080
   Fax: none
   One Microsoft Way
   Redmond, WA 98052
   US

Status: Locked

Name Servers:
   pdomns1.msn.com
   pdomns2.msn.com
   
Creation date: 28 Oct 2004 06:57:32
Expiration date: 28 Oct 2005 06:57:32
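
The checks applied to the two southtrustltd WHOIS records above (record age, admin contact reuse, phone number length), as an added example that is not part of the original report. It parses the dotted "Label..... value" layout of the .net record; the function names, the 180-day age threshold and the choice of 2005-01-19 (the date of the first sample email) as the observation date are assumptions made for the illustration.

```python
import re
from datetime import date

# Excerpt of the "southtrustltd.net" WHOIS record quoted on this page.
RECORD = """\
Domain Name.......... southtrustltd.net
  Creation Date........ 2004-10-28
  Organisation Address. UNITED STATES
Admin Name........... Edith D Levine
  Admin Address........
  Admin Email.......... claimsmanager@southtrustltd.net
  Admin Phone.......... +1.212722139087
  Tech Phone........... +1.4258828080
"""
# Two of the sender addresses listed on this page.
SCAM_SENDERS = {"claimsmanager@southtrustltd.net", "mrrobben@southtrustltd.net"}

def parse_dotted(text):
    """Parse 'Label....... value' lines into a dict of lists (labels repeat)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?)\.+ ?(.*)$", line)
        if m and m.group(2).strip():          # skip labels with an empty value
            fields.setdefault(m.group(1), []).append(m.group(2).strip())
    return fields

def nanp_excess_digits(phone):
    """Digits beyond the 10 a +1 (NANP) number has; None if not a +1 number."""
    m = re.fullmatch(r"\+1\.(\d+)", phone)
    return len(m.group(1)) - 10 if m else None

def red_flags(text, seen, senders, max_age_days=180):
    """List the registration oddities the report points out for this record."""
    f = {k: v[0] for k, v in parse_dotted(text).items()}
    flags = []
    if "Creation Date" in f:
        age = (seen - date.fromisoformat(f["Creation Date"])).days
        if age < max_age_days:                # assumed threshold for "recent"
            flags.append(f"domain only {age} days old")
    extra = nanp_excess_digits(f.get("Admin Phone", ""))
    if extra:
        flags.append(f"admin phone is off by {extra:+d} digits for a +1 number")
    if f.get("Admin Email", "").lower() in senders:
        flags.append("admin contact is one of the scam sender addresses")
    return flags

if __name__ == "__main__":
    print(red_flags(RECORD, date(2005, 1, 19), SCAM_SENDERS))
```

The same phone check flags the .com record, which lists the identical `+1.212722139087` number, while the MSN technical contact number passes.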


The South African domain "southtrust.co.za" is registered using an African name and a South African postal address. The contact email address uses a Chinese name and the webmailer tiscali.co.uk, which is one of the most popular webmailers amongst "419" scammers.

WHOIS record for 419-scam domain "southtrust.co.za"

0a. Last Update:  Tue Oct 26 16:06:52 SAST 2004
0b. Sender:       accounts@webonline.biz
0c. Posted:       26 Oct 2004 14:06:15 -0000
0d. Subject:      southtrust.co.za
0g. Hist Cnt:     1
0h. Inv Number:   398495
0i. Contract:     NEW
0j. Coza Version: $Revision: 1.105 $ $Date: 2004/07/08 13:12:58 $
1a. Domain:       southtrust.co.za
1b. Action:       N
2a. Domain Owner: Tabu Kalimbuka
2b. Owner Postal: PO Box 1253, PO Box 1253, Buccluech, Johannesburg, Gauteng, 2066
2c. Owner StAddr: 10 Heronshaw , Gibson drive, Buccluech, Johannesburg, Gauteng,
2d. Payment:      150
2e. Ac/Inv/Chqe:  I
2f. Bill/Acct:    WebOnline
2g. Mail Bill to: accounts@webonline.biz
2h. NoDelayWord:  **set**
2i. Invoice Addr: P.O. Box 1264, Wingate Park, 0153
2j. Owner Phone:  0115076315
2k. Owner Fax:    0115076315
2l. Owner E-Mail: jinging@tiscali.co.uk
3a. Opp Date:     2004/10/26 16:06:39
3b. CNAME Base:   
3c. CNAME sub1:   
3d. CNAME sub2:   
4a. Adm Contact:  Web Online, Accounts
4b. Adm Title:    Accounts Department
4c. Adm Company:  Web Online
4d. Adm Postal:   P.O. Box 1264, Wingate Park, 0153
4e. Adm Phone:    +27.0861666555
4f. Adm Fax:      +27.0866801585
4g. Adm E-Mail:   accounts@webonline.biz
4h. Adm Nic:      
5a. Tec Contact:  Web Online, Support
5b. Tec Title:    Support Department
5c. Tec Company:  Web Online
5d. Tec Postal:   P.O. Box 1264, Wingate Park, 0153
5e. Tec Phone:    +27.0861666555
5f. Tec Fax:      +27.0866801585
5g. Tec E-Mail:   support@webonline.biz
5h. Tec Nic:      
6a. Prim NS FQDN: dns10.webonline.biz
6b. Prim NS IP:   196.30.15.157
6e. Sec NS1 FQDN: dns2.webonline.biz
6f. Sec NS1 IP:   216.127.84.49
6i. Sec NS2 FQDN: 
6j. Sec NS2 IP:   
6m. Sec NS3 FQDN: 
6n. Sec NS3 IP:   
6q. Sec NS4 FQDN: 
6r. Sec NS4 IP:   
7a. Prim MX FQDN: 
7b. Prim MX IP:   
7c. Prim MX Cost: 
7d. Sec MX FQDN:  
7e. Sec MX IP:    
7f. Sec MX Cost:  
8a. Net bk Start: 
8b. Net bk End:   
8c. Net bk Start: 
8d. Net bk End:   
8e. Net bk Start: 
8f. Net bk End:   
9a. Description1: 
9b. Description2: 
9c. Description3: 
9d. Description4: 
9e. Description5: 
9f. Description6: