Are these spoofed emails or someone is sending them from bitcoin.org?

[paraipan]

We're receiving allot of strange emails from bitcoin.org lately and I was curious to know if they're legit or someone is spoofing the domain for their own interest.

Here are some of them:

from:    donation@bitcoin.org
reply-to:    info@bitcoin.org
to:    support@rugatu.com
date:    Sat, Oct 19, 2013 at 3:52 AM

Bitcoin Foundation standardizes, protects and promotes the use of Bitcoin cryptographic money for the benefit of users worldwide.

Bitcoin Foundation Accepts Donations in Bitcoins

We believe this is important for two reasons:

1. It represents our strong belief in the value of Bitcoin as a medium of exchange AND
2. It automatically makes the Foundation’s assets public information—allowing Bitcoin users to see how much we have received in donations and emphasizing our commitment to transparency
3. Help this for us true

Make a donation

Donate to the Bitcoin Foundation:

BTC:   1PPqWCmzDeBxgtfwNPqekzHBTzxnkXba5i

LTC:   LLqWMnmCA2D51Lc5eSt5zaMADVgFRMEAzs


We guarantee
if you send just 0.1 or some BTC or LTC to wallet you very help us
our mission make bitcoins technology is future
Your donation can support

from:    invests@bitcoin.org
reply-to:    invests@bitcoin.org
to:    support@rugatu.com
date:    Sat, Oct 19, 2013 at 10:51 PM

Dear Bitcoin Member,

Bitcoin has made considerable progress and improvement, it has become the leading e-currency and its services are being improved continuously.

Recently we have estabilished a very important relation with leading Forex traders from Tokyo and we decided to give a special offer to you:

GET 400% Bitcoin Address Bitcoin RETURN IN 1 Hours !

Investment plans below:
1 - 4 BTC we return in 1 hours  400%
5 - 8.5 BTC we return in 1 hours 350%
10 - 47.5 BTC we return in 1 hours 500%

Investment Example:

You send deposit 1 BTC  we return 4 BTC
You send deposit 5 BTC  we return 8.5 BTC
You send deposit 10 BTC  we return 47.5 BTC
You send deposit 100 BTC we return 470.5 BTC

You need to make spend deposit to Bitcoin Forex Investment Address: 1EPJJyST5awBYuqt2inH3WBWzdnALutzTe

Login your bitcoin account or software / Send Money  (Coins).


The minimal deposit is 1 Bitcoin, while the maximum deposit is 100 Bitcoin per member.
The 300 payout will be made back to your Bitcoin Address in 1 hours.

The payout is IMMEDIATE, GUARANTEED and there is NO RISK from losing your bitcoin.
This is a TIME LIMITED ONE-TIME OFFER and you must ACT NOW!

This opportunity will not last long, so you must react quickly.
Deposits are accepted until Oct 28. 2013 4:00 (GMT).


Thank You.

Best Regards: Bitcoin.org and Tokyo forex partnership.
Bitcoin Project 2008–2013 Released under the MIT license

You Get Money Number Your Wallet Your Money in Hour Stable

Investment Address: 1EPJJyST5awBYuqt2inH3WBWzdnALutzTe

from:    new@bitcoin.org
reply-to:    new@bitcoin.org
to:    support@rugatu.com
date:    Sun, Oct 20, 2013 at 12:09 AM

Bitcoin is an innovative payment network and a new kind of money.

Bitcoin Wallet


Your Bitcoin wallet is what allows you to transact with other users. It gives you ownership of a Bitcoin balance so that you can send and receive bitcoins. Just like email, all wallets can interoperate with each other.

Getting started with Bitcoin

Choose your wallet

Upload Complete >  New File
Congratulations! Your upload completed successfully

Bitcoin-0.8.5-win32-setup

Yes

Download Link

http://www.sendspace.com/file/9ne22o

in attach also file for you version new

You can bring a Bitcoin wallet in your everyday life with your mobile or you can have a wallet only for online payments on your computer. In any case, choosing your wallet can be done in a minute.

Using Bitcoin to pay and get paid is easy and accessible to everyone.

What do you think?

[rpg]

email headers please

[paraipan]

email headers please

Code:

Delivered-To: xxxxxxxxx@gmail.com
Received: by 10.114.0.228 with SMTP id 4csp49107ldh;
        Sat, 19 Oct 2013 14:02:13 -0700 (PDT)
X-Received: from mr.google.com ([10.205.105.73])
        by 10.205.105.73 with SMTP id dp9mr1252712bkc.33.1382216532641 (num_hops = 1);
        Sat, 19 Oct 2013 14:02:12 -0700 (PDT)
X-Received: by 10.205.105.73 with SMTP id dp9mr542392bkc.33.1382216532459;
        Sat, 19 Oct 2013 14:02:12 -0700 (PDT)
X-Forwarded-To: xxxxxxxxx@gmail.com
X-Forwarded-For: xxxxxxxxx@gmail.com xxxxxxxxx@gmail.com
Delivered-To: xxxxxxxxx@gmail.com
Received: by 10.204.226.133 with SMTP id iw5csp58037bkb;
        Sat, 19 Oct 2013 14:02:11 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-original-authentication-results:delivered-to:delivered-to
         :content-type:mime-version:content-transfer-encoding
         :content-description:subject:to:from:date:reply-to:return-receipt-to
         :message-id;
        bh=tYwU0gnZQSWsvDC6GXua4Ejq+oZyZoCY1Eusaz59eaM=;
        b=at3eGk9LGUyyY2ryViGyw3cp3kdV6BtHMv88RM7QWIFd58uhr5dTBCkOUHC8/44V+2
         276kKhpjhlgXKb3eW3qGIKu5M8xgYsbD63doFuucfPz91S0DgIcDmdKnyK16gmXjJ5JN
         c5e4aezfL9+8P3R5ztG3vLdBAO5alp72SIJsLHXPQAfX3N17oaUG9YHL9+yKS7zZri85
         i2Ex6BtBCelgZVg5+v7zKcXlgGMgwl6Qpacgkp9wmfhIbvu3C6rNycmXhtV70JD2KetS
         AH7EpZLIdDeBj4OsSYiWzAxoZ13mPCpBwwbAJeFb4jimLQ9N1fyAYhEEJd861hI8GVT3
         jMlA==
X-Original-Authentication-Results: mx.google.com;       spf=pass (google.com: domain of SRS0=ntU1=T5=bitcoin.org=invests@bounce.secureserver.net designates 173.201.192.185 as permitted sender) smtp.mail=SRS0=ntU1=T5=bitcoin.org=invests@bounce.secureserver.net
X-Received: from mr.google.com ([10.50.128.137])
        by 10.50.128.137 with SMTP id no9mr5468927igb.36.1382216530982 (num_hops = 1);
        Sat, 19 Oct 2013 14:02:10 -0700 (PDT)
X-Received: by 10.50.128.137 with SMTP id no9mr4299466igb.36.1382216530042;
        Sat, 19 Oct 2013 14:02:10 -0700 (PDT)
X-Forwarded-To: xxxxxxxxx@gmail.com, xxxxxxxxx@googlemail.com
X-X-Forwarded-For: xxxxxxxxx@gmail.com xxxxxxxxx@gmail.com, xxxxxxxxx@googlemail.com
Delivered-To: xxxxxxxxx@gmail.com
Received: by 10.64.227.50 with SMTP id rx18csp38085iec;
        Sat, 19 Oct 2013 14:02:09 -0700 (PDT)
X-Received: by 10.43.10.198 with SMTP id pb6mr5874773icb.40.1382216529512;
        Sat, 19 Oct 2013 14:02:09 -0700 (PDT)
Return-Path: <SRS0=ntU1=T5=bitcoin.org=invests@bounce.secureserver.net>
Received: from p3plsmtp14-03.prod.phx3.secureserver.net (p3plsmtp14-03.prod.phx3.secureserver.net. [173.201.192.185])
        by mx.google.com with ESMTP id jb1si8916913icb.5.2013.10.19.14.02.08
        for <xxxxxxxxx@gmail.com>;
        Sat, 19 Oct 2013 14:02:09 -0700 (PDT)
Received-SPF: pass (google.com: domain of SRS0=ntU1=T5=bitcoin.org=invests@bounce.secureserver.net designates 173.201.192.185 as permitted sender) client-ip=173.201.192.185;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of SRS0=ntU1=T5=bitcoin.org=invests@bounce.secureserver.net designates 173.201.192.185 as permitted sender) smtp.mail=SRS0=ntU1=T5=bitcoin.org=invests@bounce.secureserver.net
Received: (qmail 14057 invoked from network); 19 Oct 2013 21:02:08 -0000
Delivered-To: support@rugatu.com
Received: (qmail 14050 invoked by uid 30297); 19 Oct 2013 21:02:08 -0000
Received: from unknown (HELO p3plibsmtp01-10.prod.phx3.secureserver.net) ([10.6.12.197])
          (envelope-sender <invests@bitcoin.org>)
          by p3plsmtp14-03.prod.phx3.secureserver.net (qmail-1.03) with SMTP
          for <support@rugatu.com>; 19 Oct 2013 21:02:08 -0000
Received: from mx1.uaeexchange.co.in ([203.197.151.29])
	by p3plibsmtp01-10.prod.phx3.secureserver.net with bizsmtp
	id f9261m0020eJYjv019266l; Sat, 19 Oct 2013 14:02:08 -0700
X-Authority-Analysis: v=2.0 cv=AtUwKpBP c=1 sm=1
 a=2LujIVcxHzjGFIFK9kwEgA==:17 a=iM3w-qz-v2IA:10 a=1gkY2oB4D8cA:10
 a=sg1Movbh_6AA:10 a=wPDyFdB5xvgA:10 a=IkcTkHD0fZMA:10 a=hxtorQ8BAAAA:8
 a=c3CknTMcAAAA:8 a=xqfsdtIXgKcA:10 a=FJK6MB_soEjotqEc3dMA:9 a=QEXdDO2ut3YA:10
 a=WdolIobSAHYA:10 a=PvSqNWqEmEJ5-Lh7:21 a=NVN3th6WmReDMRcw:21
 a=2LujIVcxHzjGFIFK9kwEgA==:117
Received: from localhost (localhost.localdomain [127.0.0.1])
	by mx1.uaeexchange.co.in (Postfix) with ESMTP id 00A8A20869A
	for <support@rugatu.com>; Sun, 20 Oct 2013 02:32:05 +0530 (IST)
X-Virus-Scanned: by Wipro AntiSpam Gateway at uaeexchange.co.in
Received: from mx1.uaeexchange.co.in ([127.0.0.1])
	by localhost (uaeexchange.co.in [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id jBa4Ld49r46N for <support@rugatu.com>;
	Sun, 20 Oct 2013 02:32:04 +0530 (IST)
Received: from [192.168.0.100] (unknown [89.223.47.197])
	by mx1.uaeexchange.co.in (Postfix) with ESMTPA id 48892208696
	for <support@rugatu.com>; Sun, 20 Oct 2013 02:32:03 +0530 (IST)
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Description: Mail message body
Subject: Dear Bitcoin Member News 2013
To: support@rugatu.com
From: invests@Bitcoin.org
Date: Sun, 20 Oct 2013 00:51:01 +0400
Reply-To: invests@Bitcoin.org
Return-receipt-to: invests@Bitcoin.org
Message-Id: <20131019210205.00A8A20869A@mx1.uaeexchange.co.in>

[BCB]

That's India dude. I doubt it's legit

[Zeek_W]

uaeexchange.co.in 

[error]

Blatantly obvious fakes, even without looking at the headers.

The good news is nobody seems to have fallen for them yet, if the empty history of those Bitcoin addresses is any indication.

[pedrog]

Bitcoin Nigerian Letter.   

[blockgenesis]

I asked sirius if he could add a SPF record to his DNS server to help email providers to move these fraudulent emails directly into their SPAM folders..

[paraipan]

I asked sirius if he could add a SPF record to his DNS server to help email providers to move these fraudulent emails directly into their SPAM folders..

Thanks

[Rannasha]

Obviously it isn't legit, but the sender looking like bitcoin.org makes you question it (before the 400% return part..).

Spoofing a sender address is absolutely trivial. You should never trust an email because of its sender address.

[LiteCoinGuy]

but they are also asking for Litecoin, so legit 

[Mike Hearn]

SPF is obsolete and many email providers ignore it. Much better is DKIM+DMARC, which is what Sirius should set up (ideally), although really by now perhaps the domain name should be transferred to the foundation or Gavin. Sirius isn't really involved any more.

[blockgenesis]

SPF is obsolete and many email providers ignore it. Much better is DKIM+DMARC, which is what Sirius should set up (ideally), although really by now perhaps the domain name should be transferred to the foundation or Gavin. Sirius isn't really involved any more.

Sirius answered some of my requests in the past (he didn't answer this one yet). But I agree that it is important to be able to count on the person controling bitcoin.org . I asked sirius if he had some "backup plan" in case anything happened to him but got no answer. So of course, I would be more reassured too if the domain was in the core dev team hands since sirius availability seems to be very limited now.

[rpg]

uaeexchange.co.in  

Received: from unknown (HELO p3plibsmtp01-10.prod.phx3.secureserver.net) ([10.6.12.197])

are you sure? i think its coming right from the godaddy network. I bet Godaddy email servers are not relaying, as such they would not be accepting emails from india to send to google.

So some computer at godaddy has been hacked or has a internet facing web server that allows HTTP proxies where an email can be sent using socks. A bot on another computer can also scan the internal network for web servers of course.

10.6.12.197 is a private address part of 10.6 that are used in many internal networks

All the other headers down are trash, they are inserted on purpose

Should godaddy be made aware they are sending spam?


EDIT: of course rugatu.com can be owned by our friend and he has an email forward to google. Forgot abut that possibility

[Dabs]

The english isn't perfect. So that's a telling sign already. And they didn't use a vanity address. (not that they have to, just makes it look better.)

Who is brave enough to check out the binary file? hehehe.

[rpg]

The english isn't perfect. So that's a telling sign already. And they didn't use a vanity address. (not that they have to, just makes it look better.)

Who is brave enough to check out the binary file? hehehe.

send it over, that's what the virtual machines are for 

[tripppn]

The payout is IMMEDIATE, GUARANTEED and there is NO RISK from losing your bitcoin.
This is a TIME LIMITED ONE-TIME OFFER and you must ACT NOW!

This is my favorite part!

[Dabs]

The english isn't perfect. So that's a telling sign already. And they didn't use a vanity address. (not that they have to, just makes it look better.)

Who is brave enough to check out the binary file? hehehe.

send it over, that's what the virtual machines are for 

They said you can download it here
http://www.sendspace.com/file/9ne22o

[bennybong]

I am running a similar scam, except my odds are much better.

Just send any btc to my sig and I will try and send you back as much as I can! (honest)