A few days ago, I wrote an entry about fake check scams in which I commented on the scammer's use of an apparent third-party Russian domain as a 'prop' for their scam. I've just received a batch of scam emails that quote a reply address of 'afbls@gawab.com' — this scammer seems to like using Gawab, an Egyptian free email service — and contain URLs pointing to two German domains, allianz.de and billit.de.

These are almost certainly legitimate domains that have nothing to do with the spammer (or each other — they have entirely different contact information and are hosted by different providers) but have been selected because they look reputable while being probably unintelligible to the targets for this scam. Both sites are in German, but the 'billit.de' domain has a scattering of English. English phrases on the site include the title 'billing and loyalty systems', which fits well with the nature of the scammer's supposed 'business'.

My report of this to Gawab was acknowledged with an email that said it had been "... submitted to our -- UNASSIGNED -- department ...". I don't know whether that's a good sign, but I hope Gawab will pull the scammer's account swiftly before he has a chance to snare anyone.