This blog post will serve as an incident report for the Armstrong State University police department’s Cyber Forensics unit, which is now part of Georgia Southern University.

The following companies will be given a link to this post:

  • PayPal, Inc.
  • Google
  • eBay

On February 17, 2018 I listed my MacBook Pro for sale on eBay. The listing can be found at the following address. I received an email from The IP Address of the email is which maps to

The email in its entirety can be read here: peggy_hamrick_email.

The seller told me to send a request for a PayPal payment and I soon received a spoofed email. The email has a spoofed reply to However the email address identified the sender as This is a real email address (see bottom image), however it was sent from a mail server that isn’t listed as a MX record for

I haven’t gotten to any major classes but I have done by best to summarize what I found. The fake payment email was sent from 2a02:598:a:0:0:0:78:34 which points to mxe1.sezman.ce. This server is not listed as a MX record for – the servers listed for can be seen in the emails below (mx1.sezman.ce, mx2.sezman.ce).

This email can be downloaded here:

If you need any further information, you have my contact information.


"" headers
The email headers from the SCAM email show they spoofed the reply to They used the SPF record and the other qualifiers to ensure that their email reached the potential victim’s inbox.
Verifying that is a valid email. is a valid email – name servers are noted in this post
Name Servers IP Addresses
The IP Addresses of the name servers listed as MX records are in this photo. Also note the SPF record
Mail Server of Spoofed Email
This is the email server of the spoofed email. While not listed as a MX record for, it shares the domain of the two mail servers listed as MX records.

Published by burnedfaceless

Brian Abbott is a student at Georgia Southern University's Armstrong campus in Savannah, GA.

Leave a comment

Your email address will not be published. Required fields are marked *