Scam email #212365 - FROM UN COMPENSATIONS PAYMENTS UNIT.
The email was sent on 2017-01-11 20:15:56 and appeared to be from firstname.lastname@example.org but this address could have been spoofed.
If you replied to this email, your reply would have been sent to email@example.com which was the scammer's actual email address.
It was probably sent from 18.104.22.168 in Unknown, United States
Explains what each bit of the header means, and shows the journey the email took. Click here to show or hide it
|X-Apparently-To:||Used when there is no 'to' field in the header, does the same thing (says what email address(es) the email is sent to||[email address removed] Wed, 11 Jan 2017 20:15:56 +0000|
|Return-Path:||The address the email was sent from, or at least the one this email should be 'bounced' back to if it can not be delivered. Often spammers and scammers modify the email header to set a different return-path||[email address removed]|
|X-YahooFilteredBulk:||The IP here was blacklisted by Yahoo for sending spam||22.214.171.124|
|Received-SPF:||Returns 'pass' if the email was sent legitimately, 'neutral' if the server thinks nothing is right or wrong, 'soft fail' if it's not a serious issue, 'fail' if the email was sent by an unauthorised user or IP address (often if the mail server is hacked into), 'none' if the server can't tell, 'permerror' if the mail client does not understand what the server is saying, 'temperror' if the client can't connect to the server. More info||pass (domain of gmail.com designates 126.96.36.199 as permitted sender)|
|X-YMailISG:||A unique ID added by the Yahoo Inbound Spam Guard||uXy7paUWLDsR3CaD47VOH2VBVWQ9suEsq0CzW4Cy152MlU1i ImiAvhV0UZ2r3JmEwQ7rjr4LnRNu2CB3EQiNc3G3JJPAIbzSbE7p2nJJjUV3 okp_ttDkRW7yZzgdfnIjTVoc7eTH.L9VVUVDqk6znzQYm7GqwQKqnZMNsRXu 1hsgHoh3vUH6z8Md8JImD77WXf24Ube6MAcCr7yFFQ1NCeGYrxkwJI4vN3Ue JPWLdYRrwJmtXIlHaRSGsEL73vGNVKf4U4rthCl.TmBBUFjBcrWNtvBoP5sc LL312BhBf4IGSvQ9FKot4XvHK_W_lIqlpPEErj3cB2ckt1IqStqCrktuNQat sKJAlncqxSubG91MKMi4l5rLqiv7y6TKuiVD7D1njLIzCySVF9UbsU187yjj jI3aVRpc7DaU_yZqvND5n287XRRAVJqtIkVuPUl9HWFpWa5BV4d.K9FlDw24 PVF5lcIMGaXkaYVOX.EEBy95b9q66QKkGJ3lUADpiZF7pQECo192idpt7H8. CF7abkGrjrL3nTPHHBAkroM0rAi5dSV2vSX0Xgi5fHxcBUDbAc8zC0iBh75. FpqtK0_SY8Z7_LFWCD_r6Eb6xKWwuNoK7Cg_w_M2LAggab8N.9bekyaLG5dr bpIdx7XY0HoSG2uWjtsKR5Pof_GTPAIeIuA1AaOfj9JTZvgzzv8gzVE7LpZH ITJRHnnUb8z8Ma0a4viU7TMo9mU8fCsZ5cqvc4BSYf0WV2FXzuCE3zdlQkfa qOKHsXRzzEhogZJEQowBYKA39pFcWCJvYsJHcJS5cjQaARNPrqAguW8Y9ZjD rpVeO37zL4kSllKzJpF760YDD1ut8bVaIAAZC6tluMoJA22WdiGDBsUIHX5E JTvUSYHVjI0uWoE8hF4YKdJb6vXsrSeJOf9wYxXIiJ4_fdpf2yr9iw5vq2AA QhUTii2.fjU_5c_7efHRWG9aFKjIT2af5WxRyKvAXaXxky6YmW0nPIMRbmIK KvAPABKEtBGqICfUMiaS_lghVkCGGY.dE9BUGhWmvCIZBtl_wmlRfWjum38q v9wWUuBzgiAoXYo.W0oOnHt1SULy6sjsunVOpl.DqXnvej0rorpVyyusx3Yy _dOeC7iGsxq3YIkiT06XuCi9fWCZFkftLpZOGIRT3sqr8fLcsEfKGCs7GUDd spaDPk3BvTXCh.sgwUQWSPjNg6DIwtQBEECUszW0J8VWyKmfOgdqCDg9N5Nu LP5iL_Qha4IAELes1n8kKChPDZPxhytY5APKCw5rEoaZkFTIaYwWmzrP_tdE Sfoo39saAfvNw_.S9QvJm_U8XSZfWMmouBtV2mSQ2IjcIdDamNHtkXrq3m1N fIYQoCLnSkFE6XpMAfQTRNesXlXICL1.fXZTtu5uTZ4Vf_Ah2lBgZbUMhl3X XeOmzozDAuHBRAav.0qEDICGgxPmZIYvgaWb0uPYSUxNeHLgnAUtThh9JB8L p1NR98A7jsnNGsJlN_mcjKyHX6GeAgDWrlzSRGnDHsHZIgJh8a8WMIFfPZlM n9xPwhr8WzjDRNSJ9EeykZgNsYVa.vKwFCn.IwZpMia1gUASrYB4cnFgm8RK DAUchyiEd75.feCYz0OsjF3yu.1nhyegwvZRQdEzMyWY_mmGl3I-|
|X-Originating-IP:||The IP address the email was originally sent from, sometimes wrong - the bottom 'Received' field in the email header is the most reliable indicator of what IP the email came from||[188.8.131.52]|
|Authentication-Results:||Returns the result given in the Received-SPF field, and says spf=pass if the email passed authentication. Also uses the DKIM signature, and equally returns dkim=pass if the DKIM signature was okay. More info||mta1669.mail.gq1.yahoo.com from=gmail.com; domainkeys=neutral (no sig); from=gmail.com; dkim=pass (ok)|
|Received:||Part of the journey the email took to reach us/you, these tend to be in the order bottom-to-top so the first 'Received' is the last step the email took and the last 'Received' is the first step the email took||from 127.0.0.1 (EHLO mail-oi0-f67.google.com) (184.108.40.206) by mta1669.mail.gq1.yahoo.com with SMTPS; Wed, 11 Jan 2017 20:15:56 +0000|
|Received:||Part of the journey the email took to reach us/you, these tend to be in the order bottom-to-top so the first 'Received' is the last step the email took and the last 'Received' is the first step the email took||by mail-oi0-f67.google.com with SMTP id 3so76365843oih.1 for [email address removed] Wed, 11 Jan 2017 12:15:55 -0800 (PST)|
|DKIM-Signature:||Used to verify message integrity and ensure the header is not spoofed||v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:reply-to:from:date:message-id:subject:to; bh=CAq7QCTQ9HVVAPdJMD5Kv+cvUw+vJVTeKL6NfOpCdpg=; b=RlK9YsDNU7YeK1YCOecJ8WbVKVj9aNg7VYef820rkK6/LR5udNc19i7jEJ8gYlzAv1 B4LstXIck1jamjpHWSGlrcs6vkzzqgQq7XYhJjArR/BduCbPy/nImlAoq0yoAv5sCCBw lPQR3PRNMtv4mk3bRtJ/gZkkknwr9HgOpSNA8go01i7zKIRE1IkcV/NoPeF+E6kRb78X mEUHTDTGSwwa28ThdgY4mbJBGTT3/FjGt1Q2oKlm+YM0RfdnZyIz/s0VWBOlTqFqoHMA I05d2CREjLnrQ+Ot+I5pR79CnQT1+pCOrFl6gLpBAXhKQhqyt+JXTCANkG6MiPPfhPSW FY9Q==|
|X-Google-DKIM-Signature:||Google Mail adds this to all their headers, it is used to verify message integrity and ensure the header is not spoofed||v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:reply-to:from:date:message-id :subject:to; bh=CAq7QCTQ9HVVAPdJMD5Kv+cvUw+vJVTeKL6NfOpCdpg=; b=Vz8+x1az9wAzn1fus5qqT9XrMzSnSmGcmtsDjfvgFWgizopz3JYj/r8/yk5ce63I+B MC08DExr9F87BTV2JztIE1wRskubxgaAR22yWfq0gs6F0XVTATSuqMmPPJNK84N+9Svt eG+PAGBSUkrDf7mjs5xMwMoHKGIxEqvef772i/svpGM+vBrKchMIzQmvQtubX1rFsm0a LLA5E2GqmK9EgrLGo4Tps2TcuMg306ucbFRky4yyAQAK3NR2nivy8y7D7UMRfBcBbPRS YwbfBnFUOnW98WuMd6k/RPMVMHLE1697OIQfwFz84GqxhD6FF3RHpqY7eDo/G1TJL/Pj iLIw== X-Gm-Message-State: AIkVDXLxE76xRXF2qNVJL2NgJHqiAY7Aco9RHQUvizz97SnCX9LuhJCzdFmgo6lNYWIDjjMQ6nlBYp0R3PWS/Q==|
|X-Received:||Just like 'Received'. Part of the journey the email took to reach us/you, these tend to be in the order bottom-to-top so the first 'Received' is the last step the email took and the last 'Received' is the first step the email took||by 10.157.9.238 with SMTP id 43mr5428465otz.124.1484165755272; Wed, 11 Jan 2017 12:15:55 -0800 (PST)|
|MIME-Version:||Included, usually 1.0, if the email or header contains any non-ASCII characters or non-text attachments, or if the email is multi-part (contains a plain text version plus an HTML one, lets the user's email client or webmail decide which version to display)||1.0|
|Received:||Part of the journey the email took to reach us/you, these tend to be in the order bottom-to-top so the first 'Received' is the last step the email took and the last 'Received' is the first step the email took||by 10.157.40.162 with HTTP; Wed, 11 Jan 2017 12:15:54 -0800 (PST)|
|Reply-To:||This is the email address any reply would be sent to by default||[email address removed]|
|From:||This is the address the email was apparently sent from||UN COMPENSATIONS PAYMENTS UNIT [email address removed]|
|Date:||The date/time the email was sent||Wed, 11 Jan 2017 12:15:54 -0800|
|Message-ID:||A unique ID assigned to the ID for reference purposes||[email address removed]|
|Subject:||The subject of the email||FROM UN COMPENSATIONS PAYMENTS UNIT.|
|To:||The email address(es) the email was sent to||undisclosed-recipients:;|
|Content-Type:||What type of content the email usually is, usually text/html, and what character set is used||text/plain; charset=UTF-8|
|Bcc:||Email addresses the email was secretly copied into, this field is usually blanked so even by viewing the email header you can't see who was secretly copied into the email||[email address removed]|
|Content-Length:||The size of the email, in bytes||1852|
Your content is below the advert
UN COMPENSATIONS PAYMENTS UNIT.
REF/PAYMENTS CODE: 03354.
AMOUNT ; $2.550 Million USD.
How are you, Hope all is well with you and your family, You may not
understand why this mail came to you.
United Nation have been having a meeting for the past 3 months which
ended 15,October 2016 with the World Bank President Mr.Jim Yong Kim and
the United States Secretary of State Mr. John Kerry.
This email is to all the people that have been scammed in any part of
the world, and the people that have lost their properties in the
earthquakes and tsunami United Nations and World Bank have agreed to
compensate them with the sum of $2.550 Million (Two Million Five
Hundred and Fifty Thousand United States Dollars) each, this includes
every foreign contractors that may have not received their contract
sum and people that have had an unfinished transaction or
international businesses that failed due to Government problems etc.
Your name and email was in the list submitted by our Monitoring Team
of Economic and Financial Crime Commission observers and this is why
we are contacting you, this have been agreed upon and have been
You are advised to contact MR.BANTHOON LAMSAM of KASIKORN BANK
Plc,BANGKOK THAILAND, as he is our representative, contact him
immediately for your check/International Bank Draft of USD$ 2.550
Million (Two Million Five Hundred and Fifty Thousand United States
Dollars) This funds are in a Bank Draft for security purpose so he
will send it to you and you can clear it in any bank of your choice.
Therefore, you should send him your full Name and telephone number
with your correct mailing address, where you want him to send the
Draft to you.
Contact MR.BANTHOON LAMSAM immediately for your Check:
Telephone: + (66)9012-82-3453
Good-luck and kind regards,
Mr. Ban Ki-Moon
pts rule name description
---- ---------------------- --------------------------------------------------
0.0 MILLION_USD BODY: Talks about millions of dollars
0.0 TVD_RCVD_IP4 Message was received from an IPv4 address
0.0 TVD_RCVD_IP Message was received from an IP address
0.6 HK_RANDOM_ENVFROM Envelope sender username looks random
0.5 FROM_LOCAL_NOVOWEL From: localpart has series of non-vowel letters
0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no
[220.127.116.11 listed in list.dnswl.org]
0.5 RCVD_IN_SORBS_SPAM RBL: SORBS: sender is a spam source
[18.104.22.168 listed in dnsbl.sorbs.net]
0.0 DKIM_ADSP_CUSTOM_MED No valid author signature, adsp_override is
1.6 SUBJ_ALL_CAPS Subject is all capitals
-0.0 SPF_PASS SPF: sender matches SPF record
0.2 FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in digit
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
for more information.
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
0.0 LOTS_OF_MONEY Huge... sums of money
0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
1.0 FREEMAIL_REPLYTO Reply-To/From or Reply-To/body contain different
1.2 NML_ADSP_CUSTOM_MED ADSP custom_med hit, and not from a mailing list
0.0 MONEY_FRAUD_5 Lots of money and many fraud phrases
Please be careful with the links in the above email - Scammed.by strongly suggests that you do not click on any links in the above message
The email above is most likely a scam but every now and then legitimate emails do come through, as do spam emails which are not attempting to defraud, so please use your judgement
You can contact ScamSearch at help at scammed.by for any information, help, or if you have spotted a legitimate email. Please link to the email you think is legitimate.
ScamSearch does not accept any responsibility for visitors enduring any issues as a result of following links in the above email and/or contacting the sender
Please do not contact the sender unless you know what you are doing (i.e. experienced scambaiters)