The email was sent on 2018-01-12 03:33:02 and appeared to be from email@example.com but this address could have been spoofed.
If you replied to this email, your reply would have been sent to firstname.lastname@example.org which was the scammer's actual email address.
Although the email apparently came from Sunnyvale, this is where Gmail, Yahoo and Outlook are. They probably hid the actual sender's IP address and put their own in instead.
Explains what each bit of the header means, and shows the journey the email took. Click here to show or hide it
|X-Apparently-To:||Used when there is no 'to' field in the header, does the same thing (says what email address(es) the email is sent to||[email address removed] Fri, 12 Jan 2018 00:33:02 +0000|
|Return-Path:||The address the email was sent from, or at least the one this email should be 'bounced' back to if it can not be delivered. Often spammers and scammers modify the email header to set a different return-path||[email address removed]|
|X-YahooFilteredBulk:||The IP here was blacklisted by Yahoo for sending spam||188.8.131.52|
|Received-SPF:||Returns 'pass' if the email was sent legitimately, 'neutral' if the server thinks nothing is right or wrong, 'soft fail' if it's not a serious issue, 'fail' if the email was sent by an unauthorised user or IP address (often if the mail server is hacked into), 'none' if the server can't tell, 'permerror' if the mail client does not understand what the server is saying, 'temperror' if the client can't connect to the server. More info||pass (domain of yahoo.com designates 184.108.40.206 as permitted sender)|
|X-YMailISG:||A unique ID added by the Yahoo Inbound Spam Guard||3CBlhrUWLDv0iFc77ODzDwD7VbJCEQxbYg.kL2d81.xulEv1 Hp1lYnFTusYdUYFELL5lshyOOrA5nXnblBSFaZwmDb5bjirQnqjRemvWS.SW VhwuqkvK_23uVj0ApDhIcExlrMjZc7255mo8_pUtslSgDuoaiKMhT.hM0HEH 1ZrhC4HsF.ckJAFlinMRJRT9WjtgRfx3Re_1C_KS60rothWPb_NtBHTWNhkH fRk30cnhrs8_0J3TaaLH.yUNOmk.61Vie6vRc9zcs.yfXvDayrb6QIHRx0HK mHY4viu0LSAU_eptX0pWkJmbRqttYA0Z4ex.DMege2rXZdmDqs9kgZ.Gmzqp RNjSO6bZ_pxgVevRSXNvicKt8SNeW8m7400WWJkquJfThU9IOpZmLbrw4XOD wfDX6Hjwbk14g8dk2BrVfhWZ_3AQkVySBIv8fPC5Q82Rs0GW3YMIgMwdiMaT gQ.8nDiRW8ASf7R4z9hDXYL_XXVCOvO2.iefVPZHphMDDgaSyfIbIvwGO_Io V4gTYDrSagMCgKKLE1HFC4.zSd5VLgl4xhq7.SA1w7iS4J8Go6dNF35h6M1x mIunsUn0mKEyTXUaGFqL8bUcfX7buj1znEJCz12E1jpqcKa4C3XRzHW2.MS9 XbqElx3Ipg_Kjd2swKa2PBdyzo9A5gWJvHqBv8Y62VNmexnbuFQmJCK4jfrR WDY_v3oxAUhjh4rykdLb79q2jPRhqksFK7BsSAFmzRvm7iung_JDd5AjHYC0 krqiWu2K8UsR_300v8F5j0qwfKHEz5LBLY8Muw7k3xtHeOLydagqF_PyK02j 1CFEYOHceKZWccFpH.ycr4BwjIilqfRS.QiSbnD1ym5AY1HVYHHRYUUzwS8p 86mRly7lAvS7ef1.MUKZQEUtlUCMboAc4UNKxaVs0hy4VzdV37wa0C4hz.A6 KkfUoZ.ant7fgtHh5qbfUyBsFVR.QOQU86fkBlPER9f_T6WFfaftS_u8iMw9 Woi.X0UtJdBQWCNmOv9pak93laD9yeEIeBfl9hkHaTBbkdbdI4hSn73sqTez gdxAZCP9K68nKrL5cncVNgKvySqnUSKk8HrcC6W.0AUATPhgLl6DAm75LvVY 54VTBkvfYiewhlE8fymNUz18yLB_kLhO24mHO9l2qZ9lZc.pWX.RXRxmO9Pl 6db6Nj.dVwobeVmYqUd6GtNO.LOJJxAv9sPDHJ_PXkSQxzkVp09gG2ExpJJ9 fpX2..Lbnf7q_RQnIXDL7AnOWtYqAuFpNJvOGAun.dQPz2vy_FQ13z7rbvx1 MN0EXUMxlthWvEAoNBtyehzXmHUZQNin_iSiQHwtNeaelQdP_jITVyPeGZZA XDt46DUqFg1C|
|X-Originating-IP:||The IP address the email was originally sent from, sometimes wrong - the bottom 'Received' field in the email header is the most reliable indicator of what IP the email came from||[220.127.116.11]|
|Authentication-Results:||Returns the result given in the Received-SPF field, and says spf=pass if the email passed authentication. Also uses the DKIM signature, and equally returns dkim=pass if the DKIM signature was okay. More info||mta4121.mail.gq1.yahoo.com from=yahoo.com; domainkeys=neutral (no sig); from=yahoo.com; dkim=pass (ok)|
|Received:||Part of the journey the email took to reach us/you, these tend to be in the order bottom-to-top so the first 'Received' is the last step the email took and the last 'Received' is the first step the email took||from 127.0.0.1 (EHLO sonic307-12.consmr.mail.ne1.yahoo.com) (18.104.22.168) by mta4121.mail.gq1.yahoo.com with SMTPS; Fri, 12 Jan 2018 00:33:01 +0000|
|DKIM-Signature:||Used to verify message integrity and ensure the header is not spoofed||v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1515717180; bh=o619dp5BlzFww5UaTe74uAPBaRZbGMrNGFRc9rJ4Bfk=; h=Date:From:Reply-To:Subject:References:From:Subject; b=hCJR8OKxW1Lkobr6dyBdo240kzqjkekGvNjYtnv4nvnqzfTKLs/TzUfrHu/TqTnCiTy3xeJdoJOQUr2PMF/of3ia0nio3BSvUW9gHBh5QaZXWnOho5MwmDzgRrfhs+/MgxZCtKHilnQHoUyAchhMbmTZwsVkGb95HFXLxlIIFoYsipcGwft+artB7XkWFhyCQ89kLk6WVY88P/OViU/NStADEcnq6R2dbtcsIYpy2yh+ed2CoM6pbuE2VGxTqpsjU9QsVvc17y97EqruXtOM35mxpHTJeRk8PjYoHNE1G2PPuTAfPCANfWioubrPDm+hmOEIobvjc+m4CQZo1uUURQ==|
|X-YMail-OSG:||A unique ID added by the Yahoo Outbound Spam Guard||GQHeAD0VM1khR_ZzN.jnsPHIcv9MttnupBGsWdeJSLJH1OtpLRGnms6xqZgLt26 VrCPpuUuwsdEC_jb7.d5oqsOi.6YfDbyC8BPA.JkBaTI1TCps0inZ0073dibWnUE2G.ELc1jJ79k dPKEnnrxcCNh5GGgujOgpOgBNOu9xYLKIxU8B.nYe9Y3Hqsg0wKGGwr4t7xCfUwXtvikhnMzy6Lf UkhQeJUNpqK3nIiUnN7a4LZMunXOeo5PU9gaTyw0EG4jLvQYoyhXpCBiMhlDUL5Zi5nJteH8n85g iBlE3Tv38f7aaQg0V8_xmyGD1fd_m4otyy1v9O9OAk0SGk7YZtIUgAc.h5dFrhCNhyuOym_LOIBR u7MGCcunANUMQ4P3TUyHe8DK.0q4gcSTtrXaqsJ58qbi8VeuSleZOb93i4MhLJpTb3KLk7cc5VUB 2v5h2lA7XasR.ixBkP6ySSqvw3LvDvoiKWVj2eSsVFhmKBoRW8_cEDn4V8eigArJ5PopNYEq.ISq 6bYakaENUzOOELsiLwOCCdPElvHvdmyMVI9ghJlyE2x56lr8cKsVt|
|Received:||Part of the journey the email took to reach us/you, these tend to be in the order bottom-to-top so the first 'Received' is the last step the email took and the last 'Received' is the first step the email took||from sonic.gate.mail.ne1.yahoo.com by sonic307.consmr.mail.ne1.yahoo.com with HTTP; Fri, 12 Jan 2018 00:33:00 +0000|
|Date:||The date/time the email was sent||Fri, 12 Jan 2018 00:32:55 +0000 (UTC)|
|From:||This is the address the email was apparently sent from||"MR. VICTOR OBAD" [email address removed]|
|Reply-To:||This is the email address any reply would be sent to by default||"MR. VICTOR OBAD" [email address removed]|
|Message-ID:||A unique ID assigned to the ID for reference purposes||[email address removed]|
|Subject:||The subject of the email||OFFICE OF THE MONEY GRAM MONEY TRANSFER.|
|MIME-Version:||Included, usually 1.0, if the email or header contains any non-ASCII characters or non-text attachments, or if the email is multi-part (contains a plain text version plus an HTML one, lets the user's email client or webmail decide which version to display)||1.0|
|Content-Type:||What type of content the email usually is, usually text/html, and what character set is used||text/plain; charset=UTF-8|
|Content-Transfer-Encoding:||How the email has been encoded to comply with regulations (e.g. maximum characters per line)||quoted-printable|
|References:||Facilitates the threading of emails; helps the email client piece together which emails belong together in a conversation||[email address removed]|
|X-Mailer:||The software used to send the email. Spambots, including those used by scammers, often falsify this as a version of Outlook or Outlook Express to get through some spam filters||WebService/1.1.11185 YahooMailBasic Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0 CometBird/11.0|
|Content-Length:||The size of the email, in bytes||2873|
pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 TVD_RCVD_IP4 Message was received from an IPv4 address 0.0 TVD_RCVD_IP Message was received from an IP address 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (ww.ofice123[at]yahoo.com) -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust [22.214.171.124 listed in list.dnswl.org] 0.0 DKIM_ADSP_CUSTOM_MED No valid author signature, adsp_override is CUSTOM_MED 1.6 SUBJ_ALL_CAPS Subject is all capitals -0.0 SPF_PASS SPF: sender matches SPF record 0.2 FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in digit ("mr. victor obad"
) 0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in digit (ww.ofice123[at]yahoo.com) 1.0 FORGED_YAHOO_RCVD 'From' yahoo.com does not match 'Received' headers 1.2 MISSING_HEADERS Missing To: header 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: moneygram.com] 0.0 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid 0.5 REPTO_QUOTE_YAHOO Yahoo! doesn't do quoting like this 0.0 LOTS_OF_MONEY Huge... sums of money 1.2 UPPERCASE_75_100 message body is 75-100% uppercase 1.9 REPLYTO_WITHOUT_TO_CC REPLYTO_WITHOUT_TO_CC 0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid 1.0 FREEMAIL_REPLYTO Reply-To/From or Reply-To/body contain different freemails 1.2 NML_ADSP_CUSTOM_MED ADSP custom_med hit, and not from a mailing list 3.3 MONEY_FRAUD_5 Lots of money and many fraud phrases
Please be careful with the links in the above email - Scammed.by strongly suggests that you do not click on any links in the above message
The email above is most likely a scam but every now and then legitimate emails do come through, as do spam emails which are not attempting to defraud, so please use your judgement
You can contact ScamSearch at help at scammed.by for any information, help, or if you have spotted a legitimate email. Please link to the email you think is legitimate.
ScamSearch does not accept any responsibility for visitors enduring any issues as a result of following links in the above email and/or contacting the sender
Please do not contact the sender unless you know what you are doing (i.e. experienced scambaiters)