The email was sent on 2018-02-13 03:25:08 and appeared to be from firstname.lastname@example.org but this address could have been spoofed.
If you replied to this email, your reply would have been sent to email@example.com which was the scammer's actual email address.
The email apparently came from Mountain View, but this is where Gmail, Yahoo and Outlook are. They probably hid the actual sender's IP address and put their own in instead.
Explains what each bit of the header means, and shows the journey the email took.
|X-Apparently-To:||Used when there is no 'To' field in the header; does the same thing (says what email address(es) the email was sent to)||[email address removed] Tue, 13 Feb 2018 00:25:08 +0000|
|Return-Path:||The address the email was sent from, or at least the one this email should be 'bounced' back to if it cannot be delivered. Spammers and scammers often modify the email header to set a different return-path||[email address removed]|
|X-YahooFilteredBulk:||The IP here was blacklisted by Yahoo for sending spam||220.127.116.11|
|Received-SPF:||Returns 'pass' if the email was sent legitimately, 'neutral' if the server thinks nothing is right or wrong, 'soft fail' if it's not a serious issue, 'fail' if the email was sent by an unauthorised user or IP address (often if the mail server is hacked into), 'none' if the server can't tell, 'permerror' if the mail client does not understand what the server is saying, 'temperror' if the client can't connect to the server.||pass (domain of gmail.com designates 18.104.22.168 as permitted sender)|
|X-YMailISG:||A unique ID added by the Yahoo Inbound Spam Guard||[ID removed]|
|X-Originating-IP:||The IP address the email was originally sent from, sometimes wrong - the bottom 'Received' field in the email header is the most reliable indicator of what IP the email came from||[22.214.171.124]|
|Authentication-Results:||Returns the result given in the Received-SPF field, and says spf=pass if the email passed authentication. Also uses the DKIM signature, and equally returns dkim=pass if the DKIM signature was okay.||mta4299.mail.gq1.yahoo.com from=gmail.com; domainkeys=neutral (no sig); from=gmail.com; dkim=pass (ok)|
|Received:||Part of the journey the email took to reach us/you. These tend to be in bottom-to-top order, so the first 'Received' is the last step the email took and the last 'Received' is the first step the email took||from 127.0.0.1 (EHLO mail-ot0-f196.google.com) (126.96.36.199) by mta4299.mail.gq1.yahoo.com with SMTPS; Tue, 13 Feb 2018 00:25:08 +0000|
|Received:||Part of the journey the email took to reach us/you. These tend to be in bottom-to-top order, so the first 'Received' is the last step the email took and the last 'Received' is the first step the email took||by mail-ot0-f196.google.com with SMTP id e64so15705460ote.4 for [email address removed] Mon, 12 Feb 2018 16:25:07 -0800 (PST)|
|DKIM-Signature:||Used to verify message integrity and ensure the header is not spoofed||v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:reply-to:from:date:message-id:subject:to; bh=fYx9Zid6wB98ge/1460ORWxUv5xYhDCJwaigAjvvEQg=; b=I0HoLtSu9zivUuEnX5eIVnJwxkfVjuOJ6gg8XCgtCfZcj2rDpaMhFeyGxg24XqXuxJ 1kJmlwyX9xkZeGma/Qqmpet+HM7v29YQOZLhRkNLNremM272/oy127FpMbuOrMk5aEPs t2xM0aAQqnUIyZVHpFGnSb5Jwf6ZKBKX/gmdGmq7fVnaTdlY+j8x8KhEqDseg0HwKcuY oMviGL0pSoOfZyRcggAWdQskOPbsnWENS0e5i97QzlaGTAnV1tkyB5uIiWLRyo3b+YCT Hi3fi689NOMJ853PcHacjeMqXBvoD7A7ZwleWLZY5/6YkdQnrC+Ck8evfzzZYPz/K8/x MYdQ==|
|X-Google-DKIM-Signature:||Google Mail adds this to all their headers, it is used to verify message integrity and ensure the header is not spoofed||v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:reply-to:from:date:message-id :subject:to; bh=fYx9Zid6wB98ge/1460ORWxUv5xYhDCJwaigAjvvEQg=; b=ZUxsoRadEMgA9iRVcJcNW1JiD0+wnY4EpTvMvbg71pkuf0bq8TS8lqgX5OAUgrEPN2 Hw204ZL3ZivaCT4KB7Z8ZLbk720qPKgD3RnldwHKHFOvaZMFxQg1rRL2LPj8T4wpooKu ei6EkYaf0JrfLAGYbHWC+pczv9yd1aSMWEu/0PAnJlLqOCKznC9qwrwnYUt6AzkPCm8T OxEqNFj34/a4fbfrBHHQsQ+Xe3aBPMPD6JIIeccanHnRVea9neEzviF6UMVzHgHJsE2e /yHpfI/xFIfuRduhgCwRHBf8i2sdWspVQ2MyGOv5bq5WTLexl+/R9GVSY74V38t3Iv2Y atAw== X-Gm-Message-State: APf1xPA8dcWHKCIP3xiHU74+l972VJgihyR3YDsITv0Gbz1xfDF6azjT be/7LbtnpQCTYKXNSnk96ihjJy7norLISf+2ZL0= X-Google-Smtp-Source: AH8x227fIqQwks4UtWxt6PjfNylykbH/EQTZuPBloKp8OUwHwT0bVZif2nEwzorvamn/LVHA1+CRL0ba1GO8aUFKlv0=|
|X-Received:||Just like 'Received'. Part of the journey the email took to reach us/you. These tend to be in bottom-to-top order, so the first 'Received' is the last step the email took and the last 'Received' is the first step the email took||by 10.157.19.41 with SMTP id f38mr10108528ote.344.1518481507110; Mon, 12 Feb 2018 16:25:07 -0800 (PST)|
|MIME-Version:||Included, usually 1.0, if the email or header contains any non-ASCII characters or non-text attachments, or if the email is multi-part (contains a plain text version plus an HTML one, lets the user's email client or webmail decide which version to display)||1.0|
|Received:||Part of the journey the email took to reach us/you. These tend to be in bottom-to-top order, so the first 'Received' is the last step the email took and the last 'Received' is the first step the email took||by 10.157.33.180 with HTTP; Mon, 12 Feb 2018 16:25:06 -0800 (PST)|
|Reply-To:||This is the email address any reply would be sent to by default||[email address removed]|
|From:||This is the address the email was apparently sent from||Barrister Evans Thomas [email address removed]|
|Date:||The date/time the email was sent||Tue, 13 Feb 2018 01:25:06 +0100|
|Message-ID:||A unique ID assigned to the email for reference purposes||[email address removed]|
|Subject:||The subject of the email||Your Inheritance Funds|
|To:||The email address(es) the email was sent to||undisclosed-recipients:;|
|Content-Type:||What type of content the email is, usually text/html, and what character set is used||text/plain; charset="UTF-8"|
|Bcc:||Email addresses the email was secretly copied to. This field is usually blanked, so even by viewing the email header you can't see who was secretly copied into the email||[email address removed]|
|Content-Length:||The size of the email, in bytes||2571|
pts   rule                         description
----  ---------------------------  --------------------------------------------------
 0.0  TVD_RCVD_IP4                 Message was received from an IPv4 address
 0.0  TVD_RCVD_IP                  Message was received from an IP address
-0.0  SPF_PASS                     SPF: sender matches SPF record
 0.0  DKIM_ADSP_CUSTOM_MED         No valid author signature, adsp_override is CUSTOM_MED
 0.2  FREEMAIL_ENVFROM_END_DIGIT   Envelope-from freemail username ends in digit (giverappricite1[at]gmail.com)
 0.0  FREEMAIL_FROM                Sender email is commonly abused enduser mail provider (giverappricite1[at]gmail.com)
 0.2  FREEMAIL_REPLYTO_END_DIGIT   Reply-To freemail username ends in digit (barr.evansthomas111[at]gmail.com)
 2.2  HK_SCAM_N2                   BODY: No description available.
-0.0  RCVD_IN_MSPIKE_H3            RBL: Good reputation (+3) [188.8.131.52 listed in wl.mailspike.net]
-0.0  RCVD_IN_DNSWL_NONE           RBL: Sender listed at http://www.dnswl.org/, no trust [184.108.40.206 listed in list.dnswl.org]
 0.1  DKIM_SIGNED                  Message has a DKIM or DK signature, not necessarily valid
 0.0  LOTS_OF_MONEY                Huge... sums of money
 1.0  YOU_INHERIT                  Discussing your inheritance
 0.0  T_DKIM_INVALID               DKIM-Signature header exists but is not valid
-0.0  RCVD_IN_MSPIKE_WL            Mailspike good senders
 1.0  FREEMAIL_REPLYTO             Reply-To/From or Reply-To/body contain different freemails
 1.2  NML_ADSP_CUSTOM_MED          ADSP custom_med hit, and not from a mailing list
 0.0  T_MONEY_PERCENT              X% of a lot of money for you
 0.0  T_FILL_THIS_FORM_SHORT       Fill in a short form with personal information
 0.0  MONEY_FRAUD_8                Lots of money and very many fraud phrases
 0.0  MONEY_FORM_SHORT             Lots of money if you fill out a short form
 0.1  ADVANCE_FEE_5_NEW_MONEY      Advance Fee fraud and lots of money
 0.0  FORM_FRAUD_5                 Fill a form and many fraud phrases
Please be careful with the links in the above email - Scammed.by strongly suggests that you do not click on any links in the above message
The email above is most likely a scam but every now and then legitimate emails do come through, as do spam emails which are not attempting to defraud, so please use your judgement
You can contact ScamSearch at help at scammed.by for any information, help, or if you have spotted a legitimate email. Please link to the email you think is legitimate.
ScamSearch does not accept any responsibility for visitors enduring any issues as a result of following links in the above email and/or contacting the sender
Please do not contact the sender unless you know what you are doing (i.e. experienced scambaiters)