The email was sent on 2018-02-13 23:03:42 and appeared to be from firstname.lastname@example.org but this address could have been spoofed.
If you replied to this email, your reply would have been sent to email@example.com which was the scammer's actual email address.
Although the email apparently came from Mountain View, this is where Gmail, Yahoo and Outlook are. The mail provider probably hid the actual sender's IP address and put its own in instead.
The table below explains what each bit of the header means and shows the journey the email took.
|X-Apparently-To:||Used when there is no 'To' field in the header; does the same thing (says what email address(es) the email is sent to)||[email address removed] Tue, 13 Feb 2018 20:03:42 +0000|
|Return-Path:||The address the email was sent from, or at least the one this email should be 'bounced' back to if it can not be delivered. Often spammers and scammers modify the email header to set a different return-path||[email address removed]|
|X-YahooFilteredBulk:||The IP here was blacklisted by Yahoo for sending spam||184.108.40.206|
|Received-SPF:||Returns 'pass' if the email was sent legitimately, 'neutral' if the server thinks nothing is right or wrong, 'soft fail' if it's not a serious issue, 'fail' if the email was sent by an unauthorised user or IP address (often if the mail server is hacked into), 'none' if the server can't tell, 'permerror' if the mail client does not understand what the server is saying, 'temperror' if the client can't connect to the server.||pass (domain of gmail.com designates 220.127.116.11 as permitted sender)|
|X-YMailISG:||A unique ID added by the Yahoo Inbound Spam Guard||[value removed]|
|X-Originating-IP:||The IP address the email was originally sent from, sometimes wrong - the bottom 'Received' field in the email header is the most reliable indicator of what IP the email came from||[18.104.22.168]|
|Authentication-Results:||Returns the result given in the Received-SPF field, and says spf=pass if the email passed authentication. Also uses the DKIM signature, and equally returns dkim=pass if the DKIM signature was okay.||mta4067.mail.bf1.yahoo.com from=gmail.com; domainkeys=neutral (no sig); from=gmail.com; dkim=pass (ok)|
|Received:||Part of the journey the email took to reach us/you, these tend to be in the order bottom-to-top so the first 'Received' is the last step the email took and the last 'Received' is the first step the email took||from 127.0.0.1 (EHLO mail-ot0-f180.google.com) (22.214.171.124) by mta4067.mail.bf1.yahoo.com with SMTPS; Tue, 13 Feb 2018 20:03:41 +0000|
|Received:||Part of the journey the email took to reach us/you, these tend to be in the order bottom-to-top so the first 'Received' is the last step the email took and the last 'Received' is the first step the email took||by mail-ot0-f180.google.com with SMTP id e64so18358160ote.4 for [email address removed] Tue, 13 Feb 2018 12:03:41 -0800 (PST)|
|DKIM-Signature:||Used to verify message integrity and ensure the header is not spoofed||v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:reply-to:from:date:message-id:subject:to; bh=8/xFqGMELm8Xz9stinOH6jIGL6L6hpifVSqyFGWTWOk=; b=GEa7fgQFe4BfdBCAvXUY8NVG23Guy7ngmsJOwOINZlqTSjMEKIoT4cuOL96R+1OGvx T/AC26SLI0Ce+E4s80b6fyF/dsnONg+Avbcs6b1YmxNgpF9VI7++drUs0tuwfOy+nmZ2 OVJWc75G+p5ajDHO2MRlieuMd42RDmgp88VyAICa1SwRtAi1hgX9R2mYyvGaT5wLeCZT bSXuLi+OFpNtuNzkBX14aFf3Vk6GvbXXyKLR+RL5gK1KRTyVDryGfTP3m63OPg0LOele uGgv6zdvOcFYCw1PyFBQyj4w44qPPMI+80rUNPkcsE1KbnAaJRUI3wbywfu7j08cacY1 OpmQ==|
|X-Google-DKIM-Signature:||Google Mail adds this to all their headers, it is used to verify message integrity and ensure the header is not spoofed||v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:reply-to:from:date:message-id :subject:to; bh=8/xFqGMELm8Xz9stinOH6jIGL6L6hpifVSqyFGWTWOk=; b=E5m+ocWya6+igIKeOk3Do32LpZgzvFqVf9jX2CnBVlx8WdV/iZ8kSLZmtUQyx8X6cY juFXkobSyz6XPVtqku5me5zSA5LDWlmL/yh8zZc/wFtshUM0LPTE1YoV+GlM85mC2alH CTR0a3YL78xZeHe8g0xCz472buTOxVVRAkytwza14rQB+v7Sz+bHY0EBaR+HTt5r3cRi IQ7VPr164BGzg8fZCA1TGvNBvSeCY2uLBgQ7SfGFI73jJFoGrBg3snRlcE0zpnCvl3j+ itSie6qBVKOmXUMYWFckk1jE8V0VUIOlLi4rTYmSjVnAzGNkhG4YDP03L5Lq0cPLTqtp F+wg== X-Gm-Message-State: APf1xPBhsZ4Yu+LFeL5EVSsfmoJKP9+rlubouhRd/rZ9pIs0pnQwf4Cf Pd13bdEnhy01mCfvqAsqxCsVr2L+7RwhgctTjj0= X-Google-Smtp-Source: AH8x226bmENUrHKCL94JNo2CvF5bkRwJXX4Ckx8DhM1QISYcjQVBEizO3YpKmCRj6ArwF6HpR3gfimgzSJYshA5tFJE=|
|X-Received:||Just like 'Received'. Part of the journey the email took to reach us/you, these tend to be in the order bottom-to-top so the first 'Received' is the last step the email took and the last 'Received' is the first step the email took||by 10.157.87.106 with SMTP id x39mr1623661oti.245.1518552221539; Tue, 13 Feb 2018 12:03:41 -0800 (PST)|
|MIME-Version:||Included, usually 1.0, if the email or header contains any non-ASCII characters or non-text attachments, or if the email is multi-part (contains a plain text version plus an HTML one, lets the user's email client or webmail decide which version to display)||1.0|
|Received:||Part of the journey the email took to reach us/you, these tend to be in the order bottom-to-top so the first 'Received' is the last step the email took and the last 'Received' is the first step the email took||by 10.157.47.37 with HTTP; Tue, 13 Feb 2018 12:03:41 -0800 (PST)|
|Reply-To:||This is the email address any reply would be sent to by default||[email address removed]|
|From:||This is the address the email was apparently sent from||CITI BANK CARD [email address removed]|
|Date:||The date/time the email was sent||Tue, 13 Feb 2018 12:03:41 -0800|
|Message-ID:||A unique ID assigned to the email for reference purposes||[email address removed]|
|Subject:||The subject of the email||Your Urgent Reply Needed|
|To:||The email address(es) the email was sent to||undisclosed-recipients:;|
|Content-Type:||What type of content the email is, usually text/html, and what character set is used||text/plain; charset="UTF-8"|
|Bcc:||Email addresses the email was secretly copied into, this field is usually blanked so even by viewing the email header you can't see who was secretly copied into the email||[email address removed]|
|Content-Length:||The size of the email, in bytes||1711|
500.000 USD
here in CITI Bank and he should help you get the ATM Card with the
Pin Code. We are writing to notify you if this is really true about
what (Mr.Salvador Campbell) is saying, please if we don't hear from
now till (48 Hours ) time , we would commence dealings with ( Mr.
Salvador Campbell ) get back to us so that we can know what is going
on and know how to handle it, and get your ATM Card to you at once
with the sum of $97 to secure the proof of Ownership Certificate &
CITI BANK CARD Clearance Certificate
Please get back to me if your alive and send me your scan copy of your
ID Card or passport for proper identification and also contact Ms.
Young Gloria foreign Operation Manager ATM Department through her
e-mail: for immediate process youngg… firstname.lastname@example.org
Mr. Williams Donald
Manager CITI Bank USA
Phone No: 1646) 481-0882
[...]
|pts||rule||description|
|-0.0||RCVD_IN_DNSWL_NONE||RBL: Sender listed at http://www.dnswl.org/, no trust [126.96.36.199 listed in list.dnswl.org]|
|0.0||TVD_RCVD_IP||Message was received from an IP address|
|0.0||TVD_RCVD_IP4||Message was received from an IPv4 address|
|0.0||FREEMAIL_FROM||Sender email is commonly abused enduser mail provider (scamcompensation.paymen[at]gmail.com)|
|0.0||DKIM_ADSP_CUSTOM_MED||No valid author signature, adsp_override is CUSTOM_MED|
|-0.0||SPF_PASS||SPF: sender matches SPF record|
|3.1||DEAR_BENEFICIARY||BODY: Dear Beneficiary:|
|2.0||MILLION_USD||BODY: Talks about millions of dollars|
|0.9||URG_BIZ||BODY: Contains urgent matter|
|0.1||DKIM_SIGNED||Message has a DKIM or DK signature, not necessarily valid|
|-0.0||RCVD_IN_MSPIKE_H3||RBL: Good reputation (+3) [188.8.131.52 listed in wl.mailspike.net]|
|0.0||LOTS_OF_MONEY||Huge... sums of money|
|0.0||T_DKIM_INVALID||DKIM-Signature header exists but is not valid|
|-0.0||RCVD_IN_MSPIKE_WL||Mailspike good senders|
|1.0||FREEMAIL_REPLYTO||Reply-To/From or Reply-To/body contain different freemails|
|1.2||NML_ADSP_CUSTOM_MED||ADSP custom_med hit, and not from a mailing list|
|3.1||MONEY_ATM_CARD||Lots of money on an ATM card|
|2.9||ADVANCE_FEE_4_NEW_MONEY||Advance Fee fraud and lots of money|
|2.3||MONEY_FRAUD_5||Lots of money and many fraud phrases|
Please be careful with the links in the above email - Scammed.by strongly suggests that you do not click on any links in the above message
The email above is most likely a scam but every now and then legitimate emails do come through, as do spam emails which are not attempting to defraud, so please use your judgement
Please do not contact the sender unless you know what you are doing (i.e. experienced scambaiters)