The email was sent on 2018-09-27 16:34:11 and appeared to be from firstname.lastname@example.org but this address could have been spoofed.
If you replied to this email, your reply would have been sent to email@example.com which was the scammer's actual email address.
It was probably sent from 18.104.22.168 in Lagos, Nigeria
Explains what each bit of the header means, and shows the journey the email took. Click here to show or hide it
|X-Apparently-To:||Used when there is no 'to' field in the header, does the same thing (says what email address(es) the email is sent to||[email address removed] Thu, 27 Sep 2018 13:34:11 +0000|
|Return-Path:||The address the email was sent from, or at least the one this email should be 'bounced' back to if it can not be delivered. Often spammers and scammers modify the email header to set a different return-path||[email address removed]|
|X-YahooFilteredBulk:||The IP here was blacklisted by Yahoo for sending spam||22.214.171.124|
|Received-SPF:||Returns 'pass' if the email was sent legitimately, 'neutral' if the server thinks nothing is right or wrong, 'soft fail' if it's not a serious issue, 'fail' if the email was sent by an unauthorised user or IP address (often if the mail server is hacked into), 'none' if the server can't tell, 'permerror' if the mail client does not understand what the server is saying, 'temperror' if the client can't connect to the server. More info||pass (domain of tin.it designates 126.96.36.199 as permitted sender)|
|X-YMailISG:||A unique ID added by the Yahoo Inbound Spam Guard||Ig1nJIcWLDvQlyHBNRBoFLm5jHHEjvNjfzl5Z9WzBLlN73sO Wzfd6h9eCgd_53sjWYkxvvg4q9UvHcMR52koK_ih..7hBKVl6vkzCgA.ZptK mOVs9a7N_c07fSSSrlqu5vMbj1dzwRmOVzhvq7acz9I.xE9eP9397HVoD.14 fzwVLKzATyEg_KftZlHHbx3AASq592OVqrAiKZCck4.w646TRlv7TDaRSkui t26MqpikyPv0S8oFOE2rcKdlnrxFlCN2eEP_7TOSXu6lmiivL9VFa1IxRRcn kwjHGC49_602KFHdw.wTYLtYSqq7bsiUNufHVMfk5W47wKfwEDywdEzjbFac CsdeJTlnWmVYUuCpWdrQF_OxewlHQgB0BBAWTt4ebn7ZHl_RN9tdDtWRKQm3 UZa0EMXuYKEX569BT_Ta1vsgAm.7VYY2.0_As3iFe885Qs.qbKRU25YPglVd jGx_Hoe2NGeHBL32LOpZ17aiCWKs9rvnqyZJp21frREKCnYhkdSQM76HGFiN 8S_PSCJCO.lZw.SzlonQRkILhKCEX2t3zE1y4U3GpRC8HhCcwX_beytYknaq ByJGCbN9EtcCMLpLnVFRIMTZYojC4Riw.DgGm59QuO00kN0lxhedmVT5uFw0 XP76zoSwfuE7afX.xhGrocCdZhHadNlF85Q5IgJJrq6V.O4h7PTKL7hBdaRF G6V_5nsNQTT3Sm7u5Gsg230ZHmg7p4s0avXkr92b9TilyBHlKKwqHZTYjZf1 HW2U8suH3PZqtKn2OJbHT3TMwSkCFL7pKWKQRdsGE2u3nH1tOkuBuFZ4wPRX LHxAMinOh7BNQvf8g6bgqk7GSkEANTC.j4u_Q0PkoFTfTZER9ujhhiA_3y9D raKQnkOo0vN.kaLfqchLGXBBMzVe5VT.QQX7mxU5Q0oldHcwfPkmUoyH1ndm KHd_shGpIlZNWF09OeJ57uizOJL7imQBYARNkUUMiwNq1ByiBeO0CmsDCluD 1t4yKxYL7bfq5r3dIUVc74JEMxR39xHYrhAkcNrFPS061k1yGxUxu4F_uKbi vqYYdXn7Z9r_3QgE0enjNJjnbuqI4wP1OB4h3KWgS00Y8f1dSSvR3uxxaqC7 kt5yWCHTpTgiTVW33UT4YHSDv49x3zi0GLr_uGyQ.BaH1VGFly.jmT.ozMZC 1R0StFFp15xtoR8qAzDzJp7EwBsUJ3tR3znlEuZL.gqdpCSQ8zhh.OR.JSit nDT5UV5m2FeAGIvNgQru_mANN9yWDt7F7LUVnyx1LjM.NTnLVg5DhU6zSdQI DMKIwjcFjXDq40gLQtqY2wDsjVmtwnPX0dV4eNUuaaKrDqlhcR3uJ8mFI8Ae LrwIVdYIDklsoWrBeNEI.84U54qeTtlPEmMVtVGhyNORsUTbS7H6O2XaJg.x e5fBXuCo6pL8Gl4U_g36a4xV7PS0TlUWD5lOVp_99sBB6QVo_sOB7_t6jRL3 dFm2dkMdTA8WVPAvNid885nlR2qZTYLUJzVLRqXRLa2STlRWD3Xsj622ZcTk ivlZXbLrzfOaLpp9Uas0iYr_SdbQM7Y_T..IYneikl6GmONZ8Ou0tba56.vX b3RBsjJaX41LKQtGn6tCIjhxvJFLTEzZuJlZSbJONlnwbRDUDle4SFVUI5Mq 8rahRo4.4.seeDlmMyG.IV6kRv.F0JLrqdwwCzyv7z.Mi3Io.fjA2zEI4gzq r9QzBuVn0n_6qGf3v4eojjhrypre6_iX3XCUGhLWZcvn_HNdsiRU4Ab8y4Jw 76F33bF4VVfT7OqF7IyVV7Xd6Zs8TyyrnP7_9LUqdMevMR9jMpRjfbGvSKoM 3uauB8PmOxWCFrNbCtX7iTvMVIBHxIUbem6jswOSw0xDs.QM9JuR77h3FjN. 9UVB8TIrl0PJ.4bJPx4veBnhKlZQ9bSiORA5M4TR|
|X-Originating-IP:||The IP address the email was originally sent from, sometimes wrong - the bottom 'Received' field in the email header is the most reliable indicator of what IP the email came from||[188.8.131.52]|
|Authentication-Results:||Returns the result given in the Received-SPF field, and says spf=pass if the email passed authentication. Also uses the DKIM signature, and equally returns dkim=pass if the DKIM signature was okay. More info||mta4242.mail.ne1.yahoo.com from=tin.it; domainkeys=neutral (no sig); from=tin.it; dkim=neutral (no sig)|
|Received:||Part of the journey the email took to reach us/you, these tend to be in the order bottom-to-top so the first 'Received' is the last step the email took and the last 'Received' is the first step the email took||from 127.0.0.1 (EHLO smtp1web.tin.it) (184.108.40.206) by mta4242.mail.ne1.yahoo.com with SMTP; Thu, 27 Sep 2018 13:34:10 +0000|
|Received:||Part of the journey the email took to reach us/you, these tend to be in the order bottom-to-top so the first 'Received' is the last step the email took and the last 'Received' is the first step the email took||from feu3 (10.192.64.13) by smtp1web.tin.it (8.6.060.43) id 5AB0B63D049F34BA; Thu, 27 Sep 2018 15:34:09 +0200|
|Received:||Part of the journey the email took to reach us/you, these tend to be in the order bottom-to-top so the first 'Received' is the last step the email took and the last 'Received' is the first step the email took||from (220.127.116.11) by wmlighttin.pc.tim.it; Thu, 27 Sep 2018 15:34:09 +0200|
|Message-ID:||A unique ID assigned to the ID for reference purposes||[email address removed]|
|Date:||The date/time the email was sent||Thu, 27 Sep 2018 15:34:09 +0200 (CEST)|
|From:||This is the address the email was apparently sent from||[email address removed] [email address removed]|
|Reply-To:||This is the email address any reply would be sent to by default||[email address removed]|
|Subject:||The subject of the email||Your ATM Fund (USD$5.5m) Ref: 5521|
|Mime-Version:||Included, usually 1.0, if the email or header contains any non-ASCII characters or non-text attachments, or if the email is multi-part (contains a plain text version plus an HTML one, lets the user's email client or webmail decide which version to display)||1.0|
|Content-Type:||What type of content the email usually is, usually text/html, and what character set is used||text/plain;charset="UTF-8"|
|Content-Transfer-Encoding:||How the email has been encoded to comply with regulations (e.g. maximum characters per line)||7bit|
|X-Originating-IP:||The IP address the email was originally sent from, sometimes wrong - the bottom 'Received' field in the email header is the most reliable indicator of what IP the email came from||18.104.22.168|
|Content-Length:||The size of the email, in bytes||658|
pts rule description ---- ---------------------- -------------------------------------------------- 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% [score: 0.4839] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (gargiulogiorgio1957[at]tin.it) -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust [22.214.171.124 listed in list.dnswl.org] 1.0 FREEMAIL_REPLYTO Reply-To/From or Reply-To/body contain different freemails 0.0 TVD_RCVD_IP4 Message was received from an IPv4 address 0.0 TVD_RCVD_IP Message was received from an IP address 0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in digit (gargiulogiorgio1957[at]tin.it) 1.0 MISSING_HEADERS Missing To: header 0.0 DEAR_BENEFICIARY BODY: Dear Beneficiary: 0.0 LOTS_OF_MONEY Huge... sums of money 1.6 REPLYTO_WITHOUT_TO_CC No description available.
Please be careful with the links in the above email - Scammed.by strongly suggests that you do not click on any links in the above message
The email above is most likely a scam but every now and then legitimate emails do come through, as do spam emails which are not attempting to defraud, so please use your judgement
You can contact ScamSearch at help at scammed.by for any information, help, or if you have spotted a legitimate email. Please link to the email you think is legitimate.
ScamSearch does not accept any responsibility for visitors enduring any issues as a result of following links in the above email and/or contacting the sender
Please do not contact the sender unless you know what you are doing (i.e. experienced scambaiters)