The email was sent on 2018-11-29 13:52:05 and appeared to be from firstname.lastname@example.org but this address could have been spoofed.
If you replied to this email, your reply would have been sent to email@example.com which was the scammer's actual email address.
It was probably sent from 220.127.116.11 in Unknown, United States
Explains what each bit of the header means, and shows the journey the email took. Click here to show or hide it
|X-Apparently-To:||Used when there is no 'to' field in the header, does the same thing (says what email address(es) the email is sent to||[email address removed] Thu, 29 Nov 2018 10:52:05 +0000|
|Return-Path:||The address the email was sent from, or at least the one this email should be 'bounced' back to if it can not be delivered. Often spammers and scammers modify the email header to set a different return-path||[email address removed]|
|X-YahooFilteredBulk:||The IP here was blacklisted by Yahoo for sending spam||18.104.22.168|
|Received-SPF:||Returns 'pass' if the email was sent legitimately, 'neutral' if the server thinks nothing is right or wrong, 'soft fail' if it's not a serious issue, 'fail' if the email was sent by an unauthorised user or IP address (often if the mail server is hacked into), 'none' if the server can't tell, 'permerror' if the mail client does not understand what the server is saying, 'temperror' if the client can't connect to the server. More info||pass (domain of gmail.com designates 22.214.171.124 as permitted sender)|
|X-YMailISG:||A unique ID added by the Yahoo Inbound Spam Guard||GmXyvRUWLDugGHbb2nb5eYNrkV_x3AYywOMYn81Azp2jZ2MV oCtHsX9t7ohmsgAT85xFrB0gMpuMaE16Xm6c6y5DgaBXlxCAOqg.C.GxaD9D RU3ekFzcaK4yqkeJ9jPryWzGJuwiqLq7cxc8X97UFNeZWJ5jR.yRByLF8raJ xtsY3S7aVXTYt5OWQF2X5Mq9ayF2Oy0DEQsucs9HylbEQEehHL_Ktglo1g7U dDVpP7IOZXtTSBpqrdjMwFtxRWGOKDoYMNup.t2tjhA1LGz4hjYOD9Z5aLen z_4Xd2C1uBkjiXskyawB42bUcABTayxcgVxuZD9xpdc2_ck7FHGL2XMAth9L jbf4cSYtl2V.BwzCRa9HZQAUoXropxcy0VSD97VJW9kuZZQreLGXVNSwu4HI dPyzPjzw1djNpvO_PbCFC0kgB63HLjEp1Pu0GvGiWL1.a.SZsLTdKZamxGwv qSdjirR8lOjWQGCKDVL.2BWspW7uaI89bQ1TF0UTv6KvuBek.F0KXKoBZJo6 XjVPVTxLP9gYcsMYWEo248q.GvY5jj1HmTjPVs6VWXewl7m5rxATv.aNn.Yg NiqhBz7NJ2ttTnnh4dG2H5gCE66AtrvgiV45DqC94P9ZpWVJLL5KedhzR7pn l.WQ06BKuX53KL.nyAoXVeboVFeQ4a.w2TIbqGj5BJIKR9aGcRrZ8mqY9Y44 dt9HQ_mVmH84_oQ9QXOl.Dvk08C7m7xJDxM.HP8K_.vQ_fwVdkD9YiGV9jzi vhOW9QHP5iqcDtvM_7S0PRaX5fBVu2i2tEtZS_4ux9JdELZoxiWY_0ZvLqBJ kkHa_puCMFtAnwTmamQaGDN0azd9F1AvLMEvPacGRXDcR4_4qo3jIEZUqqvk pggj8G9KtfjOWcgOxLs7U_PiIkhsPgWRKtCWrR_3NgnOyBJhrAC8hNPWhHV4 KHCDoE9NZdTrGjAGtCKXMvN4OKAIk_PzE4gi9iXkMO6.oU7V2zJuxNkGoP17 3tKGtHBcsfnm1H1HWpOfLBO8P97GiCCjgAgzmV7er7Z5Ew.iVdXtRGFE_yuv C7JHObPBX7Tncbw4qiJv0AJSnXwqQtqGhnptbDOo6HFoKuRdfMtn71GKwVgm YqSBrE4LeaGbPEBo_kxGuSoSGMrO|
|X-Originating-IP:||The IP address the email was originally sent from, sometimes wrong - the bottom 'Received' field in the email header is the most reliable indicator of what IP the email came from||[126.96.36.199]|
|Authentication-Results:||Returns the result given in the Received-SPF field, and says spf=pass if the email passed authentication. Also uses the DKIM signature, and equally returns dkim=pass if the DKIM signature was okay. More info||mta4366.mail.ne1.yahoo.com from=gmail.com; domainkeys=neutral (no sig); from=gmail.com; dkim=pass (ok)|
|Received:||Part of the journey the email took to reach us/you, these tend to be in the order bottom-to-top so the first 'Received' is the last step the email took and the last 'Received' is the first step the email took||from 127.0.0.1 (EHLO mail-ot1-f67.google.com) (188.8.131.52) by mta4366.mail.ne1.yahoo.com with SMTPS; Thu, 29 Nov 2018 10:52:05 +0000|
|Received:||Part of the journey the email took to reach us/you, these tend to be in the order bottom-to-top so the first 'Received' is the last step the email took and the last 'Received' is the first step the email took||by mail-ot1-f67.google.com with SMTP id a11so1296551otr.10 for [email address removed] Thu, 29 Nov 2018 02:52:05 -0800 (PST)|
|DKIM-Signature:||Used to verify message integrity and ensure the header is not spoofed||v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=bEvZx+LtRrJU4L9NEdL2c2+zY/IAKDOHeigKT1nKYEw=; b=fAHqmC/PS/dF3V2j2BVMrSuwgvKKQu4ZW3zmmyABM6EBgyBouO3aoguxQECecaNLQa sYucHVi22HQ2dVo6/WoTJHO+zQT3OsMU7J/iULyfYiqceXZBC6ueGJJtR9wZQez+n3or 0Be55NtQ5aTalGgocodyJ2R+TIN/h6FCLB2eZXYSR6vpfIz77Z+hCxxt60MzTni+oVOP Jk2hLfXImVAQPkS7yyb0h5uBLdj45++puw5X1ChqOYmPKF9Uu/V2DbiOdN9rvF4Y8t/d 5NoHH6jSYUTdNfInXaJ7eahT+PNcPM29ln4LzOK9bwaO7NTDuCgzgGm8OuG79r7pxmvd YwLQ==|
|X-Google-DKIM-Signature:||Google Mail adds this to all their headers, it is used to verify message integrity and ensure the header is not spoofed||v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=bEvZx+LtRrJU4L9NEdL2c2+zY/IAKDOHeigKT1nKYEw=; b=rpNP0hprG4SZEzj4Tg0b4qQgU23i1nPItBeSEjDWHCGxWc+zHQdyTG46RgmV0KaFiI Io1IMneEdTpvO/ys3UO2/+aK4ZtB0bqBGdkQVrcnsP5Fus4aW28wgRM3xlAnylBbDbso UJnKSB03gTW4V6EYULtiZIWWSdLzmz4bhMJYXMfiAsun8PX0UTtJrz9FAoDaSKqZtbVR bmVcb8mUsnbrwff9DwqIN4x5iXixjnOmMw7bUHEDsNX/aCBei/SsuANICBSVAYiCbI/o 2tMfhwwb+qNP9ps4JonrwK8aZPIDxHGujk0LZ07PggkUa/J1hKglNSkD4tpvJPrOskTc Pa1A== X-Gm-Message-State: AA+aEWYpOLOjFtc3OKwQJ6v98+z5VfqohW59RJfKMzess+zcEx/Mpm7a VsT4UH0zWCioluo8PcEOv+tbvBYcvyzkj1maG6I= X-Google-Smtp-Source: AFSGD/X/q5dbQJEJY1L8pzxwZJ9jeihsbxQtec3kBxJaTx4D2G1h/WEERlenPRQuSyhvBy4V6MJ2gIkZ8q93xkeJV6Q=|
|X-Received:||Just like 'Received'. Part of the journey the email took to reach us/you, these tend to be in the order bottom-to-top so the first 'Received' is the last step the email took and the last 'Received' is the first step the email took||by 2002:a9d:6108:: with SMTP id i8mr614306otj.278.1543488724989; Thu, 29 Nov 2018 02:52:04 -0800 (PST)|
|MIME-Version:||Included, usually 1.0, if the email or header contains any non-ASCII characters or non-text attachments, or if the email is multi-part (contains a plain text version plus an HTML one, lets the user's email client or webmail decide which version to display)||1.0|
|From:||This is the address the email was apparently sent from||HSBC London [email address removed]|
|Date:||The date/time the email was sent||Thu, 29 Nov 2018 11:51:53 +0100|
|Message-ID:||A unique ID assigned to the ID for reference purposes||[email address removed]|
|Subject:||The subject of the email||RE: TRANSFER OF US$1,000,000.00 INTEREST VIA ATM CARD.|
|To:||The email address(es) the email was sent to||undisclosed-recipients:;|
|Content-Type:||What type of content the email usually is, usually text/html, and what character set is used||multipart/alternative; boundary="0000000000002afb7d057bcb79be"|
|Bcc:||Email addresses the email was secretly copied into, this field is usually blanked so even by viewing the email header you can't see who was secretly copied into the email||[email address removed]|
|Content-Length:||The size of the email, in bytes||4270|
pts rule description ---- ---------------------- -------------------------------------------------- 000.00 INTEREST VIA ATM CARD.*
I am Mr Iain Mackay, the Group Finance Director of HSBC Bank Plc London
Sometime ago, in our bank your inheritance money was brought to our bank
from AU PAYMENT PANEL AND AFTER SOME PERIOD OF TIME, THIS FUNDS WAS TAKEN
BACK to their treasury in world. For the period of time this fund was in
our bank, it generated an interest of US$1,000,000.00 which we considered
your long suffering by not receiving your payment and decide to pay you
this interest fund via ATM Card.
We have arranged your payment through our ATM Card Payment and below is the
The swift card center will send you an ATM CARD which you will use to
withdraw your money from any ATM machine in any part of the world, but the
maximum is US$10,000.00 (Ten Thousand US Dollars only) per day, so if you
like to receive your fund this way, do let us know by contacting us once
you receive this mail with the below stated information's.
1) Full Given Name
2) Addresses where you want them to send the card.
3) Phone and Fax numbers
4) Your Company and Position
Expecting your immediately response.
Mr. Iain Mackay
Group Finance Director
Hsbc Bank Plc London
Tel:+44 20 33185541; Fax: +44 20 35141829
[...] -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] 0.0 TVD_RCVD_IP Message was received from an IP address 0.0 TVD_RCVD_IP4 Message was received from an IPv4 address 1.5 SUBJ_ALL_CAPS Subject is all capitals -0.0 SPF_PASS SPF: sender matches SPF record 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (hsbc.imackay[at]gmail.com) 0.0 DKIM_ADSP_CUSTOM_MED No valid author signature, adsp_override is CUSTOM_MED 0.0 T_DEAR_BENEFICIARY BODY: Dear Beneficiary: 0.0 PP_MIME_FAKE_ASCII_TEXT BODY: MIME text/plain claims to be ASCII but isn't 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust [184.108.40.206 listed in list.dnswl.org] 0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3) [220.127.116.11 listed in wl.mailspike.net] 0.1 DKIM_INVALID DKIM or DK signature exists, but is not valid 0.0 RCVD_IN_MSPIKE_WL Mailspike good senders 0.0 LOTS_OF_MONEY Huge... sums of money 0.9 NML_ADSP_CUSTOM_MED ADSP custom_med hit, and not from a mailing list 0.0 ADVANCE_FEE_5_NEW_MONEY Advance Fee fraud and lots of money
Please be careful with the links in the above email - Scammed.by strongly suggests that you do not click on any links in the above message
The email above is most likely a scam but every now and then legitimate emails do come through, as do spam emails which are not attempting to defraud, so please use your judgement
You can contact ScamSearch at help at scammed.by for any information, help, or if you have spotted a legitimate email. Please link to the email you think is legitimate.
ScamSearch does not accept any responsibility for visitors enduring any issues as a result of following links in the above email and/or contacting the sender
Please do not contact the sender unless you know what you are doing (i.e. experienced scambaiters)