The email was sent on 2019-01-09 19:48:54 and appeared to be from email@example.com but this address could have been spoofed.
If you replied to this email, your reply would have been sent to firstname.lastname@example.org which was the scammer's actual email address.
It was probably sent from 188.8.131.52 in Unknown, United States
Explains what each bit of the header means, and shows the journey the email took. Click here to show or hide it
|X-Apparently-To:||Used when there is no 'to' field in the header, does the same thing (says what email address(es) the email is sent to||[email address removed] Wed, 09 Jan 2019 16:48:53 +0000|
|Return-Path:||The address the email was sent from, or at least the one this email should be 'bounced' back to if it can not be delivered. Often spammers and scammers modify the email header to set a different return-path||[email address removed]|
|X-YahooFilteredBulk:||The IP here was blacklisted by Yahoo for sending spam||184.108.40.206|
|Received-SPF:||Returns 'pass' if the email was sent legitimately, 'neutral' if the server thinks nothing is right or wrong, 'soft fail' if it's not a serious issue, 'fail' if the email was sent by an unauthorised user or IP address (often if the mail server is hacked into), 'none' if the server can't tell, 'permerror' if the mail client does not understand what the server is saying, 'temperror' if the client can't connect to the server. More info||pass (domain of gmail.com designates 220.127.116.11 as permitted sender)|
|X-YMailISG:||A unique ID added by the Yahoo Inbound Spam Guard||hy6qt40WLDsnw8DVVdsRYLw0VN9uJ7aj9Pwvjzl3.Kq_Q5BX Vkm3bXsLd3hJC6CXK92DI3_8OTarK.mGFboLppcFUKyEWkg6uap5wPeZndUG nrSbHjhcYhD_8B1u7Ofji8IGm0O2dz6FaTxK0pMyyeRuaSqjP5rSwvG1ZIjO Pi4JhXR0E06lTRfPgy_QE7UkXYLNgD3mPEMUI_Kro1RaPZ5j4vc4PNAMqgtr L97B1YWDNwa19_Ifbm8D5zdGL.hUAcoXAbh4UWgs029waj3KA0SgF6H_OEe2 91SKX0MEvOq62x8aIxPjG0xL6KfItSHtULD7ginsEUz_vGZTwbH5HaMVpkkI y5N_wwlrunvLTWuh3HyYtr3tnOiM9uI6tAF3aRGFIszulntKP8Ud.kcay6ke BSZtBYHc913WfydnPKaxmpBuksihl.TCkWMm7Ckm6SQbcoJE_YQaprtBvggd Aoq8wMFIdLKTBQGkKyZbqK0naNGcQbSoKTGbQzBTKbvVKuMXKnPKZMbFG8sH Apnb7gOZnmojT7gC_jIoc_YMBdQUeT9RDPjHfY9PDBGHbzd43ctr0YmOpgnF BXRWqAnhNMQHjJ8tQsSh4F9gshYMfe3lC1.2wLea2GOGdvjEYoH0UDuZn0hU VJEtQRJ3fD9bgPEkSVkIfKu1luQ4ce63Lt7WhjXbQ59LIzNjYJWtm3Aj5slQ 7rbjUvURA2YppYJrt6.sq3wynWB3Q5nf.4HVqZYLKdFvnpXgyi8MsnrJyR.C dlDGLDyVSiO1OqJprtbomMuewvR_QtmAUCPDRZEpVZlzT9fdwgQQk1doqgAk y3sRJmJYRVWys98ACyb94ER329o4kJJPb_dHsyEi8.NmLmGuh_N71.fVgyB8 vkA2H3OE7fEAFi7py2Eyw_XtXR6fUv8UtJe9AqJP.WYm9t2KlIbZ_HfXTKmn 2P_2g4JXkjGa6yvbtUwhQR6mZX1o8vEdUm5TUkh7GOVN4UhN4YQk0iVTlNB8 ChpOrMxxmQvAQvr.wM4mNIDq7YKKUdISgGEWjYXYxayVMO3l5gd32wRkK3Un 8G8finT5IelCFaranHPvxss4PPFevzgZVdaoJ2Cw10VurY8wyxSBxqyv.BzV BSz6V07ou9.og.5ehPCfHOCbPw6l_rYpvLS9iMAxBiHwW.oH0AzlqjtNWTiB eoMz_6pUhXNX3iN7j7x8b7K08w9ErQf0k8rS4F.rarkEqQlY1o1FYQ--|
|X-Originating-IP:||The IP address the email was originally sent from, sometimes wrong - the bottom 'Received' field in the email header is the most reliable indicator of what IP the email came from||[18.104.22.168]|
|Authentication-Results:||Returns the result given in the Received-SPF field, and says spf=pass if the email passed authentication. Also uses the DKIM signature, and equally returns dkim=pass if the DKIM signature was okay. More info||mta4175.mail.ne1.yahoo.com [email address removed] header.s=20161025; dkim=pass (ok)|
|Received:||Part of the journey the email took to reach us/you, these tend to be in the order bottom-to-top so the first 'Received' is the last step the email took and the last 'Received' is the first step the email took||from 127.0.0.1 (EHLO mail-wr1-f65.google.com) (22.214.171.124) by mta4175.mail.ne1.yahoo.com with SMTPS; Wed, 09 Jan 2019 16:48:53 +0000|
|Received:||Part of the journey the email took to reach us/you, these tend to be in the order bottom-to-top so the first 'Received' is the last step the email took and the last 'Received' is the first step the email took||by mail-wr1-f65.google.com with SMTP id l9so8335145wrt.13 for [email address removed] Wed, 09 Jan 2019 08:48:53 -0800 (PST)|
|DKIM-Signature:||Used to verify message integrity and ensure the header is not spoofed||v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:reply-to:from:date:message-id:subject:to; bh=xpRR8MqPS0jontMqlisWz6hIzlvk4Te063cgVZ0lNho=; b=io1iVT21byYRgFloiou4MOiUms4XsVyK1rpw7A9bOwG0aObHM5WHoC8sftjjWeDcqZ JljPzBfnowl9YM/6p/C/r6kqZI6yFkSdHMyE84z8v0wO0gbFf+Xre+nExEs1Rk4C7tPc rmecTkpYpCbV68I+shUEGtNOYbC/0V85xbEZumXP5trVEuSg3SazySAajV7EPGhiYVy+ p/EQ1ENSTlluUyM3KmhwU6kP05jXuUKh7dwsVN+D/hiTCjVTFOBpjz4YqeH3rFvsSdxF vyrK7llyq6eRbVUeQPJN+FP7/OAo5/zEUpbtQ5sXIl/RNtaRc89XkjkCCmB+xy57avZl eqAQ==|
|X-Google-DKIM-Signature:||Google Mail adds this to all their headers, it is used to verify message integrity and ensure the header is not spoofed||v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:reply-to:from:date:message-id :subject:to; bh=xpRR8MqPS0jontMqlisWz6hIzlvk4Te063cgVZ0lNho=; b=oxxIp0XaP33WuB0WJlE1xL7rt9g1dIO4wDzwciN4ErXuLabg7el5I8Ws1O76tiGUUm 1JwH9EdFVekWUypvHYbJOk2S6lfPeEezAjYb0xwD9VozOUuan6sAKbYlkpVaGIV3G+kS rqFfrOWxFDZc2i3N0BpDHLwQ7pNVrghITCgMCRtzuLP9zYebBXEYW4OEhNmKHNKZJmLo Xwhr133mapZ7gk0T+m3pSka2hgxpxgQp04dZgWOaJa6GjVPEBYcRE5IwjKHrKPQSTi3L p/T6u4F8syKturAPeIrzliF8NXoCMiSuSqV21Sx9jlkSNiiDe/cRL67BqsQYO6E07Bi2 V+1A== X-Gm-Message-State: AJcUukda+66OlPaR4u+1k6StocPvpruwffroUo4PLqxST+PSTn67Qh6I EdOCVg3p2As+d+qRWCBPsqf4GwhzSLf6OEJAa4U= X-Google-Smtp-Source: ALg8bN7IjHMoffwpDmzOyaiibRBw8UC3750QnbFiggfvPXrzGEIjujidz0Y+y5zBwZJdOR7nOQoFGxejh6wPccbguYg=|
|X-Received:||Just like 'Received'. Part of the journey the email took to reach us/you, these tend to be in the order bottom-to-top so the first 'Received' is the last step the email took and the last 'Received' is the first step the email took||by 2002:a5d:6b81:: with SMTP id n1mr6234573wrx.149.1547052532048; Wed, 09 Jan 2019 08:48:52 -0800 (PST)|
|MIME-Version:||Included, usually 1.0, if the email or header contains any non-ASCII characters or non-text attachments, or if the email is multi-part (contains a plain text version plus an HTML one, lets the user's email client or webmail decide which version to display)||1.0|
|Reply-To:||This is the email address any reply would be sent to by default||[email address removed]|
|From:||This is the address the email was apparently sent from||Western Union [email address removed]|
|Date:||The date/time the email was sent||Wed, 9 Jan 2019 17:48:40 +0100|
|Message-ID:||A unique ID assigned to the ID for reference purposes||[email address removed]|
|Subject:||The subject of the email||Re: Happy New Year|
|To:||The email address(es) the email was sent to||undisclosed-recipients:;|
|Content-Type:||What type of content the email usually is, usually text/html, and what character set is used||multipart/alternative; boundary="0000000000009f31a1057f093cf7"|
|Bcc:||Email addresses the email was secretly copied into, this field is usually blanked so even by viewing the email header you can't see who was secretly copied into the email||[email address removed]|
|Content-Length:||The size of the email, in bytes||4011|
pts rule description ---- ---------------------- -------------------------------------------------- 000.00 USD from us on a daily basis until
your sum of $950,000.00 USD is completely transferred.
THEREFORE BELOW IS THE INSTRUCTION FOR YOU TO REMIT THE $75 USD FEE VIA
OUR SERVICE WESTERN UNION OR RIA MONEY TRANSFER OUTLET:
RECEIVER NAME: ====== AUSTINE MABIA
COUNTRY: ====== BENIN
CITY: ======= PORTO-NOVO
AMOUNT: ====== $75 USD
Regardless following our official agreement with Ministry of Finance your
$9,000.00 USD daily payment will be split into two transfer and you will be
receiving $4,500.00 USD twice daily until we have finished transferring
your total funds $950,000.00 USD.
PLEASE FORWARD THE FOLLOWING TO US:
MTCN / Ref Number
Your Full Address
Important notice this offer will valid only but 72 hours three working days
from today 9th Jan to 11th Jan 2019 therefore we urge you to do the
necessary and remit the $75 USD fee today so that we will proceed
reactivate your file and start your transaction instantly.
I'm glad to be of your service.
Mr. Richardson Turko
Tel: +229 6200 3918
Auditing and Accounting General Manager
Cotonou - Republic of Benin
[...] 0.0 TVD_RCVD_IP4 Message was received from an IPv4 address 0.0 TVD_RCVD_IP Message was received from an IP address -0.0 SPF_PASS SPF: sender matches SPF record 0.0 DKIM_ADSP_CUSTOM_MED No valid author signature, adsp_override is CUSTOM_MED 0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in digit (jcampbell7755[at]gmail.com) 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (jcampbell7755[at]gmail.com) 0.0 PP_MIME_FAKE_ASCII_TEXT BODY: MIME text/plain claims to be ASCII but isn't 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust [126.96.36.199 listed in list.dnswl.org] 0.1 DKIM_INVALID DKIM or DK signature exists, but is not valid 0.0 LOTS_OF_MONEY Huge... sums of money 1.0 FREEMAIL_REPLYTO Reply-To/From or Reply-To/body contain different freemails 1.2 NML_ADSP_CUSTOM_MED ADSP custom_med hit, and not from a mailing list 2.0 ADVANCE_FEE_3_NEW_MONEY Advance Fee fraud and lots of money
Please be careful with the links in the above email - Scammed.by strongly suggests that you do not click on any links in the above message
The email above is most likely a scam but every now and then legitimate emails do come through, as do spam emails which are not attempting to defraud, so please use your judgement
You can contact ScamSearch at help at scammed.by for any information, help, or if you have spotted a legitimate email. Please link to the email you think is legitimate.
ScamSearch does not accept any responsibility for visitors enduring any issues as a result of following links in the above email and/or contacting the sender
Please do not contact the sender unless you know what you are doing (i.e. experienced scambaiters)