The email was sent on 2019-01-15 11:19:37 and appeared to be from firstname.lastname@example.org but this address could have been spoofed.
If you replied to this email, your reply would have been sent to email@example.com which was the scammer's actual email address.
It was probably sent from 184.108.40.206 in Unknown, United States
Explains what each bit of the header means, and shows the journey the email took. Click here to show or hide it
|X-Apparently-To:||Used when there is no 'to' field in the header, does the same thing (says what email address(es) the email is sent to||[email address removed] Tue, 15 Jan 2019 08:19:37 +0000|
|Return-Path:||The address the email was sent from, or at least the one this email should be 'bounced' back to if it can not be delivered. Often spammers and scammers modify the email header to set a different return-path||[email address removed]|
|X-YahooFilteredBulk:||The IP here was blacklisted by Yahoo for sending spam||220.127.116.11|
|Received-SPF:||Returns 'pass' if the email was sent legitimately, 'neutral' if the server thinks nothing is right or wrong, 'soft fail' if it's not a serious issue, 'fail' if the email was sent by an unauthorised user or IP address (often if the mail server is hacked into), 'none' if the server can't tell, 'permerror' if the mail client does not understand what the server is saying, 'temperror' if the client can't connect to the server. More info||pass (domain of gmail.com designates 18.104.22.168 as permitted sender)|
|X-YMailISG:||A unique ID added by the Yahoo Inbound Spam Guard||cc2zqbwWLDvT7CI_.PzJ.M.Zkf9CPWI7sJyPi4DtIVMl9_Wi 6uqfB9lMLFMg8GyWgVHJ7CkN_muy3Ff4b.PFY9uNf4MRkt1ROlogPyA_MZPI rBTxWxuv0Wp6ThWJpmXvAYojEUHniVrEAXPpDz7895rUmmiVEz6RxYfojTxM 0REkoXMZVzkxNNbZXs9fk.5.Vlj3hj8aHxpTxJe.RGUuHBZCQtnxADNgwqqF SojBbu4sKMj_.PJwE9dM22JfJl6F6AwLRM.Rslkk1tbD2a37.YPeSxV0e1Oh ADmEOJY2S2cofeSyD.EqZ6CUMlrKNuFxoY5lMd.op3ZCF8NGAGrb3Y2r6NaV gGNwD7mYxKrnuDqDNOciuv98Xrm0KNpsP7Ws6WoHMuZt7aBfkXshSF3AeNKY Se71r.VeO676WqX3FXB1S1dg6l7TUHS1B5c..DVMLx39f6O_UFxOJjDHKa_E 0DhKkVOgkZuW7kgMGPuhKLC0RTYQ3l_xPLR..qgspL2MuoyYLfkDJqB00FJx QLo42JonkV_WtaaFWbpR0pAOl54o.V6c8ttewOemd7eiMF_WeZMzdWGkUNtM TJPfd1p_JEvMOxyFnQyL14CHNpBiPy.Ay86tt3jLbX2NkW.KdYiaX2R.MjcJ B6RFTyRaVkI8tsp3Qm1mwuPzIhp00LMhzkrfCmRRaI6PXZhG_TPJMRzOte5q nZmyuUHujLHyvATgvG2OMy0ZKV1ox9mmfI5HGEFzrkxELw6MTTNk0zmc09DX B3fV_pozFTUbrJMBQeS8S7i3PVeQwwEzIrVqF5AfoIU107LAFy6l9hN7AGiB D9p8PLiNHcxm4CRQJ9KK4gLm6UiV_FbeLik3PMh2wQC44edc8YlFUEvou_Va B77QDc__721R4mcPUyDrfg7fijsz7g3w_uLKj6m444JqCF2isoj7Z3Moy7Em u4Buev6wauGe6atAi3HxZz2p1lkExSFPz7dxMxXGCIlBN9pXTKOSHwhi3rF5 ZgUAVCyyzwliHqwOLQLhBYPZEUJmoFJpR6RKbM9cyWCdHHBy3_AiOcZEo_8J NhESCdAzo7lwuFk8dY8xDW_JX1Y20Yzy18hSrRPXZLX3DtFMIxccG7TvPbg. jPTQGMTYbcvM1v8-|
|X-Originating-IP:||The IP address the email was originally sent from, sometimes wrong - the bottom 'Received' field in the email header is the most reliable indicator of what IP the email came from||[22.214.171.124]|
|Authentication-Results:||Returns the result given in the Received-SPF field, and says spf=pass if the email passed authentication. Also uses the DKIM signature, and equally returns dkim=pass if the DKIM signature was okay. More info||mta4302.mail.bf1.yahoo.com [email address removed] header.s=20161025; dkim=pass (ok)|
|Received:||Part of the journey the email took to reach us/you, these tend to be in the order bottom-to-top so the first 'Received' is the last step the email took and the last 'Received' is the first step the email took||from 127.0.0.1 (EHLO mail-oi1-f195.google.com) (126.96.36.199) by mta4302.mail.bf1.yahoo.com with SMTPS; Tue, 15 Jan 2019 08:19:37 +0000|
|Received:||Part of the journey the email took to reach us/you, these tend to be in the order bottom-to-top so the first 'Received' is the last step the email took and the last 'Received' is the first step the email took||by mail-oi1-f195.google.com with SMTP id x202so1424988oif.13 for [email address removed] Tue, 15 Jan 2019 00:19:37 -0800 (PST)|
|DKIM-Signature:||Used to verify message integrity and ensure the header is not spoofed||v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=gsJP5M+hDQmhdlTOTifUyUTc8ZDz/2RuDPGoQVFTuOY=; b=Pjh/ThwsxCaj8yzJpnQvKBWQd3xfQTyRbIh8i3FQ8UhKUNKmJ4jGR4v8MQfQxG0oEE zz6+nWTpXHZzbfkzyG8kGh7tQwSkdzYkESEG0xZzKalrJGQ09sWJmyOm55ZFDN6nSAG6 LgQh9DECpU0pAlq6vxzyOhMY4vJ+4PRYa8yMHV/N7tqFE/iLBj/XFxwKkGMEWls4O2dD bkqBeqVL/qyWvlA0Y1qvYQwrvUJpvSt+XyhBoDnO3pRuQXbCq5kfY2w17qiUaysr0ynZ 5C7BzdRyHCmSHuxloyhFoL8vgulmGfkYzeNm2zN7Aa3W5nqcTSvTTGIbM0NpGTcHFnpz 8Tfw==|
|X-Google-DKIM-Signature:||Google Mail adds this to all their headers, it is used to verify message integrity and ensure the header is not spoofed||v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=gsJP5M+hDQmhdlTOTifUyUTc8ZDz/2RuDPGoQVFTuOY=; b=i4TPUX7ju1IPKMEWRj57/teZY9DPVsY26rgyyf+rEJlWSz0NoT3C/Z7S93wZ4c4qmS e7kYh4siF2kQkE2yEAMU445Q8+Sg1uY0BNcd/dbwG9e7sUFARvkrFLxNndMJb0ulgSMe 7mt47X1o0OJz9v05ck2RIewXMcvulGp8z9ALSRmnm81BQis+LqhkuZM3yIB5xnwXF7Wu koZ491IFh1QpEw18+vB4lXmh1gz5ovHUdL6p402QaxPebqtDsosdSZWvnV/Qis1WhGf9 H1haQMJsdhpitx2NxHOkMnCio0R6gegbSOQNzbm4SeN4a+O3jfqtUHrrDIzLo1wSLzwA GBFA== X-Gm-Message-State: AJcUukfKndabFZkSVXHiUZwKki2vD+9rbT34sapJSLwBaZE8xfePswmH 52OzFbL24c3DEY0RT5+Jk2JdVrUaQXAXYLqnwaQ= X-Google-Smtp-Source: ALg8bN4osZ9V1ETOeMQ5R+7EOvsJZyS7y2GFx2tTCNO0JBEJ693FFnIT//TbiScKfzDOqmzarUJ6eBGpx4plB+Pw/ek=|
|X-Received:||Just like 'Received'. Part of the journey the email took to reach us/you, these tend to be in the order bottom-to-top so the first 'Received' is the last step the email took and the last 'Received' is the first step the email took||by 2002:aca:5c87:: with SMTP id q129mr1392600oib.189.1547540376919; Tue, 15 Jan 2019 00:19:36 -0800 (PST)|
|MIME-Version:||Included, usually 1.0, if the email or header contains any non-ASCII characters or non-text attachments, or if the email is multi-part (contains a plain text version plus an HTML one, lets the user's email client or webmail decide which version to display)||1.0|
|From:||This is the address the email was apparently sent from||Hsbc Bank Plc London [email address removed]|
|Date:||The date/time the email was sent||Tue, 15 Jan 2019 09:19:24 +0100|
|Message-ID:||A unique ID assigned to the ID for reference purposes||[email address removed]|
|Subject:||The subject of the email||RE: TRANSFER OF US$1,000,000.00 INTEREST VIA ATM CARD.|
|To:||The email address(es) the email was sent to||undisclosed-recipients:;|
|Content-Type:||What type of content the email usually is, usually text/html, and what character set is used||multipart/alternative; boundary="000000000000712514057f7ad23c"|
|Bcc:||Email addresses the email was secretly copied into, this field is usually blanked so even by viewing the email header you can't see who was secretly copied into the email||[email address removed]|
|Content-Length:||The size of the email, in bytes||5920|
pts rule description ---- ---------------------- -------------------------------------------------- 000.00 INTEREST VIA ATM CARD.*
I am Mr Iain Mackay, the Group Finance Director of HSBC Bank Plc London
Sometime ago, in our bank your inheritance money was brought to our bank
from AU PAYMENT PANEL AND AFTER SOME PERIOD OF TIME, THIS FUNDS WAS TAKEN
BACK to their treasury in world. For the period of time this fund was in
our bank, it generated an interest of US$1,000,000.00 which we considered
your long suffering by not receiving your payment and decide to pay you
this interest fund via ATM Card.
We have arranged your payment through our ATM Card Payment and below is the
The swift card center will send you an ATM CARD which you will use to
withdraw your money from any ATM machine in any part of the world, but the
maximum is US$10,000.00 (Ten Thousand US Dollars only) per day, so if you
like to receive your fund this way, do let us know by contacting us once
you receive this mail with the below stated information's.
1) Full Given Name
2) Addresses where you want them to send the card.
3) Phone and Fax numbers
4) Your Company and Position
Expecting your immediately response.
Mr. Iain Mackay
Group Finance Director
Hsbc Bank Plc London
Tel: +44 203 3180798; Fax: +44 20 35141829
[...] 0.0 TVD_RCVD_IP Message was received from an IP address 0.0 TVD_RCVD_IP4 Message was received from an IPv4 address 1.6 SUBJ_ALL_CAPS Subject is all capitals 0.0 DKIM_ADSP_CUSTOM_MED No valid author signature, adsp_override is CUSTOM_MED -0.0 SPF_PASS SPF: sender matches SPF record 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (parryjoneshsbc[at]gmail.com) -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [188.8.131.52 listed in wl.mailspike.net] -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust [184.108.40.206 listed in list.dnswl.org] 0.0 T_DEAR_BENEFICIARY BODY: Dear Beneficiary: 0.0 PP_MIME_FAKE_ASCII_TEXT BODY: MIME text/plain claims to be ASCII but isn't 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid 0.0 LOTS_OF_MONEY Huge... sums of money 0.1 DKIM_INVALID DKIM or DK signature exists, but is not valid 1.2 NML_ADSP_CUSTOM_MED ADSP custom_med hit, and not from a mailing list 0.0 MONEY_ATM_CARD Lots of money on an ATM card
Please be careful with the links in the above email - Scammed.by strongly suggests that you do not click on any links in the above message
The email above is most likely a scam but every now and then legitimate emails do come through, as do spam emails which are not attempting to defraud, so please use your judgement
You can contact ScamSearch at help at scammed.by for any information, help, or if you have spotted a legitimate email. Please link to the email you think is legitimate.
ScamSearch does not accept any responsibility for visitors enduring any issues as a result of following links in the above email and/or contacting the sender
Please do not contact the sender unless you know what you are doing (i.e. experienced scambaiters)