The email was sent on 2019-03-03 10:21:24 and appeared to be from email@example.com but this address could have been spoofed.
If you replied to this email, your reply would have been sent to firstname.lastname@example.org which was the scammer's actual email address.
It was probably sent from 220.127.116.11 in Washington D.C. Location found from phone number in email.
Explains what each bit of the header means, and shows the journey the email took.
|X-Apparently-To:||Used when there is no 'to' field in the header, does the same thing (says what email address(es) the email is sent to)||[email address removed] Sun, 03 Mar 2019 07:21:24 +0000|
|Return-Path:||The address the email was sent from, or at least the one this email should be 'bounced' back to if it can not be delivered. Often spammers and scammers modify the email header to set a different return-path||[email address removed]|
|X-YahooFilteredBulk:||The IP here was blacklisted by Yahoo for sending spam||18.104.22.168|
|Received-SPF:||Returns 'pass' if the email was sent legitimately, 'neutral' if the server thinks nothing is right or wrong, 'soft fail' if it's not a serious issue, 'fail' if the email was sent by an unauthorised user or IP address (often if the mail server is hacked into), 'none' if the server can't tell, 'permerror' if the mail client does not understand what the server is saying, 'temperror' if the client can't connect to the server.||pass (domain of yahoo.com designates 22.214.171.124 as permitted sender)|
|X-YMailISG:||A unique ID added by the Yahoo Inbound Spam Guard||[value removed]|
|X-Originating-IP:||The IP address the email was originally sent from, sometimes wrong - the bottom 'Received' field in the email header is the most reliable indicator of what IP the email came from||[126.96.36.199]|
|Authentication-Results:||Returns the result given in the Received-SPF field, and says spf=pass if the email passed authentication. Also uses the DKIM signature, and equally returns dkim=pass if the DKIM signature was okay.||mta4204.mail.gq1.yahoo.com [email address removed] header.s=s2048; dkim=pass (ok)|
|Received:||Part of the journey the email took to reach us/you, these tend to be in the order bottom-to-top so the first 'Received' is the last step the email took and the last 'Received' is the first step the email took||from 127.0.0.1 (EHLO sonic305-47.consmr.mail.ne1.yahoo.com) (188.8.131.52) by mta4204.mail.gq1.yahoo.com with SMTPS; Sun, 03 Mar 2019 07:21:24 +0000|
|DKIM-Signature:||Used to verify message integrity and ensure the header is not spoofed||v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1551597683; bh=EbnLnUQBq2stQZlti7HDgTDZJH4X7HSbhqJHeTQDF1M=; h=Date:From:Reply-To:Subject:References:From:Subject; b=gseoqCef7gW4eZgVfssNMM36P2Bej2wlsqmuv7iDrYOFper/6jRjRJhrD6lNPK6qq+li6GKc4BrbDF5isfPQdoB7NNQhV+elek+zIxto06mYu/zMs1FctZDdvZnBalkitSQ9tP97WlVmCO0TwdnanN+Y54bTEczKmG53eYz8b69aIIyYI7oyj/508L2eS0I48F9bfIry9B+RlqHy9KiGCeNiS+mPtWdHGvQfI/9mlWc2Ksq7ei0nPDn9oeT5PxCMqTDK2XX2tTfhQKHD3/Q+rxStJVjxu7vwS1wrqJ/aqQ8o1pGz9WJA/waMy/wpKx3cXneJEI0dEVkX5sEBwGiGDw==|
|X-YMail-OSG:||A unique ID added by the Yahoo Outbound Spam Guard||vEJiA8wVM1ni91P02ATCy2v9UhXGEX6sXjTM4HuTcLhlHU0Xb35GbogDByXrfQ- -|
|Received:||Part of the journey the email took to reach us/you, these tend to be in the order bottom-to-top so the first 'Received' is the last step the email took and the last 'Received' is the first step the email took||from sonic.gate.mail.ne1.yahoo.com by sonic305.consmr.mail.ne1.yahoo.com with HTTP; Sun, 3 Mar 2019 07:21:23 +0000|
|Date:||The date/time the email was sent||Sun, 3 Mar 2019 07:19:21 +0000 (UTC)|
|From:||This is the address the email was apparently sent from||WHITE HOUSE CHIEF OF STAFF [email address removed]|
|Reply-To:||This is the email address any reply would be sent to by default||WHITE HOUSE CHIEF OF STAFF [email address removed]|
|Message-ID:||A unique ID assigned to the email for reference purposes||[email address removed]|
|Subject:||The subject of the email||URGENT RESPONSE NEEDED|
|MIME-Version:||Included, usually 1.0, if the email or header contains any non-ASCII characters or non-text attachments, or if the email is multi-part (contains a plain text version plus an HTML one, lets the user's email client or webmail decide which version to display)||1.0|
|Content-Type:||What type of content the email is, usually text/html, and what character set is used||text/plain; charset=UTF-8|
|Content-Transfer-Encoding:||How the email has been encoded to comply with regulations (e.g. maximum characters per line)||quoted-printable|
|References:||Facilitates the threading of emails; helps the email client piece together which emails belong together in a conversation||[email address removed]|
|X-Mailer:||The software used to send the email. Spambots, including those used by scammers, often falsify this as a version of Outlook or Outlook Express to get through some spam filters||WebService/1.1.13201 YahooMailBasic Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36|
|Content-Length:||The size of the email, in bytes||1176|
7.5 MILLION TO YOU AFTER NEGOTIATING YOUR FUND RELEASE TERMS WITH THE BENIN AUTHORITIES. THE JUSTICE DEPARTMENT EXPECTS YOU TO PAY THE SUM OF US$725 ONLY TO THE BENIN AUTHORITIES OR ITS AFFILIATED AGENCY HERE IN USA . THE FEE IS FOR THE ENDORSEMENT OF YOUR FUND RELEASE APPROVAL. AND AFTER THE ENDORSEMENT PROCESS WHICH IS LIKELY TO TAKE 24 HOURS, THE BOX CONTAINING YOUR FUND WOULD BE DELIVERED STRAIGHT TO YOUR HOME ADDRESS.
NOTE: FAILURE TO COMPLY TO THIS FOLLOWING INSTRUCTION THE FUND WILL BE SHIPPED TO THE TREASURIES ACCOUNT DEPARTMENT FOR CONFISCATION ON 5TH OF NOVEMBER 2018.
YOU ARE REQUIRED TO COMPLY WITH THIS ARRANGEMENT WITH UTMOST URGENCY TO ENABLE US DISPENSE OUR DUTIES AND OBLIGATION ACCORDINGLY THEREBY ALLOWING US TO SERVE YOU IN A TIMELY MANNER.
FEEL FREE TO CALL OR TEXT ME IF AM UNABLE TO ANSWER +1 (202) 886-8142
HON JOHN FRANCIS KELLY
WHITE HOUSE CHIEF OF STAFF
GOD BLESS UNITED STATES OF AMERICA
[...]
|pts||rule||description|
|0.0||TVD_RCVD_IP4||Message was received from an IPv4 address|
|0.0||TVD_RCVD_IP||Message was received from an IP address|
|0.0||FREEMAIL_FROM||Sender email is commonly abused enduser mail provider (diplomat_stephencurry202[at]yahoo.com)|
|1.0||FORGED_YAHOO_RCVD||'From' yahoo.com does not match 'Received' headers|
|-0.0||SPF_PASS||SPF: sender matches SPF record|
|1.6||SUBJ_ALL_CAPS||Subject is all capitals|
|0.2||FREEMAIL_REPLYTO_END_DIGIT||Reply-To freemail username ends in digit (dhs.desk0045[at]gmail.com)|
|1.2||MISSING_HEADERS||Missing To: header|
|0.0||DKIM_ADSP_CUSTOM_MED||No valid author signature, adsp_override is CUSTOM_MED|
|0.2||FREEMAIL_ENVFROM_END_DIGIT||Envelope-from freemail username ends in digit (diplomat_stephencurry202[at]yahoo.com)|
|0.9||URG_BIZ||BODY: Contains urgent matter|
|0.0||DEAR_BENEFICIARY||BODY: Dear Beneficiary:|
|2.7||UNCLAIMED_MONEY||BODY: People just leave money laying around|
|0.0||MIME_QP_LONG_LINE||RAW: Quoted-printable line longer than 76 chars|
|0.1||DKIM_SIGNED||Message has a DKIM or DK signature, not necessarily valid|
|-0.0||RCVD_IN_DNSWL_NONE||RBL: Sender listed at https://www.dnswl.org/, no trust [184.108.40.206 listed in list.dnswl.org]|
|1.2||UPPERCASE_75_100||message body is 75-100% uppercase|
|0.0||LOTS_OF_MONEY||Huge... sums of money|
|0.1||DKIM_INVALID||DKIM or DK signature exists, but is not valid|
|0.0||MALFORMED_FREEMAIL||Bad headers on message from free email service|
|1.9||REPLYTO_WITHOUT_TO_CC||No description available.|
|1.0||FREEMAIL_REPLYTO||Reply-To/From or Reply-To/body contain different freemails|
|1.2||NML_ADSP_CUSTOM_MED||ADSP custom_med hit, and not from a mailing list|
|0.0||ADVANCE_FEE_5_NEW_MONEY||Advance Fee fraud and lots of money|
The email above is most likely a scam, but every now and then legitimate emails do come through, as do spam emails which are not attempting to defraud, so please use your judgement.
Please do not click on links in the above email or make use of any contact details in the above email.