The email was sent on 2019-03-22 13:25:53 and appeared to be from email@example.com but this address could have been spoofed.
If you replied to this email, your reply would have been sent to firstname.lastname@example.org which was the scammer's actual email address.
It was probably sent from 18.104.22.168 in Unknown, United States
Explains what each bit of the header means, and shows the journey the email took.
|X-Apparently-To:||Used when there is no 'to' field in the header, does the same thing (says what email address(es) the email is sent to)||[email address removed] Fri, 22 Mar 2019 10:25:53 +0000|
|Return-Path:||The address the email was sent from, or at least the one this email should be 'bounced' back to if it can not be delivered. Often spammers and scammers modify the email header to set a different return-path||[email address removed]|
|X-YahooFilteredBulk:||The IP here was blacklisted by Yahoo for sending spam||22.214.171.124|
|Received-SPF:||Returns 'pass' if the email was sent legitimately, 'neutral' if the server thinks nothing is right or wrong, 'soft fail' if it's not a serious issue, 'fail' if the email was sent by an unauthorised user or IP address (often if the mail server is hacked into), 'none' if the server can't tell, 'permerror' if the mail client does not understand what the server is saying, 'temperror' if the client can't connect to the server.||pass (domain of gmail.com designates 126.96.36.199 as permitted sender)|
|X-YMailISG:||A unique ID added by the Yahoo Inbound Spam Guard||[value removed]|
|X-Originating-IP:||The IP address the email was originally sent from, sometimes wrong - the bottom 'Received' field in the email header is the most reliable indicator of what IP the email came from||[188.8.131.52]|
|Authentication-Results:||Returns the result given in the Received-SPF field, and says spf=pass if the email passed authentication. Also uses the DKIM signature, and equally returns dkim=pass if the DKIM signature was okay.||mta4010.mail.gq1.yahoo.com [email address removed] header.s=20161025; dkim=pass (ok)|
|Received:||Part of the journey the email took to reach us/you, these tend to be in the order bottom-to-top so the first 'Received' is the last step the email took and the last 'Received' is the first step the email took||from 127.0.0.1 (EHLO mail-ed1-f67.google.com) (184.108.40.206) by mta4010.mail.gq1.yahoo.com with SMTPS; Fri, 22 Mar 2019 10:25:52 +0000|
|Received:||Part of the journey the email took to reach us/you, these tend to be in the order bottom-to-top so the first 'Received' is the last step the email took and the last 'Received' is the first step the email took||by mail-ed1-f67.google.com with SMTP id h22so1220843edw.7 for [email address removed] Fri, 22 Mar 2019 03:25:52 -0700 (PDT)|
|DKIM-Signature:||Used to verify message integrity and ensure the header is not spoofed||v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=ZBSAt672c6HvysbTakS4eXzC5152znJVQE40PLYzjxo=; b=oE8S4c3yRLlgUhFEvaBbaDHnooR37RqNAxI9P7UFCbj0MJZA3G9ZUGu3BmAHTtNO64 8Pkx/dw0Osn8hqAV2r2zLodx6/kOk1v592XtTIbwkDzPHL/1A2FW7RJGvulTArGzr5Pw PMKYdntUTgeol48O+T/kSVHoNQp77Wwlnm8UmEp3a65w49B6GkmJDJZfxWgCYPC/6jSo d1cDPP16gYp+6GFj2Nd75v8L7FFTRIFUFyAyGdD38h/VwY/B3eVtlU+1lBV7gZQzmOBv BNWC0CBI9j3Nu7MvpmJwy/38a4E0XrZQ5wfvCkj9KRj1Cj80EdUGjp9SvtKAp7UlXLFT 430g==|
|X-Google-DKIM-Signature:||Google Mail adds this to all their headers, it is used to verify message integrity and ensure the header is not spoofed||v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=ZBSAt672c6HvysbTakS4eXzC5152znJVQE40PLYzjxo=; b=VUecFKHEE1DJ+cgRnyRe9eLttVyVgXsRwCFhcZSb8HDSVma+MXot1s5J8KpzkI1ghT DmjNl/+QaNMuiaomCWz/knRqrMNXYjfixTPzaaHSqK/6AdwIimV6l1QGduDGMLXNZJZ/ kvIRgj0grkVHa1gTwF4drd9I++aRpOXcp2iBkQHjLiOsxOECP/iZNvdb9ecVGkoaq+vP AfPAcWjv4dBSXGsHVdv0nOSPGh/uiMzKaFEe79jct0Qc3rqraJT6THczav3o9Tn7SN7p pvu9tYlVB1d7UPBhS2wRczCSG8L8K1et8pMNkeeciYlSmpUwLUqqaYEKyFaHXSXsgEqa nvfQ== X-Gm-Message-State: APjAAAV4bjr2L5GB2DiVdeiM6rnF8Q0ffFQT9+wlOvBR3kuQ6fXMRth7 Sq1FKHUFELJECTkzYXZzuaLbIOEmENmmOo2woRw= X-Google-Smtp-Source: APXvYqz5lm7fJ7hx11yCbUNqf0WzhNRqKimu26QS6ARAdbt2BfN7PjRWjQgj9dAXPk5HHw1jlghhayfCbR4V0NOvSJY=|
|X-Received:||Just like 'Received'. Part of the journey the email took to reach us/you, these tend to be in the order bottom-to-top so the first 'Received' is the last step the email took and the last 'Received' is the first step the email took||by 2002:a50:8864:: with SMTP id c33mr5978450edc.110.1553250350402; Fri, 22 Mar 2019 03:25:50 -0700 (PDT)|
|MIME-Version:||Included, usually 1.0, if the email or header contains any non-ASCII characters or non-text attachments, or if the email is multi-part (contains a plain text version plus an HTML one, lets the user's email client or webmail decide which version to display)||1.0|
|From:||This is the address the email was apparently sent from||usaembassy Nigeria [email address removed]|
|Date:||The date/time the email was sent||Fri, 22 Mar 2019 03:25:26 -0700|
|Message-ID:||A unique ID assigned to the email for reference purposes||[email address removed]|
|Subject:||The subject of the email||PAYMENT NOTICE|
|To:||The email address(es) the email was sent to||undisclosed-recipients:;|
|Content-Type:||What type of content the email is, usually text/html, and what character set is used||multipart/alternative; boundary="000000000000622e2e0584ac47ef"|
|Bcc:||Email addresses the email was secretly copied into, this field is usually blanked so even by viewing the email header you can't see who was secretly copied into the email||[email address removed]|
|Content-Length:||The size of the email, in bytes||20154|
8.2 MILLION .WE HAVE DECIDED TO TAKE THIS ISSUE UPON OURSELVES TO
SAFEGUARD YOU FROM THESE CRIMINAL MINDED INDIVIDUALS WHOSE ONLY INTEREST
WAS TO EXTORT MONEY AND FEES FROM YOU.
THIS IS IN LINE WITH THE AGREEMENT I SIGNED WITH THE NIGERIA GOVERNMENT ON
MY ASSUMPTION OF OFFICE AS THE USA AMBASSADOR TO NIGERIA, RESULTING FROM
COMPLAINS WE RECEIVED DAILY ON SCAMS IN NIGERIA AND IN AFRICA, ASIAN AND
SO YOU ARE HEREBY ADVISED TO CONTACT MY OFFICE ON THE ABOVE EMAIL AND PHONE
NUMBER, RECONFIRM,YOUR FULL NAME,YOUR MAILING/BILLING INFORMATION,DIRECT
PHONE/FAX NUMBERS THE NAME OF YOUR NEXT OF KIN AND A COPY OF YOUR
INTERNATIONAL PASSPORT OR DRIVERS LICENSE IDENTIFICATION FOR RECORD
PURPOSE AND EFFECTIVE DELIVERY OF YOUR ATM CARD.
HOWEVER,ALWAYS KEEP ME POSTED AS SOON AS YOU RECEIVE YOUR ATM CREDIT CARD
VALUE OF YOUR FUND.
WE HAVE CALCULATED AND APPROVED THE ARRIVAL OF YOUR ATM CARD TO BE WITHIN
THREE DAYS UPON THE RECEIPT OF THE ABOVE DETAILS.
*Mr. W.STUART SYMINGTON*
*United States Ambassador to (Nigeria)*
[...]
|pts||rule||description|
|0.0||TVD_RCVD_IP4||Message was received from an IPv4 address|
|0.0||TVD_RCVD_IP||Message was received from an IP address|
|1.6||SUBJ_ALL_CAPS||Subject is all capitals|
|0.0||FREEMAIL_FROM||Sender email is commonly abused enduser mail provider (usaembassy.nig144[at]gmail.com)|
|0.0||DKIM_ADSP_CUSTOM_MED||No valid author signature, adsp_override is CUSTOM_MED|
|0.2||FREEMAIL_ENVFROM_END_DIGIT||Envelope-from freemail username ends in digit (usaembassy.nig144[at]gmail.com)|
|-0.0||SPF_PASS||SPF: sender matches SPF record|
|0.0||HK_SCAM_N2||BODY: No description available.|
|1.7||DEAR_SOMETHING||BODY: Contains 'Dear (something)'|
|0.0||PP_MIME_FAKE_ASCII_TEXT||BODY: MIME text/plain claims to be ASCII but isn't|
|-0.0||RCVD_IN_MSPIKE_H2||RBL: Average reputation (+2) [220.127.116.11 listed in wl.mailspike.net]|
|-0.0||RCVD_IN_DNSWL_NONE||RBL: Sender listed at https://www.dnswl.org/, no trust [18.104.22.168 listed in list.dnswl.org]|
|0.1||DKIM_SIGNED||Message has a DKIM or DK signature, not necessarily valid|
|0.0||URIBL_BLOCKED||ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists… #dnsbl-block for more information. [URIs: gmail.co]|
|1.2||UPPERCASE_75_100||message body is 75-100% uppercase|
|0.1||DKIM_INVALID||DKIM or DK signature exists, but is not valid|
|0.0||LOTS_OF_MONEY||Huge... sums of money|
|1.2||NML_ADSP_CUSTOM_MED||ADSP custom_med hit, and not from a mailing list|
|2.9||MONEY_ATM_CARD||Lots of money on an ATM card|
|0.0||T_FILL_THIS_FORM_SHORT||Fill in a short form with personal information|
|2.2||MONEY_FORM_SHORT||Lots of money if you fill out a short form|
|1.4||ADVANCE_FEE_5_NEW_MONEY||Advance Fee fraud and lots of money|
|0.0||FORM_FRAUD_5||Fill a form and many fraud phrases|
The email above is most likely a scam, but every now and then legitimate emails do come through, as do spam emails which are not attempting to defraud, so please use your judgement.
Please do not click on links in the above email or make use of any contact details in the above email.