The email was sent on 2019-03-31 12:29:32 and appeared to be from email@example.com, but this address could have been spoofed.
If you replied to this email, your reply would have been sent to firstname.lastname@example.org, which was the scammer's actual email address.
It was probably sent from 126.96.36.199 in Unknown, United States.
Explains what each bit of the header means, and shows the journey the email took.
|X-Apparently-To:||Used when there is no 'To' field in the header; does the same thing (says what email address(es) the email is sent to)||[email address removed] Sun, 31 Mar 2019 09:29:32 +0000|
|Return-Path:||The address the email was sent from, or at least the one this email should be 'bounced' back to if it cannot be delivered. Often spammers and scammers modify the email header to set a different return-path.||[email address removed]|
|X-YahooFilteredBulk:||The IP here was blacklisted by Yahoo for sending spam||188.8.131.52|
|Received-SPF:||Returns 'pass' if the email was sent legitimately, 'neutral' if the server thinks nothing is right or wrong, 'soft fail' if it's not a serious issue, 'fail' if the email was sent by an unauthorised user or IP address (often if the mail server is hacked into), 'none' if the server can't tell, 'permerror' if the mail client does not understand what the server is saying, 'temperror' if the client can't connect to the server.||pass (domain of gmail.com designates 184.108.40.206 as permitted sender)|
|X-YMailISG:||A unique ID added by the Yahoo Inbound Spam Guard|||
|X-Originating-IP:||The IP address the email was originally sent from, sometimes wrong - the bottom 'Received' field in the email header is the most reliable indicator of what IP the email came from||[220.127.116.11]|
|Authentication-Results:||Returns the result given in the Received-SPF field, and says spf=pass if the email passed authentication. Also uses the DKIM signature, and equally returns dkim=pass if the DKIM signature was okay.||mta4365.mail.bf1.yahoo.com [email address removed] header.s=20161025; dkim=pass (ok)|
|Received:||Part of the journey the email took to reach us/you. These tend to be in bottom-to-top order, so the first 'Received' is the last step the email took and the last 'Received' is the first step the email took.||from 127.0.0.1 (EHLO mail-ua1-f68.google.com) (18.104.22.168) by mta4365.mail.bf1.yahoo.com with SMTPS; Sun, 31 Mar 2019 09:29:32 +0000|
|Received:||Part of the journey the email took to reach us/you. These tend to be in bottom-to-top order, so the first 'Received' is the last step the email took and the last 'Received' is the first step the email took.||by mail-ua1-f68.google.com with SMTP id t15so1527906uao.5 for [email address removed] Sun, 31 Mar 2019 02:29:32 -0700 (PDT)|
|DKIM-Signature:||Used to verify message integrity and ensure the header is not spoofed||v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=dR8u/FxeI/kBnbvOKxFs9f/j7gH7h63dOLxX683+sn4=; b=oNtj6a/4/ylwNm5+5otUj2NDjZqQ8XWfsw3kuJgEi5kqqCcUuxQq3O/h6o6aNlOGeY rCZSnM3iERV9i0RO8250jIkq0AWxUD72IPSQIVEaB6Og3Gwv1ZZvcteaVa9+sc8fPIBp 3qE5i3Jb+UqxgF9CEKHNv5qUy6qHfcbPTnGFGYBBXwjyMg6jD8wswbyUlPJvIMSsL/9o LHdl7h5MVahDYhVrzKM7oa7/sAdLLOmhYpGQCLq45Hfz/idDjpARxdY35jtvHURk2dMN y2kSwaZh7k8J3qtsTqbc3OCCDRlLTq22024bgVe8DSz238eCJTc3056myOPDlAnEegBM Y96A==|
|X-Google-DKIM-Signature:||Google Mail adds this to all their headers, it is used to verify message integrity and ensure the header is not spoofed||v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=dR8u/FxeI/kBnbvOKxFs9f/j7gH7h63dOLxX683+sn4=; b=aEzJjzPOPTOoTxuv4rHgOiMJgZ7JtuPceACEODvKYEPkXPq97YPXOymf/t9NgBSobj N1Pdhe7SocafAR1JMYTvwFFvcfgZ/HaOYsVztj7gZtUpZLlTyChRhqiAp/9t6X3w9TC1 dJIb/LVw0nuJHcExoy7kMkY7EEqhEPyCYr2UCTS4lR90pdyr6uCwj3GtxkEdksogalPz e2ab2pzYQ27X//mIAh/tbhakQuLTAx6IyQtMM4TEQdTEqdHBjre/W+wrOstLhfXCL5O9 WTD2MBeIEvjn86mOo/I+iYcH2k8PWcSVdpqX5QwV4SNHRzSGDFMO1/42eZiDsLmNSE+A wEHg== X-Gm-Message-State: APjAAAV0NwDxw1nsKN2xdZATjGIkxWRqXH4rI68h2LcCyo6V3jpP54oO 54F6OLkJ8+Pa3gpOd5tYjP7zKluX1gtMNebfql4= X-Google-Smtp-Source: APXvYqwoOfTvd6Xtjbl7GdDv3j9axOWj3eRMr6Z3LnEl/kWqJyGe7eJhYBlQlMhBVHorJNb68Xf5QiAW53b0NKybpsg=|
|X-Received:||Just like 'Received'. Part of the journey the email took to reach us/you. These tend to be in bottom-to-top order, so the first 'Received' is the last step the email took and the last 'Received' is the first step the email took.||by 2002:ab0:2a11:: with SMTP id o17mr19981452uar.29.1554024571638; Sun, 31 Mar 2019 02:29:31 -0700 (PDT)|
|MIME-Version:||Included, usually 1.0, if the email or header contains any non-ASCII characters or non-text attachments, or if the email is multi-part (contains a plain text version plus an HTML one, lets the user's email client or webmail decide which version to display)||1.0|
|From:||This is the address the email was apparently sent from||MR JAMES ENTWISTLE [email address removed]|
|Date:||The date/time the email was sent||Sun, 31 Mar 2019 10:29:06 -0700|
|Message-ID:||A unique ID assigned to the email for reference purposes||[email address removed]|
|Subject:||The subject of the email||PAYMENT NOTICE|
|To:||The email address(es) the email was sent to||undisclosed-recipients:;|
|Content-Type:||What type of content the email is, usually text/html, and what character set is used||multipart/alternative; boundary="000000000000909ee60585608a88"|
|Bcc:||Email addresses the email was secretly copied into. This field is usually blanked, so even by viewing the email header you can't see who was secretly copied into the email.||[email address removed]|
|Content-Length:||The size of the email, in bytes||12323|
8.2 MILLION .WE HAVE DECIDED TO TAKE THIS ISSUE UPON OURSELVES TO
SAFEGUARD YOU FROM THESE CRIMINAL MINDED INDIVIDUALS WHOSE ONLY INTEREST
WAS TO EXTORT MONEY AND FEES FROM YOU.
THIS IS IN LINE WITH THE AGREEMENT I SIGNED WITH THE NIGERIA GOVERNMENT ON
MY ASSUMPTION OF OFFICE AS THE USA AMBASSADOR TO NIGERIA, RESULTING FROM
COMPLAINS WE RECEIVED DAILY ON SCAMS IN NIGERIA AND IN AFRICA, ASIAN AND
SO YOU ARE HEREBY ADVISED TO CONTACT MY OFFICE ON THE ABOVE EMAIL AND PHONE
NUMBER, RECONFIRM,YOUR FULL NAME,YOUR MAILING/BILLING INFORMATION,DIRECT
PHONE/FAX NUMBERS THE NAME OF YOUR NEXT OF KIN AND A COPY OF YOUR
INTERNATIONAL PASSPORT OR DRIVERS LICENSE IDENTIFICATION FOR RECORD
PURPOSE AND EFFECTIVE DELIVERY OF YOUR ATM CARD.
HOWEVER,ALWAYS KEEP ME POSTED AS SOON AS YOU RECEIVE YOUR ATM CREDIT CARD
VALUE OF YOUR FUND.
WE HAVE CALCULATED AND APPROVED THE ARRIVAL OF YOUR ATM CARD TO BE WITHIN
THREE DAYS UPON THE RECEIPT OF THE ABOVE DETAILS.
*Mr. W.STUART SYMINGTON*
*United States Ambassador to (Nigeria)*
[...]

pts  rule                       description
---- -------------------------- --------------------------------------------------
-1.9 BAYES_00                   BODY: Bayes spam probability is 0 to 1% [score: 0.0000]
0.0  TVD_RCVD_IP                Message was received from an IP address
0.0  TVD_RCVD_IP4               Message was received from an IPv4 address
-0.0 SPF_PASS                   SPF: sender matches SPF record
1.9  DATE_IN_FUTURE_06_12       Date: is 6 to 12 hours after Received: date
0.0  FREEMAIL_FROM              Sender email is commonly abused enduser mail provider (usaembassy.nig0444[at]gmail.com)
0.0  DKIM_ADSP_CUSTOM_MED       No valid author signature, adsp_override is CUSTOM_MED
1.5  SUBJ_ALL_CAPS              Subject is all capitals
0.2  FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in digit (usaembassy.nig0444[at]gmail.com)
0.0  HK_SCAM_N2                 BODY: No description available.
2.0  DEAR_SOMETHING             BODY: Contains 'Dear (something)'
-0.0 RCVD_IN_DNSWL_NONE         RBL: Sender listed at https://www.dnswl.org/, no trust [22.214.171.124 listed in list.dnswl.org]
1.0  PP_MIME_FAKE_ASCII_TEXT    BODY: MIME text/plain claims to be ASCII but isn't
0.1  DKIM_SIGNED                Message has a DKIM or DK signature, not necessarily valid
0.0  T_HK_NAME_FM_MR_MRS        No description available.
0.0  UPPERCASE_50_75            message body is 50-75% uppercase
0.0  LOTS_OF_MONEY              Huge... sums of money
0.1  DKIM_INVALID               DKIM or DK signature exists, but is not valid
0.9  NML_ADSP_CUSTOM_MED        ADSP custom_med hit, and not from a mailing list
2.6  MONEY_ATM_CARD             Lots of money on an ATM card
0.0  T_FILL_THIS_FORM_SHORT     Fill in a short form with personal information
2.2  MONEY_FORM_SHORT           Lots of money if you fill out a short form
1.5  ADVANCE_FEE_5_NEW_MONEY    Advance Fee fraud and lots of money
0.0  FORM_FRAUD_5               Fill a form and many fraud phrases
The email above is most likely a scam, but every now and then legitimate emails do come through, as do spam emails which are not attempting to defraud, so please use your judgement.
Please do not click on links in the above email or make use of any contact details in the above email.