The email was sent on 2019-04-11 12:11:56 and appeared to be from firstname.lastname@example.org but this address could have been spoofed.
If you replied to this email, your reply would have been sent to email@example.com which was the scammer's actual email address.
It was probably sent from 184.108.40.206 in Unknown, United States - Click here to see the location on a map
Click here to leave a comment
Explains what each bit of the header means, and shows the journey the email took. Click here to show or hide it
|X-Apparently-To:||Used when there is no 'to' field in the header, does the same thing (says what email address(es) the email is sent to||[email address removed] Thu, 11 Apr 2019 09:11:56 +0000|
|Return-Path:||The address the email was sent from, or at least the one this email should be 'bounced' back to if it can not be delivered. Often spammers and scammers modify the email header to set a different return-path||[email address removed]|
|X-YahooFilteredBulk:||The IP here was blacklisted by Yahoo for sending spam||220.127.116.11|
|Received-SPF:||Returns 'pass' if the email was sent legitimately, 'neutral' if the server thinks nothing is right or wrong, 'soft fail' if it's not a serious issue, 'fail' if the email was sent by an unauthorised user or IP address (often if the mail server is hacked into), 'none' if the server can't tell, 'permerror' if the mail client does not understand what the server is saying, 'temperror' if the client can't connect to the server. More info||pass (domain of yahoo.com designates 18.104.22.168 as permitted sender)|
|X-YMailISG:||A unique ID added by the Yahoo Inbound Spam Guard||7BXwD7AWLDs5zp0nyNV63T_TixkOqHCJL8AQ.hLA3dcLXsnI 8A5QTk2rjB0NOZKlgM23Uilcnjfvm_O6qPZdfKjgC7vZR24taw73a_1hXGle 2tYqUdPPlzUh9FZtd1a9gzGrjZVwazUOsebQjgdQbLgscJTSbOP3YAEb9y_l CWJhcOdOyFmNbDmn4P._d446qiQTAfsmIS9nTFm8LTg9PwvAIcErO7e1Qo31 Kaza5gkNE6qh7VRrRBtk0aGG8I38G79KsnkTcj7fyJE9iZJ.3aPKb68x44Qa EmrRGlcTFFifHgXvgVCs_6IPjteBPoW10x57VgnJ_ZJ.vRf4N5Gw5DaJJa3I FH1Xp5h1oaA4C9ZZnXCOafVtlYl2h2sk6Jz6wNndF73jqdKjsyfH6IEYobpE wsaovFxRMkJFAQ6iLrelh84hWoFLUSu7oxEs8r10O6UVa_pOd985VIxxMGj2 f6rAnQhbAoM1SDu2dqOmaY4tm06DEmuGakEoIhmatjVgJnx_f8QUj2FUcP37 yqguEa8WdBXFivui.5IPjSYvYqPPWbmk7bpPOMeWAqr09Hi3vFbKk7EoU37k CMCqb4XBcboMIZsqislu8yhdRt1D2sypTikm.AH5lKsnsPItDSNAkKeJHIra rYhO59aWtR1KpqCDbqTlcqQ_RNtWrv5Li9u5CcmtK5Uhc1IMakxEiuadJ3Iw L6KllTYFWzF9aFxIB2G7mczVDQBQ2FmQ4duNVMQo_Y2h5_QCO.C9g2DXfw_w .sosDJhjZFZTbStcKMLeSisjwseBqXajgezybpv8.72EULJNkn72mUxzBbUV FDnyzuprRoLZqKdu6HSId48tOOVs8PtywSOwiYjaMBSDgwAViEaAJzONvGM4 6YolO0F9_2kHprH1CTgwY7jlj_g.h9IevgtDyE2V7B5JTYZcm7e0Fz1KOzBQ yTguPzI9ERnCDUJ0jpDtXiisgS9xN6TY8ej9n9ZVRvcFLl_ZGL2uWg4CI_z. Vabg4X_kn5am87LMcgZRYpA2EfrK8s.ZbwoalF4Z7V9w_iN3r._An0H7F0Bb 2pB9TcDaYeBNBYGSi5NIba_sRhR.bIyOOUB.QPwyiJh_KIWp4gKQ_WKe1zsB zH6CL7QGjcEDNryS4Y6ma3zop714XUWjVXe5SDaDSBmlFnFf0dUQeEs_2SXX IwCcb_ejp.hOCCVhKL54Lx2_a8FEEhkKk2yJQphWzxTUGlPoy5OqJDTfug--|
|X-Originating-IP:||The IP address the email was originally sent from, sometimes wrong - the bottom 'Received' field in the email header is the most reliable indicator of what IP the email came from||[22.214.171.124]|
|Authentication-Results:||Returns the result given in the Received-SPF field, and says spf=pass if the email passed authentication. Also uses the DKIM signature, and equally returns dkim=pass if the DKIM signature was okay. More info||mta4137.mail.gq1.yahoo.com [email address removed] header.s=s2048; dkim=pass (ok)|
|Received:||Part of the journey the email took to reach us/you, these tend to be in the order bottom-to-top so the first 'Received' is the last step the email took and the last 'Received' is the first step the email took||from 127.0.0.1 (EHLO sonic313-56.consmr.mail.ne1.yahoo.com) (126.96.36.199) by mta4137.mail.gq1.yahoo.com with SMTPS; Thu, 11 Apr 2019 09:11:55 +0000|
|DKIM-Signature:||Used to verify message integrity and ensure the header is not spoofed||v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1554973915; bh=Z4dae/uPN8JoNcn8xQ4aLJUa+Zz5KhvOyAtKsBkHjLM=; h=Date:From:Reply-To:Subject:References:From:Subject; b=LIHt7O4Pc+h93ipY38DJGPA2iK4axC2vuGi5+WLP219NtnPmaX51ayBTsEzqmYOUWdjGBMBFUy9HaS4esdFZKjVoRaaxKLBDzgZKaK5oyc5L8w5coShpjPN94aRxEE2eu+mM/FhLDLK3PnumflLwwcs58ajOgnFOo7lCO/tSfGqmb5JugbkHR5E7NSEFpHc0st/wRp+SKLaYzx0iyfCwGMKhgewgXC721rOI0bQd/lzihS6bWAGzIwwOCIBA5yIiq/a2hmd/1yquXuz50TpYy0YrxrgiMLC+3MvrNcTtMABj1X2P6YpYYl7wSksq1cQfwFSlOOv/RJ5h7YEy1mONqQ==|
|X-YMail-OSG:||A unique ID added by the Yahoo Outbound Spam Guard||UhhowWAVM1n9yCPy1lYwbyAAOXyKEQbqjirOYBBUQsFb75IV_FykIzgLCWMxuAN zDDbXKQ7FREstoqGqfk1XsIEwOp7vVyAPpvxjmQDMAla4LgzhUFXYtSV0uXqzrkpVdTce52Kyr0. Mre8R5vk6zYU1CtrxGzzefXqyo8.puFaaDPfsDFGPnefWxX7LfEtLNnjr9p21pCHt3jlq6AmN7bs UCl3ekSqoR.8ZRJShguNOJk4tXH9_I_Rtj2bkHFSQaNVOAzjsAME5p8wEgegSaG1hspZ2AMkEKGa zkI6pC.kAa7DyrAfRE0RrzfuajgpjR3XAPXElFf9xnZpNipm5PhchZ8ZFH_dfObDANPkWX1JGwPf 8jdMATJaxv9InsmDaLZTfePqY_Z0UERG6dEU.srVxfMQ.QRGljzUX8j59K6iApUcmUosE3dQekSY X8oJU2PQupGjBo1Upc0JxJ2LqeO.3k7gKNs_Q6mbrEk0TdCSU4UKCO7gLO_XPtGsdONiCfztDHXd e7HDJS3QAmxRhiYwXwuHgO_e98u35ozxCwDI91MwgrCyjs2AtzO3FqbxLBbd23vOhjZpxlzlY5fR ok54uAIJFVorWoIFUjRmRi6VYgEMQTNiBZc9FNhqOswG38q7I1yiaTbXGB76aV3F_c3edOuuo1DI XFAQNOTtvuTA4LUazMC3hxheDACKB_mux4ufpIWH8w9vCWThfLuUEuRS55g8W4La3r3KcY.X7L0q UfbVabusW_PZrcdK63j7EcPyfPYi7kULPiAIXT3LOXSlT0CjlY.Do8mJPOznhi8VO.7k.XT0xgIQ MR.KefUZvXaQTwSuD2X7I2nTUFeLRItFK6xqXuZwcjWJ98QGaSFLz2wKKl_rY5UAKCjEOHG1woO4 OXMqEVCTQEbLA7HShLh2rdlPhs3Q1uEfxDjL_GnXrJTyTbyJoN.8n4mUnKUuJtBrErwVgs52zWaI 7ieYMWvrKh4sfH35tsmrz3SRkdB5I8oZi2TKhE4sLghQxAVUFNGN0DnXMm60dVRSo22DA6cIaw7f LKlVXZyzBYPXjNv8d4Sm7iTIRxjkmf0PEoW03Y_1xAe2GEh.3zovZ3VyzYIgfnLMkBUVMT9OF9DL Ewu6VuQJUB9nGTrRxqTX84wd7L0DAIFw-|
|Received:||Part of the journey the email took to reach us/you, these tend to be in the order bottom-to-top so the first 'Received' is the last step the email took and the last 'Received' is the first step the email took||from sonic.gate.mail.ne1.yahoo.com by sonic313.consmr.mail.ne1.yahoo.com with HTTP; Thu, 11 Apr 2019 09:11:55 +0000|
|Date:||The date/time the email was sent||Thu, 11 Apr 2019 09:11:53 +0000 (UTC)|
|From:||This is the address the email was apparently sent from||UNITED STATES TREASURY DEPARTMENT [email address removed]|
|Reply-To:||This is the email address any reply would be sent to by default||UNITED STATES TREASURY DEPARTMENT [email address removed]|
|Message-ID:||A unique ID assigned to the ID for reference purposes||[email address removed]|
|Subject:||The subject of the email||UNITED STATES TREASURY DEPARTMENT|
|MIME-Version:||Included, usually 1.0, if the email or header contains any non-ASCII characters or non-text attachments, or if the email is multi-part (contains a plain text version plus an HTML one, lets the user's email client or webmail decide which version to display)||1.0|
|Content-Type:||What type of content the email usually is, usually text/html, and what character set is used||text/plain; charset=UTF-8|
|Content-Transfer-Encoding:||How the email has been encoded to comply with regulations (e.g. maximum characters per line)||quoted-printable|
|References:||Facilitates the threading of emails; helps the email client piece together which emails belong together in a conversation||[email address removed]|
|X-Mailer:||The software used to send the email. Spambots, including those used by scammers, often falsify this as a version of Outlook or Outlook Express to get through some spam filters||WebService/1.1.13212 YahooMailBasic Mozilla/5.0 (Windows NT 6.1; rv:66.0) Gecko/20100101 Firefox/66.0|
|Content-Length:||The size of the email, in bytes||4747|
pts rule description ---- ---------------------- -------------------------------------------------- 000.00 USD (Ten Million Five Hundred Thousand United States Dollars) which was collected from an authorized delivery agent which was sent from United Nations and the delivery was stopped at a local airport here in the U.S holding a Luggage which he confessed that you are the owner, he made us understand that the funds belongs to you as a Compensation prize from the United Nations and he was sent to deliver it to your home. After proper investigations, we discovered the delivery agent does not have tangible documents to deliver this Luggage to you, and he was stopped and sent back to his country,meanwhile, the funds were retrieved and kept in our custody in your favor.
After several investigations to know the source of the funds and to confirm the legitimacy of the funds, we confirmed that the funds are clean and not act of Money Laundering or for sponsorship of Terrorism in the U.S. After acknowledging the delay in your retrieved funds which is truly $10,500.000.00 USD (Ten Million Five Hundred Thousand United States Dollars). The Secretary of State (Mr. Rex Tillerson) scheduled a time frame to settle all foreign/local debts which includes Contract/Inheritance/ Gambling/ Compensation (Sponsored by Microsoft and National [...] 0.6 HK_RANDOM_ENVFROM Envelope sender username looks random 0.0 TVD_RCVD_IP Message was received from an IP address 0.0 TVD_RCVD_IP4 Message was received from an IPv4 address 1.0 FORGED_YAHOO_RCVD 'From' yahoo.com does not match 'Received' headers -0.0 SPF_PASS SPF: sender matches SPF record 0.0 DKIM_ADSP_CUSTOM_MED No valid author signature, adsp_override is CUSTOM_MED 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (userwwwperrier[at]yahoo.com) 1.6 SUBJ_ALL_CAPS Subject is all capitals 1.2 MISSING_HEADERS Missing To: header 0.2 FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in digit (mrsbridgetdouglas01[at]gmail.com) 2.0 MILLION_USD BODY: Talks about millions of dollars -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [188.8.131.52 listed in list.dnswl.org] 0.0 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid 1.1 MALFORMED_FREEMAIL Bad headers on message from free email service 0.0 LOTS_OF_MONEY Huge... sums of money 0.1 DKIM_INVALID DKIM or DK signature exists, but is not valid 1.9 REPLYTO_WITHOUT_TO_CC No description available. 1.0 FREEMAIL_REPLYTO Reply-To/From or Reply-To/body contain different freemails 1.2 NML_ADSP_CUSTOM_MED ADSP custom_med hit, and not from a mailing list 0.0 T_FILL_THIS_FORM_SHORT Fill in a short form with personal information 0.0 MONEY_FRAUD_5 Lots of money and many fraud phrases
The email above is most likely a scam but every now and then legitimate emails do come through, as do spam emails which are not attempting to defraud, so please use your judgement
Please do not click on links in the above email or make use of any contact details in the above email.