The email was sent on 2019-06-16 00:05:04 and appeared to be from firstname.lastname@example.org but this address could have been spoofed.
If you replied to this email, your reply would have been sent to email@example.com which was the scammer's actual email address.
It was probably sent from 18.104.22.168 in Unknown, United States.
Explains what each bit of the header means, and shows the journey the email took.
|X-Apparently-To:||Used when there is no 'to' field in the header, does the same thing (says what email address(es) the email is sent to)||[email address removed] Sat, 15 Jun 2019 21:05:04 +0000|
|Return-Path:||The address the email was sent from, or at least the one this email should be 'bounced' back to if it can not be delivered. Often spammers and scammers modify the email header to set a different return-path||[email address removed]|
|X-YahooFilteredBulk:||The IP here was blacklisted by Yahoo for sending spam||22.214.171.124|
|Received-SPF:||Returns 'pass' if the email was sent legitimately, 'neutral' if the server thinks nothing is right or wrong, 'soft fail' if it's not a serious issue, 'fail' if the email was sent by an unauthorised user or IP address (often if the mail server is hacked into), 'none' if the server can't tell, 'permerror' if the mail client does not understand what the server is saying, 'temperror' if the client can't connect to the server.||pass (domain of gmail.com designates 126.96.36.199 as permitted sender)|
|X-YMailISG:||A unique ID added by the Yahoo Inbound Spam Guard||n5KKdH4WLDtaIS9TetxP0k7uHIAK8XX5AgF_ZKOU.laRkPL1 QJOzjVxgB3kDSZvQomUyG9tz8NH9wCY5zWldUCgMVIlFhGRbLB8IZfi5IIYw ZslSoyJ.LanYYkKQRfvwTGaeBnpFwa7j9OJDCGredfmzEqdRCyoaDJyWJ56R K53SurvhWjXkcuTQbvTm6E_p_mq07nlRwny0kHgck2UXg0HGrG2XYHE_Ie3T wSFA1l9MnUOYwu5r4F52YJJKxPELW6W603Rw9Wn4Ycdpd9KjN3.w8K4UeTp0 c_eMw7EiAiJdhkq_OzA117D4kqXsBE060WTrIc8ZodXf6P2VshioOQJRY6Vm b0XMvxWjC2_KHzkkFwFC9ewuK1yHkJLIvu_OPEnsApQlSOPLRzbT93u26w6D jg5B77v05jH1aWWig5v8BiKFMH.ER0yNovDHz0Pxp_3Y9sYoHCd93YQmfGOM G5ic8S4_k2dOu0oOWWgd.YKa2adKadgkGsEPL6DyzmFe7IVs0alCpC7i5Xi7 Nva_kLzyDZ_5n7ErcqoW4StvZjn4QnU8tT0SuC_KAv5qI3HQc2J5c6s.JuUa Kenf.Ly97aCGoLihsjTXgNir_hNL94Ab0gykOtuWk3vbC8DSF5Pc8SBzDt2D BsUqvF_Pg5SdSVXLVxoSh5zhVVCLmN8yh0Vcb5ymRrEgcMFlrnBAkBBVJNma p3sSx0dZMuoJnxQDbdIAoARkZdFAIMWCVyDUThfliGnTB2a2lJRY7uGo9UsR EiRaMYCBwOYdezc9oikICIsTIdGKrijkz8tq29NfRw2CsxnJoRCFkGijSY9. Hk.iejUPRc9qv85Py.TJlaEV2VmZD4O8KnFPYTPoEZIUVJPjyNbc9a.QsITe veMMvXpXRhmeJjf9pJQOuPPdOiW3DGxEOmfFpVwaZ7y0yL8jiFOQ0Z4kF5Gf 0KIAE5G5D6ghqHFTyJ_zSlKDtdt93.aLiBXz0XX5VHshX2V2dd1Uae1_ftPp iEyG_4IuhiIUXfxUvgYsTU7qONXWesz4cBZ4hGWw8bkml9Ip8USx3SV4QmAa 7eCCjCdrJzAComskC9dCOr4KotqgVspRzAVCxKlFWfxbAIANMpYMtV6mbh8x WX_o8oE0n60xiNscihXdVmeOre_pSdsrOw--|
|X-Originating-IP:||The IP address the email was originally sent from, sometimes wrong - the bottom 'Received' field in the email header is the most reliable indicator of what IP the email came from||[188.8.131.52]|
|Authentication-Results:||Returns the result given in the Received-SPF field, and says spf=pass if the email passed authentication. Also uses the DKIM signature, and equally returns dkim=pass if the DKIM signature was okay.||mta4300.mail.bf1.yahoo.com [email address removed] header.s=20161025; dkim=pass (ok)|
|Received:||Part of the journey the email took to reach us/you, these tend to be in the order bottom-to-top so the first 'Received' is the last step the email took and the last 'Received' is the first step the email took||from 127.0.0.1 (EHLO mail-lj1-f193.google.com) (184.108.40.206) by mta4300.mail.bf1.yahoo.com with SMTPS; Sat, 15 Jun 2019 21:05:03 +0000|
|Received:||Part of the journey the email took to reach us/you, these tend to be in the order bottom-to-top so the first 'Received' is the last step the email took and the last 'Received' is the first step the email took||by mail-lj1-f193.google.com with SMTP id 131so5715377ljf.4 for [email address removed] Sat, 15 Jun 2019 14:05:03 -0700 (PDT)|
|DKIM-Signature:||Used to verify message integrity and ensure the header is not spoofed||v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=eEu4ulTEH09EF6E63u+MqWdEViRGZ34D5/9WxOM46cs=; b=TrZyE1hrHW5G4pYqfkqiVoxyVxd+YNdHCdSct1jStQv1LpEP+9KofG2suq6C+bv5ex RBgS7AnL5MKiQUnri03NsvmaB41ilnz+X0HQGmdvNqZun4++0rgtRwC3+M5Jl2cv+5ST Tq7z7UaXKIQ6ZUz9wGX73JWMDOz8PDNhWPrlZ/RPTeaM2/EzrlfrquZRG79/qaTK3Tz3 l5Gdbf3fPLRoPnRqi6KSYmUe8OMkI/NaJCcKRNj/u+EsFZEUA7GwhPLoe6O8pvYFIacP mrSLmkT4vkA4KtvJ2Xj7iKaaxLGEZ+5iqItvtKXZEqA/aRDDzGr4aAHT+rQxaVckVr/r FDtg==|
|X-Google-DKIM-Signature:||Google Mail adds this to all their headers, it is used to verify message integrity and ensure the header is not spoofed||v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=eEu4ulTEH09EF6E63u+MqWdEViRGZ34D5/9WxOM46cs=; b=HiKK/cLRDUeRetmzIAcJ4pWZQj0yy4ybQF/K2Nk2U33yRE/+dcK5U7uJl1a30x4bGf xR7JFuGU9vs+OzGwkrcC5KEabmUYXWFFhLSE42LzAaVGvW22ROWxJwvmtyUBsHB+Kqlk u21ic42g65WtY9lPmpfYPcEQpIn3DenZe+dRsdvJ4L44mcYHNSpcLWxeDWg02ffCT9wM XUkNxhyBDYADnKe92Gw3UlNpwaeIuf54VG636Og6V7FTh+mRb5Ui9nGaavyVLwhpn4BT 4R/Oj9IH1Jfv2N2C3coyq/v1S88l2aCSwXUFBlBKtIezUBVykDnG3ZaOCQORzbid+k+4 eS8g== X-Gm-Message-State: APjAAAXLuVQCaVOvtO00WDJ9rkFObViqP1dvj0LLJQMgUXOUfbGPA8QI V6dm4DH+0bXRZwDs3ZBKQIqRzmLLsrnSmcmc1/w= X-Google-Smtp-Source: APXvYqyLypkTEvizLEbc9ES/tZ+uNwn0gqDQFbGCIyPKETAIKlhSJttyPn9A6PMHOfXdAKE2Wb7de1B10XKs8fe4AZE=|
|X-Received:||Just like 'Received'. Part of the journey the email took to reach us/you, these tend to be in the order bottom-to-top so the first 'Received' is the last step the email took and the last 'Received' is the first step the email took||by 2002:a2e:9e14:: with SMTP id e20mr54071805ljk.172.1560632702991; Sat, 15 Jun 2019 14:05:02 -0700 (PDT)|
|MIME-Version:||Included, usually 1.0, if the email or header contains any non-ASCII characters or non-text attachments, or if the email is multi-part (contains a plain text version plus an HTML one, lets the user's email client or webmail decide which version to display)||1.0|
|From:||This is the address the email was apparently sent from||bob Frank [email address removed]|
|Date:||The date/time the email was sent||Sat, 15 Jun 2019 22:04:49 +0100|
|Message-ID:||A unique ID assigned to the email for reference purposes||[email address removed]|
|Subject:||The subject of the email||INTERNATIONAL FUNDS REGULATORY AUTHORITY|
|To:||The email address(es) the email was sent to||undisclosed-recipients:;|
|Content-Type:||What type of content the email is, usually text/html, and what character set is used||multipart/alternative; boundary="000000000000e305f7058b631d47"|
|Bcc:||Email addresses the email was secretly copied into, this field is usually blanked so even by viewing the email header you can't see who was secretly copied into the email||[email address removed]|
|Content-Length:||The size of the email, in bytes||17381|
15.5 MILLION US DOLLARS
HAVE JUST BEEN BROUGHT TO MY DESK FOR CANCELLATION WHICH I HAVE TO TAKE MY
TIME TO LOOK INTO YOUR PAYMENT FILE TO KNOW WHY YOUR OVER DUE PAYMENT
SHOULD BE CANCELED AND I FOUND OUT THAT IT WAS BECAUSE OF YOUR INABILITY TO
SECURE YOUR ACCESS CODE THAT IS WHY THEY
HAVE RESOLVED TO HAVE YOUR PAYMENT OF $15.5 MILLION US DOLLARS CANCELED.
NEVERTHELESS, DUE TO HUMANITARIAN GROUND AND SYMPATHY AND BECAUSE I DO NOT
WANT YOUR PAYMENT CANCELED SO I IMMEDIATELY CALLED UP THE PRESIDENT
(PRESIDENT MUHAMMADU BUHARI) TO EXPLAIN YOUR MATTER TO HIM AS REGARDS TO
YOUR PAYMENT AND HE PERSONALLY CALLED UP A MEETING WHICH WAS RESOLVED THAT
ALL PAYMENT AND ANY PAYMENT BE REDUCED TO IT'S BAREST MENIAL IN OTHER TO
ENABLE YOU AFFORD TO PAY THE FEE SO THAT YOUR PAYMENT BE RELEASED TO YOU.
YOU HAVE BEEN MANDATED TO IMMEDIATELY COMPLETE YOUR LONG AWAITED FUND WITH
THIS OFFICE INTERNATIONAL MONETARY FUND, SO YOU HAVE BEEN MANDATED TO
COMPLY FOR THE FINAL VET OF YOUR PAYMENT.
TO THIS END IT WILL INTEREST YOU TO KNOW THAT THE ONLY FEE REQUIRED OF YOU
HAVE BEEN REDUCED TO THE SUM OF $110 ONLY WHICH IS IN OTHER TO ENABLE YOU
HAVE THE FEE PAID SO THAT YOUR ACCESS CODE WILL BE RELEASED TO YOU
IMMEDIATELY IN OTHER TO ENABLE YOU HAVE SPEEDY ACCESS TO YOUR FUND ONCE IT
IS RELEASED TO YOU.
PLEASE WE WANT YOU TO KNOW THAT YOU HAVE ONLY 1 WEEK TO DO THIS PAYMENT SO
WE CAN CLEAR, RELEASE AND EFFECT YOUR FUND [...]

pts rule description
---- ---------------------- --------------------------------------------------
0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% [score: 0.5000]
0.0 TVD_RCVD_IP4 Message was received from an IPv4 address
0.0 TVD_RCVD_IP Message was received from an IP address
0.5 SUBJ_ALL_CAPS Subject is all capitals
-0.0 SPF_PASS SPF: sender matches SPF record
0.0 DKIM_ADSP_CUSTOM_MED No valid author signature, adsp_override is CUSTOM_MED
0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in digit (bob303683[at]gmail.com)
0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (bob303683[at]gmail.com)
1.0 HK_SCAM_N3 BODY: No description available.
0.6 URG_BIZ BODY: Contains urgent matter
-0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [220.127.116.11 listed in wl.mailspike.net]
-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [18.104.22.168 listed in list.dnswl.org]
0.8 PP_MIME_FAKE_ASCII_TEXT BODY: MIME text/plain claims to be ASCII but isn't
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
0.0 UPPERCASE_75_100 message body is 75-100% uppercase
0.0 LOTS_OF_MONEY Huge... sums of money
0.1 DKIM_INVALID DKIM or DK signature exists, but is not valid
0.9 NML_ADSP_CUSTOM_MED ADSP custom_med hit, and not from a mailing list
2.0 MIME_NO_TEXT No (properly identified) text body parts
1.7 ADVANCE_FEE_5_NEW_MONEY Advance Fee fraud and lots of money
The email above is most likely a scam, but every now and then legitimate emails do come through, as do spam emails which are not attempting to defraud, so please use your judgement.
Please do not click on links in the above email or make use of any contact details in the above email.