The email was sent on 2019-07-10 08:19:54 and appeared to be from email@example.com but this address could have been spoofed.
If you replied to this email, your reply would have been sent to firstname.lastname@example.org which was the scammer's actual email address.
It was probably sent from 126.96.36.199 in Unknown, United States - Click here to see the location on a map
Click here to leave a comment
Explains what each bit of the header means, and shows the journey the email took. Click here to show or hide it
|X-Apparently-To:||Used when there is no 'to' field in the header, does the same thing (says what email address(es) the email is sent to||[email address removed] Wed, 10 Jul 2019 05:19:54 +0000|
|Return-Path:||The address the email was sent from, or at least the one this email should be 'bounced' back to if it can not be delivered. Often spammers and scammers modify the email header to set a different return-path||[email address removed]|
|Authentication-Results:||Returns the result given in the Received-SPF field, and says spf=pass if the email passed authentication. Also uses the DKIM signature, and equally returns dkim=pass if the DKIM signature was okay. More info||mta4426.mail.ne1.yahoo.com [email address removed] header.s=20161025 dkim=pass (ok); spfDomain=gmail.com spfResult=pass; dmarc=pass(p=none sp=quarantine dis=none) header.from=gmail.com|
|X-YahooFilteredBulk:||The IP here was blacklisted by Yahoo for sending spam||188.8.131.52|
|Received-SPF:||Returns 'pass' if the email was sent legitimately, 'neutral' if the server thinks nothing is right or wrong, 'soft fail' if it's not a serious issue, 'fail' if the email was sent by an unauthorised user or IP address (often if the mail server is hacked into), 'none' if the server can't tell, 'permerror' if the mail client does not understand what the server is saying, 'temperror' if the client can't connect to the server. More info||pass (domain of gmail.com designates 184.108.40.206 as permitted sender)|
|X-YMailISG:||A unique ID added by the Yahoo Inbound Spam Guard||ouWSAl8WLDvm5kVAOs6QfjFoUap42jyEe52fjxA9ZvxMt5wE quTaLpPzXzJaMZ1ctHXsw959hSyqs0FULSvLt8XUIsJqXFYwqwyXOptfudZT gqkhXuEgxKtIqjVUK6tdXQrXvwJuf6qATMX0Fd7qOuzF7_2g5vqrjiIV.TRG DPtf_jrFt7bSOR._2wqs997j76IhbIx_WKr.dBB3S6wlQnxz92aY7V93k7SO AltqfpVY0XPHhOrweOXDafvYfYrOr7IqthQVxGEkF_n0YEfR0chpG7ftwp1U FpyTJ3R9sydg2wROxNLrBFOIRRPo7YAeJC5uU27tqPAbRA7f9dmcc2cHP8li 8fB2rpjfTao1hWqlrkNbYFEct3LTyhNoJ4y3YDNpJKgsmf2U7JU5VKZ6ZuMy yq8Y2bWHwoBYriorQ6xXSaNpn9tfJFjv4tW_J2biamOJjn1.Q0bbOYtlPTWJ uny4BuuuCbxmUJyE1MdrX2KO.gFHag30Exom0FmfaMXeugM65EEPQ5W1ruii f299aJ.pFA9HpVynUkFFLHO9Hi_3GvOgg1nOwgh1_xuyfbZ.W69SDeWA0Hf9 rCGNkyN_uwuL.NTiBk2SIZK_vxZFk44ghwq01d9nxc4vV.3Up6_1afs5eKmI zux_iC9dIdCtf.Y8Rk3pBCZAuyq7j0m9FkH6iypURxA4BqlFeWEeBnWYrKdO Gl0NIsV6PeWJI2jq6F9GzOOo7JKLUbvs0xYSVw3WqT4pE0jRKi99H2msAAR0 q8.SmQSRekE65mlyDZUBVC5rYWh_GiZnUwj6MkW77pyu6NpG.3bMiHC5pAHL xBC.MUUQ6CXFD.Y3eYOwW_bFptgvupLMqUUHiolxZS54xaf3blW0F0uF25V4 fS1DlSBxudqPNXi0gnnX.V4hSus4JxBAsjsHwUsUWdaa7CIeJEpcSQDdETpF jpBUrX0EsajilTbxoQ1jtMHgxPKzitSLhXXNXJuumRtIxlU2ty_uYr9V6ZaR TGSHB_tk3Bi4bg_haxFvMdLGgR5qChYTEnSn.bh5wjYTmY3xbYz9G9yogU0O f8obqwN15J_lOoTAubJ_wYshJphWsKSh.AfvDqqgJCiroBFxKvtdBDRpvzMi 0xQmR8sbDNHgpGSXzlQ4xxC3cuXU5ILXJCf0hMP4F4QFeuwidEipcSYrfP7s CAzzAFQr4VTZi1nvesZchJNUXgD2it2pBHdQ_ihUBdX9YtsgJq0tiPPllIrq Yl1A|
|X-Originating-IP:||The IP address the email was originally sent from, sometimes wrong - the bottom 'Received' field in the email header is the most reliable indicator of what IP the email came from||[220.127.116.11]|
|Received:||Part of the journey the email took to reach us/you, these tend to be in the order bottom-to-top so the first 'Received' is the last step the email took and the last 'Received' is the first step the email took||from 127.0.0.1 (EHLO mail-ed1-f65.google.com) (18.104.22.168) by mta4426.mail.ne1.yahoo.com with SMTPS; Wed, 10 Jul 2019 05:19:53 +0000|
|Received:||Part of the journey the email took to reach us/you, these tend to be in the order bottom-to-top so the first 'Received' is the last step the email took and the last 'Received' is the first step the email took||by mail-ed1-f65.google.com with SMTP id e3so619822edr.10 for [email address removed] Tue, 09 Jul 2019 22:19:53 -0700 (PDT)|
|DKIM-Signature:||Used to verify message integrity and ensure the header is not spoofed||v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=3M4jBjeKPnlUXBfq1P7hDNo+n844cTs1DCSaPp2Ntl4=; b=kndJTcYJqJmikKfp9Cvsqq+7HS/EiWjgayVYtGuV6dTpC4n7hkGY88BdV+8+rLIgkL YSFo+id90scU1KH9s9y5d9QfIgJUj5cpW9mxM3jDhlIHSXvpF6byQZ5MMwsXssoRrrH8 Ns2sRpANqvGzEROJNqQ02Y3vOOOMu8ZW050RbiXz2vVy/Z/uygYLQLjNLGcC79OSadsO g3/IiLpk8eERHdG9EfcEGW82njrliu60BNd2m+uQtVQpasLbl0fsrnAiwRcZK3dzbmJ9 Cqp7sATZ0cbKABXplYqmiMwS84yIsBBApwddUIcI4MUJCiOaTvn1gCQlDdABzABvywR5 Mz4g==|
|X-Google-DKIM-Signature:||Google Mail adds this to all their headers, it is used to verify message integrity and ensure the header is not spoofed||v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=3M4jBjeKPnlUXBfq1P7hDNo+n844cTs1DCSaPp2Ntl4=; b=c57Ho2bsGpbCzdcLhYVLpfLuixtZDTIsasTKVWFX6UqeC0zhJM5yUhwGk3Og11VSj9 qlqlT1BRsJyIZ7+7h8ACVzPmthHGmubeos0Eu5/mf67OghMS+mj7hwHArcRUVHWjtQFF Q87XSSndXptU5V+Lvprz3/P6iaehfeHSPYZV7gwVHY6AQYiJC3PXcYUKs6N0lynGBTiu l4R2DqBaOFMBx31b8OEc4689RXLwm5yywzFdG5IDyDVnDekJI9w3+KEpTXb74rC2F/IK qmzvuUsTdwiat1s2eRHytkkf4lW/izJ5mfCb1SdlqNFuXGdNwN8pJX7yQ65+fGdxsVg0 XwXg== X-Gm-Message-State: APjAAAUnv1bfvv0wfIpIqmuboMhZkugMnWzsYsYfmHoGejxXFrWP/9V9 HtcbVj0joDFknQm/rLXDiltmtNch0Gk2DkNVZQM= X-Google-Smtp-Source: APXvYqx4DwRS0okwU7cg/cRu6adMan0ihQb63dcuqD+Q9wfHk/GLCeCF4514u6mJiy6+oq5k7Rq4GzvgOeweAxF0Nro=|
|X-Received:||Just like 'Received'. Part of the journey the email took to reach us/you, these tend to be in the order bottom-to-top so the first 'Received' is the last step the email took and the last 'Received' is the first step the email took||by 2002:a50:a4ef:: with SMTP id x44mr29628356edb.304.1562735992188; Tue, 09 Jul 2019 22:19:52 -0700 (PDT)|
|MIME-Version:||Included, usually 1.0, if the email or header contains any non-ASCII characters or non-text attachments, or if the email is multi-part (contains a plain text version plus an HTML one, lets the user's email client or webmail decide which version to display)||1.0|
|From:||This is the address the email was apparently sent from||USAEMBASSY NIGERIA [email address removed]|
|Date:||The date/time the email was sent||Tue, 9 Jul 2019 22:19:44 -0700|
|Message-ID:||A unique ID assigned to the ID for reference purposes||[email address removed]|
|Subject:||The subject of the email||PAYMENT NOTICE M|
|To:||The email address(es) the email was sent to||undisclosed-recipients:;|
|Content-Type:||What type of content the email usually is, usually text/html, and what character set is used||multipart/alternative; boundary="000000000000b139f8058d4cd37a"|
|Bcc:||Email addresses the email was secretly copied into, this field is usually blanked so even by viewing the email header you can't see who was secretly copied into the email||[email address removed]|
|Content-Length:||The size of the email, in bytes||11819|
pts rule description ---- ---------------------- -------------------------------------------------- 8.2 MILLION .WE HAVE DECIDED TO TAKE THIS ISSUE UPON OURSELVES TO
SAFEGUARD YOU FROM THESE CRIMINAL MINDED INDIVIDUALS WHOSE ONLY INTEREST
WAS TO EXTORT MONEY AND FEES FROM YOU.
THIS IS IN LINE WITH THE AGREEMENT I SIGNED WITH THE NIGERIA GOVERNMENT ON
MY ASSUMPTION OF OFFICE AS THE USA AMBASSADOR TO NIGERIA, RESULTING FROM
COMPLAINS WE RECEIVED DAILY ON SCAMS IN NIGERIA AND IN AFRICA, ASIAN AND
SO YOU ARE HEREBY ADVISED TO CONTACT MY OFFICE ON THE ABOVE EMAIL AND PHONE
NUMBER, RECONFIRM,YOUR FULL NAME,YOUR MAILING/BILLING INFORMATION,DIRECT
PHONE/FAX NUMBERS THE NAME OF YOUR NEXT OF KIN AND A COPY OF YOUR
INTERNATIONAL PASSPORT OR DRIVERS LICENSE IDENTIFICATION FOR RECORD
PURPOSE AND EFFECTIVE DELIVERY OF YOUR ATM CARD.
HOWEVER,ALWAYS KEEP ME POSTED AS SOON AS YOU RECEIVE YOUR ATM CREDIT CARD
VALUE OF YOUR FUND.
WE HAVE CALCULATED AND APPROVED THE ARRIVAL OF YOUR ATM CARD TO BE WITHIN
THREE DAYS UPON THE RECEIPT OF THE ABOVE DETAILS.
*Mr. W.STUAR T SYMINGTONUnited States Ambassador to (Nigeria)* [...] -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] 0.0 TVD_RCVD_IP Message was received from an IP address 0.0 TVD_RCVD_IP4 Message was received from an IPv4 address 0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in digit (usaembassy.nig1444[at]gmail.com) 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (usaembassy.nig1444[at]gmail.com) -0.0 SPF_PASS SPF: sender matches SPF record 0.5 SUBJ_ALL_CAPS Subject is all capitals 0.0 DKIM_ADSP_CUSTOM_MED No valid author signature, adsp_override is CUSTOM_MED 2.0 DEAR_SOMETHING BODY: Contains 'Dear (something)' 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists… #dnsbl-block for more information. [URIs: gmail.co] -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [22.214.171.124 listed in wl.mailspike.net] -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [126.96.36.199 listed in list.dnswl.org] 1.0 PP_MIME_FAKE_ASCII_TEXT BODY: MIME text/plain claims to be ASCII but isn't 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid 0.1 DKIM_INVALID DKIM or DK signature exists, but is not valid 0.0 UPPERCASE_50_75 message body is 50-75% uppercase 1.6 HK_SCAM No description available. 0.0 LOTS_OF_MONEY Huge... sums of money 1.3 PDS_NO_HELO_DNS High profile HELO but no A record 0.9 NML_ADSP_CUSTOM_MED ADSP custom_med hit, and not from a mailing list 1.0 MIME_NO_TEXT No (properly identified) text body parts 1.0 MONEY_ATM_CARD Lots of money on an ATM card 0.0 T_FILL_THIS_FORM_SHORT Fill in a short form with personal information 2.5 MONEY_FORM_SHORT Lots of money if you fill out a short form 1.2 ADVANCE_FEE_5_NEW_MONEY Advance Fee fraud and lots of money 2.8 FORM_FRAUD_5 Fill a form and many fraud phrases
The email above is most likely a scam but every now and then legitimate emails do come through, as do spam emails which are not attempting to defraud, so please use your judgement
Please do not click on links in the above email or make use of any contact details in the above email.