Help identifying Origin of Email

Posted: Fri Apr 12, 2019 7:04 am
by oracledragoness
Good morning,

I was presented with this email regarding a package being sent through diplomatic courier/DHL. I would like to confirm if this is a scammer email. Below is the full email header.

X-Apparently-To: {removed}@yahoo.com; Fri, 12 Apr 2019 01:24:28 +0000
Return-Path: <{removed}@diplomats.com>
X-YahooFilteredBulk: 74.208.4.200
Received-SPF: pass (domain of diplomats.com designates 74.208.4.200 as permitted sender)
X-YMailISG: htQ1MdgWLDvYuaa8AiYB3szt4gyUXSdNvTWyrp04lmFud2YJ
X-Originating-IP: [74.208.4.200]
Authentication-Results: mta4326.mail.gq1.yahoo.com
[email protected]; header.s=dbd5af2cbaf7; dkim=pass (ok)
Received: from 127.0.0.1 (EHLO mout.gmx.com) (74.208.4.200)
by mta4326.mail.gq1.yahoo.com with SMTPS; Fri, 12 Apr 2019 01:24:28 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mail.com;
s=dbd5af2cbaf7; t=1555032267;
bh=qsnCJca5mTtsOfGACbwF671YO40dHODioKl6zp/wTqU=;
h=X-UI-Sender-Class:From:To:Subject:Date;
b=OzSZO8C1DCsyDXEv3bHDdWfXFtvVaDnYdBbEyABJlyBUg4XkzXYg/hIx+Sl3iG0gy
sv/jPpqt6/ImhPzt+iAZxDWjNMhT7TPd9PqHgO//6610iJXNy5TQ4qZg+8ptMY4oR7
NrD2vpq/P9nZQwq/fwqvGOqq2dXGBw9jgO0sjL+c=
X-UI-Sender-Class: 214d933f-fd2f-45c7-a636-f5d79ae31a79
Received: from [142.234.157.20] ([142.234.157.20]) by web-mail.mail.com
(3c-app-mailcom-lxa03.server.lan [10.76.45.4]) (via HTTP); Fri, 12 Apr 2019
03:24:27 +0200
MIME-Version: 1.0
Message-ID: <trinity-6ddf6408-1fde-41f[email protected]>
From: "Raheem Richard" <{removed}@diplomats.com>
To: {removed}@yahoo.com
Subject: FEES
Content-Type: multipart/related;
boundary=kenitram-a03fb498-19c5-47c8-a9b5-80ce43fc0bc0
Date: Fri, 12 Apr 2019 03:24:27 +0200
Importance: normal
Sensitivity: Normal
X-Priority: 3
X-Provags-ID: V03:K1:VWuw+z0ZlrqQjc7WFmzOgtj04UZhuB3XM7Y6YWck0vUQ1ppE+4GL5V/es0VptSOhOMHLu
X-Spam-Flag: NO
X-UI-Out-Filterresults: notjunk:1;V03:K0:CNVVDdVXV5U=:R0DVR40nQwoM4DdSHXqYee
Content-Length: 21684

--kenitram-a03fb498-19c5-47c8-a9b5-80ce43fc0bc0
Content-Type: text/html; charset=UTF-8



Thank you for your assistance.

Re: Help identifying Origin of Email

Posted: Fri Apr 12, 2019 7:54 am
by Chrispcritters
Unfortunately, the headers do not include the sender's IP address.

I can say, with certainty, that it's a scam.

Re: Help identifying Origin of Email

Posted: Fri Apr 12, 2019 8:22 am
by oracledragoness
Thank you very much for your assistance. If you would like to make this public for others to recognize please do.

If the sender is masking their IP address, is there a way to decode it?

Re: Help identifying Origin of Email

Posted: Fri Apr 12, 2019 11:19 am
by Chrispcritters
It's already public ;)

If there was a source IP address in the headers and it was that of a VPN/Proxy/Tor you would very likely not be able to find the user's real IP address.

Re: Help identifying Origin of Email

Posted: Sun May 12, 2019 2:59 am
by coolguy12388
142.234.157.20 isn't this the IP address??

It says Burbank California
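As an added example (not from the thread or any of its posters), here is how to read the Received chain the way Chrispcritters and coolguy12388 are arguing about: walk the hops oldest-first, drop loopback and private addresses, and note that the SPF-validated IP (74.208.4.200) is the mail.com relay, while the "via HTTP" hop (142.234.157.20) is the webmail client that composed the message. The sample header is constructed from the lines pasted above, with folded continuation lines re-indented.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: the Received/SPF lines pasted in the thread, with the
# opaque tracking headers dropped and the continuation lines re-indented so
# a parser sees each folded header as one header.
RAW_HEADERS = """\
Received-SPF: pass (domain of diplomats.com designates 74.208.4.200 as permitted sender)
Received: from 127.0.0.1 (EHLO mout.gmx.com) (74.208.4.200)
 by mta4326.mail.gq1.yahoo.com with SMTPS; Fri, 12 Apr 2019 01:24:28 +0000
Received: from [142.234.157.20] ([142.234.157.20]) by web-mail.mail.com
 (3c-app-mailcom-lxa03.server.lan [10.76.45.4]) (via HTTP); Fri, 12 Apr 2019
 03:24:27 +0200

"""

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def received_hops(raw):
    """Received headers oldest-first: each relay prepends its own line, so the
    top of the header is the last hop and the bottom is the first."""
    return list(reversed(message_from_string(raw).get_all("Received", [])))

def public_ips(text):
    """IPv4 literals in one header, minus loopback, private and duplicate ones."""
    found = []
    for lit in IPV4.findall(text):
        try:
            ip = ipaddress.ip_address(lit)
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
            continue
        if ip.is_global and str(ip) not in found:
            found.append(str(ip))
    return found

def trace(raw):
    """Oldest-first (ip, role) pairs. 'via HTTP' means a webmail session, so that
    IP is the browser that composed the mail; later hops are mail servers."""
    out = []
    for hop in received_hops(raw):
        role = "webmail client (via HTTP)" if "via HTTP" in hop else "SMTP relay"
        out.extend((ip, role) for ip in public_ips(hop))
    return out

def spf_permitted_ip(raw):
    """The IP the receiver's SPF check validated. It vouches for the relay that
    delivered the mail, not for whoever logged into the webmail account."""
    ips = public_ips(message_from_string(raw).get("Received-SPF", ""))
    return ips[0] if ips else None
```

`trace(RAW_HEADERS)[0]` is the earliest public address, which for a webmail submission is the client's IP as seen by the provider; a VPN, proxy or Tor exit would appear there instead of the user's real address, which is the limitation Chrispcritters describes.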