An
Email with the Subject "Urquhart" was
received in one of Scamdex's honeypot email accounts on Fri, 21 Aug 2015 05:18:48 -0700
and has been classified as a Advance Fee Fraud/419 Scam Email.
The sender shows as Franzoni Barthold <franzonibarthold@gmail.com>.
The email address was probably spoofed. Do not reply to or contact any persons or organizations referenced in
this email, or follow any URLs as you may expose yourself to scammers and, at the very least, you will be
added to their email address lists for spam purposes.
Scam TagCloud
580 million dollarsdiednext of kin millionclientfundsentmaildollarconfidentialfranzonibarthold@gmail.com will huge amount($13.580 million dollars)(eng alex urquhart)financial
NO CHART DATA - EMAIL HAS NOT YET BEEN ANALYSED
Scam Email Headers
This a (redacted) view of the raw email headers of this scam email.
Personally Identifiable Information (PII) has been suppressed, but can be
supplied as received to appropriate investigating or law enforcement agencies on request.
EEEEEstdClass Object
(
[return-path:] =>
[envelope-to:] => mxw@o7e.net
[delivery-date:] => Fri, 21 Aug 2015 05:18:48 -0700
[received:] => Array
(
[0] => from 66-220-157-64.outmail.facebook.com ([66.220.157.64]:17826 helo=smtpin.mx.facebook.com)by bigcat.newsblaze.com with esmtp (Exim 4.85)(envelope-from )id 1ZSlHF-0003DU-VXfor mxw@o7e.net; Fri, 21 Aug 2015 05:18:48 -0700
[1] => from [209.85.217.193] ([209.85.217.193:36018] helo=mail-lb0-f193.google.com)by 10.224.57.51 (envelope-from )(ecelerity 2.2.3.50 r(45166/45167)) with ESMTPS (cipher=DHE-RSA-AES128-SHAsubject="/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com") id 15/10-12232-81717D55; Fri, 21 Aug 2015 05:18:32 -0700
[2] => by lbvd4 with SMTP id d4so3258581lbv.3 for ; Fri, 21 Aug 2015 05:18:30 -0700 (PDT)
[3] => by 10.112.135.103 with HTTP; Fri, 21 Aug 2015 05:18:30 -0700 (PDT)
)
[dkim-signature:] => Array
(
[0] => v=1; a=rsa-sha256; d=fwd.facebook.com; s=s1024-2014-q3; c=relaxed/simple;q=dns/txt; i=@fwd.facebook.com; t=1440159513;h=From:Subject:X-:Date:To:MIME-Version:Content-Type:Authentication-Results;bh=Z0qm5slZHCrdlJULMHkimugi28abp2daBEAcRp8YRgw=;b=Idcj0g7PDGN+8ri3PRYrhH9ODJbz4n1QoSUEuJcKTeWlUYe5Qm0WZFYq595795DQxsZbbejAdHLfp275VfjYDzUeO0nhqVa4GzV76kX/V/z9WSbkIHiptNj59WR+th6pAuZfxFtKQPQWrBOCdU1DE/8EE0te8neXQV8pXyPERcw=;
[1] => v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:reply-to:date:message-id:subject:from:to:content-type; bh=Z0qm5slZHCrdlJULMHkimugi28abp2daBEAcRp8YRgw=; b=DV9+svzyIGsMz4x9Gea1xFXtA6dr5JxcWP3UR9IbLyRBj5AuoaQfMyh/tfNnxOm4IP eZtuD9RheBeeBTSakwK+/F136LQ0JrgmBeXIuRdPQXwvCxQG6ALbD9vW8iDvC2+dO19+ /cJeO0YrZTiStoTWhCgNHks2G13ijeneHc4nhtO2QfihoyIC2qMcReOy9koNQvAY17ED 36pNThYrFvcub9UvNcQG0uv03KFUl/6dK+pSPo3aUaFgPz+yX0VEoWZs+i6b8CukYVYx uVYV3L2WmkPSrPoIhINowDf+TisFMJvD2BFCXQsSZ6ZBgBDjHv1hRgNkeoejINbDrVzO X/8Q==
)
[x-original-to:] => dumbtube@facebook.com
[authentication-results:] => Array
(
[0] => smtpin.mx.facebook.com x-tls.subject="/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com"; auth=pass (cipher=DHE-RSA-AES128-SHA)
[1] => smtpin.mx.facebook.com; spf=pass smtp.mailfrom=gmail.com
[2] => smtpin.mx.facebook.com; dkim=pass header.d=gmail.com
)
[received-spf:] => pass (smtpin.mx.facebook.com: domain gmail.com designates 209.85.217.193 as permitted sender)
[mime-version:] => 1.0
[x-received:] => by 10.152.120.7 with SMTP id ky7mr7815649lab.12.1440159510611;Fri, 21 Aug 2015 05:18:30 -0700 (PDT)
[reply-to:] => franzonibarthold@outlook.com
[date:] => Fri, 21 Aug 2015 05:18:30 -0700
[message-id:] =>
[subject:] => Urquhart
[from:] => Franzoni Barthold
[to:] => undisclosed-recipients:;
[content-type:] => multipart/alternative; boundary=089e0117690d0ce51b051dd14407
[bcc:] => dumbtube@facebook.com
[x-spam-status:] => No, score=2.5
[x-spam-score:] => 25
[x-spam-bar:] => ++
[x-ham-report:] => Spam detection software, running on the system "bigcat.newsblaze.com",has NOT identified this incoming email as spam. The originalmessage has been attached to this so you can view it or labelsimilar future email. If you have any questions, seeroot\@localhost for details.Content preview: I am sending this message to you with the trust that you will keep it confidential as it has to do with a huge amount of money($13.580 million dollars)one of your relative(Eng Alex Urquhart) who happen to be my client, died by brief illness.and since then the financial firm has asked me to present his next of kin for the inherit of this fund. i will expect you to indicate your interest for more details. [...] Content analysis details: (2.5 points, 4.5 required) pts rule name description---- ---------------------- -------------------------------------------------- 2.3 HK_SCAM_N2 BODY: No description available. 0.0 TVD_RCVD_IP Message was received from an IP address 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (franzonibarthold[at]gmail.com) 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different-0.0 SPF_PASS SPF: sender matches SPF record-1.3 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain 0.0 HTML_MESSAGE BODY: HTML included in message-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.4 RDNS_DYNAMIC Delivered to internal network by host with dynamic-looking rDNS 0.2 FREEMAIL_FORGED_FROMDOMAIN 2nd level domains in From and EnvelopeFrom freemail headers are different 0.0 LOTS_OF_MONEY Huge... sums of money 1.0 FREEMAIL_REPLYTO Reply-To/From or Reply-To/body contain different freemails
[x-spam-flag:] => NO
)
Domain Names used for collecting scam email ("Honeypot email accounts") have been obscured and replaced with the token 'HUN1P0T'
Community Action - SPAM/non-Scam Report
Occasionally, incorrectly categorized emails get into the Scamdex Scam Email Database and need to be removed. If this
email has Personally Identifiable Information (PII), or is, in your opinion, from a bona-fide entity, let us know.
Scamdex will, as soon as is practicable, take-down any emails that in our opinion should not
be in our database. Note that ALL emails in the Scamdex Scam Email Database were received as Unsolicited Commercial Email, aka UCE or
SPAM, via unpublished 'Honeypot' email addresses.
I am sending this message to you with the trust that you will keep it confidential as it has to do with a huge amount of money($13.580 million dollars)one of your relative(Eng Alex Urquhart) who happen to be my client, died by brief illness.and since then the financial firm has asked me to present his next of kin for the inherit of this fund. i will expect you to indicate your interest for more details.
I am sending this message to you with the trust that you will keep it confidential as it has to do with a huge amount of money($13.580 million dollars)one of your relative(Eng Alex Urquhart) who happen to be my client, died by brief illness.and since then the financial firm has asked me to present his next of kin for the inherit of this fund. i will expect you to indicate your interest for more details.
