This one was sent via AOL - similar situation to what Andy reported, except phishing as from an FNB email addy.
Code:
Return-path: <bobboshirl@aol.com>
Envelope-to: [me]
Delivery-date: Wed, 04 Apr 2012 07:52:56 +0200
Received: from oms-db04.r1000.mx.aol.com ([205.188.58.4])
by oran.eh-servers.net with esmtp (Exim 4.69)
(envelope-from <bobboshirl@aol.com>)
id 1SFJ9L-0004Dn-J5
for [me]; Wed, 04 Apr 2012 07:52:55 +0200
Received: from mtaomg-db05.r1000.mx.aol.com (mtaomg-db05.r1000.mx.aol.com [172.29.51.203])
by oms-db04.r1000.mx.aol.com (AOL Outbound OMS Interface) with ESMTP id 33CA71C00008A;
Wed, 4 Apr 2012 01:52:51 -0400 (EDT)
Received: from core-die001a.r1000.mail.aol.com (core-die001.r1000.mail.aol.com [172.29.231.65])
by mtaomg-db05.r1000.mx.aol.com (OMAG/Core Interface) with ESMTP id D490BE000082;
Wed, 4 Apr 2012 01:52:48 -0400 (EDT)
X-MB-Message-Source: WebUI
Subject: FNB :-) R1896.47 paid from cheq a/c..136461
X-MB-Message-Type: User
MIME-Version: 1.0
From: "inContact@fnb.co.za" <bobboshirl@aol.com>
Content-Type: multipart/mixed;
boundary="<hr />---MB_8CEE03E4CBB8F96_9E4_2B733_webmail-d001.sysops.aol.com"
X-Mailer: AOL Webmail 35911-STANDARD
Received: from 41.23.35.126 by webmail-d001.sysops.aol.com (205.188.181.92) with HTTP (WebMailUI); Wed, 04 Apr 2012 01:52:48 -0400
Message-Id: <8CEE03E4CB92E35-9E4-BC01@webmail-d001.sysops.aol.com>
X-Originating-IP: [41.23.35.126]
Date: Wed, 4 Apr 2012 01:52:48 -0400 (EDT)
x-aol-global-disposition: S
X-SPAM-FLAG: YES
X-AOL-VSS-INFO: 5400.1158/79760
X-AOL-VSS-CODE: clean
X-AOL-SCOLL-SCORE: 1:2:251064160:93952408
X-AOL-SCOLL-URL_COUNT: 1
X-AOL-REROUTE: YES
x-aol-sid: 3039ac1d33cb4f7be1b05b86
X-Spam-Status: No, score=4.6
X-Spam-Score: 46
X-Spam-Bar: ++++
X-Ham-Report: Spam detection software, running on the system "oran.eh-servers.net", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.
Content preview: A payment has been made to your account. please find attached
your FNB account statement in your email. FNB provides additional security
on our secure website server for internet and Cellphone banking directly
from your email, this bringsunity and combined strength to our commitment
to provide exceptional banking in South Africa. [...]
Content analysis details: (4.6 points, 5.0 required)
pts rule name description
---- ---- ---- ---- ---- ---- ---- ----
1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,
https://senderscore.org/blacklistlookup/
[205.188.58.4 listed in bl.score.senderscore.com]
-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no
trust
[205.188.58.4 listed in list.dnswl.org]
3.0 AXB_X_AOL_SEZ_S AOL said this is S
0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
(bobboshirl[at]aol.com)
0.8 SPF_NEUTRAL SPF: sender does not match SPF record (neutral)
-0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay
domain
1.0 MISSING_HEADERS Missing To: header
0.0 T_HTML_ATTACH BODY: HTML attachment to bypass scanning?
0.4 HTML_IMAGE_RATIO_02 BODY: HTML has a low ratio of text to image area
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
0.0 HTML_MESSAGE BODY: HTML included in message
X-Spam-Flag: NO
X-Brightmail-Tracker: AAAAAhp1PMsadjHc
X-Brightmail-Tracker: AAAAAA==
Note the From: line.
I'm not familiar with the AOL interface, but they're probably using the FNB email account as the "account name" in AOL to create the illusion.
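The mismatch on the From: line, turned into a check (an added example, not part of the original post): it flags a display name that contains an email address from a different domain than the real sender address. The sample is a subset of the headers quoted above; the function and field names are illustrative assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Subset of the headers quoted in the post above (recipient lines omitted).
SAMPLE = '''\
Return-path: <bobboshirl@aol.com>
Subject: FNB :-) R1896.47 paid from cheq a/c..136461
From: "inContact@fnb.co.za" <bobboshirl@aol.com>
X-Mailer: AOL Webmail 35911-STANDARD
X-Originating-IP: [41.23.35.126]

'''

# An email address embedded in free text; group 1 is its domain.
ADDR_IN_TEXT = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def related(a, b):
    # Same domain, or one is a subdomain of the other.
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def check_from(raw_headers):
    """Compare the From: display name with the real sender address."""
    msg = message_from_string(raw_headers)
    display, addr = parseaddr(msg.get("From", ""))
    real_domain = domain_of(addr)
    findings = {"display": display, "address": addr,
                "spoofed_display": False, "claimed_domain": None,
                "return_path_aligned": None}
    # A display name that is itself an address on another domain is the
    # trick used here: many mail clients show only the display name.
    m = ADDR_IN_TEXT.search(display)
    if m and not related(m.group(1).lower(), real_domain):
        findings["spoofed_display"] = True
        findings["claimed_domain"] = m.group(1).lower()
    # The envelope sender agreeing with From: only shows the mail really
    # came through that provider; it says nothing about the display name.
    _, rp = parseaddr(msg.get("Return-Path", ""))
    if rp:
        findings["return_path_aligned"] = related(domain_of(rp), real_domain)
    return findings

if __name__ == "__main__":
    print(check_from(SAMPLE))
```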