hier scheint aber Einer noch zu üben.
- schlechtes Deutsch
- Anrede mit Mail-Addy
- kein Logo, reine html-Mail


header:
01: From - Thu Mar 16 xx:xx:xx 2017
02: X-Account-Key: account1
03: X-UIDL: [UID filtered]
04: X-Mozilla-Status: 0000
05: X-Mozilla-Status2: 00000000
06: X-Mozilla-Keys:
07:
08: Return-Path: <SRS0=5AEHyN=2Z=chericolaw.com=admin [at] eigbox.net>
09: Received: from mailin57.aul.t-online.de ([172.20.27.6])
10: by ehead412.aul.t-online.de (Dovecot) with LMTP ID: [ID filtered]
11: Thu, 16 Mar 2017 xx:xx:xx +0100
12: Received: from bosmailout03.eigbox.net ([66.96.189.3]) by
13: mailin57.aul.t-online.de
14: with (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384 encrypted)
15: esmtp ID: [ID filtered]
16: Received: from bosmailscan11.eigbox.net ([10.20.15.11])
17: by bosmailout03.eigbox.net with esmtp (Exim)
18: ID: [ID filtered]
19: for poor [at] spamvictim.tld; Thu, 16 Mar 2017 xx:xx:xx -0400
20: Received: from [10.115.3.31] (helo=bosimpout11)
21: by bosmailscan11.eigbox.net with esmtp (Exim)
22: ID: [ID filtered]
23: for poor [at] spamvictim.tld; Thu, 16 Mar 2017 xx:xx:xx -0400
24: Received: from bosauthsmtp13.yourhostingaccount.com ([10.20.18.13])
25: by bosimpout11 with
26: ID: [ID filtered]
27: X-Authority-Analysis: v=2.1 cv=SZN5d5hu c=1 sm=1 tr=0
28: a=UH8/iCWBfdUmbm4Ft4Vi3Q==:117 a=f3JsuBpjTDvMEg6mVcm7tw==:17
29: a=L9H7d07YOLsA:10 a=9cW_t1CCXrUA:10 a=s5jvgZ67dGcA:10 a=6Iz7jQTuP9IA:10
30: a=9DvhAHx2yrWFMPxQWpQA:9 a=aM8gLu4gAAAA:8 a=ym8DdA9eD3IZLIKW_rkA:9
31: a=QEXdDO2ut3YA:10 a=q4UH08J_g1cA:10 a=KVN638fA8Ul8LJI940UA:9
32: a=obsqw5EqefK0cm2E:21 a=_W_S_7VecoQA:10 a=ltXguwzyz4UKhWyt9Mex:22
33: Received: from [91.112.219.58] (port=53848 helo=[127.0.0.1])
34: by bosauthsmtp13.eigbox.net with esmtpa (Exim)
35: ID: [ID filtered]
36: for poor [at] spamvictim.tld; Thu, 16 Mar 2017 xx:xx:xx -0400
37: From: Volksbank Raiffeisenbanken =?UTF-8?B?S29udG9wcsO8ZnVuZw==?=
38: <admin [at] chericolaw.com>
39: Content-Type: multipart/alternative;
40: boundary="Apple-Mail-1276E1D3-DBCD-A580-AFA2-5B537C3FD3FE"
41: Mime-Version: 1.0 (1.0)
42: Subject: Neue Sicherheits, wir bitte um Ihre Mithilfe : 795448709210855
43: Message-ID: [ID filtered]
44: Date: Thu, 16 Mar 2017 xx:xx:xx +0100
45: To: poor [at] spamvictim.tld
46: X-Mailer: iPad Mail (13E238)
47: X-EN-UserInfo: f74dcc9e8f8595a7d3e41b8c724648c6:931c98230c6409dcc37fa7e93b490c27
48: X-EN-AuthUser: admin [at] chericolaw.com
49: Sender: Volksbank Raiffeisenbanken Kontoprüfung
50: <admin [at] chericolaw.com>
51: X-EN-OrigIP: 91.112.219.58
52: X-EN-OrigHost: unknown
53: X-TOI-SPAM: n;1;2017-03-16Txx:xx:xxZ
54: X-TOI-VIRUSSCAN: unchecked
55: X-TOI-EXPURGATEID: [ID filtered]
56: X-TOI-SPAMCLASS: CLEAN, NORMAL
57: X-TOI-MSGID: [ID filtered]
58: X-Seen: false
59: X-ENVELOPE-TO: <poor [at] spamvictim.tld>

und hier ist das Fake-Formular whois:http://www.meine-vrbank.de.ptlweb.webportal.bankid.7559.trackid.piwikb7c1867dd7ba9c57.5cfb953e3e9a61303f57699b42634b9a.killerbeads.org/js/.x/vr/8f125da0b3432ed853c0b6f7ee5aaa6b.html

Lieber Phisher, eine VR-Bank mit ID7559 ... gibbet es nicht