title: Where is dat important words in this phishing email, Gmail?

Gmail failed to filter out a phishing email again, big time:

https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWS0p1bWk8b8c8Z8nzwN694gijXGqN9tZqtY6MXQ_xjpiVdhgtlHZJB7FgJbwIvvdORW8_WKQi-aRA8dnfw4v7KLRwN6rsM-CfhWwds-9kdDz5CT-b6bFcPJoO7kDMAG-JUIOIPXU2Hy4/s800/2012-04-18--17:52:06.png

Oh, c’mon, its body is empty, where is dat important words? It doesn’t even have a subject line. Alright, it has one: “cc.” Really, Gmail? What, the attachment filename, you serious?

Here is a screenshot of that email. I’m glad that Google Docs provides viewing on the net, so I don’t need to download it and worry whether it contains a virus, though Gmail said it has scanned it. But even if it really has a virus, it may need to be specifically designed for attacking Linux.

https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgS85yVS7l0XvVSmXssmlPzfcFmvoI9cQ9iei-afRgWnnAyVcvL0EQKuc1-KZJievYqfJ7-sLOH6eXr-gE7NQqQCWwZ6rQ5lA0ZcrfhaASOyEyXrh8CpQZwYLFpRQj3Bp_Iu9ZTs7iGDtE/s800/2012-04-18--17:55:15.png

The ridiculous content is old, but the method is a little bit new to me — using an attachment. Poor Coca Cola, a victim as well.

1   Archive

1.1   Email headers

Delivered-To: livibetter@gmail.com
Received: by 10.180.93.101 with SMTP id ct5csp181759wib;
        Wed, 18 Apr 2012 00:01:23 -0700 (PDT)
Received: by 10.236.79.8 with SMTP id h8mr1003624yhe.79.1334732483236;
        Wed, 18 Apr 2012 00:01:23 -0700 (PDT)
Return-Path:
Received: from smtp.mail.wowway.com (smtp.wow.synacor.com. [64.8.70.55])
        by mx.google.com with ESMTP id q25si22785285yhj.122.2012.04.18.00.01.22;
        Wed, 18 Apr 2012 00:01:23 -0700 (PDT)
Received-SPF: neutral (google.com: 64.8.70.55 is neither permitted nor denied by best guess record for domain of dbhubbard@wowway.com) client-ip=64.8.70.55;
Authentication-Results: mx.google.com; spf=neutral (google.com: 64.8.70.55 is neither permitted nor denied by best guess record for domain of dbhubbard@wowway.com) smtp.mail=dbhubbard@wowway.com
Return-Path:
X-Spam-Rating: None
X_CMAE_Category: 0,0 Undefined,Undefined
X-CNFS-Analysis: v=1.1 cv=+PD7zhiQh4wHAkX2ildB6Hz7oVUY6cTH2eYUHJ1YceI= c=1 sm=0 a=-4BUNljfCKEA:10 a=FKkrIqjQGGEA:10 a=AhRLOILGsKkA:10 a=gv4l6aEeuxxzeCLns_sA:9 a=K-QaQ4hbBhWg8AMYVz4A:7 a=QEXdDO2ut3YA:10 a=_W_S_7VecoQA:10 a=aIyur2oi7UP9Z7IZqwkA:9 a=IKIoO-ieCDEA:10 a=QLvOlBIuGJjmAZ5IHHaCwQ==:117
X-CM-Score: 0
X-Scanned-by: Cloudmark Authority Engine
Authentication-Results: smtp01.wow.synacor.com smtp.mail=dbhubbard@wowway.com; spf=neutral
Received-SPF: neutral (smtp01.wow.synacor.com: 10.10.0.56 is neither permitted nor denied by domain of wowway.com)
Received: from [10.10.0.56] ([10.10.0.56:58781] helo=md02.wow.synacor.com)
 by smtp.mail.wowway.com (envelope-from )
 (ecelerity 2.2.2.40 r(29895/29896)) with ESMTP
 id 07/63-15061-0C66E8F4; Wed, 18 Apr 2012 03:01:20 -0400
Date: Wed, 18 Apr 2012 03:01:20 -0400 (EDT)
From: Roland Mkemoff
Reply-To: claimsgroup222@qatar.io
Message-ID: <1725543783.781174.1334732480276.JavaMail.root@md02.wow.synacor.com>
In-Reply-To: <2128347857.781166.1334732472431.JavaMail.root@md02.wow.synacor.com>
Subject: cc
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="----=_Part_781172_32382883.1334732480274"
X-Originating-IP: [14.99.23.87]
X-Mailer: Zimbra 6.0.5_GA_2328.RHEL5_64 (ZimbraWebClient - SAF3 (Win)/6.0.15_GA_2995)
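
The headers above carry several signals a filter or analyst could score even though the body is empty. The following is an added example, not part of the original post and not a description of how Gmail filters mail: the signal names, the subject-length threshold and the constructed MIME parts are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header values are copied from the archive above; the MIME parts are
# constructed to match the post (empty body, award.docx attached).
RAW = """\
Authentication-Results: mx.google.com; spf=neutral (google.com: 64.8.70.55 is
 neither permitted nor denied by best guess record for domain of
 dbhubbard@wowway.com) smtp.mail=dbhubbard@wowway.com
Reply-To: claimsgroup222@qatar.io
Subject: cc
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain


--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="award.docx"

(constructed placeholder, not the real attachment)
--b1--
"""

def phishing_signals(raw):
    """Return heuristic signal names; hints for scoring, not a verdict."""
    msg = message_from_string(raw)
    signals = []
    auth = msg.get("Authentication-Results", "")
    spf = re.search(r"\bspf=(\w+)", auth)
    if not spf or spf.group(1).lower() != "pass":
        signals.append("spf-not-pass")
    # Replies routed to a different domain than the SPF-checked envelope sender.
    sender = re.search(r"smtp\.mail(?:from)?=\S+@([\w.-]+)", auth)
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if sender and reply_dom and reply_dom != sender.group(1).lower():
        signals.append("reply-to-domain-mismatch")
    body, attachments = "", []
    for part in msg.walk():
        if part.get_filename():
            attachments.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            body += part.get_payload()
    if attachments and not body.strip():
        signals.append("attachment-only")   # the pitch hides in the file
    if len(msg.get("Subject", "").strip()) < 4:   # assumed threshold
        signals.append("trivial-subject")
    return signals

if __name__ == "__main__":
    print(phishing_signals(RAW))
```

Each signal alone is common in legitimate mail (mailing lists rewrite Reply-To, many domains publish no SPF record), so they are meant to be combined into a score rather than used as individual block rules.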

1.2   Text of attachment, award.docx

         This is to inform you that your email address has won prize money of (£500,000.00) GBP for been an active web-email user. This Lottery promotion was organized by COCA COLA PLC.

A cheque of 500,000.00 GBP has been issued against your winning email and has been forward to Fair Ways Courier Company for delivery to your country of residence.
You are required to contact us with the details below to claim your winnings

1. Full name:
2. Contact Address:
3. Age:
4. Telephone Number
5. Sex:
6. Occupation:
7. State:
8. Country:
9. Nationality:

Contact: claimsgroup222@qatar.io

MR Dave Dawes