...got this email from my bank (see image). All in all, a credible job (I'm not awake yet). The sender is using the imbedded gif to trick readers. The gif is linked to this website: http://www.53.com.wps.portal.secure....fo/context.id/

Here's the email headers:

----------------------------------------------------------------------------

X-Apparently-To: xxxxxxxx@yahoo.com via 206.190.48.84; Fri, 25 Aug 2006 10:21:46 -0700
X-YahooFilteredBulk: 200.158.67.174
X-Originating-IP: [200.158.67.174]
Return-Path: <reference-id_71384id@53.com>
Authentication-Results: mta302.mail.re4.yahoo.com from=53.com; domainkeys=neutral (no sig)
Received: from 200.158.67.174 (HELO 200-158-67-174.dsl.telesp.net.br) (200.158.67.174) by mta302.mail.re4.yahoo.com with SMTP; Fri, 25 Aug 2006 10:21:46 -0700
Received: from transmitting.ifg.com (unknown [35.220.96.177]) by cobaltweb.com with SMTP id X5PPP2ZNBV for <karlstrangfeld@yahoo.com>; Sat, 26 Aug 2006 06:20:50 -0800
From: "FIFTH THIRD BANK 2006" <support_reference851516162754id@53.com> Add to Address BookAdd to Address Book Add Mobile Alert
To: Send an Instant Message "Karlstrangfeld" <karlstrangfeld@yahoo.com>
Subject: Fifth Third Bank: Urgent Notice From Billing Department Sat, 26 Aug 2006 06:20:50 -0800
Message-ID: <73048sj83k89$c7uk474ohf8$5jz6fta76@Y4887529>
User-Agent: PObox II beta1.0
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/related; boundary="GIMXXV0Z00UTQGIS7Q6S"
Content-Length: 9325
-----------------------------------------------------------------------------------

I traced the originating ip address (200.158.67.174) in the email to Sao Paulo. The website's in Latvia with an ip address of 85.115.127.165, belonging to ProNets-LV from what I can tell.

Don't you love those domain names? www.53.com.wps.portal.secure.huaru.info? WTF?

What's the best way to report something like this?