This one is fairly interesting and also ironic for two reasons:

  1. I don't own a car but supposedly I haven't paid a bill for car repair service. I can't imagine why but I can remind people that part of the definition of 'used car salesmen' and 'mechanic' (who repairs cars) is 'con artist'. That isn't to say every single one of them is but many are; yet here it's over email. In any case the domain of the supposed sender (it clearly has been spoofed) suggests an office furniture shop (I've not checked but it's only relevant when looking at the subject). Let me repeat: I do not own a car.
  2. It actually had an attachment; on scanning it, 33/55 scanners detect it as malicious (looking at the file in it as text I would have been aghast if no scanners found it malicious); ironically a scanner called 'TheHacker' fails to find it malicious. Worryingly none of Commodore, Kaspersky, ClamAV (not completely surprised there), Symantec, Panda nor Malwarebytes detect it as malicious. Ironically Microsoft does. When you read the body of the email it requests you review the bill in the attachment; this is nothing but a booby trap!

Because the sender is clearly spoofed (not only because of what the mail headers suggest but through several queries: reverse lookup on the originating IP seemingly being invalid; the SOA of the supposed sending domain doesn't list the DNS servers as the IP does and the supposed sending domain has its own MX), I will not include the sender email address. I obviously am not including the attached ZIP file. Everything else is more or less the same. I'm not commenting on the headers because I don't think it's worth the time.

The lesson here? Spammers and scammers (including phishers) will make up all sorts of excuses and claims in order to try and pull you in; what if I actually did recently have a car repaired? What if I wasn't sure I had paid? In that case I personally would look up the bills I paid but many people would be too alarmed and fall prey to emails like this (it has happened before, e.g. when people got email supposedly from the police department for things that the police department wouldn't concern themselves with, and they wouldn't use email anyway! I think this was in New York). Do not fall for these tricks! No one uses email for something like this and expects a response (obviously there are exceptions like with eBay or some such but those are dealt with through eBay).

X-Account-Key: account2
X-Mozilla-Status: 0000
X-Mozilla-Status2: 00000000
X-Apparently-To:; Tue, 05 Apr 2016 17:41:37 +0000
Received-SPF: softfail (transitioning domain of does not designate as permitted sender)
X-YMailISG: I93Hjb8WLDsOmHB3C0sSIBXjbj8_tSbC0f.VfXZVgkdXnDD0
X-Originating-IP: []
Authentication-Results:; domainkeys=neutral (no sig);; dkim=neutral (no sig)
Received: from  (EHLO (
  by with SMTP; Tue, 05 Apr 2016 17:41:36 +0000
X-Originating-IP: []
Received: from 202.default.location (202.default.location [] (may be forged))
	by (8.14.4 IN nd2 TLS/8.14.4) with ESMTP id u35HfYjV039212
	for <>; Tue, 5 Apr 2016 13:41:36 -0400
Message-ID: <>
From: <>
To: <>
Subject: Unpaid Bill for Car Repair Service 5CE9
Date: Tue, 05 Apr 2016 12:41:34 -0500
MIME-Version: 1.0

We kindly ask you to review our unpaid bill again and send us the payment in order to avoid additional costs.
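
The header signs visible in the message above (the SPF softfail, the missing DKIM signature and the "(may be forged)" note in the Received line) can be checked mechanically. The following Python is an added example, not code from the original post; the sample message is constructed, with placeholder hosts and addresses standing in for the redacted values, and `spoof_indicators` is a hypothetical helper name.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample modelled on the redacted headers above; every address,
# host name and IP is a placeholder (example.* names, RFC 5737 addresses).
SAMPLE = """\
Received-SPF: softfail (transitioning domain of shop.example does not designate 192.0.2.10 as permitted sender)
Authentication-Results: mx.example.net; domainkeys=neutral (no sig); dkim=neutral (no sig)
Received: from 202.default.location (202.default.location [192.0.2.10] (may be forged))
\tby mail.example.org (8.14.4) with ESMTP id CONSTRUCTED1
\tfor <user@example.net>; Tue, 5 Apr 2016 13:41:36 -0400
From: <billing@shop.example>
To: <user@example.net>
Subject: Unpaid Bill for Car Repair Service 5CE9
Date: Tue, 05 Apr 2016 12:41:34 -0500
MIME-Version: 1.0

We kindly ask you to review our unpaid bill again.
"""

def spoof_indicators(raw):
    """Return header findings that suggest the sender address is forged."""
    msg = message_from_string(raw, policy=default)
    findings = []
    # SPF: any result other than "pass" means SPF did not confirm the sending IP.
    for value in msg.get_all("Received-SPF", []):
        parts = str(value).split()
        result = parts[0].lower() if parts else "none"
        if result != "pass":
            findings.append(f"spf={result}")
    # DKIM: record each non-pass result reported by the receiving server.
    for value in msg.get_all("Authentication-Results", []):
        for result in re.findall(r"\bdkim=(\w+)", str(value)):
            if result.lower() != "pass":
                findings.append(f"dkim={result.lower()}")
    # sendmail appends "(may be forged)" when the connecting IP's reverse DNS
    # name does not resolve back to that IP.
    for value in msg.get_all("Received", []):
        if "may be forged" in str(value).lower():
            host = re.search(r"from\s+(\S+)", str(value))
            findings.append(f"rdns-mismatch={host.group(1) if host else '?'}")
    return findings

if __name__ == "__main__":
    for finding in spoof_indicators(SAMPLE):
        print(finding)
```

None of these findings proves forgery alone; together with a sender domain that has nothing to do with the subject, they are the pattern the post describes.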