This might help clarify the attack (I think this is right).
HELO mynewdomain.com
MAIL FROM: <joe@mynewdomain.com> DAVE: <joe@mynewdomain.com>
RCPT TO: <poorvictim@victimized.net>
DATA
From: billing@citibank.com
Subject: you need to do blah blah in your account
[other headers]

Go to http://www.cltybank.com/ and change your password ASAP!
.
Now, things are somewhat better if you get the entire world to upgrade
their MUA and every MUA does super-smart stuff to tell users that this
message is super-scary; then maybe the world is not so bad, but that
seems a little bit optimistic.
Daniel
--
Daniel Quinlan SpamAssassin developer
http://www.pathname.com/~quinlan/ Free Standards Group, Chairperson
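To make the point of the post concrete from the receiving side, here is an added example (my own code, not from the post, from DAVE, or from SpamAssassin) that parses a session transcript like the one above and flags the two things an envelope-only check never sees: a From: header domain that does not match the authenticated envelope domain, and a link in the body whose host does not match the From: header domain. The transcript is constructed for the example, and the two-label `registrable()` rule is a simplifying assumption rather than a real public-suffix lookup.

```python
import re
from urllib.parse import urlparse

# Constructed transcript modelled on the post's example (sample input, not real traffic).
SESSION = """HELO mynewdomain.com
MAIL FROM: <joe@mynewdomain.com>
RCPT TO: <poorvictim@victimized.net>
DATA
From: billing@citibank.com
Subject: you need to do blah blah in your account

Go to http://www.cltybank.com/ and change your password ASAP!
.
"""

ADDR = re.compile(r"<?([^<>\s]+@([^<>\s]+))>?")   # captures user@domain and the domain
URL = re.compile(r"https?://[^\s<>\"']+")

def registrable(host):
    # Hypothetical simplification: last two labels stand in for the organisational domain.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def analyse(session):
    """Return a list of findings for one SMTP session transcript."""
    envelope = header_from = None
    data, in_data = [], False
    for line in session.splitlines():
        if line == ".":                      # end of DATA
            break
        if in_data:
            data.append(line)
        elif line.upper().startswith("MAIL FROM:"):
            m = ADDR.search(line)
            envelope = m.group(2) if m else None
        elif line.strip().upper() == "DATA":
            in_data = True
    headers, _, body = "\n".join(data).partition("\n\n")   # RFC 5322: headers, blank, body
    for h in headers.splitlines():
        if h.lower().startswith("from:"):
            m = ADDR.search(h)
            header_from = m.group(2) if m else None
    findings = []
    if envelope and header_from and registrable(envelope) != registrable(header_from):
        findings.append(f"misaligned: envelope {envelope} vs header From {header_from}")
    for url in URL.findall(body):
        host = urlparse(url).hostname or ""
        if header_from and registrable(host) != registrable(header_from):
            findings.append(f"link host {host} differs from header From domain {header_from}")
    return findings
```

Run `analyse(SESSION)` to see both findings; a message whose envelope, From: header and link all sit under one domain produces none.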