Threatening email allegedly sent from borderline-literate FBI agent John Edward.
The fraud, which has been active since February 14, 2011, claims that the FBI intercepted a large trunk full of money at JFK Airport addressed to the email recipient. The spam insists that the recipient must reply to the email or be arrested, interrogated, and prosecuted in the "Court of Law for Money Laundrey" [sic].
The email then urges the recipient to read the attached file, which contains instructions forbidding the recipient from contacting any bank or persons in Nigeria. Oddly enough, there have recently been 419 campaigns from Nigeria impersonating Robert S. Mueller III.
Most samples of this email originated from Inner Mongolia, targeting citizens of the United States. In general these emails come from Freeweb accounts (budget cuts at the FBI must be worse than we thought).
The financial incentive for the spammers is likely blackmail. After all, according to the spam, 'Special Agent Edward' will not arrest, interrogate and prosecute the recipient for a fee.
Several features of these messages point to their spammer origins. The To field is an fbi.gov address, and the recipient is in BCC. This is done so that the reader sees an @fbi.gov address in the header, which lends credibility to the message. The Reply-to field points to a different account than the From field. The message body is a short paragraph instructing the recipient to open the attachment immediately.
Both the Sender and Reply-to addresses are Freeweb accounts, and the Reply-to account differs from the sender account.
Subject: FROM THE FEDERAL BUREAU OF INVESTIGATION (FBI)
From: AGENT JOHN EDWARD <redacted>@live.ca
URGENT ATTENTION: BENEFICIARY,
KINDLY VIEW THE ATTACHED CONFIDENTIALITY NOTICE LETTER AND GET BACK TO ME IMMEDIATELY.
Yours In Service
Agent John Edward
Federal Bureau of Investigation
Intelligence Field Unit
J. Edgar Hoover Building
935 Pennsylvania Avenue, NW Washington, D.C.
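The header traits described above can be checked mechanically on inbound mail. The following is an added example, not part of the original post: the function names, the 40-word body threshold, the placeholder addresses and the `freemail.example` domain are assumptions made for illustration, and the sample message is constructed.

```python
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

CLAIMED_DOMAIN = "fbi.gov"
# Assumption: illustrative list; live.ca is from the sample, the other is constructed.
FREE_WEBMAIL = {"live.ca", "freemail.example"}

def domain(addr):
    return addr.rpartition("@")[2].lower()

def spoof_indicators(raw, delivered_to, max_body_words=40):
    """Return which of the article's header/body traits a raw message shows."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply = parseaddr(msg.get("Reply-To", ""))[1].lower()
    visible = [a.lower() for _, a in
               getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    parts = list(msg.walk())
    # Body text = text/plain parts that are not attachments.
    body = " ".join(p.get_payload(decode=True).decode(errors="replace") for p in parts
                    if p.get_content_type() == "text/plain" and not p.get_filename())
    hits = []
    if any(domain(a) == CLAIMED_DOMAIN for a in visible):
        hits.append("to_claims_fbi_gov")
    if delivered_to.lower() not in visible:  # real recipient hidden in BCC
        hits.append("recipient_only_in_bcc")
    if reply and reply != sender:
        hits.append("reply_to_differs_from_from")
    if domain(sender) in FREE_WEBMAIL:
        hits.append("from_is_free_webmail")
    if domain(reply) in FREE_WEBMAIL:
        hits.append("reply_to_is_free_webmail")
    if any(p.get_filename() for p in parts) and len(body.split()) <= max_body_words:
        hits.append("short_body_with_attachment")
    return hits

def constructed_sample():
    """Constructed message shaped like the sample above; addresses are placeholders."""
    m = EmailMessage()
    m["Subject"] = "FROM THE FEDERAL BUREAU OF INVESTIGATION (FBI)"
    m["From"] = "AGENT JOHN EDWARD <redacted@live.ca>"
    m["Reply-To"] = "redacted2@freemail.example"
    m["To"] = "redacted@fbi.gov"
    m.set_content("KINDLY VIEW THE ATTACHED CONFIDENTIALITY NOTICE LETTER "
                  "AND GET BACK TO ME IMMEDIATELY.")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename="notice.doc")
    return m.as_string()
```

No single trait is conclusive on its own (mailing lists also hide the recipient, for instance), so a filter would score the combination rather than act on one hit.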