The following header is the FROM in the message envelope.
From: =?utf-8?Q?B=CC=B7B=CC=B7&T?=
<online.communicati...@alerts.comcast.net>
I'm not sure what you mean by disguise, and what you expect should have
been done.
I suppose you're right. I wonder if there's a rule I could develop that
goes like, [if the descriptive From is entirely different to the name
(not domain) part of the smtp address - give it some moderate score].
In this particular case, there is nothing close to "BB&T" in the smtp
address, which could be an attempt to deceive the user and the spam
filters. Not always, I entirely agree, but maybe something I can "play
with" for my setup.
The 'B' characters have been overlaid with a clearly visible slash,
which isn't very clever in a phishing email.
Interesting, Thunderbird does not show any visible slash. Just "BB&T" -
though the font looks different.