There were also several additional people placed in the To: field that could only have been extracted from their Yahoo/Xtra webmail address book.
The subject fields had "FW" and the second one "Hey", and both of them simply contained a link (twice) to a miracle green coffee bean that reduces weight.
Both links were different but went to the same page:
http://property-agent.com/ffls/uifyw.html, which also pushes these green beans.
These look very similar to what was happening much earlier in the year, when Yahoo's email passwords were hacked. I'm guessing some of these passwords have been kept for further attacks or the same vulnerability still exists?
Obviously I've encouraged these people to change their passwords again. XTRA really should change to another email provider. I believe BT left them behind after the previous attack.
I can forward headers by PM if required.
Edit: I've just had a third email as above from a distant family member: http://qantasformula1promo.com/bzahq/gyoryd.html
This also takes you to the evil green coffee beans.