When i first read it, the 'Hello' mail i thought it was from the script. Of course, if it had retained the attachment it'd been more supicious. The test was clearly fake.
The old tricky faked From: field. You can check at its header:
Original-Received: from pobox.com (unknown [85.104.219.99]) by mail.wikimedia.org (Postfix) with ESMTP id 7F30417E5EF
You can see it identifies as pobox.com but it's not pobox.com! host name : pobox.com address : 207.106.133.28
address : 85.104.219.99 host name : dsl85-104-56163.ttnet.net.tr
So it seems from a dialup. The ip belongs to TurkTelekom | Turk Telekom ADSL-alcatel. It was probably automatically originated by a virus. It seems like a W32/lovgate http://www.sophos.com/virusinfo/analyses/w32lovgatez.html
BTW, Brion. How do you sent that email without getting the mailist signature?