I've received two of these so far, both pointing to two different domains of course, and find them rather intruiging given it's the first time I've seen this method used.
The e-mails start off pretty typical of the 419'ers, but then proceed with a link to ask for a donation - and so far, there's no additional infection involved that I can see;
Obviously the "Click here to access my website" would normally be the link, but given I only allow plain text, it's never linkified automagically ;o)
Getting back to the sites themselves, cosmote.md is actually owned by Marius Apostol according to WhoIs records, but softhaven.com looks like a hacked website (given it's hosted by BlueHost, this isn't surprising).
The actual content is as shown in the following screenshots;
cosmote.md and cosmote.md/helpme
In both cases, the source code shows the payment goes to Marius Apostol at email@example.com. Whether or not this is a compromised account or his own, is at this point, unknown.
WhoIs records for cosmote.md are annoyingly, vague as far as registrant information, but do of course, give us the owners name (or at least, the name they gave to the registrar);
I double checked the WhoIs using various different sources, to try and get more information, but alas, nic.md is returning only the above it seems.
It's currently hosted at SoftLayer;
IP PTR: 188.8.131.52-static.reverse.softlayer.com
ASN: 36351 184.108.40.206/18 SOFTLAYER - SoftLayer Technologies Inc
Needless to say, if you receive one of these, DELETE IT!