Date: Tue, 27 Dec 2011 06:06:18 +0700
From: “Destinee Mills”
Subject: The variant of the contract you’ve offered has been delcined.
After our legal department studied this contract carefully, they’ve noticed the following mismatches with our previous arrangements. We’ve composed a preliminary variant of the new contract, please study it and make sure that all the issues are matching your interests
With best wishes
Another sender name used in this spam is “Ramiro Howell”, although there are probably hundreds of fake names. The malicious payload is at chredret.ru/main.php, hosted on 188.8.131.52 (Serverius Holding BV, Netherlands). This is the second “redret” domain in this /24, so blocking 184.108.40.206/24 might be prudent.