The spam tsunami continues, this one is a reworking of one seen last month, but with a new payload site.
Date: Wed, 21 Dec 2011 06:43:07 +0700
From: “MERLYN Spicer” [[email protected]]
Subject: Need your help!
Hello! Look, I’ve received an unfamiliar bill, have you ordered anything?
Here is the bill
Please reply as soon as possible, because the amount is large and they demand the payment urgently.
Looking forward to your answer
The malicious payload is on cgredret.ru which I catalogued yesterday (although it didn’t have an IP address then). The IP is now 126.96.36.199 (Interserver Inc, USA) along with some other malicious sites. Block the IP rather than the domain if you can.
Leave a reply