Another sender name used in this spam is "Ramiro Howell", although there are probably hundreds of fake names. The malicious payload is at chredret.ru/main.php, hosted on 220.127.116.11 (Serverius Holding BV, Netherlands). This is the second "redret" domain in this /24, so blocking 18.104.22.168/24 might be prudent.
Date: Tue, 27 Dec 2011 06:06:18 +0700
From: "Destinee Mills"
Subject: The variant of the contract you've offered has been delcined.
After our legal department studied this contract carefully, they've noticed the following mismatches with our previous arrangements. We've composed a preliminary variant of the new contract, please study it and make sure that all the issues are matching your interests
With best wishes