From: Josefina Underwood [mailto:hdFQe@heathrowexpress.com]The link is to a legitimate hacked site, and in this case it attempts to bounce to [donotclick]sidesgenealogist.org/closest/c93jfi2jf92ifj39ugh2jfo3g.php but at the time of writing the malware site appears to be overloaded. However, we can find an earlier report for the same sever here that indicates an exploit kit.
Sent: 27 February 2013 16:43
Subject: Follow this link
I have found it http://www.eurosaudi.com/templates/beez/wps.php?v20120226
The malware is hosted on 18.104.22.168 (Logol.ru, Russia). I would recommend blocking the entire 22.214.171.124/23 range to be on the safe side. These other two domains are in the same AS and are currently active: