From: [AOL sender]
Sent: 17 May 2013 14:12
Subject: [AOL screen name]
Sent: 5/17/2013 2:11:53 PM

The link goes through a legitimate hacked site and in this case ends up at [donotclick]rockingworldds.net/sword/in.cgi?6 (report here), which redirects either to a weight loss spam site or to a malware landing page at [donotclick]parishiltonnaked2013.net/ngen/controlling/coupon_voucher.php (report here) that appears to load the BlackHole Exploit Kit. Both these sites are hosted on 126.96.36.199 (Clodo-Cloud / IT House, Russia).
That server contains a number of other suspect domains that I would suggest adding to your blocklist:
I have several IPs blocked in the 188.8.131.52/21 range; you may want to consider blocking the entire lot if you don't have any reason to send web traffic to Russia.
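
A blocklist only stops new traffic, so the same indicators are worth running over existing proxy logs to see which clients already followed the redirect chain and how far they got. This is an added example, not part of the original post; the log format, the client addresses and the sample lines are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators copied from the post (its URLs are defanged with [donotclick]).
STAGES = {"redirector": "rockingworldds.net",      # /sword/in.cgi?6 stage
          "landing": "parishiltonnaked2013.net"}   # appears to load BlackHole
HOST_IP = ipaddress.ip_address("126.96.36.199")
# The post writes the range with host bits set; strict=False normalises it.
RANGE = ipaddress.ip_network("188.8.131.52/21", strict=False)

# Constructed proxy log (assumed fields: time, client, destination IP, URL).
SAMPLE_LOG = """\
2013-05-17T14:13:02 10.0.0.21 126.96.36.199 http://rockingworldds.net/sword/in.cgi?6
2013-05-17T14:13:03 10.0.0.21 126.96.36.199 http://parishiltonnaked2013.net/ngen/controlling/coupon_voucher.php
2013-05-17T14:13:40 10.0.0.35 188.8.130.7 http://host.example/index.html
2013-05-17T14:14:10 10.0.0.35 192.0.2.10 http://www.example.org/
2013-05-17T14:15:00 10.0.0.40 126.96.36.199 http://ROCKINGWORLDDS.NET./sword/in.cgi?6
truncated line
"""

def classify(line):
    """Return (client, tags) for one log line, or None if nothing matched."""
    parts = line.split()
    if len(parts) != 4:
        return None  # skip lines that do not parse
    _, client, dest, url = parts
    host = (urlsplit(url).hostname or "").rstrip(".")  # hostname is lower-cased
    # A stage matches on the domain itself or any subdomain of it.
    tags = {stage for stage, dom in STAGES.items()
            if host == dom or host.endswith("." + dom)}
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        ip = None
    if ip == HOST_IP:
        tags.add("host-ip")
    elif ip is not None and ip in RANGE:
        tags.add("range")
    return (client, tags) if tags else None

def hunt(log_text):
    """Map each client to all tags seen; 'landing' means the kit page was requested."""
    hits = {}
    for line in log_text.splitlines():
        found = classify(line)
        if found:
            hits.setdefault(found[0], set()).update(found[1])
    return hits
```

Calling `hunt(SAMPLE_LOG)` returns one entry per client; a client tagged `landing` requested the exploit kit page and should be triaged ahead of one that only reached the redirector or the wider range.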