Date: Thu, 13 Jun 2013 01:18:09 +0800 [13:18:09 EDT]
From: FedEx [firstname.lastname@example.org]
Subject: Your Fedex invoice is ready to be paid now.
FedEx(R) FedEx Billing Online - Ready for Payment
You have a new outstanding invoice(s) from FedEx that is ready for payment.
The following ivoice(s) are to be paid now :
To pay or review these invoices, please sign in to your FedEx Billing Online account by clicking on this link: http://www.fedex.com/us/account/fbo
Note: Please do not use this email to submit payment. This email may not be used as a remittance notice. To pay your invoices, please visit FedEx Billing Online, http://www.fedex.com/us/account/fbo
This message has been sent by an auto responder system. Please do not reply to this message.
The content of this message is protected by copyright and trademark laws under U.S. and international law.
The link in the email goes through a legitimate hacked site and ends up on a malware payload page at [donotclick]oxfordxtg.net/news/absence_modern-doe_byte.php (report here) hosted on:
220.127.116.11 (Langfang University, China)
18.104.22.168 (Greendot, Trinidad and Tobago)
The following partial blocklist covers these two IPs, but I recommend you also apply this larger blocklist of related sites as well.