Date: Wed, 7 Aug 2013 13:05:22 -0600 [15:05:22 EDT]The link in the email goes through a legitimate hacked site and then on to three scripts as follows:
From: Fax Message [email@example.com]
Subject: Fax Message at 2013-08-07 01:54:34 EST
You have received 4 fax page(s) at 2013-08-07 01:54:34 EST.
* The reference number for this fax is wlmt_bgp85-3506454489-3878764215-49.
* The transmission start time for this fax is .
Click here to view this message in your web browser
Please visit http://www.j2.com/help if you have any questions regarding this message or your j2 service.
Thank you for using jConnect!
Powered by j2
2013 j2 Global Communications, Inc. All rights reserved.
jConnect is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the jConnect Customer Agreement.
From then on the victim is sent to a payload site at [donotclick]eliehabib.com/topic/seconds-exist-foot.php which is a hacked domain registered by GoDaddy, hosted on 22.214.171.124 (Gandi, US). There are probably other malicious domains that I cannot see on the same server.