Date: Mon, 12 Aug 2013 17:51:17 -0200 [15:51:17 EDT]
Is it me, or does everyone look the same?
From: Facebook [update+zj433fgc2_aay@facebookmail.com]
Subject: Willie Powell wants to be friends with you on Facebook.
interesting pages on facebook
mark as favorite web pages that interest you to receive their updates in your news feed.
Willie Powell
Willie Powell
Bao Aguliar
Bibi Akel
Eleanora Casella
Murray Carsten
Jordana Fiqueroa
Jona Fiorelli
Leisha Heape
Lacresha Hautala
Monnie Carrillo
Missy Carreiro
find more pages
go to facebook
the message was sent to {mailto_username}@{mailto_domain}. if you do not want to receive these e-mail. letters from facebook, please give up subscription.
facebook, inc., attention: department 415, po box 10005, palo alto, ca 94303
The link in the email goes through a legitimate hacked site and then on to one of three scripts:
[donotclick]golift.biz/lisps/seventeen.js
[donotclick]fh-efront.clickandlearn.at/parboiled/couplets.js
[donotclick]ftp.elotus.org/products/cleats.js
From there, the victim is redirected to a hijacked GoDaddy domain with a malicious payload at [donotclick]guterhelmet.com/topic/able_disturb_planning.php, hosted on 192.81.135.132 (Linode, US) along with a number of other hijacked domains (in italics below).
Recommended blocklist:
192.81.135.132
golift.biz
fh-efront.clickandlearn.at
ftp.elotus.org
guterglove.com
grandrapidsleaffilter.com
greenbayleaffilter.com
guterhelmet.com
guterprosva.com
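One way to check web proxy logs against the recommended blocklist, as an added example that is not from the original post. The log format, the sample lines and the function names are constructed for illustration, and the only indicators used are the entries listed above.

```python
import ipaddress
from urllib.parse import urlsplit

# Entries copied from the post's recommended blocklist.
BLOCKLIST = """192.81.135.132 golift.biz fh-efront.clickandlearn.at ftp.elotus.org
guterglove.com grandrapidsleaffilter.com greenbayleaffilter.com guterhelmet.com
guterprosva.com""".split()

def _is_ip(value):
    try:
        return ipaddress.ip_address(value) is not None
    except ValueError:
        return False

BLOCKED_IPS = {e for e in BLOCKLIST if _is_ip(e)}
BLOCKED_DOMAINS = {e for e in BLOCKLIST if not _is_ip(e)}

def host_of(url):
    """Lower-cased host of a URL, accepting the post's [donotclick] notation."""
    url = url.strip().replace("[donotclick]", "")
    url = url if "://" in url else "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")

def match(url):
    """Return the blocklist entry covering the URL's host, or None."""
    host = host_of(url)
    if _is_ip(host):
        return host if host in BLOCKED_IPS else None
    labels = host.split(".")
    # Compare whole labels: www.golift.biz matches, notgolift.biz does not.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in BLOCKED_DOMAINS:
            return ".".join(labels[i:])
    return None

# Constructed proxy log lines: timestamp, client, method, URL.
SAMPLE_LOG = """\
2013-08-12T19:52:03Z 10.0.0.21 GET http://golift.biz/lisps/seventeen.js
2013-08-12T19:52:04Z 10.0.0.21 GET http://WWW.guterhelmet.com/topic/able_disturb_planning.php
2013-08-12T19:52:09Z 10.0.0.35 GET http://notgolift.biz/index.html
2013-08-12T19:53:11Z 10.0.0.35 GET http://192.81.135.132/
2013-08-12T19:54:00Z 10.0.0.40 GET http://www.elotus.org/""".splitlines()

def scan(lines):
    """Return (client, matched_entry) for each request to a blocked host."""
    reqs = (line.split(maxsplit=3) for line in lines)
    return [(c, m) for _, c, _, u in reqs if (m := match(u))]
```

Matching on whole labels means a blocked domain also covers its subdomains, while an entry for a single host such as ftp.elotus.org leaves sibling hosts on the same domain alone.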