Date: Wed, 21 Dec 2011 06:43:07 +0700
From: "MERLYN Spicer" [sales1@victimdomain.com]
To:
Subject: Need your help!
Hello! Look, I've received an unfamiliar bill, have you ordered anything?
Here is the bill
Please reply as soon as possible, because the amount is large and they demand the payment urgently.
Looking forward to your answer
Fingerprint: 2ccc03a5-e19549f7
The malicious payload is on cgredret.ru which I catalogued yesterday (although it didn't have an IP address then). The IP is now 206.72.207.156 (Interserver Inc, USA) along with some other malicious sites. Block the IP rather than the domain if you can.