There have been a helluvalot of malicious spams in the past few days, some using HTML attachments and some using an HTML-in-ZIP attack, for example:
Intercompany inv. from Safeco Corporation Corp.
Invoice_1750544151.zip
Invoice.htm
Scan from a HP ScanJet #24166324
Scan_HPa.zip
HP_Scan.htm
Re: End of Aug. Statement Required
Invoice_N{DIG}.htm
Your Flightticket
FLIGHT_TICKET_N24207.zip
Ticket.htm
FEDEX: DELIVER CONFIRMATION - FAILED 335929
Collect_Letter-176310.htm
Payload URLs include:
hxxp://41.168.5.140:8080/navigator/jueoaritjuir.php
hxxp://62.85.27.129:8080/navigator/jueoaritjuir.php
hxxp://78.83.233.242:8080/navigator/jueoaritjuir.php
hxxp://81.30.160.7:8080/navigator/jueoaritjuir.php
hxxp://88.190.22.72:8080/navigator/jueoaritjuir.php
hxxp://89.31.145.154:8080/navigator/jueoaritjuir.php
hxxp://112.78.124.115:8080/navigator/jueoaritjuir.php
hxxp://194.85.97.121:8080/navigator/jueoaritjuir.php
hxxp://211.44.250.173:8080/navigator/jueoaritjuir.php
hxxp://219.94.194.138:8080/navigator/jueoaritjuir.php
hxxp://webalizerindians.ru:8080/navigator/jueoaritjuir.php
By host:
41.66.137.155 (AfricaINX, South Africa)
41.168.5.140 (Neotel, South Africa)
62.85.27.129 (Microlink, Latvia)
81.30.160.7 (Vinteleport, Ukraine)
88.190.22.72 (Free SAS / ProXad, France)
89.31.145.154 (Nexen, France)
112.78.124.115 (Sakura Internet, Japan)
125.19.103.198 (Bharti Infotel, India)
194.85.97.121 (State Technical University of Saint-Petersburg, Russia)
202.149.85.37 (Satata Neka Tama, Indonesia)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
211.44.250.173 (SK Broadband, Korea)
219.94.194.138 (Sakura Internet, Japan)
Plain list for copy-and-pasting:
41.66.137.155
41.168.5.140
62.85.27.129
81.30.160.7
88.190.22.72
89.31.145.154
112.78.124.115
125.19.103.198
194.85.97.121
202.149.85.37
210.56.23.100
210.109.108.210
211.44.250.173
219.94.194.138
These IPs seem pretty consistent at the moment, blocking them should offer some degree of protection.