Spammer hosting located here:
https://kbxpbapttqisxgyflhne.blob.core.windows.net/kbxpbapttqisxgyflhne/1dqgqcalkdh.html
-> https://www.glowtrk5.com/X/X/?creative_id=X
--> https://secure.trafficlink2000.com/?c=X&s1=X&s2=X
---> http://www.green-coff.ee/aff_c?offer_id=X&aff_id=X&url_id=X&source=Traffic&aff_sub=X&aff_sub2=X
----> https://nutri.go2cloud.org/aff_c?offer_id=X&aff_id=X&url_id=X&source=Traffic&aff_sub=X&aff_sub2=X
-----> https://curcuma3.protibio.de/?refID=X
$ dig +short kbxpbapttqisxgyflhne.blob.core.windows.net
blob.db3prdstr19a.store.core.windows.net.
20.150.75.36
Spam sample
=================================
Received: from nrap.arguanline.com (unknown [191.96.55.40])
    by X (Postfix) with ESMTP id X
    for <X>; Tue, 22 Dec 2020 X
Date: Tue, 22 Dec 2020 X
From: "Curcuma" <services@arguanline.com>
Subject: =?UTF-8?B?Q3VyY3VtYSwgZGFzIEdlc3VuZGhlaXRzIGdld8O8cnogZ2VnZW4gU2NobWVyemVuIQ==?=
To: X
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=X.X"
Message-Id: <X.X@X>
------=X.X
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 8bit
<center>
<a href="https://kbxpbapttqisxgyflhne.blob.core.windows.net/X/X.html"> <br> Unsubscribe </a>
<br><br>
<a href="https://kbxpbapttqisxgyflhne.blob.core.windows.net/X/X.html" target="_blank">
<img src="https://kbxpbapttqisxgyflhne.blob.core.windows.net/X/X.png">
</center>
<p style="text-align: center;"><span style="display:none;font-size:8px;"><span style="color:#FFFFFF;">
=================================