Spammer hosting located here:
http://khoskas.duckdns.org/crpto
-> http://vlkproyal.info/?target=-X
—> http://tracking.jimtedmorris.com/aff_c?offer_id=X
—> http://de.the-cryptosoftware.com/?TrackingID=X
—-> https://grandefex.com/
$ dig +short grandefex.com
34.98.73.147
Spam sample
=================================
Received: from kgtra.minakros.info (17rkrh21.ni.net.tr [95.173.179.17])
by X (Postfix) with ESMTP id X
for <Xh>; Fri, 27 Dec 2019 X
X-Apparently-To: X Fri, 06 Dec 2019 X
Authentication-Results: X
Received-SPF: pass (domain of gmail.com designates 209.85.166.195 as permitted sender)
X-YMailISG: X
X-Originating-IP: [209.85.166.195]
Received: from 10.217.136.19 (EHLO mail-il1-f195.google.com) (209.85.166.195)
by mta4174.mail.ne1.yahoo.com with SMTPS; Fri, 06 Dec 2019 X
Received: by mail-il1-f195.google.com with SMTP id X
for <X>; Thu, 05 Dec 2019 X
DKIM-Signature: X
X-Google-DKIM-Signature: X
X-Gm-Message-State: X
X-Google-Smtp-Source: X
X-Received: by 2002:a92:844b:: with SMTP id X;
Thu, 05 Dec 2019 X
MIME-Version: 1.0
From:=?UTF-8?B?U3RlcGhhbmll?= <tim.meier1@ewe.net>
Date: Thu, 26 Dec 2019 X
Message-ID: <X=X@mail.gmail.com>
Subject:=?UTF-8?B?X==?=
Content-Type: multipart/alternative; boundary=»X»
—X
Content-Type: text/plain; charset=»UTF-8″
Content-Transfer-Encoding: quoted-printable
*Kun for *
<https://s.free.fr/bnPcU5eH>
Abmelden <http://brinscre.duckdns.org/unsub/>
—X
Content-Type: text/html; charset=»UTF-8″
Content-Transfer-Encoding: quoted-printable
<div dir=3D»ltr»><div style=3D»text-align:center»><a href=3D»http://khoskas.duckdns.org/crpto» style=3D»font-family:»Times New Roman»;font-=
size:medium»><b><font color=3D»red» size=3D»60″>Verdienen Sie €13.000 in genau 24 Stunden. Garantiert!
</font></b></a><span style=3D»color:rgb(0=
[…]
=================================