Spotted a new exploited forwarder of some sort at LinkedIn - full spample: http://puffin.net/software/spam/samples/0041_linked_forward.txt Except for the munged "To" and "From" email addresses, that's the pristine network image.
It came From a known friend at "swbell", who normally sends thru Yahoo, and has previously been cracked.

At first I assumed the URL was for an actual webpage, so I ran a raw GET on it/this:

    https://www.linkedin.com/slink?code=ecPnYgf?152=ofobakj&2643&pjrytop==45612858

and got a zero length document with these headers (cookie redacted):

    HTTP/1.0 301 Moved Permanently
    Server: Apache-Coyote/1.1
    Location: http://www.shopinoklahomacity.com/redirect.aspx?url=http://icynybo.freedom007.top/free/dom/?gelaxo
    Content-Length: 0
    Vary: Accept-Encoding
    Date: Tue, 17 May 2016 20:25:17 GMT
    X-Li-Fabric: prod-lva1
    Connection: keep-alive
    X-Li-Pop: prod-ech2
    X-LI-UUID: hNLOXbN0TxQQdMWE/SoAAA==

The redirect in the Location URL should have been a red flag to any automated security scanner. :\

I re-ran it as a HEAD with a User-Agent that should have screamed "spam", waited a couple hours, repeated, rinsed, stewed, then decided to post here.

*** Does anyone have a contact at LinkedIn ops? ***

Sadly, LinkedIn follows the Google/Gmail model of failing to make core functionality (like reporting spam) useable without disabling/lowering one's browser security settings/shields. :(

- "Chip"
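Added example, not part of the original post: a minimal Python check of the kind a scanner could run over the captured response above, flagging a Location header that leaves the requested host and carries a second absolute URL for yet another host in its query string. The function names are hypothetical; the sample URL and headers are copied from the post.

```python
from urllib.parse import urlsplit, parse_qsl

# Sample input copied from the post above (cookie already redacted there).
SAMPLE_URL = "https://www.linkedin.com/slink?code=ecPnYgf?152=ofobakj&2643&pjrytop==45612858"
SAMPLE_HEADERS = (
    "HTTP/1.0 301 Moved Permanently\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Location: http://www.shopinoklahomacity.com/redirect.aspx"
    "?url=http://icynybo.freedom007.top/free/dom/?gelaxo\r\n"
    "Content-Length: 0\r\n"
)

def parse_location(raw_headers):
    """Return the Location header value from a raw response head, or None."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None

def embedded_urls(url):
    """Yield (parameter, value) for query values that are absolute http(s) URLs."""
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        parts = urlsplit(value)
        if parts.scheme in ("http", "https") and parts.hostname:
            yield key, value

def redirect_findings(requested_url, raw_headers):
    """Describe off-site and chained redirects seen in one HTTP response."""
    findings = []
    location = parse_location(raw_headers)
    if location is None:
        return findings
    src = urlsplit(requested_url).hostname
    dst = urlsplit(location).hostname
    if dst and dst != src:
        findings.append(f"off-site redirect: {src} -> {dst}")
    # A redirect target that itself carries a URL for a different host is
    # a second hop hidden behind the first one.
    for key, inner in embedded_urls(location):
        inner_host = urlsplit(inner).hostname
        if inner_host != dst:
            findings.append(f"chained redirect via '{key}': {dst} -> {inner_host}")
    return findings

if __name__ == "__main__":
    for finding in redirect_findings(SAMPLE_URL, SAMPLE_HEADERS):
        print(finding)
```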