Full Version: Evil sites
alien51
I'm always getting dozens of emails with "Warning! Your email/social security number/ebay account/bank account/phone number/elector card/etc is irregular". And the link they provide to correct the situation is pointed to a .exe or .scr file. Please show these bastards a one-way entry to the HOSTS file.

alien51
And some more of the same scum. Besides being phishing scams, their link directs to an executable so who knows what kind of trojan they attempt to install.

alien51
If anyone is interested I can start posting the actual links to the executables. One was pretty smart in his attempt to obfuscate the link. Can't remember exactly how it went but he used a ".com" executable which I only saw in the old days of MS-DOS. These days we associate .com to an http address so to a naive user and even to a more experienced but distracted user it would look like a legit domain.
alien51
This appears to be the last of them. I haven't received any nasty link in the last couple of weeks, maybe white forces have moved into play? I was starting to collect these with more method but the list didn't grow.

hxxp://informes2007.front.ru/update_download.exe
hxxp://grupoambev-ltda5.front.ru/orcamento-xls.cmd
hxxp://www.youtubevideo.kit.net/Video.Com

Anyhow I've noticed from my past postings that some higher level domains have more than one site count.

notlong.com
kit.net
front.ru
pop3.ru
pochta.ru
uni7.net
rg3.net
rg9.net
fileave.com

Would it be reasonable to block these higher levels as well or are there legit sites in them? How can one tell?
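
As an added example (not part of the original post), one way to see which parent domains recur in a HOSTS-format blocklist is to group the entries by registrable parent and count them. The sample entries use constructed `.example` names, and the multi-label suffix set is a small illustrative subset standing in for the Public Suffix List.

```python
from collections import defaultdict

# Illustrative subset of multi-label public suffixes (assumption); a real
# tool would load the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"com.br", "co.kr", "co.uk"}
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0"}

# Constructed sample in HOSTS format; the .example names are placeholders.
SAMPLE_HOSTS = """\
# constructed sample entries
127.0.0.1 album-a.freehost.example
127.0.0.1 album-b.freehost.example   # trailing comment
0.0.0.0   card1.mailpages.example card2.mailpages.example
127.0.0.1 www.single-site.example
127.0.0.1 localhost
"""

def parent_domain(hostname):
    """Return the registrable parent (suffix plus one label) of a hostname."""
    labels = hostname.lower().rstrip(".").split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    if len(labels) <= suffix_len:
        return None  # bare suffix or single label such as "localhost"
    return ".".join(labels[-(suffix_len + 1):])

def group_by_parent(hosts_text):
    """Map each parent domain to the set of blocked hostnames under it."""
    groups = defaultdict(set)
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split columns
        if len(fields) < 2 or fields[0] not in SINK_ADDRESSES:
            continue
        for host in fields[1:]:  # a HOSTS line may carry several names
            parent = parent_domain(host)
            if parent:
                groups[parent].add(host.lower())
    return groups

def shared_parents(hosts_text, minimum=2):
    """Parents with at least `minimum` blocked hostnames, most frequent first."""
    counts = {p: len(h) for p, h in group_by_parent(hosts_text).items()}
    ranked = sorted(counts.items(), key=lambda item: (-item[1], item[0]))
    return [(p, n) for p, n in ranked if n >= minimum]

if __name__ == "__main__":
    for parent, count in shared_parents(SAMPLE_HOSTS):
        print(f"{count:3d}  {parent}")
```

A HOSTS file matches exact hostnames only, so acting on a parent domain means either listing every hostname under it or filtering at the DNS resolver instead.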