The original message:
Your email have been reported for sending spam messages (Email Messages Containing Banned Or Illegal Content) Your attention is required to avoid permanent termination of your email account. Copy below link to browser to verify your email address.
http://webmail.com.service.onlineaccountservice.online.madeiraexotics.com/webmail.com/
Failure to comply will result to permanent termination of your email account Webmail Service Provider
While a quick glance may lead one to believe this leads to “webmail.com”, it is actually going to a sub-domain of “madeiraexotics.com”
The page is fairly simple, an image with the various logos, a description, and a login form all in a neat little table. One interesting thing to note about the page layout, however, is the writer seems to have used long strings of “ ” repeated to align various elements on the page. The following two lines of code indicate the page was designed in Frontpage.
<meta name="<a>GENERATOR</a>" content="<a>Microsoft FrontPage 5.0</a>"> <meta name="<a>ProgId</a>" content="<a>FrontPage.Editor.Document</a>">The page submits to update.php, but does validate the email address first.
The validation function has been re-purposed as there is unused functionality to check numeric inputs.Upon submitting (to update.php), the page (presumably logging the email + password first) gives a 302 redirect to index2.htm. Index2.htm tells us that we will be able to use our email account again shortly, and that we should allow up to 24 hours before receiving a "reactivation email".