This just in from Return Path:

Over the course of the past five weeks, spam campaigns have been aimed at the staff members of over 100 ESPs and gambling sites. These targets have received emails typically with content that mentions the staffer by name, and purports to be from a couple, presumably friends or co-workers.

The phish message has been sent numerous times, over several different systems, including using the facility of some ESPs, using online greeting card sites, and by way of a botnet. Sources confirm the list of addresses is very small (less than 3,000 addresses) and aimed 100% at staff responsible for email operations.

The message links to a site that contains a particularly nasty payload. I received one myself and deleted it as I thought it was harmless spam so the attack is going after email infrastructure providers in addition to ESPs.

Click through to the Return Path article for security advice in regards to this attack.