The Schweizer Formel is probably heading in the same direction:


header:
01: Return-Path: <bluhm-xxx=xxx-xxx=xxx [at] spotter.host>
02: Received: from x16.pushdoms.com ([194.182.173.44]) by mx-ha.web.de (mxweb110
03: [212.227.17.8]) with ESMTP (Nemesis) ID: [ID filtered]
04: DKIM-Signature: x
05: To: xxx [at] xxx
06: Subject:
07: =?UTF-8?B?4ZCFIEVyZm9sZ3JlaWNoIHdlcmRlbjogV2VzaGFsYiA5NSUga2VpbmVuIEVyZm9sZyBoYWJlbuKcjO+4jw==
08: =
09: Message-ID: [ID filtered]
10: Date: Mon, 18 Mar 2019 xx:xx:xx +0000
11: From: "D. B." <bluhm [at] spotter.host>
12: Reply-To: bluhm [at] spotter.host
13: MIME-Version: 1.0
14: Content-Type: text/html; charset="UTF-8"
15: Content-Transfer-Encoding: 7bit
16: Envelope-To: <xxx [at] xxx>
17: X-Spam-Flag: YES

Target: whois:https://deutschformel.com/index.php?xparam=schweizerformel.co/index.php&campaign=29954&offer_id=10891&aff_id=10008&creative=1147&aff_sub4=&aff_sub5=&aff_sub2=&aff_sub3=&goal_id=1008&country_code=None&customer_id=1147&aff_sub=&transaction_id=x&trk_sys_id=1&test=0

Long route:

whois:
https://deutschformel.com/index.php?xparam=schweizerformel.co/index.php&campaign=29954&offer_id=10891&aff_id=10008&creative=1147&aff_sub4=&aff_sub5=&aff_sub2=&aff_sub3=&goal_id=1008&country_code=None&customer_id=1147&aff_sub=&transaction_id=xd&trk_sys_id=1&test=0

.
.
.
whois:https://roitrack.net/?a=620&c=1836&s1=10008
.
.
.
whois:https://digclick.net/?a=620&c=1836&s1=10008&ckmguid=2887ed5b-d392-4147-b6d3-975eca7cd4ea
.
.
.
whois:https://afflink.co/c_c?url=https://cbddemands.co/&aff_id=620&offer_id=1256&aff_sub=10008&aff_sub2=&aff_sub5=&aff_sub3=&aff_sub4=&aff_sub5=&reqid=16761344&goal_id=1008&campaign=42248&creative=1836
.
.
.
whois:https://cbddemands.co/?campaign=42248&offer_id=11256&aff_id=10620&creative=1836&aff_sub4=&aff_sub5=&aff_sub2=&aff_sub3=&country_code=US&goal_id=1008&customer_id=1836&aff_sub=10008&transaction_id=x&trk_sys_id=1&test=0

And YES, this too is once again a fraudulent fake.