But this (found earlier on that IP) could have triggered the earlier flag, see: http://urlquery.net/report.php?id=3228295
ET CURRENT_EVENTS Blackhole 16/32-hex/a-z.php Landing Page & URI & EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval
while this domain was free of it at that time: http://urlquery.net/report.php?id=3225110
See: http://en.wikimix.info/ip/173.231.1.27 not blacklisted now: http://www.ipvoid.com/scan/173.231.1.27/

polonus