Thursday, March 16, 2006

Tax trouble

I messed up my taxes? Heck, how'd that happen? I haven't filed yet.

Just kidding. I managed to receive four e-mails containing supposed IRS notices saying that I'm owed money and that I should click on a link and fill out the form there.

It doesn't lead anywhere but here's some of the particulars:

From admin@irs.gov (the system administrator for the IRS cares about me!)
The header graphic is from irs.gov.

Del'd by        Return-Path           IMP ID                  Clicking link leads to:
61.221.79.115   test@simhope.com.tw   9Uhz1U02V2VGYjh0000000  http://200-158-140-157.dsl.telesp.net.br/update/IRS/caseid886432/
61.221.79.115   test@simhope.com.tw   9Url1U00c2VGYjh0000000  http://200-158-140-157.dsl.telesp.net.br/update/IRS/caseid886432/
61.221.79.115   test@simhope.com.tw   9UnS1U01n2VGYjh0000000  http://200-158-140-157.dsl.telesp.net.br/update/IRS/caseid886432/
61.221.79.115   test@simhope.com.tw   9YMR1U0212VGYjh0000000  http://test.spnet.ne.jp/Gmark/image/caseid886432/

Note that I've said "IMP ID" and not "MSG ID". This and the info available about simhope.com.tw lead me to believe that they're an ignorant middle-man. It's the links that the message tries to trick recipients into clicking on that are interesting. Three were from 200-158-140-157.dsl.telesp.net.br and one was from test.spnet.ne.jp. Let's try those.
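The two tells in the table above (a From address claiming irs.gov while the Return-Path and delivering relay belong to someone else, and links that point at hosts unrelated to the claimed sender) can be checked offline from the raw message. This is an added example, not part of the original post; the sample message is constructed to mirror the notices described here, and the hostnames in it are taken from the table.

```python
"""Offline triage of a suspected phishing e-mail: compare the claimed From
domain with the Return-Path domain and list every body link whose host is
not under the claimed sender's domain."""
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Constructed sample modelled on the IRS notices in the post: From claims
# irs.gov, Return-Path and the relay show the real origin, link goes elsewhere.
SAMPLE = b"""Return-Path: <test@simhope.com.tw>
Received: from mail.simhope.com.tw ([61.221.79.115]) by mx.example.net
From: "Internal Revenue Service" <admin@irs.gov>
Subject: IRS refund notice
Content-Type: text/html

<html><body><img src="http://www.irs.gov/header.gif">
<a href="http://200-158-140-157.dsl.telesp.net.br/update/IRS/caseid886432/">Claim refund</a>
</body></html>
"""

def domain_of(addr):
    """Lowercase domain part of an address such as <user@host>, or ''."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else ""

def same_org(host, domain):
    """True when host is the domain itself or a subdomain of it."""
    return bool(domain) and (host == domain or host.endswith("." + domain))

def triage(raw):
    """Return findings for one raw RFC 2822 message (bytes)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    claimed = domain_of(msg["From"])
    envelope = domain_of(msg["Return-Path"])
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    links = re.findall(r"""href=["']?(https?://[^\s"'>]+)""", body, re.I)
    offsite = [u for u in links
               if not same_org((urlparse(u).hostname or "").lower(), claimed)]
    return {
        "claimed_domain": claimed,       # what the From header pretends
        "envelope_domain": envelope,     # where bounces would actually go
        "sender_mismatch": claimed != envelope,
        "offsite_links": offsite,        # links not under the claimed domain
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```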

The nslookup on 200-158-140-157.dsl.telesp.net.br returns 200.158.140.157. A whois lookup on that IP indicates that it belongs to Telecomunicacoes De Sao Paulo S.A. (Sao Paulo Telephone?). Almost obviously a DSL account.

The nslookup on test.spnet.ne.jp returns 211.12.208.189. A whois on that IP indicates that the IP belongs to "Japan Network Information Center". Another telephone company?

Connection attempts to 200.158.140.157 time out. However, connection attempts ("wget -S") to 211.12.208.189 indicate that it's an Apache 2.0.40 server running on Red Hat Linux. The default page was last modified approximately 22 1/2 hours prior to my accessing the server. Oh, and the default page amounts to an open-html tag, an open-body tag, a close-body tag, and a close-html tag. An attempt to visit the page in the link returns a 404 error. However, clicking on the link in the e-mail returns a page containing Japanese sentences. A Babel Fish translation of those pages returns "There was no information which agrees with search. Doing, please try searching for the second time e.g., keyword, category and the commodity etc. are modified. Swallow" followed by a series of untranslated characters.

So it's more or less a dead end. If there was anything there, it's inaccessible now (short of having physical access to the machine). Hopefully you weren't one of the ones that fell for it.