Thursday, March 16, 2006

Tax trouble

I messed up my taxes? Heck, how'd that happen? I haven't filed yet.

Just kidding. I managed to receive four e-mails containing supposed IRS notices saying that I'm owed money and that I should click on a link and fill out the form there.

It doesn't lead anywhere but here's some of the particulars:

From (the system administrator for the IRS cares about me!)
The header graphic is from

Del'd byReturn-PathIMP IDClicking link leads to:

Note that I've said "IMP ID" and not "MSG ID". This and info available about leads me to believe that they're an ignorant middle-man. It's the links that the message tries to trick recipients into clicking on that are interesting. Three were from and one was from Let's try those.

The nslookup on returns A whois lookup on that IP indicates that it belongs to Telecomunicacoes De Sao Paulo S.A. (Sao Paulo Telephone?). Almost obviously a DSL account.

The nslookup on returns A whois on that IP indicates that the IP belongs to "Japan Network Information Center". Another telephone company?

Connection attempts to time out. However, connection attempts ("wget -S") to, indicate that it's an Apache 2.0.40 server running on Red Hat Linux. The default page was last modified approximately 22 1/2 hours prior to my accessing the server. Oh, and the default page amounts to an open-html tag, an open-body tag, a close-body tag, and a close-html tag. An attempt to visit the page in the link returns a 404 error. However, clicking on the link in the email returns a page containing Japanese sentences. A Babel Fish translation of those pages returns "There was no information which agrees with search. Doing, please try searching for the second time e.g., keyword, category and the commodity etc. are modified. Swallow" followed by a series of untranslated characters.

So it's more or less a dead end. If there was anything there, it's inaccessible now (short of having physical access to the machine). Hopefully you weren't one of the ones that fell for it.