It’s tax season
And what do you know? I recently received a refund from the IRS. Wow!
After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $480.23. Please submit the tax refund request and allow us 3-6 days in order to process it.
A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline.
To access the form for your tax refund, please click here.
Note: For security reasons, we will record your ip-address, the date and time. Deliberate wrong inputs are criminally pursued and indicated.
Regards,
Internal Revenue Service
Copyright 2008, Internal Revenue Service U.S.A. All rights reserved.
Err… Thanks, but I’m not even a US citizen. Unless our BIR offers refunds in dollars now?
The link points to an IP address registered in Latin America. It gets better: whois info shows the following:
OrgName: Latin American and Caribbean IP address Regional Registry
OrgID: LACNIC
Address: Rambla Republica de Mexico 6125
City: Montevideo
StateProv:
PostalCode: 11400
Country: UY
Mexico is in Uruguay now?
The headers are also very interesting:
Received: by 10.114.150.9 with SMTP id x9cs106067wad; Thu, 21 Feb 2008 23:44:15 -0800 (PST)
Received: by 10.82.181.7 with SMTP id d7mr20582205buf.4.1203666254308; Thu, 21 Feb 2008 23:44:14 -0800 (PST)
Return-Path: <taxrefund@online.irs.gov>
Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.172]) by mx.google.com with ESMTP id z40si1631581ikz.4.2008.02.21.23.44.13; Thu, 21 Feb 2008 23:44:14 -0800 (PST)
Received-SPF: neutral (google.com: 66.249.92.172 is neither permitted nor denied by domain of taxrefund@online.irs.gov) client-ip=66.249.92.172;
Authentication-Results: mx.google.com; spf=neutral (google.com: 66.249.92.172 is neither permitted nor denied by domain of taxrefund@online.irs.gov) smtp.mail=taxrefund@online.irs.gov
Received: by ug-out-1314.google.com with SMTP id e2so1204598ugf.21 for <myemailaddress@gmail.com>; Thu, 21 Feb 2008 23:44:13 -0800 (PST)
Received: by 10.67.115.10 with SMTP id s10mr1971303ugm.89.1203666253276; Thu, 21 Feb 2008 23:44:13 -0800 (PST)
Received: by 10.67.115.10 with SMTP id s10mr1971299ugm.89.1203666253174; Thu, 21 Feb 2008 23:44:13 -0800 (PST)
Return-Path: <taxrefund@online.irs.gov>
Received: from mailkbh.delud.dk ([194.182.91.20]) by mx.google.com with ESMTP id 32si287442ugd.37.2008.02.21.23.44.12; Thu, 21 Feb 2008 23:44:13 -0800 (PST)
Received-SPF: neutral (google.com: 194.182.91.20 is neither permitted nor denied by best guess record for domain of taxrefund@online.irs.gov) client-ip=194.182.91.20;
Authentication-Results: mx.google.com; spf=neutral (google.com: 194.182.91.20 is neither permitted nor denied by best guess record for domain of taxrefund@online.irs.gov) smtp.mail=taxrefund@online.irs.gov
Received: from mailaarh.delud.dk ([195.192.86.117]) by mailkbh.delud.dk with Microsoft SMTPSVC(6.0.3790.3959); Fri, 22 Feb 2008 08:44:07 +0100
X-Spam-Status: NO, hits=0 required=5
X-Spam-Flag: NO
Received: from User ([71.132.110.97]) by mailaarh.delud.dk with Microsoft SMTPSVC(6.0.3790.3959); Fri, 22 Feb 2008 08:44:05 +0100
Keywords: disclaimer
Reply-To: <taxrefund@online.irs.gov>
This ran past GMail’s much-vaunted spam filters, even though Return-Path was obviously forged. So much for SPF.
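A short triage of those headers, added here as an illustration and not part of the original post: it rebuilds the relay path from the Received lines (an excerpt of the ones quoted above) and lists why the irs.gov envelope sender cannot be trusted. The function name `triage`, the two-label organizational-domain shortcut and the wording of the flags are assumptions of this example.

```python
import re
from email import message_from_string

# Excerpt of the headers quoted in this post, one header per line (newest hop first).
RAW = """\
Return-Path: <taxrefund@online.irs.gov>
Received: from mailkbh.delud.dk ([194.182.91.20]) by mx.google.com with ESMTP id 32si287442ugd.37.2008.02.21.23.44.12; Thu, 21 Feb 2008 23:44:13 -0800 (PST)
Received-SPF: neutral (google.com: 194.182.91.20 is neither permitted nor denied by best guess record for domain of taxrefund@online.irs.gov) client-ip=194.182.91.20;
Received: from mailaarh.delud.dk ([195.192.86.117]) by mailkbh.delud.dk with Microsoft SMTPSVC(6.0.3790.3959); Fri, 22 Feb 2008 08:44:07 +0100
Received: from User ([71.132.110.97]) by mailaarh.delud.dk with Microsoft SMTPSVC(6.0.3790.3959); Fri, 22 Feb 2008 08:44:05 +0100
Reply-To: <taxrefund@online.irs.gov>

"""

# Matches the "from NAME ([IP]) by HOST" form used by every hop in this message.
HOP = re.compile(r"from\s+(\S+)\s+\(.*?\[([\d.]+)\]\)\s+by\s+(\S+)")

def triage(raw):
    """Rebuild the relay path and list reasons the envelope sender is not trustworthy."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):  # oldest hop first
        m = HOP.search(value)
        if m:
            hops.append({"helo": m.group(1), "ip": m.group(2), "by": m.group(3)})
    sender = msg["Return-Path"].strip().strip("<>")
    # Assumption: the last two labels approximate the organizational domain.
    org = ".".join(sender.rsplit("@", 1)[1].lower().split(".")[-2:])
    spf = (msg.get("Received-SPF") or "none").split()[0].lower()
    findings = []
    if spf != "pass":
        findings.append(f"SPF is '{spf}': nothing authenticates {sender}")
    # Every relay except the recipient's own MX (the last hop) should belong to the sender.
    foreign = [h["by"] for h in hops[:-1] if not h["by"].lower().endswith("." + org)]
    if foreign:
        findings.append(f"relayed by hosts outside {org}: {', '.join(foreign)}")
    if hops and "." not in hops[0]["helo"]:
        findings.append(f"first hop announced itself as '{hops[0]['helo']}', not a hostname")
    return {"hops": hops, "origin_ip": hops[0]["ip"] if hops else None,
            "spf": spf, "findings": findings}

if __name__ == "__main__":
    report = triage(RAW)
    for hop in report["hops"]:
        print(f"{hop['helo']} [{hop['ip']}] -> {hop['by']}")
    for finding in report["findings"]:
        print("FLAG:", finding)
```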
Here’s what’s funnier — at the bottom of the message is this boilerplate:
This message has been scanned by F-Secure Anti-Virus for Microsoft Exchange.
For more information, connect to http://www.f-secure.com/
Right. I’m proud that I used to work with a better anti-virus company.
