Coredump

And what do you know? I recently received a refund from the IRS. Wow!

After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $480.23. Please submit the tax refund request and allow us 3-6 days in order to process it.

A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline.

To access the form for your tax refund, please click here.

Note: For security reasons, we will record your ip-address, the date and time. Deliberate wrong inputs are criminally pursued and indicated.

Regards,
Internal Revenue Service

Copyright 2008, Internal Revenue Service U.S.A. All rights reserved.

Err… Thanks, but I’m not even a US citizen. Unless our BIR offers refunds in dollars now?

The link points to an IP address registered in Latin America. It gets better: whois info shows the following:

OrgName:    Latin American and Caribbean IP address Regional Registry
OrgID:      LACNIC
Address:    Rambla Republica de Mexico 6125
City:       Montevideo
StateProv:
PostalCode: 11400
Country:    UY

Mexico is in Uruguay now?

The headers are also very interesting:

Received: by 10.114.150.9 with SMTP id x9cs106067wad;
        Thu, 21 Feb 2008 23:44:15 -0800 (PST)
Received: by 10.82.181.7 with SMTP id d7mr20582205buf.4.1203666254308;
        Thu, 21 Feb 2008 23:44:14 -0800 (PST)
Return-Path: <taxrefund@online.irs.gov>
Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.172])
        by mx.google.com with ESMTP id z40si1631581ikz.4.2008.02.21.23.44.13;
        Thu, 21 Feb 2008 23:44:14 -0800 (PST)
Received-SPF: neutral (google.com: 66.249.92.172 is neither permitted nor denied by domain of taxrefund@online.irs.gov) client-ip=66.249.92.172;
Authentication-Results: mx.google.com; spf=neutral (google.com: 66.249.92.172 is neither permitted nor denied by domain of taxrefund@online.irs.gov) smtp.mail=taxrefund@online.irs.gov
Received: by ug-out-1314.google.com with SMTP id e2so1204598ugf.21
        for <myemailaddress@gmail.com>; Thu, 21 Feb 2008 23:44:13 -0800 (PST)
Received: by 10.67.115.10 with SMTP id s10mr1971303ugm.89.1203666253276;
        Thu, 21 Feb 2008 23:44:13 -0800 (PST)
Received: by 10.67.115.10 with SMTP id s10mr1971299ugm.89.1203666253174;
        Thu, 21 Feb 2008 23:44:13 -0800 (PST)
Return-Path: <taxrefund@online.irs.gov>
Received: from mailkbh.delud.dk ([194.182.91.20])
        by mx.google.com with ESMTP id 32si287442ugd.37.2008.02.21.23.44.12;
        Thu, 21 Feb 2008 23:44:13 -0800 (PST)
Received-SPF: neutral (google.com: 194.182.91.20 is neither permitted nor denied by best guess record for domain of taxrefund@online.irs.gov) client-ip=194.182.91.20;
Authentication-Results: mx.google.com; spf=neutral (google.com: 194.182.91.20 is neither permitted nor denied by best guess record for domain of taxrefund@online.irs.gov) smtp.mail=taxrefund@online.irs.gov
Received: from mailaarh.delud.dk ([195.192.86.117]) by mailkbh.delud.dk with Microsoft SMTPSVC(6.0.3790.3959);
	 Fri, 22 Feb 2008 08:44:07 +0100
X-Spam-Status: NO, hits=0 required=5
X-Spam-Flag: NO
Received: from User ([71.132.110.97]) by mailaarh.delud.dk with Microsoft SMTPSVC(6.0.3790.3959); Fri, 22 Feb 2008 08:44:05 +0100
Keywords: disclaimer
Reply-To: <taxrefund@online.irs.gov>

This ran past GMail’s much-daunted spam filters, even when Return-Path was obviously forged. So much for SPF.

Here’s what’s funnier — at the bottom of the message is this boilerplate:

This message has been scanned by F-Secure Anti-Virus for Microsoft Exchange.
For more information, connect to http://www.f-secure.com/

Right. I’m proud that I used to work with a better anti-virus company.