This alert does not only apply to Australians – this scam is probably sent to people in many countries shortly after the close of their particular nation’s tax-year.
Dear Applicant:
After the last annual calculation of our fiscal activity we have determined that your tax refund was miscalculated.
Please provide us with payment details for your tax refund.
Tax refund pending: $ 1400 AUD
Please apply online to get it.
Atention this ChargeBack is available only if you apply online.
Please submit the tax refund and allow us 3-9 business days in order to process it.
For those who are into details, here are the headers of the email (with my own details xxx-ed out; in the abuse report I’m sending to the abuse@ address and CC’ing to DreamHost they will be left intact):
Received: by 10.231.168.130 with SMTP id u2cs323527iby;
Tue, 6 Jul 2010 14:47:08 -0700 (PDT)
Received: by 10.142.178.2 with SMTP id a2mr194372wff.37.1278452827770;
Tue, 06 Jul 2010 14:47:07 -0700 (PDT)
Return-Path:
Received: from homiemail-mx12.g.dreamhost.com (caiajhbdcbbj.dreamhost.com [208.97.132.119])
by mx.xxxxxxxx.com with ESMTP id z1si12081959wfd.86.2010.07.06.14.47.07;
Tue, 06 Jul 2010 14:47:07 -0700 (PDT)
Received-SPF: neutral (xxxxxxxx.com: 208.97.132.119 is neither permitted nor denied by best guess record for domain of thewater@host.genevange.com) client-ip=208.97.132.119;
Authentication-Results: mx.xxxxxxxx.com; spf=neutral (xxxxxxxx.com: 208.97.132.119 is neither permitted nor denied by best guess record for domain of thewater@host.genevange.com) smtp.mail=thewater@host.genevange.com
Received: from host.genevange.com (host.genevange.com [72.52.215.182])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested)
by homiemail-mx12.g.dreamhost.com (Postfix) with ESMTPS id 45EE3278305
for ; Tue, 6 Jul 2010 14:47:07 -0700 (PDT)
Received: from thewater by host.genevange.com with local (Exim 4.69)
(envelope-from )
id 1OWFyo-0001xP-Lw
for xxxxxxxx@xxxxxxxx.xxxxxxxx.au; Tue, 06 Jul 2010 17:47:02 -0400
To: xxxxxxxx@xxxxxxxx.xxxxxxxx.au
Subject: Your tax refund is here. Very important!
From: support@ato.guv.au
Reply-To: support@ato.guv.au
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id:
Date: Tue, 06 Jul 2010 17:47:02 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname – host.genevange.com
X-AntiAbuse: Original Domain – xxxxxxxx.xxxxxxxx.au
X-AntiAbuse: Originator/Caller UID/GID – [32052 32054] / [47 12]
X-AntiAbuse: Sender Address Domain – host.genevange.com
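One way to read these headers mechanically, as an added Python example that is not part of the original post: it walks the Received chain from the top to find the first host outside the recipient's own mail path, and compares the visible From domain with the envelope sender. `RAW` is a trimmed, re-folded copy of the headers above; the function names and the `.dreamhost.com` trusted-relay suffix are assumptions of this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Trimmed, re-folded copy of the headers quoted above (ids and dates shortened).
RAW = """\
Received: from homiemail-mx12.g.dreamhost.com (caiajhbdcbbj.dreamhost.com [208.97.132.119])
\tby mx.xxxxxxxx.com with ESMTP; Tue, 06 Jul 2010 14:47:07 -0700 (PDT)
Authentication-Results: mx.xxxxxxxx.com; spf=neutral smtp.mail=thewater@host.genevange.com
Received: from host.genevange.com (host.genevange.com [72.52.215.182])
\t(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
\tby homiemail-mx12.g.dreamhost.com (Postfix) with ESMTPS id 45EE3278305
Received: from thewater by host.genevange.com with local (Exim 4.69)
From: support@ato.guv.au
"""

# "from HELO (rDNS [IP]) ... by RECEIVER"; local submissions carry no IP and are skipped.
HOP = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9a-fA-F.:]+)\]\).*?\bby\s+(\S+)")

def relay_hops(msg):
    """Return (helo, rdns, ip, by) for each network hop, newest first."""
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append(m.groups())
    return hops

def handoff_ip(msg, trusted_suffixes):
    """IP of the first connecting host that is not one of our trusted relays."""
    for _helo, rdns, ip, _by in relay_hops(msg):
        if not rdns.lower().endswith(tuple(trusted_suffixes)):
            return ip
    return None

def sender_mismatch(msg):
    """Compare the From domain with the envelope sender in Authentication-Results."""
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    ar = " ".join(msg.get("Authentication-Results", "").split())
    env = re.search(r"smtp\.mail=\S+@([\w.-]+)", ar)
    spf = re.search(r"\bspf=(\w+)", ar)
    env_dom = env.group(1).lower() if env else None
    return {"from": from_dom, "envelope": env_dom,
            "spf": spf.group(1) if spf else None,
            "mismatch": env_dom is not None and env_dom != from_dom}

if __name__ == "__main__":
    m = message_from_string(RAW)
    print(handoff_ip(m, (".dreamhost.com",)), sender_mismatch(m))
```

Only the Received lines written by relays you trust are reliable; anything below the handoff hop was supplied by the sending side, so the abuse report goes to the contact for the handoff IP.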
For some reason, I get South African ones (I live in Belgium). It could be because of a Zimbabwean mailing list I’m signed up to, but then I’m signed up to lists from Australia and the US as well, so … I don’t know.
I love that ‘guv’ though – hilarious!
well, where is it? 🙂
or did you forward it to abuse@ … if you did, that’s great, that’s where it should get sent!
Unfortunately, it looks as though it’s not being sent from our network, so there’s nothing we can really do about it. Your best bet is actually to send it to abuse@sourcedns.com, the abuse contact for the IP which connected to us to send the email: 72.52.215.182
Hi, Jeremy K – I did send the report to abuse@ with a CC to DreamHost – if you didn’t get the CC then I may need to resend to abuse@ as well. I certainly didn’t mean to imply that DH was itself doing anything nefarious, merely that you needed a heads-up. I will modify the post to clarify this.
I’m getting a tax refund, guv!