Tuesday, May 09, 2006

Fresh Phish today.

Hi all,

I love Fresh Phish in the morning!

Here are the headers and body of another phish email today. These people give me cramps.

I sent it to spoof@ebay.com and pasted the URL into phishfighting.com. Go Go Go!

Authentication-Results: mta163.mail.mud.yahoo.com from=ebay.com; domainkeys=neutral (no sig)
Received: from (EHLO web1.octelecom.net) ( by mta163.mail.mud.yahoo.com with SMTP; Tue, 09 May 2006 02:05:11 -0700
Received: from web1.octelecom.net (localhost.localdomain []) by web1.octelecom.net (8.13.1/8.13.1) with ESMTP id k499EL4f022387 for ; Tue, 9 May 2006 03:14:21 -0600
Received: (from test@localhost) by web1.octelecom.net (8.13.1/8.13.1/Submit) id k499ELag022384 for mrlinuxhead@yahoo.com; Tue, 9 May 2006 03:14:21 -0600
Date: Tue, 9 May 2006 03:14:21 -0600
To: mrlinuxhead@yahoo.com
Subject: eBay Member wandasales
Message-ID: <1147166061.70001.qmail@paypal>
From: aw-confirm@ebay.com
Content-Type: text/html
Content-Length: 3699

 Question from wandasales
Item: (6876616738)
This message was sent while the listing was active.
wandasales is a potential buyer.
Hello, What would the shipping cost be to West Virginia zip code 25511?

Email server is at :

Here is a port scan.

Just a RH Linux box with too many ports open. Gee I wonder if the owner knows they are sending this crap out? Let's see.

Using DNSStuff.com I see the box is at:

IP address:
Reverse DNS: web1.octelecom.net.
Reverse DNS authenticity: [Verified]
ASN: 29933
IP range connectivity: 1
Registrar (per ASN): ARIN
Country (per IP registrar): US [United States]
Country Currency: USD [United States Dollars]
Country IP Range: to
Country fraud profile: Normal
City (per outside source): Provo, Utah

It looks like a campus ISP that is in Provo Utah.

No email address for them but a phone number - call us at 379-3000
(toll-free 1-800-370-1106)
We're located in Provo at 379 North University Avenue, Suite 301.

Well let's call them up and tell them they have a bad person using their RH server.

WHOIS info is blocked but I can probably find the email address.

On to the web site stealing people's passwords and user id's.

Real URL of the scam is at:

Going back to DNSStuff.com I learn that:

IP address:           
Reverse DNS: r59-128-dsl.sea.lightrealm.net.
Reverse DNS authenticity: [Could be forged: hostname r59-128-dsl.sea.lightrealm.net. does not exist]
ASN: 11305
IP range connectivity: 1
Registrar (per ASN): ARIN
Country (per IP registrar): US [United States]
Country Currency: USD [United States Dollars]
Country IP Range: to
Country fraud profile: Normal
City (per outside source): Kirkland, Washington

Gotcha sucker, you are in the USA. Busted. Phish fry today!

Looks like Lightrealm is getting upstream pipe from Interland.

Interland, Inc. LR-BLK4 (NET-216-122-0-0-1) -
Lightrealm, Inc. LR-ISP-GTEDHCP4-DSL (NET-216-122-128-0-1) -

A Google for Lightrealm points to http://www.lightrealm.net/

It's a web hosting company. No surprise there.

"Get your own web site, share your special day!" is on the home page.

One that looks like eBay login page? Maybe that's not what they had in mind.

Interland is a mass reseller of web hosts and a co-location facility.

I used to work for a company that was bought by them, Hostcentric.

Here is a port scan of the host:

The web server is running Apache on FreeBSD, got sendmail running as well.

Email server is running as bearcomp.net. Hmm. Who are they?

Asking b.ns.interland.net. for PTR record: 
Reports r59-128-dsl.sea.lightrealm.net. [from]

Answer: PTR record: r59-128-dsl.sea.lightrealm.net. [TTL 1800s] [A=None]
*ERROR* There is no A record (may be cached).
That's our boy! I next find out who runs bearcomp.net with our trusty WHOIS lookup.

41064 Riverock Lane
Palmdale, CA 93551-1834
Administrative Contact :
Hess, John
41064 Riverock Lane
Palmdale, CA 93551-1834
Phone: 800-725-8910
Fax: (661) 722-9010
Record expires on 26-Aug-2006
Record created on 19-May-2004
Database last updated on 13-Jun-2005

OK game over. Let's call the cops in Palmdale and have them let Mr. Hess know his server is behaving badly.

New blog "Mr. Phish Finder" tracks down scumbags

I started another blog to track down and expose scambags who send phony email as eBay or Paypal seeking to snarf people's user names and passwords with look-alike web sites.

I had to call it something so it's known as Mr. Phish Finder

I will try to comment on Linux stuff here and whatever else I can think of.

Ok carry on.

Monday, April 24, 2006

Another eBay scam artist emailed me tonight.

Another eBay scam artist emailed me tonight. This one was just a little different.

I guess now I have an "Unpaid Item Dispute" Points to as the mail server.

Here are the full email headers and all..

X-Apparently-To: mrlinuxhead@yahoo.com via; Mon, 24 Apr 2006 15:56:29 -0700
X-Originating-IP: []
Authentication-Results: mta244.mail.re2.yahoo.com from=ebay.com; domainkeys=neutral (no sig)
Received: from (EHLO admin.blackstump.com.au) ( by mta244.mail.re2.yahoo.com with SMTP; Mon, 24 Apr 2006 15:56:29 -0700
Received: (qmail 15991 invoked by uid 10018); 24 Apr 2006 15:35:41 -0700
Date: 24 Apr 2006 15:35:41 -0700
Message-ID: <20060424223541.15990.qmail@admin.blackstump.com.au>
To: mrlinuxhead@yahoo.com
Subject: eBay Unpaid Item Dispute #4858411651 -- response required
From: aw-confirm@ebay.com

eBay Unpaid Item Dispute #4858411651 -- response required

Dear member,
eBay member moviemars-uk has indicated that they already paid for item #4858411651
Review the submitted details regarding the payment.

eBay International AG
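
The header checks done by eye in this post, as an added Python example (not part of the original post): it compares the From domain with the relay's EHLO name, the Message-ID domain and the DomainKeys result. The relay IP is missing from the page, so 192.0.2.10 is a constructed placeholder, and `triage` and `same_org` are names chosen for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers of the 24 April message as shown above. The relay IP is missing from
# the page, so 192.0.2.10 (documentation range) is a constructed placeholder.
SAMPLE = """\
Authentication-Results: mta244.mail.re2.yahoo.com from=ebay.com; domainkeys=neutral (no sig)
Received: from 192.0.2.10 (EHLO admin.blackstump.com.au) (192.0.2.10) by mta244.mail.re2.yahoo.com with SMTP; Mon, 24 Apr 2006 15:56:29 -0700
Received: (qmail 15991 invoked by uid 10018); 24 Apr 2006 15:35:41 -0700
Date: 24 Apr 2006 15:35:41 -0700
Message-ID: <20060424223541.15990.qmail@admin.blackstump.com.au>
To: mrlinuxhead@yahoo.com
Subject: eBay Unpaid Item Dispute #4858411651 -- response required
From: aw-confirm@ebay.com

(body omitted)
"""


def same_org(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def _first(pattern, text):
    """First capture group of pattern in text, lower-cased, or None."""
    m = re.search(pattern, text or "")
    return m.group(1).lower() if m else None


def triage(raw):
    """Compare the claimed sender with what the receiving MTA recorded."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # The topmost Received header is written by the receiving provider: the
    # EHLO name is what the connecting host claimed to be, and lower headers
    # were supplied by the sending side, so they carry less weight.
    received = msg.get_all("Received") or [""]
    helo = _first(r"\((?:EHLO|HELO)\s+([^\s)]+)\)", received[0])
    msgid_domain = _first(r"@([^>\s]+)>", msg.get("Message-ID"))
    domainkeys = _first(r"domainkeys=(\w+)", msg.get("Authentication-Results"))

    findings = []
    if helo and not same_org(helo, from_domain):
        findings.append("relay-helo-mismatch")
    if msgid_domain and not same_org(msgid_domain, from_domain):
        findings.append("message-id-mismatch")
    if domainkeys != "pass":
        findings.append("no-domainkeys-pass")
    # Mismatches are signals, not proof: legitimate senders also use
    # third-party relays. Several at once on an "eBay" notice is a strong hint.
    return {"from_domain": from_domain, "relay_helo": helo,
            "message_id_domain": msgid_domain, "domainkeys": domainkeys,
            "findings": findings}


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```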

Bogus eBay link points to:

Of course I email spoof@ebay.com and paste the bogus link into phishfighting.com.

Using DNSStuff let's see who we are dealing with....

The IP address of the email relay is:

And they are .... in San Diego, California. Busted.
This is just the email server that delivered the scam email.

IP address:
Reverse DNS: admin.blackstump.com.au.
Reverse DNS authenticity: [Verified]
ASN: 6130
IP range connectivity: 0
Registrar (per ASN): ARIN
Country (per IP registrar): US [United States]
Country Currency: USD [United States Dollars]
Country IP Range: to
Country fraud profile: Normal
City (per outside source): San Diego, California
Private (internal) IP? No

Sneaky little bastards blocked the WHOIS lookup, but I got the DNS servers..

blackstump.com.au. A IN 3600
blackstump.com.au. NS IN 3600 ns2.webintellects.com.
blackstump.com.au. NS IN 3600 ns1.webintellects.com.
ns2.webintellects.com. A IN 3600
ns1.webintellects.com. A IN 3600

Now let's see who is hosting the bogus web site. . .

ns1.zerotrance.net. A IN 172800
zerotrance.net. NS IN 172800 ns1.zerotrance.net.
zerotrance.net. NS IN 172800 ns2.zerotrance.net.
ns1.zerotrance.net. A IN 172800
ns2.zerotrance.net. A IN 172800

Catchy name, eh? is the IP of ns1.zerotrance.net

That is located in. . The U.K.

IP address:
Reverse DNS: ns1.zerotrance.net.
Reverse DNS authenticity: [Verified]
ASN: 29550
ASN Name: EUROCONNEX-AS (Euroconnex Networks LLP)
IP range connectivity: 5
Registrar (per ASN): RIPE
Country (per IP registrar): GB [United Kingdom]
Country Currency: GBP [United Kingdom Pounds]
Country IP Range: to
Country fraud profile: Normal
City (per outside source): Unknown
Private (internal) IP? No

The ISP phone numbers are here:

inetnum: -
netname: UK-POUNDHOST-20050429
descr: PoundHost Internet Services
country: GB
admin-c: MM5420-RIPE
admin-c: KW725-RIPE
tech-c: MM5420-RIPE
remarks: PH-Network (Europe)
mnt-lower: POUNDHOST
mnt-routes: POUNDHOST
mnt-routes: AS5413-MNT
notify: Matthew@Poundhost.com
changed: hostmaster@ripe.net 20050429
source: RIPE

organisation: ORG-PIS3-RIPE
org-name: PoundHost Internet Services
org-type: LIR
address: PoundHost Internet Services,
Ginchy House,
Marsh Lane,
phone: +44 (0) 870 744 1700
fax-no: +44 1628 639977
e-mail: Info@poundhost.com
admin-c: MM5420-RIPE
admin-c: LP1106-RIPE
mnt-ref: POUNDHOST
mnt-ref: RIPE-NCC-HM-MNT
source: RIPE

person: Matthew Munson
address: Euroconnex Networks LLP,
Marsh Lane,
Maidenhead, UK
phone: +44 870 744 1700
e-mail: matthew@euroconnex.net
nic-hdl: MM5420-RIPE
remarks: ******************************************************
remarks: Please contact abuse@euroconnex.net for any abuse issues
remarks: E-mail sent to other addresses may not be acted upon.
remarks: ******************************************************
changed: matthew@poundhost.com 20050721
source: RIPE

person: Katalin Weigand
address: PoundHost Internet Services,
Marsh Lane,
Maidenhead, UK
phone: +44 870 744 1700
e-mail: Katalin@poundhost.com
nic-hdl: KW725-RIPE
remarks: ******************************************************
remarks: Please contact abuse@PoundHost.com for all abuse issues
remarks: ******************************************************
changed: matthew@poundhost.com 20030827
changed: matthew@poundhost.com 20031009
changed: Katalin@poundhost.com 20031010
source: RIPE

% Information related to ''

descr: PH-Network Europe, operated by Euroconnex Networks LLP
origin: AS29550
remarks: *********************************************
remarks: For Peering and more info: www.euroconnex.net
remarks: *********************************************
changed: Matthew@PoundHost.com 20050601
source: RIPE

email addresses are:

Now, let's see who owns the domain zerotrance.net, shall we..

WHOIS info is blocked by these clowns:
Whois Privacy Protection Service, Inc.

Domain name: zerotrance.net

Registrant Contact:
Whois Privacy Protection Service, Inc.
Whois Agent (sxdysbyxvq@whoisprivacyprotect.com)
Fax: +1.4256960234
PMB 368, 14150 NE 20th St - F1
C/O zerotrance.net
Bellevue, WA 98007

Administrative Contact:
Whois Privacy Protection Service, Inc.
Whois Agent (sxdysbyxvq@whoisprivacyprotect.com)
Fax: +1.4256960234
PMB 368, 14150 NE 20th St - F1
C/O zerotrance.net
Bellevue, WA 98007

Technical Contact:
Whois Privacy Protection Service, Inc.
Whois Agent (sxdysbyxvq@whoisprivacyprotect.com)
Fax: +1.4256960234
PMB 368, 14150 NE 20th St - F1
C/O zerotrance.net
Bellevue, WA 98007

Status: Locked

Name Servers:

Creation date: 10 Nov 2005 05:18:38
Expiration date: 10 Nov 2007 05:18:38

I emailed the admin at the UK ISP to shut down these clowns.


Sunday, April 23, 2006

Another ebay scammer

Another ebay scammer at this address:


Pasted it into Phishfighting.com and emailed ebay and the ISP in Finland.


resolves to

WHOIS info on

IP address:
Reverse DNS: [No reverse DNS entry per ns1.auria.fi.]
Reverse DNS authenticity: [Unknown]
ASN: 16044
ASN Name: AURIA (Auria Oy)
IP range connectivity: 1
Registrar (per ASN): RIPE
Country (per IP registrar): FI [Finland]
Country Currency: EUR [euros]
Country IP Range: to
Country fraud profile: Normal
City (per outside source): Unknown
Private (internal) IP? No

inetnum: -
netname: AURIA-NET
descr: AURIA Turun Puhelin Oy
descr: Game server pool
descr: DATA-4
descr: 20810, Turku
country: FI
admin-c: KPM-RIPE
tech-c: HOST7-RIPE
remarks: ---------------------------------------------------------
remarks: Please send abuse and spam notifications to abuse@auria.fi
remarks: ---------------------------------------------------------
remarks: INFRA-AW
notify: hostmaster@auria.fi
changed: kari.solja@auria.fi 20040802
source: RIPE

role: Auria Hostmaster
address: Auria Oy
address: RIPE management
address: PL 231
address: 20101 Turku
phone: +358 2 262121
fax-no: +358 2 261975
e-mail: hostmaster@auria.fi
remarks: trouble: Please send abuse and spam notifications to abuse@auria.fi
remarks: trouble: General information: http://www.auria.fi/
admin-c: KS1112-RIPE
tech-c: MH14627-RIPE
tech-c: RM7972-RIPE
tech-c: KK2824-RIPE
tech-c: JO2466-RIPE
tech-c: KS1112-RIPE
nic-hdl: HOST7-RIPE
notify: hostmaster@auria.fi
changed: rolf.moller@auria.fi 20041123
source: RIPE
abuse-mailbox: abuse@auria.fi

person: Kimmo Murto
address: Turku Telephone Company
address: Linnankatu 4, FIN-20100 Turku
address: Finland
phone: +358 2 262 1584
fax-no: +358 2 250 0417
e-mail: Kimmo.Murto@turunpuhelin.fi
nic-hdl: KPM-RIPE
changed: hostmaster@kolumbus.fi 19981221
source: RIPE

% Information related to ''

descr: Turun Puhelin Oy
origin: AS16044
notify: hostmaster@auria.fi
changed: marko.hakkarainen@auria.fi 20021014
source: RIPE

Wednesday, April 19, 2006

Caught a new Polish "Phisherman" tonight

Another email from another eBay customer.
Sure. I trust you. Let's fry this clown..

Here is the text of the scam email :

 Question from mmjd1996
Item: (4629414062)
This message was sent while the listing was active.
mmjd1996 is a potential buyer.
Hi, how much would be shipping to Germany? Thanks

Using DNSStuff.com I find out our scammer's IP address.

eBay.com URL points to:

1393442438 is decimal for

Seems to be a box on some DSL line in Poland..

IP address:
Reverse DNS: dyk134.internetdsl.tpnet.pl.
Reverse DNS authenticity: [Verified]
ASN: 5617
ASN Name: TPNET (Polish Telecom's commercial IP network)
IP range connectivity: 2
Registrar (per ASN): RIPE
Country (per IP registrar): PL [Poland]
Country Currency: PLN [Poland Zlotych]
Country IP Range: to
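
A link scanner for the trick noted above, where the URL host is written as one decimal number (1393442438) instead of a dotted IP. This is an added Python example, not part of the original post, and it goes beyond the decimal case to cover the hex and octal spellings that legacy address parsers also accept; the function names and the sample link are constructed for illustration.

```python
import re
from urllib.parse import urlsplit


def _parse_part(part):
    """One host component as hex (0x..), octal (leading 0) or decimal."""
    if re.fullmatch(r"0x[0-9a-f]+", part, re.I):
        return int(part, 16)
    if re.fullmatch(r"0[0-7]+", part):
        return int(part, 8)
    if re.fullmatch(r"0|[1-9][0-9]*", part):
        return int(part)
    return None


def decode_numeric_host(host):
    """Dotted quad that an inet_aton-style parser would connect to, else None."""
    parts = host.rstrip(".").split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = [_parse_part(p) for p in parts]
    if any(n is None for n in nums):
        return None
    *head, last = nums
    # Leading parts are one byte each; the last part fills the remaining bytes.
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def obfuscated_ip_links(text):
    """(url, dotted_quad) for every link whose host is an IP in disguise."""
    hits = []
    for url in URL_RE.findall(text):
        try:
            host = urlsplit(url).hostname or ""
        except ValueError:
            continue  # malformed URL, nothing to decode
        ip = decode_numeric_host(host)
        # A plain dotted quad decodes to itself; only flag the disguised forms.
        if ip is not None and ip != host:
            hits.append((url, ip))
    return hits


# Constructed sample: the visible text says eBay, the href uses the decimal
# host from the post. The path is a placeholder, not the scammer's real URL.
SAMPLE_BODY = '<a href="http://1393442438/placeholder">http://cgi.ebay.com/</a>'

if __name__ == "__main__":
    for url, ip in obfuscated_ip_links(SAMPLE_BODY):
        print(f"{url} -> {ip}")
```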

The ISP is Poland Telecom. Here are the ISP contact numbers and email addresses.

role: TP S.A. Hostmaster
address: TP S.A. "POLPAK"
address: ul. Nowogrodzka 47A
address: 00-695 Warszawa
address: Poland
phone: +48 22 6252383
fax-no: +48 22 6225182
remarks: trouble: Network problems: hostmaster@tpnet.pl
remarks: trouble: Abuse and spam notification: abuse@tpnet.pl
remarks: trouble: DNS problems: dns@tpnet.pl
remarks: trouble: Routing problems: registry@tpnet.pl
admin-c: TK569-RIPE
tech-c: TK569-RIPE
tech-c: JS1838-RIPE
nic-hdl: TPHT
remarks: ! - ! - ! - ! - ! - ! - ! - ! - ! - ! - !
remarks: Please send spam and abuse notification only to abuse@tpnet.pl
remarks: ! - ! - ! - ! - ! - ! - ! - ! - ! - ! - !
mnt-by: TPNET
e-mail: hostmaster@tpnet.pl
abuse-mailbox: abuse@tpnet.pl
changed: hostmaster@tpnet.pl 20030122
changed: hostmaster@tpnet.pl 20030904
changed: hostmaster@tpnet.pl 20060306
source: RIPE

Port scan shows nothing but FTP and SSH. No UDP ports open.

So I shoot a quick email to the boys at Polish Telecom (abuse@tpnet.pl).

I also paste the bogus URL into PhishFighting.com.
(That feeds our "Phisherman" with hundreds of bogus usernames and passwords.)

That should keep him busy for a few days.

Just another day ho hum.

The NSA domestic spying program is wrong!

The Bush administration seems to be shredding the fourth amendment as fast as they can, with little or no regard for the Bill of Rights, the Constitution, or any checks and balances imposed by laws or Congress.

Looking at the news lately, I have been outraged, but not shocked at what we have discovered in the last few weeks from the papers the EFF has filed in court to block AT&T from wholesale eavesdropping on ALL internet and phone traffic across the country and around the world.

The thing that got my attention was the equipment being used. It is a pretty high-end gizmo called the Narus STA 6400, which is a semantic traffic analyzer. The Narus STA technology is used by intelligence agencies because it is able to analyze large amounts of data. Like 10 Gigabytes of data per second, tapping into the OC-192 fiber that makes up the backbone of all IP communications worldwide! Here is a little bit about this wonderful device from Narus...

NarusInsight Intercept Suite - Packet-level, flow-level, and application-level usage information is captured and analyzed as well as raw user session packets for forensic analysis, surveillance or in satisfying regulatory compliance for lawful intercept. The capabilities include playback of streaming media (i.e. VoIP), rendering of Web pages, examination of e-mail and the ability to analyze the payload/attachments of e-mail or file transfer protocols. (source: Narus.com)

The NarusInsight Discover Suite (NDS) captures and classifies traffic and data on monitored links in real time at true carrier speeds (up to 10G/OC-192). Detailed layer 3 to layer 7 data are collected and correlated across every link and element on the network.
NDS empowers users to manage IP traffic and applications including VoIP, Skype, P2P (e.g., BitTorrent, e-Donkey/e-Mule, FastTrack/Kazaa, Gnutella, etc.), messaging (AOL IM/ICQ, Yahoo IM, MSN Messenger, Jabber, IRC, MMS), streaming media (RTP, RTCP, RTSP), e-mail (SMTP,POP3,IMAP), Web browsing and push to talk (PTT). (source: Narus)

If it was only being used to spy on "terrorists", and if proper procedures were followed, nobody would bat an eye. Support would be universal, as long as the laws were followed and a court warrant was obtained in the 72 hour timeframe. FISA was put in place to limit the power the federal government had on wire-tapping private citizens after the Nixon administration took massive amounts of wire-tapped phone calls and used it for political purposes.

Knowing a little about the program, it seems my darkest fears are true. I suspected that they were doing exactly what they claim to not be doing, wholesale interception of ALL Internet traffic and phone calls, using packet analyzers to sift thru an ocean of data, looking for a few key words or any suspicious activity.

This means any phone call, any email, any Instant Messaging, any P2P programs, and all of your web surfing has been intercepted and analyzed by the NSA and the Bush administration.

If that makes you feel all warm and fuzzy, like he is just trying to "protect" us from the evil-doers, think about this.

This is the guy who exposed a CIA undercover agent for political purposes, to refute the claims her husband was making regarding the facts leading us into war in Iraq. If you think he would do an end-run around Congress and the FISA courts to "protect" us, and not use anything he learns for political purposes, you are badly mistaken. They would use anything they learn to the fullest advantage, to expose some political enemy's dirty secrets, or to extort favors from a business, and Congress is just now finding out about it.

We will see in the next election how much outrage is in the country over this.


--Mark Klein, April 6, 2006

My Background:

For 22 and 1/2 years I worked as an AT&T technician, first in New York and then in California.

What I Observed First-Hand:

In 2002, when I was working in an AT&T office in San Francisco, the site manager told me to expect a visit from a National Security Agency agent, who was to interview a management-level technician for a special job. The agent came, and by chance I met him and directed him to the appropriate people.

In January 2003, I, along with others, toured the AT&T central office on Folsom Street in San Francisco -- actually three floors of an SBC building. There I saw a new room being built adjacent to the 4ESS switch room where the public's phone calls are routed. I learned that the person whom the NSA interviewed for the secret job was the person working to install equipment in this room. The regular technician work force was not allowed in the room.

In October 2003, the company transferred me to the San Francisco building to oversee the Worldnet Internet room, which included large routers, racks of modems for customers' dial-in services, and other equipment. I was responsible for troubleshooting problems on the fiber optic circuits and installing new circuits.

While doing my job, I learned that fiber optic cables from the secret room were tapping into the Worldnet circuits by splitting off a portion of the light signal. I saw this in a design document available to me, entitled "Study Group 3, LGX/Splitter Wiring, San Francisco" dated Dec. 10, 2002. I also saw design documents dated Jan. 13, 2004 and Jan. 24, 2003, which instructed technicians on connecting some of the already in-service circuits to the "splitter" cabinet, which diverts some of the light signal to the secret room. The circuits listed were the Peering Links, which connect Worldnet with other networks and hence the whole country, as well as the rest of the world.

One of the documents listed the equipment installed in the secret room, and this list included a Narus STA 6400, which is a "Semantic Traffic Analyzer". The Narus STA technology is known to be used particularly by government intelligence agencies because of its ability to sift through large amounts of data looking for preprogrammed targets. The company's advertising boasts that its technology "captures comprehensive customer usage data ... and transforms it into actionable information.... (It) provides complete visibility for all internet applications."

My job required me to connect new circuits to the "splitter" cabinet and get them up and running. While working on a particularly difficult one with a technician back East, I learned that other such "splitter" cabinets were being installed in other cities, including Seattle, San Jose, Los Angeles and San Diego.

What is the Significance and Why Is It Important to Bring These Facts to Light?

Based on my understanding of the connections and equipment at issue, it appears the NSA is capable of conducting what amounts to vacuum-cleaner surveillance of all the data crossing the Internet -- whether that be peoples' e-mail, Web surfing or any other data.

Given the public debate about the constitutionality of the Bush administration's spying on U.S. citizens without obtaining a FISA warrant, I think it is critical that this information be brought out into the open, and that the American people be told the truth about the extent of the administration's warrantless surveillance practices, particularly as it relates to the Internet.

Despite what we are hearing, and considering the public track record of this administration, I simply do not believe their claims that the NSA's spying program is really limited to foreign communications or is otherwise consistent with the NSA's charter or with FISA. And unlike the controversy over targeted wiretaps of individuals' phone calls, this potential spying appears to be applied wholesale to all sorts of Internet communications of countless citizens.

Attorney contact information:

Miles Ehrlich
Ramsey & Ehrlich LLP

Source: Legal Pad

Link to the full story is here.

God help us.

Can you call or write your Senator and Congressmen for me? Not that it will do us any good but it's a start..


Webcam feeds from around our fair planet

I added some webcam feeds from around our fair planet.

So far we have:

La Tonnarella, Sorrento Italy

Saint-Gilles-les-Bains, France

Royal Citadel, Plymouth UK

Boston, Massachusetts

Pensacola Beach, FLA

Houston, TX

Vallejo, California

Kamaole Beach, Maui, Hawaii

Sapporo, Japan

Hong Kong, China

And the list may change at any time. The full size views are at My Back Pages.

They don't display correctly in Internet Explorer. Oh well, I don't use Internet Explorer.

Do yourselves a favor.

Get Firefox.

Tuesday, April 18, 2006

Pensacola Beach Blog

A progressive blog from someplace I used to live.


Pensacola Beach Blog

Bitch | Lab

Quite a good blog for a little edgy witty sort of humor.

Check it out.

Bitch | Lab



Absolutely must read for a taste of Southern Culture gone terribly wrong!


Sunday, April 16, 2006

» Why Windows is less secure than Linux | Threat Chaos | ZDNet.com

Excellent Security Blog by Richard Stiennon at ZDnet.

The basic argument goes like this. In its long evolution, Windows has grown so complicated that it is harder to secure. Well these images make the point very well. Both images are a complete map of the system calls that occur when a web server serves up a single page of html with a single picture. The same page and picture. A system call is an opportunity to address memory. A hacker investigates each memory access to see if it is vulnerable to a buffer overflow attack. The developer must do QA on each of these entry points. The more system calls, the greater potential for vulnerability, the more effort needed to create secure applications.

A picture is worth a thousand words. See diagram below.

The first picture is of the system calls that occur on a Linux server running Apache.

This second image is of a Windows Server running IIS.

Read the rest of it for an eye opener on Windoze vs. Linux security.

» Why Windows is less secure than Linux | Threat Chaos | ZDNet.com

Saturday, April 15, 2006

CNN.com - Beware of tax refund 'phishing' scams - Apr 14, 2006

CNN.com - Beware of tax refund 'phishing' scams - Apr 14, 2006: "Phishing is an e-mail trick that 'lures' users with a promise of money or an urgent security warning that asks users to update their information. But instead of going to a financial institution or the government, the precious personal data goes to identity thieves.
IRS doesn't e-mail taxpayers

At least during this tax season, Internet users don't even have to try and distinguish real from fake information from the IRS. Anything you get in your inbox with an IRS address is a fraud."