Soon to come: IRS Spam

Published: 2007-10-30
Last Updated: 2007-10-30 20:46:50 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Our friends at iDefense/Verisign shared a template with us for a new IRS phishing e-mail which they expect to be mail out soon (today). The template looks like it will be sent as a multipart mime encoded email with plain text and html part.

The '%' keywords in the template will be replaced with customized content. Expect URL like this to be used:

note that the directory starts with a '.' in order to hide it on compromised unix systems. Another common directory name is '.bbb'. file names to expect are b.php,, update.exe


Here is the top part of the template:

From=IRS e-file <>
Reply-To=IRS e-file <>
Subject=Known e-file Issues and Solutions (2007 tax year), for %comp%!

Binary Attachments


It has come to the attention of the IRS Modernized e-File office that
some transmitters/software developers/return originators are creating
binary files incorrectly. In some instances, the IRS was unable to
display the PDF document because of improper formatting.
Effective immediately, please ensure that binary attachments are created
according to the PDF standards in this correspondence.
The internal identifier (first five bytes of the file) must be the
standard PDF identifier, "%PDF-".
Please download the correct PDF form for your business needs here:




0 comment(s)


Diary Archives