13

A user of mine just received a phishing email claiming to be the IRS. What methods of reporting are available, and what should be included?

AviD
  • 72,708
  • 22
  • 137
  • 218
Holocryptic
  • 233
  • 1
  • 6

3 Answers3

13

Most often, these kinds of emails are sent from either compromised hosts, spammer accounts at free webmail providers, or dedicated spam-spewing networks (this is called snowshoe spam). In either case, the most appropriate parties should be, and should appreciate, being contacted since it represents a threat on their network. Reporting can be tricky, however, as it is not always obvious where the message came from. The first two things you can do are send an email with an RFC5322 attachment of the email, with full headers, to

  • spam@access.ironport.com
  • spam@knujon.net (which copies all reports to spam@uce.gov)
  • or paste the pristine raw email, again with full headers, to SpamCop

Variations of the above that additionally flag reported mail as phishing:

  • phish@access.ironport.com
  • phishing@knujon.net (which also copies phishing reports to APWG)

The first address is used by Cisco for receiving reports of missed spam in their IronPort anti-spam solutions. They monitor this mailbox and develop signatures for reported spam. So, eventually, the specific phish you received should be caught by their spam filters.

The second address is KnujOn ("No Junk" spelled backwards), a non-profit group that collects spammer domain data and follows the money trail in an effort to actually bust domain registrars that are too spammer-friendly.

The UCE address is used by the United States Federal Trade Commission to build out investigations and cases against spammers. Again, given the highly difficult nature of performing such investigations, one should not expect results from sending messages here. However, given the effort involved, and the fact that it might be useful in going after spammers/phishers, it seems a worthwhile action to me.

The most immediately useful action is to contact the folks responsible for the source of the spam. We can use this information to locate compromised computers or accounts, open mail relays, etc, and respond in kind. Determining exactly where to send this information may be tricksome. If your organization has an Information Security office, you can fall back to forwarding said email to them for processing. Otherwise, plow through the Received: headers to determine which mail server the message originated from; the most recent of them that is beyond your organization's control is the culprit. (Do not assume the From: header is valid.)

From that IP address or domain you can look through the registrars to determine technical contacts, and forward the message to them. If you have a domain, then you can also attempt to use abuse@. That address was partially formalized in RFC2142, but is certainly in common use.

In all cases, you really need to forward the email with full headers intact. The specifics of how one does that will depend heavily on the specific mail client, but Forward As Attachment should work in almost all cases (except Microsoft Outlook for Windows).

Scott Pack
  • 15,217
  • 5
  • 62
  • 91
  • 2
    Good resources and explanation. The only thing I would add would be to contact the organization being impersonated. In this case the IRS might be interested in launching their own investigation. – this.josh Aug 19 '11 at 07:33
7

As far as I know, you can report spam to their e-mail and/or internet provider (if any is known). I know Yahoo, DaddyGo etc. even have special forms for reporting spam (try google e-mail provider and +"spam report", e.g. +yahoo +"spam report")

For general direction how to write complain e-mail to provider about spam spam.abuse.net.

For pshising, I would definitely also warm organization / site / whatever is used in attack.

StupidOne
  • 2,812
  • 22
  • 35
5

You can also report it to the IC3, a partnership of the FBI,NW3C and Justice Bureau. http://www.ic3.gov/default.aspx

Jacob
  • 201
  • 1
  • 4
  • IC3 basically expects you to have suffered from ~monetary loss. You can ignore that and still fill it out, but I'm not convinced it will become anything but a government statistic. They also send you a (completely uninformative) paper receipt in the mail, so I only ever did this once (there's no reason to burn tax dollars in this frivolity). – Adam Katz Jan 16 '15 at 21:24