Spamhaus Profile picture
Nov 13, 2021 4 tweets 2 min read
We have been made aware of "scary" emails sent in the last few hours that purport to come from the FBI/DHS. While the emails are indeed being sent from infrastructure that is owned by the FBI/DHS (the LEEP portal), our research shows that these emails *are* fake.
These fake warning emails are apparently being sent to addresses scraped from ARIN database. They are causing a lot of disruption because the headers are real, they really are coming from FBI infrastructure. They have no name or contact information in the .sig. Please beware!
These emails look like this:

Sending IP: (
Subject: Urgent: Threat actor in systems Image
For anyone interested, here are the sanitised headers from the sample we got yesterday. Image

• • •

Missing some Tweet in this thread? You can try to force a refresh

Keep Current with Spamhaus

Spamhaus Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!


Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @spamhaus

Mar 26, 2021
Japanese shoppers are currently being phished with spoofed Amazon emails. 99% of this spam is being emitted from IPs originating from ASN 4134: CHINANET backbone @chinateleglobal. Read the thread for more detail. #chinese #botnet #phishing Image
Recently we've observed a huge spam run with the subject line "お支払い方法の情報を更新." Google translates this as "Updated payment method information." The message contents are phishing emails, spoofing Amazon, targeting Japanese shoppers.
The spam run continues as we tweet, but Spamhaus subscribers in Japan and worldwide are no longer seeing it in their inboxes.
Read 4 tweets
Feb 12, 2021
If you're using our public mirrors, you need to check your return codes, and soon... here's why.…

#returncodes #config #MTA #Spamhaus
We are implementing 3 new return codes in March. These are error codes, not reputation codes.
If you are not parsing these codes correctly all query responses may be treated either as "LISTED" or "NOT LISTED." Both results may potentially have disastrous outcomes.
Read 6 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!


0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy


3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!