We have been made aware of "scary" emails sent in the last few hours that purport to come from the FBI/DHS. While the emails are indeed being sent from infrastructure that is owned by the FBI/DHS (the LEEP portal), our research shows that these emails *are* fake.
These fake warning emails are apparently being sent to addresses scraped from the ARIN database. They are causing a lot of disruption because the headers are real; they really are coming from FBI infrastructure. They have no name or contact information in the .sig. Please beware!
These emails look like this:
Sending IP: 153.31.119.142 (mx-east-ic.fbi.gov)
From: eims@ic.fbi.gov
Subject: Urgent: Threat actor in systems
For anyone interested, here are the sanitised headers from the sample we got yesterday.
Japanese shoppers are currently being phished with spoofed Amazon emails. 99% of this spam is being emitted from IPs originating from ASN 4134: CHINANET backbone @chinateleglobal. Read the thread for more detail. #chinese #botnet #phishing
Recently we've observed a huge spam run with the subject line "お支払い方法の情報を更新" ("Update payment method information"). Google translates this as "Updated payment method information." The message contents are phishing emails, spoofing Amazon, targeting Japanese shoppers.
The spam run continues as we tweet, but Spamhaus subscribers in Japan and worldwide are no longer seeing it in their inboxes.
We are implementing 3 new return codes in March. These are error codes, not reputation codes.
If you are not parsing these codes correctly all query responses may be treated either as "LISTED" or "NOT LISTED." Both results may potentially have disastrous outcomes.
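The failure mode described above, as an added example that is not Spamhaus code: a small DNSBL response parser that keeps error codes separate from listing codes, next to the two broken parsers that collapse everything into "LISTED" or "NOT LISTED". The zone name dnsbl.example is a placeholder, the sample responses are constructed rather than captured, and the error range is assumed to be 127.255.255.0/24, the block in which Spamhaus documents its error codes (127.255.255.252, .254 and .255); the thread does not say which codes are being added.

```python
"""Parse DNSBL A-record responses, separating error codes from listing codes.

Added example, not Spamhaus's own client code. Assumptions: "dnsbl.example"
is a placeholder zone, 127.255.255.0/24 is taken as the error-code range
(Spamhaus documents 127.255.255.252/254/255 as error codes), and the sample
responses below are constructed, not real lookups. IPv4 only.
"""
import ipaddress

ZONE = "dnsbl.example"                                  # placeholder zone name
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")    # assumed error-code range
ANSWER_NET = ipaddress.ip_network("127.0.0.0/8")        # every valid DNSBL answer


def query_name(ip, zone=ZONE):
    """Build the lookup name: reversed octets plus zone (192.0.2.1 -> 1.2.0.192.zone)."""
    octets = ipaddress.ip_address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def classify(answers):
    """Return (verdict, codes); verdict is 'not_listed', 'listed' or 'error'.

    answers is the list of A records returned for the query name, or None
    when the resolver answered NXDOMAIN (the normal "not listed" response).
    """
    if not answers:
        return "not_listed", []
    codes = [ipaddress.ip_address(a) for a in answers]
    printable = [str(c) for c in codes]
    # Anything outside 127/8 is not a DNSBL answer at all (for example a
    # resolver that rewrites NXDOMAIN); it is an error, never a verdict.
    if any(c not in ANSWER_NET for c in codes):
        return "error", printable
    # Error codes mean the query itself failed; they say nothing about the IP.
    if any(c in ERROR_NET for c in codes):
        return "error", printable
    return "listed", printable


def naive_any_answer_is_listed(answers):
    """Broken parser 1: any A record means LISTED, so every error code
    blocks mail from the queried IP."""
    return bool(answers)


KNOWN_LISTING_CODES = {"127.0.0.2", "127.0.0.3", "127.0.0.4"}  # assumed subset


def naive_known_codes_only(answers):
    """Broken parser 2: only recognised codes count, so an error code is
    silently read as NOT LISTED and everything gets through."""
    return bool(answers) and any(a in KNOWN_LISTING_CODES for a in answers)


# Constructed sample responses keyed by the IP being checked (not captured traffic).
SAMPLE_RESPONSES = {
    "192.0.2.1": None,                  # NXDOMAIN: not listed
    "192.0.2.2": ["127.0.0.2"],         # a listing code
    "192.0.2.3": ["127.255.255.254"],   # an error code: query was rejected
    "192.0.2.4": ["203.0.113.9"],       # not a DNSBL answer at all
}


def check_all(responses=SAMPLE_RESPONSES):
    """Return {ip: (verdict, codes)} for every sample response."""
    return {ip: classify(ans) for ip, ans in responses.items()}


if __name__ == "__main__":
    for ip, (verdict, codes) in check_all().items():
        print(f"{query_name(ip):28s} {verdict:10s} {codes}")
```

An "error" verdict should be handled as a temporary failure in the MTA (log it and defer, or fall through to the next check) rather than as either listing state; both naive parsers above turn the same error response into a confident, and wrong, accept or reject decision.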