28 September 2009

tax-statement-taxpayer_id*.exe

There are some fake IRS spam emails circulating at the moment that send you to a web page and try to get you to download a virus file, which Trend Micro OfficeScan picks up as TROJ_ZBOT.CBY.

I am particularly worried about this email because the URL appears to contain the email address of the user it was sent to. That lets the owner of the site log a confirmed, valid email address every time someone clicks the link in the email. The user doesn't even need to download the file to become a bigger target for spam.

Solution: I also noticed that users are being redirected to multiple domains, so I decided to block *.irs.gov.*.com on our proxy server to prevent users from landing themselves on a spam list.

These are the domain names I have found in this type of attack so far:

*.irs.gov.y11dera.com

*.irs.gov.fedas1am.com

*.irs.gov.fedasaz.com

*.irs.gov.y11derq.com
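As an added example (not code from the original post), here is a small Python check for the pattern blocked above: it flags hostnames where irs.gov appears as labels under some other registrable domain, and runs over a few constructed proxy log lines to spot both the look-alike host and a tracked address in the query string. The log line format and the %40 encoding of the email address are assumptions.

```python
"""Flag proxy requests to look-alike hosts that embed irs.gov as subdomain labels."""
from urllib.parse import urlsplit

TRUSTED = "irs.gov"


def is_spoofed_trusted_host(host: str, trusted: str = TRUSTED) -> bool:
    """True when the labels of `trusted` appear inside `host` but `host` is not
    actually under `trusted`, e.g. 'www.irs.gov.y11dera.com' (matches *.irs.gov.*.com).
    'www.irs.gov' and 'irs.gov' themselves are genuine and return False."""
    labels = host.lower().rstrip(".").split(".")
    t = trusted.lower().split(".")
    # Genuine host: its last labels are exactly the trusted domain.
    if labels[-len(t):] == t:
        return False
    # Spoof: the trusted labels occur earlier, followed by another domain.
    for i in range(len(labels) - len(t)):
        if labels[i:i + len(t)] == t:
            return True
    return False


def flag_log(lines):
    """Return (host, address_in_url) for each request that hits a spoofed host.
    Assumes constructed 'TIMESTAMP CLIENT ACTION URL' lines, squid-like."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines
        url = parts[3]
        host = urlsplit(url).hostname or ""
        if is_spoofed_trusted_host(host):
            # An '@' (raw or %40-encoded) in the URL suggests the recipient's
            # email address is being carried along, i.e. click tracking.
            tracked = "@" in url or "%40" in url.lower()
            hits.append((host, tracked))
    return hits


# Constructed sample log: one genuine IRS request, two look-alike hosts.
SAMPLE_LOG = [
    "1254100000.123 10.0.0.5 TCP_MISS http://www.irs.gov/individuals/index.html",
    "1254100001.456 10.0.0.7 TCP_MISS http://www.irs.gov.y11dera.com/tax-statement.php?email=user%40example.com",
    "1254100002.789 10.0.0.9 TCP_MISS http://www.irs.gov.fedasaz.com/",
]

if __name__ == "__main__":
    for host, tracked in flag_log(SAMPLE_LOG):
        print(f"spoofed host {host} (email address in URL: {tracked})")
```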

Screenshot of the website you get redirected to when you click on the link in the emails.