DJE
Well-known member
Anybody else seen this by email? The domain names don't look right although they go to official-looking sites.
Suspicious-looking email. "Pleasure Craft Report Service."
- Thread starter DJE
- Start date
Black Sheep
Well-known member
What are the domain names? Do they end ".gov.uk"?
DJE
Well-known member
submit.a.pleasure.craft.report.service"at"notifications.service.gov.uk
sgmr.cop.homeoffice.gov.uk
sgmrsupport"at"digital.homeoffice.gov.uk
The only one I have managed to check is the Home Office. Their page says that their email addresses are always in the format:- firstname.lastname@homeoffice.gov.uk
Sticky Fingers
Well-known member
It seems to be legit. Take a look at this which covers this topic (although no mention of that Private Beta of course)
Notice 8: sailing your pleasure craft to and from the UK
Notice 8: sailing your pleasure craft to and from the UK
prv
Well-known member
It's a better phishing attempt than many, but I think the GDS proof-readers would probably notice that there's only one Home Office. There's also no hits on Google for a "submit a pleasure craft report" service; even if the service was in private beta I'd expect some GDS blog entries about it at the very least.
Pete
Pete
pvb
Well-known member
Scam! Grammatical errors are often a good giveaway.
Black Sheep
Well-known member
I'm happy that those are genuine .gov.uk domains, therefore under the control of the UK government or authorised agents.
Not a phishing attempt.
Not a phishing attempt.
Black Sheep
Well-known member
I don't understand your comment about "only one Home Office" unless you're referring to a misplaced apostrophe?
I wouldn't necessarily expect such a Google hit.
Not a phishing attempt, imho. For it to be one, they would have had to hack one of the Home Office servers, plus identify the OP as someone likely to be relevant to pleasure craft reporting. So unless DJE is likely to be of sufficient interest that a hostile state actor would go to such extraordinary lengths, then he can safely click the links.
DJE
Well-known member
But all the genuine UK government sites that I have seen have been of the form www.gov.uk/topic/sub-topic. These have inserts between www and gov. Is this relevant?
prv
Well-known member
Without meaning to disparage DJE, I suspect he may not be up to noticing unicode homographs in domains, nor links whose title text is different to their actual destination. I don't have the email itself to check these things, so I'm going purely by the text which doesn't quite ring true to GDS's normal style, contains a grammatical error which they're normally very good about avoiding, and refers to a service that is mentioned nowhere else on the Internet. It's possible that the rush to sort this stuff out has caused them to fall below their normal standards, but my money is on a topical phishing attack.
Pete
Black Sheep
Well-known member
Anything that ends .gov.uk is definitely a UK government site (the small print - it might be possible for a third party to use a unicode character to create something that looks like .gov.uk but isn't. In this case, I copied the address, and also retyped the address. They resolve to the same host, so it hasn't happened here, assuming that you copied the address rather than retyping it)
Previous government sites you've been to will be production sites - live sites, providing a service to the public. They will typically have the form you describe. But this is a test of a new service, so is sitting on a development server somewhere with a temporary address.
The middle address is a web server, and probably does have a slash after the .gov.uk bit, with something after it.
The other two are email addresses, and will definitely go to UK government destinations. digital.homeoffice.gov.uk is a subdomain of homeoffice.gov.uk, therefore controlled by them. The Home Office guidance on email addresses is helpful if you know the name of the person you want to email (except where there's two John Smiths), but unfortunately isn't comprehensive.
Black Sheep
Well-known member
I think you're building quite a conspiracy out of one apostrophe. I've seen plenty bigger errors on live government websites, let alone developmental beta services.
OK - DJE, if you right-click on the link, do you get a menu that includes "copy Link Location" or similar? If so, could you do that and paste it into a reply?
laika
Well-known member
The unicode ruse is a fair point but if you bypass cut n paste and just go with bare text I think there's a fair chance that both prv ("This looks all kinds of dodgy") and Black Sheep ("This looks legit") can be right at the same time. "notifications.service.gov.uk" has no mx records associated with it but maybe they're not allowing email replies. It does have an soa record with "awsdns-hostmaster.amazon.com" as the mail address.
sgmr.cop.homeoffice.gov.uk has a dodgy default kubernetes certificate installed.
Interestingly gov.uk has dnssec enabled. Homeoffice.gov.uk does not
Sgmr.cop.home office.gov.uk shouldn’t be exposed to the Internet in that state so there’s some dodgy admin going on here. But as Black Sheep points out, unless there's a serious problem with government DNS the referenced website's set up demonstrates that there are forhead-slappingly incompetent numpties at work.
@DJE : Are you using gmail? If so click on mail, then the 3 dots to the right of the message next to the "reply" arrow. From the pop up select "show original". You should then get a table of information. If the section labelled "dkim" says "PASS" the mail probably isn't spoofed. Just from a really shonkey service which has no business being on the web.
( the mail domain does have a dmarc txt record, although the spf record just lists amazonses so is no help)
Last edited:
Kukri
Well-known member
The Brexit regime are illiterate. They can neither spell nor use correct syntax.
But they can order us around:
“Introduction
This notice is intended for us by owners of pleasure craft who sail their crafts to or from the UK and the customs arrival and departure requirements.”
Notice 8: sailing your pleasure craft to and from the UK
But they can order us around:
“Introduction
This notice is intended for us by owners of pleasure craft who sail their crafts to or from the UK and the customs arrival and departure requirements.”
Notice 8: sailing your pleasure craft to and from the UK
laika
Well-known member
Well who knew? The home office (apparently) have a github repo referencing this stuff:
Update sGMR service Name to Submit a Pleasure Craft Report · UKHomeOffice/sgmr-service@4a1bd2c
I'm going with "legit, but shambolic and forced out as 'public beta' before even being ready for pre-alpha because someone's promised that it'll be done by the end of the year"...
Black Sheep
Well-known member
Good analysis - to more detail than I was willing to dive! My understanding is that an MX record isn't essential for incoming mail, even if it's usual.
DJE
Well-known member
I usually check what a link points to by hovering my mouse over it in so that the details pop up and these all do what they say. But the email address doesn't match the format specified on the Home Office page about how to spot fraud! I was also trying to avoid copying live links into my posts in case somebody else clicked them. I hadn't heard of the use of unicode characters before - must watch out for that one. Bottom of the email looks like this:
I am using Outlook and the internet headers report (with my email address hidden) gives this lot:-
Received: from zeus4.easy-internet.co.uk
by zeus4.easy-internet.co.uk with LMTP
id +O6tOHDG4F9SQgQAgEnNEQ
(envelope-from <0102017686066fa6-09d83cf1-1cf8-44e8-8bf0-494af0e15b81-000000@mail.notifications.service.gov.uk>)
for <da**@******.co.uk>; Mon, 21 Dec 2020 15:59:44 +0000
Received: from e239-80.smtp-out.eu-west-1.amazonses.com ([23.251.239.80]:47493)
by zeus4.easy-internet.co.uk with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
(Exim 4.93)
(envelope-from <0102017686066fa6-09d83cf1-1cf8-44e8-8bf0-494af0e15b81-000000@mail.notifications.service.gov.uk>)
id 1krNb3-001Aa7-4y
for da**@*******.co.uk; Mon, 21 Dec 2020 15:59:44 +0000
Reply-To: <sgmrsupport@digital.homeoffice.gov.uk>
From: "Submit a Pleasure Craft Report Service" <submit.a.pleasure.craft.report.service@notifications.service.gov.uk>
To: <da**@*********.co.uk>
Subject: =?utf-8?Q?Submit_a_Pleasure_Craft_Report_=E2=80=93?=
=?utf-8?Q?_Private_Beta_Invitation?=
Date: Mon, 21 Dec 2020 15:58:57 -0000
Message-ID: <0102017686066fa6-09d83cf1-1cf8-44e8-8bf0-494af0e15b81-000000@eu-west-1.amazonses.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0009_01D6D7BC.F6F3BAC0"
X-Mailer: Microsoft Outlook 16.0
X-Spam-Status: No, score=2.7
X-Spam-Score: 27
X-Spam-Bar: ++
X-Ham-Report: =?utf-8?Q?Spam_detection_software=2C_running?=
=?utf-8?Q?_on_the_system_=22zeus4.easy-inter?=
=?utf-8?Q?net.co.uk=22=2C
_has_NOT_identified?=
=?utf-8?Q?_this_incoming_email_as_spam.__T?=
=?utf-8?Q?he_original
_message_has_been_a?=
=?utf-8?Q?ttached_to_this_so_you_can_view_?=
=?utf-8?Q?it_or_label
_similar_future_ema?=
=?utf-8?Q?il.__If_you_have_any_questions=2C_?=
=?utf-8?Q?see
_root\=40localhost_for_detail?=
=?utf-8?Q?s.
_Content_preview:__Dear_Sir/?=
=?utf-8?Q?Madam_You_are_invited_to_partici?=
=?utf-8?Q?pate_in_the_Private
____Beta_=28t?=
=?utf-8?Q?rial_phase=29_of_the_Home_Office=C3=A2=E2=82=AC?=
=?utf-8?Q?=E2=84=A2s_new_=C3=A2=E2=82=AC=CB=9CSubmit_a_Pleasure_Craf?=
=?utf-8?Q?t
___Report=C3=A2=E2=82=AC=E2=84=A2_Service_=5B...=5D_
?=
=?utf-8?Q?_Content_analysis_details:___=282.?=
=?utf-8?Q?7_points=2C_5.0_required=29
__pts_r?=
=?utf-8?Q?ule_name______________descriptio?=
=?utf-8?Q?n
_----_----------------------_?=
=?utf-8?Q?--------------------------------?=
=?utf-8?Q?------------------
__0.8_BAYES=5F?=
=?utf-8?Q?50_______________BODY:_Bayes_spa?=
=?utf-8?Q?m_probability_is_40_to_60%
____?=
=?utf-8?Q?_________________________=5Bscore:?=
=?utf-8?Q?_0.5000=5D
__2.0_DEAR=5FSOMETHING__?=
=?utf-8?Q?_______BODY:_Contains_'Dear_=28som?=
=?utf-8?Q?ething=29'
_-0.0_SPF=5FPASS________?=
=?utf-8?Q?_______SPF:_sender_matches_SPF_r?=
=?utf-8?Q?ecord
__0.0_HTML=5FFONT=5FLOW=5FCONTR?=
=?utf-8?Q?AST_BODY:_HTML_font_color_simila?=
=?utf-8?Q?r_or
__________________________?=
=?utf-8?Q?___identical_to_background
__0.?=
=?utf-8?Q?0_HTML=5FMESSAGE___________BODY:_H?=
=?utf-8?Q?TML_included_in_message
__0.1_D?=
=?utf-8?Q?KIM=5FSIGNED____________Message_ha?=
=?utf-8?Q?s_a_DKIM_or_DK_signature=2C_not_ne?=
=?utf-8?Q?cessarily
_____________________?=
=?utf-8?Q?________valid
_-0.1_DKIM=5FVALID_?=
=?utf-8?Q?____________Message_has_at_least?=
=?utf-8?Q?_one_valid_DKIM_or_DK_signature
?=
=?utf-8?Q?
_-0.1_DKIM=5FVALID=5FAU__________Me?=
=?utf-8?Q?ssage_has_a_valid_DKIM_or_DK_sig?=
=?utf-8?Q?nature_from
___________________?=
=?utf-8?Q?__________author's_domain
_-0.0?=
=?utf-8?Q?_FROM=5FGOV=5FDKIM=5FAU_______From_Gov?=
=?utf-8?Q?ernment_address_and_DKIM_signed?=
X-Spam-Flag: NO
X-SES-Outgoing: 2020.12.21-23.251.239.80
Thread-Index: AQEa+JnWo4ulhEKtHpKj8nZLAr9jDQ==
I am using Outlook and the internet headers report (with my email address hidden) gives this lot:-
Received: from zeus4.easy-internet.co.uk
by zeus4.easy-internet.co.uk with LMTP
id +O6tOHDG4F9SQgQAgEnNEQ
(envelope-from <0102017686066fa6-09d83cf1-1cf8-44e8-8bf0-494af0e15b81-000000@mail.notifications.service.gov.uk>)
for <da**@******.co.uk>; Mon, 21 Dec 2020 15:59:44 +0000
Received: from e239-80.smtp-out.eu-west-1.amazonses.com ([23.251.239.80]:47493)
by zeus4.easy-internet.co.uk with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
(Exim 4.93)
(envelope-from <0102017686066fa6-09d83cf1-1cf8-44e8-8bf0-494af0e15b81-000000@mail.notifications.service.gov.uk>)
id 1krNb3-001Aa7-4y
for da**@*******.co.uk; Mon, 21 Dec 2020 15:59:44 +0000
Reply-To: <sgmrsupport@digital.homeoffice.gov.uk>
From: "Submit a Pleasure Craft Report Service" <submit.a.pleasure.craft.report.service@notifications.service.gov.uk>
To: <da**@*********.co.uk>
Subject: =?utf-8?Q?Submit_a_Pleasure_Craft_Report_=E2=80=93?=
=?utf-8?Q?_Private_Beta_Invitation?=
Date: Mon, 21 Dec 2020 15:58:57 -0000
Message-ID: <0102017686066fa6-09d83cf1-1cf8-44e8-8bf0-494af0e15b81-000000@eu-west-1.amazonses.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0009_01D6D7BC.F6F3BAC0"
X-Mailer: Microsoft Outlook 16.0
X-Spam-Status: No, score=2.7
X-Spam-Score: 27
X-Spam-Bar: ++
X-Ham-Report: =?utf-8?Q?Spam_detection_software=2C_running?=
=?utf-8?Q?_on_the_system_=22zeus4.easy-inter?=
=?utf-8?Q?net.co.uk=22=2C
_has_NOT_identified?=
=?utf-8?Q?_this_incoming_email_as_spam.__T?=
=?utf-8?Q?he_original
_message_has_been_a?=
=?utf-8?Q?ttached_to_this_so_you_can_view_?=
=?utf-8?Q?it_or_label
_similar_future_ema?=
=?utf-8?Q?il.__If_you_have_any_questions=2C_?=
=?utf-8?Q?see
_root\=40localhost_for_detail?=
=?utf-8?Q?s.
_Content_preview:__Dear_Sir/?=
=?utf-8?Q?Madam_You_are_invited_to_partici?=
=?utf-8?Q?pate_in_the_Private
____Beta_=28t?=
=?utf-8?Q?rial_phase=29_of_the_Home_Office=C3=A2=E2=82=AC?=
=?utf-8?Q?=E2=84=A2s_new_=C3=A2=E2=82=AC=CB=9CSubmit_a_Pleasure_Craf?=
=?utf-8?Q?t
___Report=C3=A2=E2=82=AC=E2=84=A2_Service_=5B...=5D_
?=
=?utf-8?Q?_Content_analysis_details:___=282.?=
=?utf-8?Q?7_points=2C_5.0_required=29
__pts_r?=
=?utf-8?Q?ule_name______________descriptio?=
=?utf-8?Q?n
_----_----------------------_?=
=?utf-8?Q?--------------------------------?=
=?utf-8?Q?------------------
__0.8_BAYES=5F?=
=?utf-8?Q?50_______________BODY:_Bayes_spa?=
=?utf-8?Q?m_probability_is_40_to_60%
____?=
=?utf-8?Q?_________________________=5Bscore:?=
=?utf-8?Q?_0.5000=5D
__2.0_DEAR=5FSOMETHING__?=
=?utf-8?Q?_______BODY:_Contains_'Dear_=28som?=
=?utf-8?Q?ething=29'
_-0.0_SPF=5FPASS________?=
=?utf-8?Q?_______SPF:_sender_matches_SPF_r?=
=?utf-8?Q?ecord
__0.0_HTML=5FFONT=5FLOW=5FCONTR?=
=?utf-8?Q?AST_BODY:_HTML_font_color_simila?=
=?utf-8?Q?r_or
__________________________?=
=?utf-8?Q?___identical_to_background
__0.?=
=?utf-8?Q?0_HTML=5FMESSAGE___________BODY:_H?=
=?utf-8?Q?TML_included_in_message
__0.1_D?=
=?utf-8?Q?KIM=5FSIGNED____________Message_ha?=
=?utf-8?Q?s_a_DKIM_or_DK_signature=2C_not_ne?=
=?utf-8?Q?cessarily
_____________________?=
=?utf-8?Q?________valid
_-0.1_DKIM=5FVALID_?=
=?utf-8?Q?____________Message_has_at_least?=
=?utf-8?Q?_one_valid_DKIM_or_DK_signature
?=
=?utf-8?Q?
_-0.1_DKIM=5FVALID=5FAU__________Me?=
=?utf-8?Q?ssage_has_a_valid_DKIM_or_DK_sig?=
=?utf-8?Q?nature_from
___________________?=
=?utf-8?Q?__________author's_domain
_-0.0?=
=?utf-8?Q?_FROM=5FGOV=5FDKIM=5FAU_______From_Gov?=
=?utf-8?Q?ernment_address_and_DKIM_signed?=
X-Spam-Flag: NO
X-SES-Outgoing: 2020.12.21-23.251.239.80
Thread-Index: AQEa+JnWo4ulhEKtHpKj8nZLAr9jDQ==
Sandy
Well-known member
I wonder how they know you have a boat?
DJE
Well-known member
I wonder how you know.
dunedin
Well-known member
Don’t rely on that - the new official HMRC Notice 8 page has two typos on the very first line, and lots more apparent errors thereafter.
thrown together in a hurry.
