MoMusings

Random ramblings and musings about all things malware and related net-nasties...

Wednesday, 11 April 2007

Secret Intelligence Service SCAM ALERT!! E-mail

Here's an interesting e-mail I received today. The following screenshots show the complete e-mail. Read it all the way through. What do you think, real or fake?

Hands up all those that said real?

All of you who said 'real' are in detention, write out, in full 100 times, my blog post covering 419 scams [here] and the recent blog entry on the 'Police Website Line-up' [here]. ;-)

Hands up all those that said fake?
Well done! Give yourself a pat on the back, it does indeed seem to be a fake. Details below:

Hmmm... the e-mail comes from [or so it claims] 'anti.scam-dpt@sis.gov.uk'. SIS.GOV.UK is the domain owned and used by the SIS [Secret Intelligence Service, also known as MI6 in the UK]. However, the reply-to address given in the e-mail body is 'hollace_fwilliam@britishsecretservice-uk.org', and that sounds 'phishy'. So let's look at the domain details for it, shall we?

Here are the DNS entries:

britishsecretservice-uk.org. 600 IN SRV 1 1 5061 federation.messenger.msn.com.
britishsecretservice-uk.org. 600 IN MX 10 pamx1.hotmail.com.
britishsecretservice-uk.org. 600 IN A 65.54.132.254
britishsecretservice-uk.org. 86398 IN NS pdomns1.msn.com.
britishsecretservice-uk.org. 86398 IN NS pdomns2.msn.com.

The MX [e-mail] record points to a 'hotmail.com' MX server. I can't see the SIS using Hotmail as their primary e-mail server, can you? Or, for that matter, MSN DNS servers as their primary and secondary DNS.

Let's look at the WHOIS record, shall we?

Domain ID:D106558818-LROR
Domain Name:BRITISHSECRETSERVICE-UK.ORG
Created On:08-Jun-2005 09:07:00 UTC
Last Updated On:01-Jul-2006 03:55:43 UTC
Expiration Date:08-Jun-2007 09:07:00 UTC
Sponsoring Registrar:eNom, Inc. (R39-LROR)
Status:OK
Registrant ID:C338EEA0092FC35F
Registrant Name:MR. HOLLACE WILLIAM FRANCIS
Registrant Organization:MR. HOLLACE WILLIAM FRANCIS
Registrant Street1:3840 Fishcreek Rd
Registrant City:Stow
Registrant State/Province:OH
Registrant Postal Code:44224
Registrant Country:US
Registrant Phone:+1.3306282938
Registrant Email:hollace_fwilliam@britishsecretservice-uk.org
Admin ID:C338EEA0092FC35F
Admin Name:MR. HOLLACE WILLIAM FRANCIS
Admin Organization:MR. HOLLACE WILLIAM FRANCIS
Admin Street1:3840 Fishcreek Rd
Admin City:Stow
Admin State/Province:OH
Admin Postal Code:44224
Admin Country:US
Admin Phone:+1.3306282938
Admin Email:hollace_fwilliam@britishsecretservice-uk.org

Now why would the SIS or MI6 use someone living in Ohio in the US to register a domain for them?

And where is this domain being hosted?

65.54.132.254 [Querying whois.arin.net]
[whois.arin.net]

OrgName: Microsoft Corp
OrgID: MSFT
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US

NetRange: 65.52.0.0 - 65.55.255.255
CIDR: 65.52.0.0/14
NetName: MICROSOFT-1BLK
NetHandle: NET-65-52-0-0-1
Parent: NET-65-0-0-0-0
NetType: Direct Assignment
NameServer: NS1.MSFT.NET
NameServer: NS5.MSFT.NET
NameServer: NS2.MSFT.NET
NameServer: NS3.MSFT.NET
NameServer: NS4.MSFT.NET
Comment:
RegDate: 2001-02-14
Updated: 2004-12-09

Hmmmm.... I wonder if Microsoft know they are hosting a potential 419 scammer on their servers?
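The checks above (From versus reply-to domain, then the MX and NS records of the reply-to domain) are mechanical enough to script. The following is an added example, not code from this post: it parses a constructed header set shaped like this e-mail and scores it against a constructed DNS table that mirrors the records quoted above, so it runs offline. The provider lists and the `FAKE_DNS` table are assumptions; a real triage script would query a resolver instead.

```python
from email import message_from_string
from email.utils import parseaddr

# Providers an intelligence agency would not use for its primary mail or DNS (illustrative).
FREEMAIL_MX_SUFFIXES = ("hotmail.com", "outlook.com", "gmail.com", "yahoo.com")
CONSUMER_NS_SUFFIXES = ("msn.com",)

# Constructed DNS answers mirroring the records quoted above, so the example
# runs offline; a real triage script would query a resolver instead.
FAKE_DNS = {
    "britishsecretservice-uk.org": {
        "MX": ["pamx1.hotmail.com."],
        "NS": ["pdomns1.msn.com.", "pdomns2.msn.com."],
        "A": ["65.54.132.254"],
    },
}

def lookup(domain, rtype, dns=FAKE_DNS):
    """Return the records of type rtype for domain from the supplied table."""
    return dns.get(domain.lower().rstrip("."), {}).get(rtype, [])

def domain_of(header_value):
    """Extract the bare, lower-cased domain from a From:/Reply-To: value."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def triage(raw_message, dns=FAKE_DNS):
    """Return red flags: From/Reply-To mismatch, free-mail MX, consumer NS."""
    msg = message_from_string(raw_message)
    sender, reply_to = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    flags = []
    if reply_to and reply_to != sender:
        flags.append(f"Reply-To domain {reply_to} differs from From domain {sender}")
    target = reply_to or sender  # where a victim's reply would actually go
    for mx in lookup(target, "MX", dns):
        if mx.rstrip(".").endswith(FREEMAIL_MX_SUFFIXES):
            flags.append(f"{target} receives mail via free-mail MX {mx}")
    for ns in lookup(target, "NS", dns):
        if ns.rstrip(".").endswith(CONSUMER_NS_SUFFIXES):
            flags.append(f"{target} delegates DNS to consumer host {ns}")
    return flags

# Constructed sample headers shaped like the e-mail in the post (the post's
# reply-to address sat in the body; here it is carried as a Reply-To header).
SAMPLE = (
    "From: anti.scam-dpt@sis.gov.uk\n"
    "Reply-To: hollace_fwilliam@britishsecretservice-uk.org\n"
    "Subject: Anti-Scam Department Notice\n\nbody\n"
)
```

Calling `triage(SAMPLE)` returns four flags for this message: the domain mismatch, the Hotmail MX, and the two MSN name servers.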

If you type 'http://britishsecretservice-uk.org' into your web browser, after a small pause you end up here:

This is the 'REAL' MI5 website; it seems that the domain owner for 'britishsecretservice-uk.org' is currently redirecting all web traffic to the MI5 site. I bet he isn't doing the same with the e-mail traffic, very sneaky!

The final proof that this is a fake, if you really needed any more, is that the SIS is part of MI6, but the fake domain redirects to the MI5 site, which the SIS are not part of. And did you notice the use of an MI5 logo in the foot of the e-mail?

Back to the drawing board you 'Bad Guys and Gals from Lagos'....