DHS spam?

A while back I applied for an ESTA for my eclipse trip next year. I’ve just received a spammy email purporting to be from the DHS. Of course it is spam, right?



Delivered-To: ME
Received: by 10.13.245.5 with SMTP id e5csp1591521ywf;
        Sun, 29 Jan 2017 14:54:39 -0800 (PST)
X-Received: by 10.223.143.45 with SMTP id p42mr15425366wrb.120.1485730479752;
        Sun, 29 Jan 2017 14:54:39 -0800 (PST)
Return-Path: <customs1@rnmk.com>
Received: from mailserver.cmp.livemail.co.uk (mailserver.cmp.livemail.co.uk. [213.171.216.40])
        by mx.google.com with ESMTPS id i204si11024557wma.127.2017.01.29.14.54.39
        for <ME>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Sun, 29 Jan 2017 14:54:39 -0800 (PST)
Received-SPF: softfail (google.com: domain of transitioning customs1@rnmk.com does not designate 213.171.216.40 as permitted sender) client-ip=213.171.216.40;
Authentication-Results: mx.google.com;
       spf=softfail (google.com: domain of transitioning customs1@rnmk.com does not designate 213.171.216.40 as permitted sender) smtp.mailfrom=customs1@rnmk.com;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=custhelp.com
Received: from rntfg75.rightnowtech.com (rntfg75.rnmk.com [129.152.93.75]) by mailserver.cmp.livemail.co.uk (Postfix) with ESMTP id 2BA4629DED for <ME>; Sun, 29 Jan 2017 22:54:38 +0000 (GMT)
Received: from [10.84.64.90] ([10.84.64.90:40943] helo=rnmdfg01.int.rightnowtech.com) by rntfg75.rnmk.com (envelope-from <customs1@rnmk.com>) (ecelerity 3.6.25.56547 r(Core:3.6.25.0)) with ESMTP id 7F/EB-14148-7A27E885; Sun, 29 Jan 2017 16:54:31 -0600
MIME-Version: 1.0
Message-Id: <RNTM.AvMG~wr1Dv8S3xb~Gv8a~yKfHpkqiXz7WVUhAT7~Pv~o.0.1485730469.6DnuGdAhGQ!!.518741@rnmdfg01.int.rightnowtech.com>
To: ME
Date: Sun, 29 Jan 2017 17:54:29 -0500 (EST)
Subject: Survey
List-Unsubscribe: <mailto:customs_metrics@customs-mail.custhelp.com?subject=Unsubscribe AvMG~wr1Dv8S3xb~Gv8a~yKfHpkqiXz7WVUhAT7~Pv~o>
From: Department of Homeland Security <customs_metrics@customs-mail.custhelp.com>
Reply-To: Department of Homeland Security <customs_metrics@customs-mail.custhelp.com>
Content-Type: Text/Html; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.=
w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns=3D"http://www.w3.org/1999/xhtml" xmlns:rn=3D"http://schemas.rig=
htnow.com/crm/document">
<head>
<title>Survey</title>
                                                                    =20
</head>
<body>

<div style=3D"BACKGROUND-COLOR: #ffffff">
<p align=3D"center"></p>
<table role=3D"presentation" style=3D"HEIGHT: 72px; WIDTH: 100%" cellspacin=
g=3D"0" cellpadding=3D"0" width=3D"100%" border=3D"0">
<tbody>
<tr>
<td>=A0<img alt=3D"Image" border=3D"0" height=3D"77" src=3D"https://help.cb=
p.gov/rnt/rnw/img/enduser/cbp-logo.jpg" width=3D"235" /></td>
<td>=A0</td>
<td>
<p align=3D"right">OMB No. 1651-0136</p>
<p align=3D"right">Expiration: 11/30/2017</p>
</td>
</tr>
</tbody>
</table>
</div>
The following questions ask about your experience on your trip to the Unite=
d States when you were processed for admission.=A0=A0Please <a href=3D"http=
s://help.cbp.gov/ci/documents/detail/1/AvMG~wr1Dv8S3xb~Gv8a~yKfHpkqiXz7WVUh=
AT7~Pv~o/5/15/12/46a3781bc6dfdc82f309c8bc39687b788ca573b1/13/MTQ4NTczMDQ2OQ=
!!/6/1/7/4352846">click here</a>=A0to take the survey.
<p>Thank you for your participation.</p>

<div style=3D"BORDER-TOP: black 1px solid; BACKGROUND-COLOR: #ffffff">Paper=
work Reduction Act Statement: An agency may not conduct or sponsor an infor=
mation collection and a person is not required to respond to this informati=
on unless it displays a current valid OMB control number and an expiration =
date. The control number for this collection is 1651-0136. The estimated av=
erage time to complete this application is=A08 minutes. If you have any com=
ments regarding the burden estimate you can write to U.S. Customs and Borde=
r Protection Office of Regulations and Rulings, 90 K Street, NE, Washington=
 DC 20229</div>
<img alt=3D"" height=3D"1" width=3D"1" style=3D"display: none" src=3D"https=
://help.cbp.gov/rd/AvMG~wr1Dv8S3xb~Gv8a~yKfHpkqiXz7WVUhAT7~Pv~o.gif"/> </bo=
dy>
</html>


www.custhelp.com goes to Oracle’s homepage. However, putting rnmk.com/ into Google brings up spam as the first autocomplete entry. rightnowtech.com brings up spam results.

Now, I don’t see any link hijacks there so I’m guessing that it is indeed bogus but the malefactors have a genuine Oracle account and will divert me from there. Or have copied the DHS survey and will just gather my info for identity fraud. I have, of course, not visited the link.

I know Eva Luna works in immigration; should I report it? If so, to whom?

I don’t know. Might be, might not.

With the link provided I was able to visit the apparently legitimate DHS survey (using a secured, sandboxed browser). Below is the first page of questions:

  1. Are you 18 years old or older?
  2. Did you travel to the United States under the Visa Waiver Program?
  3. When you arrived in the United States, which line did you wait in for inspection?
  4. What Airport or Seaport location did you arrive through?
  5. How long did you wait to complete the inspection process (not including waiting for your luggage).
  6. Was your wait time:
  7. Rate your interview with the U.S. Customs and Border Protection officer. He or she:
  8. What did you think of the inspection area?
  9. Based on the entry process, did you feel welcomed to the United States?
  10. Did your experience with the entry process affect your desire to return to the US?

It appears to me to be a totally legitimate survey conducted on behalf of the DHS by Custhelp.com - a very common and well known outsource provider of customer support, surveys, etc.

To continue to the next set of questions I’d need to actually answer these questions on your behalf and press “Continue” which I won’t do, but someone undoubtedly will.

I would recommend asking a mod to delete the survey URL and your unique ID number from the original post. With that link anyone on the internet forever into the future can visit the survey using an ID number that was made especially for you.

Thanks. While that does appear to make it more legitimate, I’ll note that I have yet to go, which they should know. The short title and the two spammy domains set my antennae twitching.

Evidence of nothing, but one of the times I entered the US, after I had cleared immigration and customs and was leaving, some uniformed guy ran up and asked how the experience was. :eek: He asked questions similar to the ones on the list.

I think that’s just our efficient government at work. :slight_smile: Who else but an actual government agency would provide a postal mailing address for questions about the “burden estimate” of 8 minutes to complete their survey?

Anyway, the email is from that custhelp place, but the actual survey address is at help.cbp.gov which is the official customs and border patrol website.
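The comparison made in this thread (envelope sender, visible From domain, SPF/DMARC verdicts, and where the body links actually point) can be done offline without opening any link. The following is an added example, not part of any post above; the sample message is constructed from the headers quoted in the thread with a placeholder in place of the tracking ID, and the two-label `org_domain` helper is a simplifying assumption.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the quoted message; PLACEHOLDER-TOKEN replaces the tracking ID.
SAMPLE = b"""\
Return-Path: <customs1@rnmk.com>
Authentication-Results: mx.google.com;
       spf=softfail smtp.mailfrom=customs1@rnmk.com;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=custhelp.com
From: Department of Homeland Security <customs_metrics@customs-mail.custhelp.com>
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

<html><body>Please <a href=3D"http=
s://help.cbp.gov/ci/documents/detail/PLACEHOLDER-TOKEN">click here</a>
<img src=3D"https://help.cbp.gov/rd/PLACEHOLDER-TOKEN.gif"/></body></html>
"""

def org_domain(host):
    # Simplification: last two labels. A real check needs the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def addr_domain(header_value):
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def triage(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                           str(msg["Authentication-Results"] or "")))
    from_dom = addr_domain(msg["From"])
    env_dom = addr_domain(msg["Return-Path"])
    # get_content() undoes quoted-printable, rejoining URLs split by "=" soft breaks
    html = msg.get_content()
    urls = re.findall(r'(?:href|src)\s*=\s*"([^"]+)"', html, re.I)
    hosts = sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})
    return {
        "auth": auth,
        "from_domain": from_dom,
        "envelope_domain": env_dom,
        "envelope_aligned": org_domain(from_dom) == org_domain(env_dom),
        "link_hosts": hosts,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample this reports a softfail/fail authentication result and a From domain that does not align with the envelope sender, while every link host is help.cbp.gov, which is the mixed picture the posters are arguing over.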

Don’t overestimate CBP’s ability to have a clue.