--On 31 October 2008 00:02:30 +0800 W B Hacker <[EMAIL PROTECTED]> wrote:

> neil wrote:
>> Ian Eiloart wrote:
>>> That's useful. It's shocking that most of these banks haven't
>>> implemented SPF. I guess that an SPF check before using your snippet
>>> might help. I've checked to see which on your list do implement SPF -
>>> at <http://www.kitterman.com/spf/validate.html>. Of course, none of this
>>> helps if the phishers don't use these domains!
>>>
>> I have tried in the past to contact banks and ask about SPF, DKIM etc,
>> but I have had no reply.
>> It's almost as if they welcome fraud ;-)
>
> Not so...
>
> Nearly all banks, brokerages, credit-card issuers, mortgage and
> insurance firms run a 'private' message system for online customers
> within their own logged-in system.
>
> The ONLY email they send is either advertising/promotional, OR a
> 'heads-up' for you to log-in and view a waiting message on THEIR system.
>
> It is the second one that the 'Phishermen' try to emulate.

And, that's the class of spam that this is attempting to deal with.

> But anyone who clicks on a URI in a message - even the most valid of
> them - is making a serious mistake.

Yes, but people do. Phone someone now, and ask them for the credentials to
log in to their bank. 99% will give you the details, according to a bank
call centre manager that I spoke to.

> What the 'wise' do is go off to their own known-good URI and login
> independently.
>
> At this point, the better financial houses have trained their customers
> to expect a chosen user-specific graphic and/or engage in a
> challenge-response session randomly selected from a previously agreed
> set of many such.
>
> If asked your 'favorite color' and the expected answer stored in their
> DB is: 'Six helicopters' you are pretty safe. No more easily retrieved
> 'Mother's maiden name'.
>
> Safe is relative.
>
> Up until someone looks over your shoulder long enough with good optics,
> anyway.
>
> But most financial houses are now doing a better job of securing their
> online transactions than they have done of making sound investments.....
>
> In a sense, if you've been reading the news, the fraud that hurt the
> most was an 'inside job', not over the internet.
>
> :-(
>
> Bill
>
>
>> Yes I know that SPF etc breaks stuff <cue furious debate about
>> forwarding>, but I would have thought that in the few cases where people
>> set up deliberate forwarding they could whitelist, versus the millions
>> of phishing mails sent each day.
>>
>> Rgds
>> n

-- 
Ian Eiloart
IT Services, University of Sussex
x3148

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
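The thread above suggests checking which sender domains actually publish SPF before gating a "known bank sender" rule on it, which Ian did by hand against the Kitterman validator. The following added example (my code, not from the thread, Exim or any of the participants) does the same classification offline: it takes the TXT records a domain would return and reports whether a usable SPF policy exists and how strict its `all` qualifier is, including the two cases that silently make SPF useless for this purpose, no record at all and `+all`, plus the "two v=spf1 records" permerror from RFC 4408. The domain names and TXT records are constructed placeholders, not real banks' records.

```python
"""Classify a domain's SPF posture from its TXT records (added example, runs offline).

The sample records below are constructed for illustration; in practice the
list would come from a DNS TXT lookup of each candidate sender domain.
"""
import re

# Constructed sample TXT records for placeholder domains (not real banks).
SAMPLE_TXT = {
    "strict-bank.example":   ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all"],
    "soft-bank.example":     ["v=spf1 mx ~all"],
    "neutral-bank.example":  ["v=spf1 a ?all"],
    "open-bank.example":     ["v=spf1 +all"],              # publishes SPF but allows everyone
    "no-spf-bank.example":   ["site-verification=abc123"],  # no v=spf1 record at all
    "redirect-bank.example": ["v=spf1 redirect=_spf.strict-bank.example"],
    "broken-bank.example":   ["v=spf1 -all", "v=spf1 mx ~all"],  # two records: permerror
}

# Meaning of the qualifier on the 'all' mechanism (RFC 4408 section 4.6.2).
QUALIFIER_MEANING = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# A modifier term looks like name=value; mechanisms use ':' or '/' instead.
MODIFIER_RE = re.compile(r"^[A-Za-z][\w.-]*=")


def spf_records(txt_records):
    """Return only the v=spf1 records among a domain's TXT records (case-insensitive)."""
    return [r for r in txt_records
            if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]


def classify_spf(txt_records):
    """Classify the SPF policy found in a domain's TXT records.

    Returns one of:
      'none'     - no v=spf1 record published
      'invalid'  - more than one v=spf1 record (permerror, RFC 4408 section 4.5)
      'fail' / 'softfail' / 'neutral' / 'pass' - qualifier on the 'all' mechanism
      'redirect' - no 'all' term; policy delegated with redirect=
      'no-all'   - record ends without 'all' (implicit neutral)
    """
    recs = spf_records(txt_records)
    if not recs:
        return "none"
    if len(recs) > 1:
        return "invalid"
    has_redirect = False
    for term in recs[0].split()[1:]:
        if MODIFIER_RE.match(term):
            if term.split("=", 1)[0].lower() == "redirect":
                has_redirect = True
            continue
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return QUALIFIER_MEANING[m.group(1) or "+"]  # terms after 'all' are never reached
    return "redirect" if has_redirect else "no-all"


def usable_for_sender_check(txt_records):
    """True if a rule like 'accept mail claiming to be from this bank only on SPF pass'
    actually constrains anything: the domain must reject or soft-reject unlisted hosts."""
    return classify_spf(txt_records) in {"fail", "softfail"}


def report(txt_by_domain):
    """Map each domain to (classification, usable_for_sender_check)."""
    return {d: (classify_spf(t), usable_for_sender_check(t)) for d, t in txt_by_domain.items()}


if __name__ == "__main__":
    for domain, (policy, usable) in sorted(report(SAMPLE_TXT).items()):
        print(f"{domain:24} {policy:9} usable={usable}")
```

Only domains reported as `fail` or `softfail` are worth adding to a sender-domain check; a `neutral`, `pass` (`+all`) or `none` result means a phisher's host would pass or be ungraded just like the bank's own mail servers, and `invalid` means most receivers will treat the record as a permanent error rather than a policy.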
