Marc Perkel wrote:
If the FCrDNS matches one of these domains it is ham.
If the sender or from address matches one of these domains and the
domain doesn't appear in the Received headers - it's a phish.
<snip>
citibank.com
It's worth noting that Citibank still sometimes uses other domains.
I've seen legit mail from them that uses a citibank.com address, but is
sent from a citigroup.com server.
It could be worse -- a few years ago, they'd use about 5 or 6 domains on
a regular basis, including the defunct c2it.com. Take a look at the
SARE_FORGED_CITI rule in 70_sare_spoof.cf.
--
Kelson Vibber
SpeedGate Communications <www.speed.net>
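The two rules quoted above, together with the citigroup.com case raised in the reply, as an added example that is not code from either poster or from SpamAssassin. The `PROTECTED` list, the `ALIASES` map, the function names and the sample headers are assumptions constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed data (assumption): one protected brand domain, plus the extra
# sending domain the reply reports seeing on legitimate mail.
PROTECTED = {"citibank.com"}
ALIASES = {"citibank.com": {"citibank.com", "citigroup.com"}}

HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

def under(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def protected_domain(host):
    """Return the protected domain that host belongs to, or None."""
    return next((d for d in PROTECTED if under(host, d)), None)

def classify(from_addr, fcrdns_host, received, aliases=None):
    """Apply the two quoted rules; returns 'ham', 'phish' or 'unknown'."""
    # Rule 1: the connecting host's FCrDNS name is in a protected domain.
    if fcrdns_host and protected_domain(fcrdns_host):
        return "ham"
    # Rule 2: From domain is protected but no Received host belongs to it.
    from_host = parseaddr(from_addr)[1].rpartition("@")[2]
    brand = protected_domain(from_host)
    if brand is None:
        return "unknown"
    accepted = (aliases or {}).get(brand, {brand})
    hosts = [h for line in received for h in HOST_RE.findall(line)]
    if any(under(h, d) for h in hosts for d in accepted):
        return "unknown"  # brand (or alias) seen in Received: rule 2 is silent
    return "phish"

# Constructed sample messages (documentation hostnames and addresses).
FROM = "Citibank <service@citibank.com>"
FORGED = ["from host.example.org (host.example.org [198.51.100.7]) by mx.example.net"]
CITIGROUP = ["from mail.citigroup.com (mail.citigroup.com [192.0.2.10]) by mx.example.net"]
LOOKALIKE = ["from citibank.com.example.org (x [198.51.100.9]) by mx.example.net"]

if __name__ == "__main__":
    print(classify(FROM, "host.example.org", FORGED))                 # forged sender
    print(classify(FROM, "mail.citigroup.com", CITIGROUP))            # strict rule 2
    print(classify(FROM, "mail.citigroup.com", CITIGROUP, ALIASES))   # with alias map
```

Only the Received line written by your own MTA is trustworthy; anything below it is supplied by the sender, so a deployment would restrict `received` to lines from hosts it controls.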