Hi;
Ned Slider wrote:
<snip>
>My point is it's really not easy to track down such information even
when banks do occasionally try to do the right thing. Maybe there is
already a >list out there. If not, maybe we should compile one? It's
hard work trying to do it by yourself, but done as a group it would make
the task a lot >easier.
</snip>
I did a similar thing for exim. I made a list of popular UK banks that I
had seen phished, then checked them against our local whitelist and DNSWL.
I've submitted entries to DNSWL where needed. If you wish to continue
along those lines then we can implement a more brutal form of SPF or at
least give them a decent spam score :-)
The false positives I've had have been staff mailing, using non public
mail gateways and bulk mailers doing their mail shots.
banks.txt:
abbey.co.uk
abbeynational.co.uk
abbey.com
alliance-leicester.co.uk
...
etc
exim snippet:
warn log_message = BANK PHISHING
sender_domains = +banks
!dnslists = list.dnswl.org=127.0.2.0, 127.0.2.1,
127.0.2.2, 127.0.2.3, 127.0.3.2, 127.0.3.3, 127.0.4.2, 127.0.15.1,127.0.15.2
!dnslists = my-whitelist.example.com
The admins at the banks seem to be blissfully ignorant of phishing and
how to reduce it. You wont get a reply to mail you send so it is up to
you to do what you can. Some are listed at rfc-ignorant, so you cant
even report phishing without going through a call centre. <sigh>
Rgds
N
John Hardin wrote:
On Mon, 11 May 2009, Marc Perkel wrote:
mouss wrote:
Is phishing really a problem for banks? I don't think so.
You're kidding right?
I think mouss' point is that if banks considered phishing "their
problem" they would be pursuing effective technological and policy
solutions like proper SPF and DKIM signing of their customer
communications and not using random third-party mailing services for
their email marketing, thus training their customers to accept email
from any source as legitimate bank communication.
Some do, but even then it's not easy to find. Take a popular UK bank
(Barclays, for example) - they send emails from email.barclays.co.uk
which does have an spf record and mails are signed. However, many
phish claim to be from the primary domain which has no spf record so
how would one know that subdomain even exists if one didn't have
access to legitimate mails from this particular bank? They may send
mails from other (sub)domains too for all I know.
Another - natwest.com has an spf record but natwest.co.uk doesn't. So
may I safely drop all email claiming to be from natwest.co.uk on the
assumption that domain doesn't send mail? If it doesn't send mail, set
the spf record to say so.
Some banks provide minimal information on phishing, but it's more
aimed at consumers and not the type of information that is of much use
to email admins.
My point is it's really not easy to track down such information even
when banks do occasionally try to do the right thing. Maybe there is
already a list out there. If not, maybe we should compile one? It's
hard work trying to do it by yourself, but done as a group it would
make the task a lot easier.
I'm just frustrated at bank phish emails slipping through the system -
they are so easy for us to spot yet there doesn't seem to be an easy
reliable way to catch them. Really I just view them as more unwanted
spam that I'd rather not have reach the inbox. I had to laugh earlier
today - I saw one slip past virtually everything other than clamav
that claimed to be from one bank in the subject, another in the From
address, and contained a URL to a third bank!
Then you get phish where the From address is a bank domain, and the
envelope address is from a completely unrelated domain with a valid
spf record so even a simple From_Bank && spf_pass isn't going to work.
