On 20/03/11 17:17, Marc Perkel wrote:
> Want to share your bank list? Here's mine:
Mine was embedded in my last reply:
# Anchored with $ so only the bare bank domain matches, not e.g. barclays.co.uk.somewhere.example
header LOCAL_FROM_BANK From:addr =~ /\@(abbey|abbeyinternational|abbeynational|allianceleicester|alliance-leicester|bankofamerica|barclays|cahoot|cbonline|citibank|cooperativebank|co-operativebank|cooperative-bank|egg|eggconnect|firstdirect|halifax|halifax-online|hbos|hsbc|hsbcgroup|lloydstsb|mbna|natwest|nationwide|newegg|new\.egg|northernbank|nwolb|rbs|santander|santandercards|smile|woolwich|ybonline|zenithbank)\.(com|co\.uk)$/i
score LOCAL_FROM_BANK 6
describe LOCAL_FROM_BANK From a bank domain
Those I believe are all legitimate banking domains, i.e., domains
actually held by a bank rather than by some individual or unrelated company
(those were listed in subsequent rules). I would score these but also seek
to whitelist the domains by SPF/DKIM to prevent any extremely rare
possibility of false positives.
I differentiate between the two as it allows me to assign a higher score
to the latter. No point accepting mail from a faked bank-type domain -
you know it's going to be phish before you even see it.
I also have a small list of domains that don't exist that I block at the
SMTP level to prevent them from pointlessly retrying for the next 5 days:
paypalc.com REJECT
securepaypaleu.com REJECT
alert.hsbc.co.uk REJECT
ealerts.hsbc.co.uk REJECT
online.hsbc.co.uk REJECT
secure.hsbc.co.uk REJECT
hsbc-online.co.uk REJECT
hsbcwebmail.co.uk REJECT
paypal-secure.co.uk REJECT
host.ulsterbank.co.uk REJECT
Some organisations, such as Her Majesty's Revenue and Customs
(http://www.hmrc.gov.uk/security/fraud-attempts.htm), are very much on
the ball and provide a list of addresses being abused from which they
don't send mail. I have added some entries over time as I've captured
examples of them. Again, these can be blocked on sight or scored very
highly in SA:
annual-correcti...@hmrc.gov.uk REJECT
cla...@hmrc.direct.gov.uk REJECT
customer.off...@hmrc.customsoffice.gov.uk REJECT
em...@hmrc.gov.uk REJECT
etaxref...@hmrc.gov.uk REJECT
hm-refere...@hmrc.gov.uk REJECT
noti...@hrms.co.uk REJECT
refund...@hmrc.gov.co.uk REJECT
not...@hmrc.gov.uk REJECT
h...@hmrc.gov.uk REJECT
ad...@hmrc.gsi.gov.uk REJECT
i...@hmrc.gsi.gov.uk REJECT
no-re...@hmrc.gsi.gov.uk REJECT
ref...@hmrc.gov.uk REJECT
refo...@hmrc.gov.uk REJECT
i...@hmrc.gov.uk REJECT
servi...@hmrc.gsi.gov.uk REJECT
refu...@hmrc.gov.uk REJECT
refu...@hmrc.co.uk REJECT
onlineservi...@hmrc.gov.uk REJECT
sec...@hmrc.co.uk REJECT
notificat...@hmrc.gov.uk REJECT
hmrc....@refund.gov.uk REJECT
refundsd...@ir-efile.gov.uk REJECT
nore...@notifications.gov.uk REJECT
helpd...@hmrc.co.uk REJECT
securem...@hmrc.gov.uk REJECT
h...@service.co.uk REJECT
tax.ref...@hmrc.gov.uk REJECT
custom...@hmrc.gov.uk REJECT
final-not...@hmrc.gov.uk REJECT
reb...@hmrc.gov.uk REJECT
refund-assista...@hmrc.gov.uk REJECT
serv...@hmrc.co.uk REJECT
serv...@hmrc.gsi.gov.uk REJECT
success...@gov.uk REJECT
taxref...@hmrc.gov.uk REJECT
taxrefu...@hmrc.gov.uk REJECT
tax-serv...@hmrc.customs.gov.uk REJECT
TBH, all that these institutions have to do is clearly state "we only send
email from this/these addresses", and that it is signed and/or listed in
SPF. That would be enough to stop phishing dead. But I get the distinct
impression they really don't care. Even HMRC above, who go to the effort
of providing extensive details of scams, don't publish an SPF record for
their domain and don't state IF they send email and, if so, from which
addresses it is sent and whether it's signed. Their efforts are all reactive
rather than proactive.
Arguably this information could help spammers but TBH most of them are
so clueless they can't even compose a convincing message body without
grammatical and spelling errors so I see little hope of them getting
technical details correct whilst there is clearly so much low hanging
fruit for them to harvest.
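The two tiers described in the message above (an SMTP-level access map that REJECTs known phishing senders, and a scored rule for mail claiming a genuine bank domain) can be sketched as a stand-alone check. The following is an added example, not the poster's configuration and not SpamAssassin or Postfix code; it uses only a subset of the bank names from the rule, a constructed access map (the two domains come from the thread, the full address is a made-up placeholder under .example), and an approximation of Postfix's sender lookup order. It also shows the effect of anchoring the bank-domain regex at the end of the address:

```python
"""Two-tier sender check sketched in the thread, as a stand-alone Python
demonstration (added example; not the poster's code or SpamAssassin/Postfix code).

Tier 1: senders/domains in a Postfix access(5)-style map are REJECTed at SMTP time.
Tier 2: mail whose From: address sits at a genuine bank domain gets a
        LOCAL_FROM_BANK hit, to be rescued later only by SPF/DKIM alignment.
It also shows why the bank-domain regex needs a trailing anchor.
"""
import re
from email.utils import parseaddr

# Assumption: a short subset of the bank names used in the thread's rule.
BANK_NAMES = ("barclays", "hsbc", "lloydstsb", "natwest", "santander")
ALTERNATION = "|".join(BANK_NAMES)

# Shape of the original rule: nothing stops the match from sitting in the
# middle of a longer domain such as barclays.co.uk.verify-login.example.
UNANCHORED_RE = re.compile(r"@(" + ALTERNATION + r")\.(com|co\.uk)", re.I)
# Anchored: the bank domain must be the entire domain part of the address.
ANCHORED_RE = re.compile(r"@(" + ALTERNATION + r")\.(com|co\.uk)$", re.I)

# Constructed sample map. The two domains appear in the thread; the
# full address is a made-up placeholder, not one of the thread's entries.
ACCESS_MAP_TEXT = """
# phishing-only senders, rejected outright
paypalc.com               REJECT
secure.hsbc.co.uk         REJECT
refund@tax-office.example REJECT
"""


def parse_access_map(text):
    """Parse 'key action' lines into a dict; '#' comments and blanks are skipped."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, action = line.split(None, 1)
        table[key.lower()] = action.strip().upper()
    return table


def access_lookup(addr, table):
    """Approximate Postfix sender lookup order: the full address, then the
    domain, then each parent domain (as parent_domain_matches_subdomains does)."""
    addr = addr.lower()
    _local, _, domain = addr.rpartition("@")
    labels = domain.split(".")
    candidates = [addr] + [".".join(labels[i:]) for i in range(len(labels) - 1)]
    for key in candidates:
        if key in table:
            return table[key]
    return None


def classify(from_header, table, bank_re=ANCHORED_RE):
    """Return 'REJECT', 'LOCAL_FROM_BANK' or 'OK' for a raw From: header value.

    parseaddr() extracts the address part, as SpamAssassin's From:addr does,
    so a bank address placed in the display name gains the sender nothing.
    """
    _name, addr = parseaddr(from_header)
    if access_lookup(addr, table) == "REJECT":
        return "REJECT"
    if bank_re.search(addr):
        return "LOCAL_FROM_BANK"
    return "OK"


TABLE = parse_access_map(ACCESS_MAP_TEXT)

if __name__ == "__main__":
    # Constructed sample From: headers.
    samples = [
        '"HSBC" <alerts@secure.hsbc.co.uk>',
        "HM Revenue <refund@tax-office.example>",
        "Barclays <alerts@barclays.co.uk>",
        "Barclays <alerts@barclays.co.uk.verify-login.example>",
        '"alerts@hsbc.co.uk" <x@random.example>',
    ]
    for s in samples:
        print(f"{classify(s, TABLE):16s} anchored   {s}")
        print(f"{classify(s, TABLE, UNANCHORED_RE):16s} unanchored {s}")
```

The unanchored variant gives the lookalike `barclays.co.uk.verify-login.example` the same LOCAL_FROM_BANK hit as the real domain, which defeats the point of scoring genuine bank domains separately from fakes; the `$` anchor confines the match to the bare domain. The REJECT tier is consulted first because, as the message says, there is no point accepting such mail at all.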