--On Tuesday, June 3, 2008 9:32 -0700 Kelson <[EMAIL PROTECTED]> wrote:
Marc Perkel wrote:
If the FCrDNS matches one of these domains it is ham.
If the sender or from address matches one of these domains and the
domain doesn't appear in the Received headers - it's a phish.
<snip>
citibank.com
It's worth noting that Citibank still sometimes uses other domains. I've
seen legit mail from them that uses a citibank.com address, but is sent
from a citigroup.com server.
Many banks also send mail from third-party servers. Bank of America
sends from customercenter.com and par3.com. American Express sends
from aexp.com (which is theirs) and cheetahmail.com. Some send from
bigfoot. It's only personal bank account information-- why keep the
data in-house? :-)
I've noticed those citi mismatches too. Sometimes the PTR and A
records are even confused as to which citi* domain the host is in.
Anyway-- not finding the bank domain in a Received header is _not_ good
enough to call it a phish. It would be nice if it were so. They
_usually_ have good SPF records, but I've seen a major bank leave
off their third-party mailer.
Joseph Brennan
Columbia University Information Technology
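
The two rules quoted at the top of this message, and the citigroup.com case that breaks the second one, as an added Python sketch (not code from any poster in the thread). The function names, the sample messages, and the `fcrdns_host` input are assumptions: the hostname is taken as already forward-confirmed by the receiving MTA, and only the From header is checked, not the envelope sender.

```python
import email
import re
from email.utils import parseaddr

# Only citibank.com survives the <snip> in the quoted domain list.
PROTECTED = {"citibank.com"}

def in_domain(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def classify(raw, fcrdns_host):
    """Apply the two quoted rules to one message (no DNS lookups here)."""
    msg = email.message_from_string(raw)
    # Rule 1: FCrDNS inside a protected domain -> ham.
    if any(in_domain(fcrdns_host, d) for d in PROTECTED):
        return "ham"
    # Rule 2: From claims a protected domain that no Received header names.
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    claimed = [d for d in PROTECTED if in_domain(from_dom, d)]
    received = " ".join(msg.get_all("Received", [])).lower()
    hosts = re.findall(r"[a-z0-9.-]+\.[a-z]{2,}", received)
    if claimed and not any(in_domain(h, d) for h in hosts for d in claimed):
        return "phish"
    return "unknown"

def sample(from_addr, relay):
    """Build a constructed message relayed by `relay` (not real mail)."""
    return (f"Received: from {relay} ({relay} [192.0.2.10])\n"
            f"\tby mx.example.org; Tue, 3 Jun 2008 09:00:00 -0700\n"
            f"From: {from_addr}\nSubject: Account notice\n\nbody\n")

# Constructed cases: (From address, relaying host with confirmed rDNS).
CASES = [
    ("service@citibank.com", "host.example.net"),   # spoofed From
    ("alerts@citibank.com", "mail.citigroup.com"),  # legit, sister domain
    ("alerts@citibank.com", "mail.citibank.com"),   # legit, direct
]

if __name__ == "__main__":
    for from_addr, relay in CASES:
        print(from_addr, "via", relay, "->", classify(sample(from_addr, relay), relay))
```

The second case comes back as "phish" even though it models the legitimate citibank.com-from-citigroup.com mail described above, which is the false positive the replies warn about.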