Marc Perkel wrote:
> Actually in some ways this leads to an interesting idea. In our wiki
> here perhaps we should write some guidelines for banks and everyone
> else running legitimate email servers as to what is the correct way to
> configure their servers. The first thing that comes to mind is getting
> FCrDNS correct and making sure that the domain of the from address,
> the HELO, and FCrDNS all resolve to the bank's domain.
I am not sure the SA wiki is the right place to get banks to "listen".
> In the case of gmail - I really wish the gmail servers resolved to
> gmail.com instead of google.com. Same with msn.com resolving to
> hotmail.com. Perhaps I should start working on this?
Why? This is an artificial requirement. There is no problem if your goal
is to do
- if it's from a "good" domain, accept it
- if it's not and if the sender is from a "spoofed" domain, do something.
The thing is to look for the client in a list, not to link each client
to each sender.
The problem is if your list of good domains is incomplete, but this is
not a reason to force an artificial requirement. After all, the checks
above do not solve the phishing problem. Mail from gmai1.com,
gmail1.com, gmail-security.com, ... will not be detected unless you do a
lot of work, which has nothing to do with gmail rDNS.
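An added example, not code from either poster, contrasting the two rules discussed above: the strict "From domain == HELO domain == FCrDNS domain" requirement, and the "look the client up in a list, then treat a protected sender domain as spoofed" rule. The DNS records, IP addresses (documentation ranges), domain lists and the examplebank.test name are all constructed stand-ins so it runs offline; org_domain() takes the last two labels instead of consulting a public-suffix list. The lookalike_of() heuristic at the end is my own sketch of the "lot of work" the reply alludes to, not something the thread proposes:

```python
"""Client-list check versus strict FCrDNS/HELO/From agreement (constructed example)."""

# Constructed DNS snapshot (assumption): PTR keyed by client IP, A keyed by hostname.
PTR_RECORDS = {
    "192.0.2.10": "mail-xy.google.com.",     # Gmail outbound host, rDNS under google.com
    "192.0.2.20": "bay0-omc1.hotmail.com.",  # MSN/Hotmail host, rDNS under hotmail.com
    "192.0.2.30": "mx1.examplebank.test.",   # a bank that got FCrDNS right
    "203.0.113.5": "dyn-5.isp.example.",     # PTR exists, but forward lookup disagrees
}
A_RECORDS = {
    "mail-xy.google.com": {"192.0.2.10"},
    "bay0-omc1.hotmail.com": {"192.0.2.20"},
    "mx1.examplebank.test": {"192.0.2.30"},
    "dyn-5.isp.example": {"203.0.113.99"},   # does not point back at 203.0.113.5
}

# Client domains (by FCrDNS) known to run legitimate mail servers (constructed list).
GOOD_CLIENT_DOMAINS = {"google.com", "hotmail.com", "examplebank.test"}
# Sender domains that are commonly phished and worth protecting (constructed list).
PHISHED_DOMAINS = {"gmail.com", "msn.com", "examplebank.test"}


def org_domain(host):
    """Last two labels of a hostname (assumption: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def fcrdns_host(ip):
    """Forward-confirmed rDNS: the PTR name whose A record contains ip, else None."""
    name = PTR_RECORDS.get(ip)
    if name is None:
        return None
    name = name.rstrip(".").lower()
    return name if ip in A_RECORDS.get(name, set()) else None


def strict_match(ip, helo, from_domain):
    """The 'artificial requirement': From, HELO and FCrDNS domains must all agree."""
    host = fcrdns_host(ip)
    if host is None:
        return False
    return org_domain(host) == org_domain(helo) == from_domain.lower()


def classify(ip, from_domain):
    """Client-list rule: trusted client -> accept; else a protected From domain is spoofed."""
    host = fcrdns_host(ip)
    if host is not None and org_domain(host) in GOOD_CLIENT_DOMAINS:
        return "accept"          # whatever the From claims, the client is known good
    if from_domain.lower() in PHISHED_DOMAINS:
        return "spoofed"
    return "unknown"             # neither trusted nor impersonating a protected domain


# --- The extra work needed for gmai1.com-style lookalikes (my heuristic, not the thread's) ---
_CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e", "|": "l"})


def _edit_distance(a, b):
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(from_domain):
    """Protected domain that from_domain imitates, or None if it is genuine/unrelated."""
    d = org_domain(from_domain)
    if d in PHISHED_DOMAINS:
        return None
    label = d.rsplit(".", 1)[0]            # drop the TLD
    label = label.split("-", 1)[0]         # drop "-security"-style suffixes
    label = label.translate(_CONFUSABLES)  # 1->l, 0->o, ...
    for protected in sorted(PHISHED_DOMAINS):
        if _edit_distance(label, protected.rsplit(".", 1)[0]) <= 1:
            return protected
    return None


if __name__ == "__main__":
    # Legitimate Gmail mail fails the strict rule but passes the client-list rule.
    print(strict_match("192.0.2.10", "mail-xy.google.com", "gmail.com"),
          classify("192.0.2.10", "gmail.com"))
    # A lookalike sails past both rules unless the extra check is applied.
    print(classify("203.0.113.5", "gmai1.com"), lookalike_of("gmai1.com"))
```

Note that the trusted-client decision never consults the From domain at all, which is exactly the point of "look for the client in a list": google.com servers carrying gmail.com mail are accepted without any per-sender mapping, while the same From domain from an unknown client is flagged. The lookalike check is deliberately separate, since it depends on nothing about the client's rDNS.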