Mike Cardwell wrote:
Ned Slider wrote:

Yes - but I think what he's saying is that you have to start with a list of bank domains, then test those domains with higher scrutiny.

Does such a list exist? One of my users was getting a lot of spam pretending to be from banks. I ended up just compiling a regular expression to match against the from header of the emails:

@([-a-zA-Z0-9\.]+[-\.])?(rbs|barclays|halifax|secure-halifax|hsbc|natwest|nationwide|northernbank|cbonline|ybonline|co-operativebank|bank-of-ireland|bankofengland|lloydstsb|bankofscotland|firstdirect|alliance-leicester|abbeynational|egg|new\.egg|woolwich|firsttrustbank|ulsterbank|citibank|icicibank)\.(com|co\.uk)

It's far from comprehensive obviously, but it covers most of what he was receiving.

If that regular expression matches, and the connecting host is in a list of what I refer to as "dodgy countries," then I reject the email.

Yes, that's the type of thing I was thinking of Mike.

I was thinking it might be easier to maintain as a plugin with a separate bank-domains.cf file listing banking type domains as Henrik has done for freemail, and then query a FROM_BANK type rule.

That would be good yes. If the banks were serious about combating online fraud, you'd expect them to come together and agree on a standard for sending their email, eg they could all use DKIM. They should also publish a combined directory of their own domain names.


Yes, there are loads of things banks /could/ do to make it easier to stop phishing, but for the most part they seem totally disinterested. I would really like to see the creation of a TLD along the lines of .bank, and make it like .gov or .edu (ac.uk) where only confirmed banks and financial institutions can register such domains. That combined with mandatory DKIM and/or SPF would make it a lot easier to spot and stop the phishing but I think we are a long way from anything that coordinated actually happening.

It's been said before on this list, but it doesn't help when banks have multiple domain names and often mix and match domains/URLs in the same email (goes to demonstrate their lack of understanding).

In the meantime I'm left working on the basis that for the large part, banks simply don't send email to my clients so *any* email claiming to be from a bank is immediately highly suspicious and could probably be scored well on the way to being spam.
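
Added example, not part of the original thread: a Python harness that runs the From-header regex quoted above over constructed headers, showing which sender domains it catches and which it misses, and combines it with the connecting-country check Mike describes. The country codes, function names and sample headers are assumptions, and the lookup of the connecting host's country is assumed to happen elsewhere.

```python
import re

# Regex quoted in the thread, unchanged; it is matched against the From header.
BANK_FROM = re.compile(
    r"@([-a-zA-Z0-9\.]+[-\.])?"
    r"(rbs|barclays|halifax|secure-halifax|hsbc|natwest|nationwide|northernbank"
    r"|cbonline|ybonline|co-operativebank|bank-of-ireland|bankofengland|lloydstsb"
    r"|bankofscotland|firstdirect|alliance-leicester|abbeynational|egg|new\.egg"
    r"|woolwich|firsttrustbank|ulsterbank|citibank|icicibank)"
    r"\.(com|co\.uk)"
)

# Placeholder for the "dodgy countries" list, which the thread does not give.
# XX and ZZ are ISO 3166 user-assigned codes, used here as constructed values.
FLAGGED_COUNTRIES = {"XX", "ZZ"}


def claims_bank_sender(from_header):
    """True if the From header matches the bank-domain regex.

    The header is lower-cased first (an addition here) because the bank
    names in the regex are lower case while domain names are case-insensitive.
    """
    return BANK_FROM.search(from_header.lower()) is not None


def should_reject(from_header, connecting_country):
    """Reject only when both conditions described in the thread hold."""
    return claims_bank_sender(from_header) and connecting_country in FLAGGED_COUNTRIES


# Constructed sample headers with the country code of the connecting host.
SAMPLES = [
    ('"Barclays" <alerts@barclays.co.uk>', "XX"),        # exact bank domain
    ("security@online.hsbc.com", "GB"),                  # subdomain prefix
    ("update@my-natwest.com", "ZZ"),                     # hyphenated prefix
    ('"service@barclays.co.uk" <x@example.net>', "XX"),  # bank address in display name
    ("info@egg.com.example.net", "XX"),                  # no end anchor: still matches
    ("help@barclays-secure.com", "XX"),                  # suffix lookalike: missed
    ("sales@herbs.com", "XX"),                           # "rbs" needs a - or . before it
]

if __name__ == "__main__":
    for header, country in SAMPLES:
        print(f"{header!r:48} {country}  match={claims_bank_sender(header)!s:5} "
              f"reject={should_reject(header, country)}")
```

The suffix-lookalike miss and the unanchored tail are the two behaviours to keep in mind if the pattern is moved into a bank-domains list of the kind Ned suggests.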

