Hi;

Ned Slider wrote:
<snip>
>My point is it's really not easy to track down such information even when banks do occasionally try to do the right thing. Maybe there is already a list out there. If not, maybe we should compile one? It's hard work trying to do it by yourself, but done as a group it would make the task a lot easier.
</snip>

I did a similar thing for exim. I made a list of popular UK banks that I had seen phished, then checked them against our local whitelist and DNSWL. I've submitted entries to DNSWL where needed. If you wish to continue along those lines then we can implement a more brutal form of SPF or at least give them a decent spam score :-)

The false positives I've had have been staff mailing, using non-public mail gateways and bulk mailers doing their mail shots.

banks.txt:
abbey.co.uk
abbeynational.co.uk
abbey.com
alliance-leicester.co.uk
...
etc

exim snippet:
warn log_message    = BANK PHISHING
     sender_domains = +banks
     !dnslists      = list.dnswl.org=127.0.2.0, 127.0.2.1, 127.0.2.2, 127.0.2.3, 127.0.3.2, 127.0.3.3, 127.0.4.2, 127.0.15.1,127.0.15.2
     !dnslists      = my-whitelist.example.com

The admins at the banks seem to be blissfully ignorant of phishing and how to reduce it. You won't get a reply to mail you send so it is up to you to do what you can. Some are listed at rfc-ignorant, so you can't even report phishing without going through a call centre. <sigh>

Rgds
N

John Hardin wrote:
On Mon, 11 May 2009, Marc Perkel wrote:

mouss wrote:
Is phishing really a problem for banks? I don't think so.

You're kidding right?

I think mouss' point is that if banks considered phishing "their problem" they would be pursuing effective technological and policy solutions like proper SPF and DKIM signing of their customer communications and not using random third-party mailing services for their email marketing, thus training their customers to accept email from any source as legitimate bank communication.


Some do, but even then it's not easy to find. Take a popular UK bank (Barclays, for example) - they send emails from email.barclays.co.uk which does have an spf record and mails are signed. However, many phish claim to be from the primary domain which has no spf record so how would one know that subdomain even exists if one didn't have access to legitimate mails from this particular bank? They may send mails from other (sub)domains too for all I know.

Another - natwest.com has an spf record but natwest.co.uk doesn't. So may I safely drop all email claiming to be from natwest.co.uk on the assumption that domain doesn't send mail? If it doesn't send mail, set the spf record to say so.

Some banks provide minimal information on phishing, but it's more aimed at consumers and not the type of information that is of much use to email admins.

My point is it's really not easy to track down such information even when banks do occasionally try to do the right thing. Maybe there is already a list out there. If not, maybe we should compile one? It's hard work trying to do it by yourself, but done as a group it would make the task a lot easier.

I'm just frustrated at bank phish emails slipping through the system - they are so easy for us to spot yet there doesn't seem to be an easy reliable way to catch them. Really I just view them as more unwanted spam that I'd rather not have reach the inbox. I had to laugh earlier today - I saw one slip past virtually everything other than clamav that claimed to be from one bank in the subject, another in the From address, and contained a URL to a third bank!

Then you get phish where the From address is a bank domain, and the envelope address is from a completely unrelated domain with a valid spf record so even a simple From_Bank && spf_pass isn't going to work.
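
The logic of the exim rule above, as an added Python example that is not part of the original posts. It goes beyond the rule by testing the header From domain as well as the envelope sender, which is the case raised at the end of the thread. The resolver callback, the subdomain matching, the sample IPs and the sample message are assumptions.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Domains, zones and return codes are the ones in the post; the rest is assumed.
BANKS = {"abbey.co.uk", "abbeynational.co.uk", "abbey.com", "alliance-leicester.co.uk"}
DNSWL_ZONE, LOCAL_ZONE = "list.dnswl.org", "my-whitelist.example.com"
DNSWL_OK = {"127.0.2.0", "127.0.2.1", "127.0.2.2", "127.0.2.3", "127.0.3.2",
            "127.0.3.3", "127.0.4.2", "127.0.15.1", "127.0.15.2"}

def dnsl_name(client_ip, zone):
    """DNS-list query name: reversed IPv4 octets prepended to the zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def domain_of(address):
    """Lower-cased domain part of an address or From header value."""
    return parseaddr(address)[1].rpartition("@")[2].lower().rstrip(".")

def is_bank(domain):
    # Assumption: subdomains of a listed domain count as the bank too.
    return any(domain == b or domain.endswith("." + b) for b in BANKS)

def classify(raw_message, envelope_sender, client_ip, resolve):
    """resolve(name) returns the set of A records for name (empty if none)."""
    header_from = message_from_string(raw_message).get("From", "")
    claimed = [d for d in (domain_of(envelope_sender), domain_of(header_from))
               if is_bank(d)]
    if not claimed:
        return "not-bank"
    if resolve(dnsl_name(client_ip, LOCAL_ZONE)):   # any local listing counts
        return "accept"
    if resolve(dnsl_name(client_ip, DNSWL_ZONE)) & DNSWL_OK:
        return "accept"
    return "BANK PHISHING"

# Constructed sample data: documentation-range IPs and a fake DNS table.
FAKE_DNS = {
    "10.2.0.192.list.dnswl.org": {"127.0.2.3"},            # listed, accepted code
    "20.2.0.192.list.dnswl.org": {"127.0.5.0"},            # listed, other code
    "30.2.0.192.my-whitelist.example.com": {"127.0.0.2"},  # local whitelist hit
}
def fake_resolve(name):
    return FAKE_DNS.get(name, set())

SAMPLE = "From: Abbey <security@abbey.co.uk>\nSubject: Verify\n\nconstructed body\n"

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "198.51.100.7"):
        print(ip, classify(SAMPLE, "bounce@unrelated.example", ip, fake_resolve))
```

In production the `resolve` callback would be a real DNS A-record lookup; the envelope sender here is an unrelated domain, so a check on `sender_domains` alone would not have matched this message.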


