John Hardin wrote:
> On Tue, 12 May 2009, Ned Slider wrote:
>
>> Then you get phish where the From address is a bank domain, and the
>> envelope address is from a completely unrelated domain with a valid
>> spf record so even a simple From_Bank && spf_pass isn't going to work.
>
> That might make a useful general rule, though: SPF Pass and the From:
> header in a different domain than the envelope From: address...
>
Unfortunately, this doesn't "fix" the problem. You can get a phish with a From header = envelope sender = ... in a "typo squatted" domain, such as pajpal.com (the gangs are creative in finding variants that get around the filters you set). While we do need to detect phishing at the email reception stage, we also need to detect the missed ones at the "use" stage (either via the browser or via email, if the user sends his password). And even then, we still need to insist on the education side. One way is to intentionally send phishes (that is, trap your own users), and those users who get caught win a half-day lesson...
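As an added illustration of the two cases discussed above (example code, not from the thread or from SpamAssassin): a check implementing John Hardin's header-versus-envelope rule, which flags the unrelated-envelope phish but not the typo-squatted one, plus an edit-distance comparison against a list of domains you want to protect, which does catch that second case. The envelope sender is approximated by Return-Path, and all messages and domain names are constructed.

```python
import email
from email.utils import parseaddr

# Constructed sample messages (headers only), not taken from the thread.
PHISH_UNRELATED_ENVELOPE = """\
Return-Path: <bounce@bulk-sender.example>
Received-SPF: pass (mx.example: domain of bulk-sender.example designates 203.0.113.5 as permitted sender)
From: "Example Bank" <alerts@examplebank.example>
Subject: Please verify your account
"""
PHISH_TYPOSQUAT = """\
Return-Path: <alerts@exanplebank.example>
Received-SPF: pass (mx.example: domain of exanplebank.example designates 203.0.113.6 as permitted sender)
From: "Example Bank" <alerts@exanplebank.example>
Subject: Please verify your account
"""

def _domain(msg, header):
    """Lower-cased domain part of an address header, or '' if absent."""
    addr = parseaddr(msg.get(header, ""))[1]
    return addr.rpartition("@")[2].lower()

def spf_pass_but_from_mismatch(raw):
    """John Hardin's rule: SPF pass, yet the From: domain differs from the
    envelope sender (approximated here by the Return-Path header)."""
    msg = email.message_from_string(raw)
    tokens = msg.get("Received-SPF", "").split()
    spf = tokens[0].lower() if tokens else ""
    return spf == "pass" and _domain(msg, "From") != _domain(msg, "Return-Path")

def edit_distance(a, b):
    """Plain Levenshtein distance; small values indicate look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_from_domain(raw, protected, max_dist=1):
    """True when the From: domain is within max_dist edits of a protected
    domain without being identical to it (the typo-squat case)."""
    dom = _domain(email.message_from_string(raw), "From")
    return any(0 < edit_distance(dom, p) <= max_dist for p in protected)

PROTECTED = ["examplebank.example"]  # constructed list of domains to watch
```

The header rule alone misses the aligned typo-squat message; the look-alike check is what catches it, at the cost of a list you have to maintain.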