On 30/06/10 19:51, Kelson wrote:
> On 6/30/2010 8:37 AM, Ned Slider wrote:
>> My solution is to just filter ALL mail from bank or bank-like domains.
>> The vast majority are phishing anyway with only a few marketing emails
>> (often not from a bank domain) or "your online statement is ready"
>> notifications that I'm sure users can do without.
>
> I wouldn't be so sure that users can do without* those notifications. I
> don't know about the UK, but in the US, banks and utilities are really
> pushing paperless statements. Users might be relying on email from their
> banks to let them know when their credit card bills are ready.
>
> *More generally, I don't think it's our place to decide what users can
> and can't do without among email that they've actually requested. False
> positives are one thing. *Deliberately* blocking something on the
> grounds that it's not necessary? That's something else.
Yes, apologies, that read badly. Of course I'm not advocating
intentionally blocking legitimate mail.

In fairness, what I meant to imply is that it's probably easier to
switch to a default REJECT policy for bank (and bank-like) domains and
then manually whitelist the genuine stuff than to do it the other way
around; and that well implemented DKIM/SPF policies on behalf of the
banks would make that a far easier task. A default policy of ACCEPT no
longer seems reasonable when 99% of mail claiming to be from bank
domains is phish.

The situation is further compounded by a lack of clarity from the banks
surrounding their policies even when they do have one. Take, for example,
Barclays in the UK:

$ dig txt barclays.co.uk
;; ANSWER SECTION:
barclays.co.uk. 3526 IN TXT "wp-noop://"

So they have no SPF policy? Wrong, they do, but it's on their
email.barclays.co.uk subdomain as presumably that's the domain they send
mail from - but how are you supposed to know that if they don't tell you?

$ dig txt email.barclays.co.uk
;; ANSWER SECTION:
email.barclays.co.uk. 3473 IN TXT "spf2.0/pra ip4:207.251.70.64/29 ip4:207.251.97.252/31 ip4:63.146.96.192/30 ip4:63.146.96.196/31 ip4:207.251.96.0/24 ip4:65.125." "54.0/24 ip4:66.165.100.120/29 ip4:208.49.63.128/28 ip4:63.211.90.16/29 -all"

Where on Barclays' website does it say we *only* send mail from
@email.barclays.co.uk and you can safely throw away anything claiming to
be from @barclays.co.uk? Why not have an SPF policy on barclays.co.uk
that says this domain doesn't send email (if that's the case)?
IMHO it would be useful to have an up to date list of financial domains
that do send legitimate mail and their DKIM/SPF policies. Likewise, it
would be useful to have a list of fake bank-like domains that are
commonly used for phish (e.g., hsbc-online.co.uk).
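As an added example, not code from the thread or from any of its participants: a small Python 3 script that takes TXT records in the shape dig prints them (the email.barclays.co.uk and barclays.co.uk records are the ones quoted in the post above; the nomail.example domain, the sender IPs and the BANK_LIKE set are constructed for the example), concatenates multi-string records, evaluates a sender IP against the ip4/ip6/all mechanisms, and applies the default-REJECT-unless-explicit-pass rule described above. One caveat it makes visible: the Barclays record is a Sender ID record (spf2.0/pra), not an SPF v=spf1 record, so a strict SPF-only checker would see no policy at all on email.barclays.co.uk; the script accepts both version tags so that the reader can compare.

```python
import ipaddress

# TXT records as dig prints them: one list of quoted strings per record.
# The email.barclays.co.uk and barclays.co.uk records are the ones quoted
# in the post above; nomail.example is a constructed "this domain sends no
# mail" policy of the kind barclays.co.uk could publish.
SAMPLE_TXT = {
    "email.barclays.co.uk": [[
        "spf2.0/pra ip4:207.251.70.64/29 ip4:207.251.97.252/31 "
        "ip4:63.146.96.192/30 ip4:63.146.96.196/31 ip4:207.251.96.0/24 "
        "ip4:65.125.",
        "54.0/24 ip4:66.165.100.120/29 ip4:208.49.63.128/28 "
        "ip4:63.211.90.16/29 -all",
    ]],
    "barclays.co.uk": [["wp-noop://"]],
    "nomail.example": [["v=spf1 -all"]],
}

# Constructed list of domains that get the default-REJECT treatment.
BANK_LIKE = {"barclays.co.uk", "email.barclays.co.uk", "nomail.example"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def find_policy(records):
    """Return the SPF (v=spf1) or Sender ID (spf2.0/...) policy text, or None.

    The strings of a multi-string TXT record are concatenated with NO
    separator, which is how the split "ip4:65.125." "54.0/24" in the
    Barclays record becomes ip4:65.125.54.0/24.
    """
    for strings in records:
        text = "".join(strings)
        if text.startswith("v=spf1") or text.startswith("spf2.0/"):
            return text
    return None


def mechanisms(policy):
    """Yield (qualifier, name, argument) for each term after the version tag."""
    for term in policy.split()[1:]:
        qualifier = "+"                      # the default qualifier is "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        yield qualifier, name.lower(), arg


def check_ip(policy, sender_ip):
    """Evaluate sender_ip against the ip4/ip6/all mechanisms of a policy.

    Only mechanisms that need no further DNS lookups are handled; include:,
    a, mx and redirect= raise so the caller knows a real resolver is needed.
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, arg in mechanisms(policy):
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
        else:
            raise NotImplementedError("mechanism %r needs DNS" % name)
    return "neutral"                         # nothing matched, no "all" term


def sends_no_mail(policy):
    """True when the only mechanism is -all, i.e. "this domain sends no mail"."""
    return list(mechanisms(policy)) == [("-", "all", "")]


def decide(sender_domain, sender_ip, txt=SAMPLE_TXT, bank_like=BANK_LIKE):
    """Default-REJECT for bank-like domains: ACCEPT only on an explicit pass."""
    if sender_domain not in bank_like:
        return "ACCEPT"                      # ordinary mail, ordinary filtering
    policy = find_policy(txt.get(sender_domain, []))
    if policy is None:
        return "REJECT"                      # no policy: nothing to whitelist against
    if sends_no_mail(policy):
        return "REJECT"                      # the domain says it never sends mail
    return "ACCEPT" if check_ip(policy, sender_ip) == "pass" else "REJECT"


if __name__ == "__main__":
    for domain, ip in [("barclays.co.uk", "207.251.70.66"),
                       ("email.barclays.co.uk", "207.251.70.66"),
                       ("email.barclays.co.uk", "65.125.54.10"),
                       ("email.barclays.co.uk", "192.0.2.1"),
                       ("nomail.example", "192.0.2.1")]:
        print("%-22s %-15s %s" % (domain, ip, decide(domain, ip)))
```

Swap SAMPLE_TXT for a real lookup (e.g. dnspython's resolver) to use it live; the decision logic stays the same. Note that mail claiming to be from @barclays.co.uk is rejected purely because that name publishes no policy, which is exactly the situation the post complains about: a "v=spf1 -all" on barclays.co.uk would make the same decision explicit and authoritative.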