On 23/08/12 18:18, Marc Perkel wrote:
> Let's take wellsfargo.com (Wells Fargo Bank) as an example.
>
> If the FCrDNS of the connecting server is *.wellsfargo.com it is ham.
> If wellsfargo.com is in the received lines and not forged it is ham.
> If wellsfargo.com is in the received headers and it is forged it is spam.
> If wellsfargo.com is in the received lines and there are IP in received
> with invalid FCrDNS then it is forged.
> If wellsfargo.com is not in the received headers then it is spam.


Aren't you just massively over-complicating something that should be really simple? Wells Fargo publish an SPF record that will tell you if it's real or forged and SA already checks that. You really don't need to look any further. Wells Fargo are telling you with some authority, these are the IP addresses we authorise to send mail from our domain.

> Most all banks can be detected with 100% accuracy with these rules.
>
> For banks that let 3rd parties send email for them we can add specific
> exceptions including if the SPF lists it, or a list of known 3rd parties
> that pass the bank's email.
>
> Here's why this is important. It hits the fraud community hard. Takes
> the money out. Makes spam less profitable.
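
The first rule in the quoted list rests on a forward-confirmed reverse DNS (FCrDNS) check of the connecting IP. A sketch of that check follows, added here as an example and not taken from either poster or from SpamAssassin; the function names, the `bank.example` domain and the sample records are constructed for illustration, with the resolver injectable so the sample data runs offline.

```python
import ipaddress
import socket

def system_ptr(ip):
    """PTR names for ip from the system resolver (empty list on failure)."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host, *aliases]
    except OSError:
        return []

def system_addrs(name):
    """A/AAAA addresses for name from the system resolver."""
    try:
        return [ai[4][0] for ai in socket.getaddrinfo(name, None)]
    except OSError:
        return []

def fcrdns_names(ip, ptr=system_ptr, addrs=system_addrs):
    """PTR names of ip whose forward lookup leads back to the same ip."""
    target = ipaddress.ip_address(ip)
    confirmed = []
    for name in ptr(ip):
        name = name.rstrip(".").lower()
        forward = set()
        for addr in addrs(name):
            try:
                forward.add(ipaddress.ip_address(addr.split("%")[0]))
            except ValueError:
                continue
        if target in forward:
            confirmed.append(name)
    return confirmed

def host_in_domain(ip, domain, ptr=system_ptr, addrs=system_addrs):
    """True only if a forward-confirmed name is the domain or a subdomain."""
    domain = domain.rstrip(".").lower()
    return any(n == domain or n.endswith("." + domain)
               for n in fcrdns_names(ip, ptr, addrs))

# Constructed records on documentation-only ranges and names (not real DNS).
PTR = {"192.0.2.10": ["mx1.bank.example."],           # PTR and A agree
       "198.51.100.7": ["mx1.bank.example."],         # PTR claims the name, A disagrees
       "203.0.113.5": ["bank.example.mailer.test."]}  # confirmed, but a lookalike name
A = {"mx1.bank.example": ["192.0.2.10"],
     "bank.example.mailer.test": ["203.0.113.5"]}

def sample_ptr(ip):
    return PTR.get(ip, [])

def sample_addrs(name):
    return A.get(name, [])
```

The second and third sample records show why both halves matter: a PTR record alone is controlled by whoever holds the reverse zone, and a confirmed name must be matched on a label boundary, not by substring.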


