John Hardin wrote:
> On Mon, 11 May 2009, Marc Perkel wrote:
> > mouss wrote:
> > > Is phishing really a problem for banks? I don't think so.
> > You're kidding, right?
> I think mouss' point is that if banks considered phishing "their
> problem" they would be pursuing effective technological and policy
> solutions like proper SPF and DKIM signing of their customer
> communications and not using random third-party mailing services for
> their email marketing, thus training their customers to accept email
> from any source as legitimate bank communication.
Some do, but even then it's not easy to find. Take a popular UK bank
(Barclays, for example) - they send emails from email.barclays.co.uk,
which does have an SPF record, and mails are signed. However, many phish
claim to be from the primary domain, which has no SPF record, so how would
one know that subdomain even exists if one didn't have access to
legitimate mails from this particular bank? They may send mails from
other (sub)domains too for all I know.
Another - natwest.com has an SPF record but natwest.co.uk doesn't. So
may I safely drop all email claiming to be from natwest.co.uk on the
assumption that the domain doesn't send mail? If it doesn't send mail, set
the SPF record to say so.
Some banks provide minimal information on phishing, but it's more aimed
at consumers and not the type of information that is of much use to
email admins.
My point is it's really not easy to track down such information even
when banks do occasionally try to do the right thing. Maybe there is
already a list out there. If not, maybe we should compile one? It's hard
work trying to do it by yourself, but done as a group it would make the
task a lot easier.
I'm just frustrated at bank phish emails slipping through the system -
they are so easy for us to spot yet there doesn't seem to be an easy
reliable way to catch them. Really I just view them as more unwanted
spam that I'd rather not have reach the inbox. I had to laugh earlier
today - I saw one slip past virtually everything other than clamav that
claimed to be from one bank in the subject, another in the From address,
and contained a URL to a third bank!
Then you get phish where the From address is a bank domain, and the
envelope address is from a completely unrelated domain with a valid SPF
record, so even a simple From_Bank && spf_pass isn't going to work.
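The case in that last paragraph, as an added example (not code from the thread): before an SPF pass is allowed to vouch for a "bank" header From, check that the envelope sender (Return-Path) belongs to the same organisation as the header From. The two messages, the Received-SPF lines and the tiny suffix list are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: header From claims a bank domain, while the envelope
# sender (Return-Path) is an unrelated domain whose SPF record passes.
RAW_PHISH = b"""Return-Path: <bounce@unrelated-host.example>
Received-SPF: pass (mx.example: domain of unrelated-host.example designates 192.0.2.10 as permitted sender)
From: "Customer Services" <security@natwest.co.uk>
Subject: Please confirm your account

Click the link.
"""

# Constructed sample: header From and envelope sender share an organisation.
RAW_LEGIT = b"""Return-Path: <noreply@email.barclays.co.uk>
Received-SPF: pass (mx.example: domain of email.barclays.co.uk designates 192.0.2.20 as permitted sender)
From: Barclays <noreply@email.barclays.co.uk>
Subject: Your statement is ready

Statement attached.
"""

# Simplified stand-in for the public suffix list (assumption for this example).
KNOWN_SUFFIXES = {"co.uk", "org.uk", "com", "net", "example"}


def org_domain(addr):
    """Organisational domain of an address: the label just above a known suffix."""
    domain = parseaddr(str(addr))[1].rpartition("@")[2].lower()
    labels = domain.split(".")
    for n in (2, 1):
        if ".".join(labels[-n:]) in KNOWN_SUFFIXES and len(labels) > n:
            return ".".join(labels[-(n + 1):])
    return domain


def evaluate(raw):
    """Decide whether an SPF pass actually vouches for the header From domain."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    header_from = org_domain(msg["From"])
    envelope_from = org_domain(msg["Return-Path"])
    spf_pass = str(msg.get("Received-SPF", "")).lower().startswith("pass")
    # SPF checks only the envelope domain; it says nothing about the header
    # From unless the two belong to the same organisation (alignment).
    aligned = header_from == envelope_from
    verdict = "spf_vouches_for_from" if spf_pass and aligned else "unverified_from"
    return {"header_from": header_from, "envelope_from": envelope_from,
            "spf_pass": spf_pass, "aligned": aligned, "verdict": verdict}
```

A message whose header From is a bank but whose SPF pass belongs to an unaligned envelope domain comes back as "unverified_from", so the rule can score it as phish rather than whitelist it.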