I was a little bit surprised to see a phishing email today from
nationwide.co.uk that passed SPF!
So, upon further investigation we see:
$ dig txt nationwide.co.uk
;; ANSWER SECTION:
nationwide.co.uk. 5648 IN TXT "v=spf1 mx a:mailhost.nationet.com a:mailhost2.nationet.com include:messagelabs.com ~all"
Great, at least they have an SPF record, but then messagelabs.com lets
the side down:
$ dig txt messagelabs.com
;; ANSWER SECTION:
messagelabs.com. 84771 IN TXT "v=spf1 +all"
So all mail from nationwide.co.uk will pass SPF. Great. And banks
wonder why they get so many phishing emails. Are they really that
incompetent or do they just not care?
I really don't understand why banks don't implement DKIM and/or SPF and
make it easier for us to filter phishing emails.
My solution is to just filter ALL mail from bank or bank-like domains.
The vast majority are phishing anyway with only a few marketing emails
(often not from a bank domain) or "your online statement is ready"
notifications that I'm sure users can do without. Those that do
implement DKIM/SPF etc. can then be whitelisted.
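As an added illustration (not part of the original post), here is a cut-down SPF evaluator run over constructed zone data mirroring the two records quoted above: because `include:` matches whenever the referenced record returns pass, the `+all` in the included record makes every sender pass at the top level, whereas a corrected include (the constructed FIXED_* records) leaves unknown senders at the top-level `~all` softfail. The IP addresses, the MX host and the outbound.messagelabs.example host are assumptions, not real data.

```python
# Constructed zone data modelled on the records quoted in the post; the IP
# addresses and the MX host name are made up for this example.
TXT = {
    "nationwide.co.uk": "v=spf1 mx a:mailhost.nationet.com "
                        "a:mailhost2.nationet.com include:messagelabs.com ~all",
    "messagelabs.com": "v=spf1 +all",
}
A = {"mailhost.nationet.com": {"192.0.2.10"}, "mailhost2.nationet.com": {"192.0.2.11"},
     "mx.nationwide.co.uk": {"192.0.2.20"}}
MX = {"nationwide.co.uk": ["mx.nationwide.co.uk"]}
# Corrected variant (constructed): the included record names its real outbound host.
FIXED_TXT = {**TXT, "messagelabs.com": "v=spf1 a:outbound.messagelabs.example -all"}
FIXED_A = {**A, "outbound.messagelabs.example": {"198.51.100.7"}}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, txt=TXT, a=A, mx=MX, depth=0):
    """Cut-down RFC 7208 check_host(): evaluate domain's SPF record for sender ip.
    Supports all/a/mx/include; returns pass/fail/softfail/neutral/none/permerror."""
    record = txt.get(domain)
    if depth > 10 or record is None or not record.startswith("v=spf1"):
        return "permerror" if depth > 10 else "none"
    for term in record.split()[1:]:
        qualifier = "+"  # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = ip in a.get(arg or domain, set())
        elif mech == "mx":
            matched = any(ip in a.get(h, set()) for h in mx.get(arg or domain, []))
        elif mech == "include":
            # include matches iff the referenced record returns pass, so its "+all" matches every sender
            matched = check_host(ip, arg, txt, a, mx, depth + 1) == "pass"
        else:
            return "permerror"  # mechanism not supported by this cut-down evaluator
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no explicit all

def permissive_includes(domain, txt=TXT, seen=frozenset()):
    """Audit helper: every domain in the include chain whose record carries a passing 'all'."""
    terms = txt.get(domain, "").split()
    found = [domain] if any(t.lower() in ("all", "+all") for t in terms) else []
    for t in terms:
        if t.lower().startswith("include:") and t[8:] not in seen:
            found += permissive_includes(t[8:], txt, seen | {domain})
    return found
```

Running `permissive_includes` over your own domain's record is a quick way to catch a third-party include that quietly grants pass to the whole Internet.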