On Wed 30 Jun 2010 17:37:01 CEST, Ned Slider wrote:

I was a little bit surprised to see a phishing email today from nationwide.co.uk that passed SPF!

contact them to solve it then, provide the evidence for them, might be next step to stop such spam mails

So, upon further investigation we see:

$ dig txt nationwide.co.uk

;; ANSWER SECTION:
nationwide.co.uk. 5648 IN TXT "v=spf1 mx a:mailhost.nationet.com a:mailhost2.nationet.com include:messagelabs.com ~all"

include to a 3rd party domain makes it less spf secure since the 3rd party can use +all as seen below

suggest filing a bug in bugzilla to test more strongly in spamassassin for this, but it should be possible to see it's not sent from the mx, with or without spf

Great, at least they have an SPF record, but then messagelabs.com lets the side down:

$ dig txt messagelabs.com

;; ANSWER SECTION:
messagelabs.com.        84771   IN      TXT     "v=spf1 +all"

+all is spf valid

So all mail from nationwide.co.uk will pass SPF. Great. And banks wonder why they get so many phishing emails. Are they really that incompetent or do they just not care?

banks are clueless :)

really any tld co.uk is

I really don't understand why banks don't implement DKIM and/or SPF and make it easier for us to filter phishing emails.

or pgp/smime, here i still have to see a spam mail that is pgp signed !

My solution is to just filter ALL mail from bank or bank-like domains. The vast majority are phishing anyway with only a few marketing emails (often not from a bank domain) or "your online statement is ready" notifications that I'm sure users can do without. Those that do implement DKIM/SPF etc can then be whitelisted.

bingo, there are too many softfails and domains not using the openspf wizard and following the guide strictly, it does not mean that spf is bad, if used properly

i got my own bank to use spf properly by talking with my supporter about it, it was typically seen after mail forges of mail, for end users believe when from is bank domain then it's their bank that sent it no matter that envelope sender or ip was outside of Denmark :(

--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
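
The include chain discussed in this thread, as an added example (not code from either poster or from SpamAssassin): a simplified SPF evaluator run over the two TXT records quoted above, showing why an arbitrary sender IP passes for nationwide.co.uk, plus a check that lists included domains publishing a pass-qualified `all`. The function names, the offline record table and the sender IP 203.0.113.7 are assumptions; `mx` and `a` are treated as non-matching because no live DNS is used.

```python
import ipaddress

# Constructed offline "DNS": the two TXT records quoted in the thread.
TXT = {
    "nationwide.co.uk": "v=spf1 mx a:mailhost.nationet.com "
                        "a:mailhost2.nationet.com include:messagelabs.com ~all",
    "messagelabs.com": "v=spf1 +all",
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, txt=TXT, depth=0):
    """Simplified RFC 7208 evaluation: only all, include and ip4 can match."""
    record = txt.get(domain)
    if record is None or depth > 10:
        return "permerror" if depth else "none"
    for term in record.split()[1:]:
        # A missing qualifier means "+", so "all" alone is the same as "+all".
        qual, mech = (term[0], term[1:]) if term[0] in RESULT else ("+", term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "include":
            # include matches only when the included record returns pass.
            matched = check_host(ip, arg, txt, depth + 1) == "pass"
        elif name == "ip4":
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        else:
            matched = False  # mx/a need live DNS; modifiers are not handled
        if matched:
            return RESULT[qual]
    return "neutral"

def permissive_includes(domain, txt=TXT, seen=None):
    """Domains in the include chain whose record has a pass-qualified 'all'."""
    seen = set() if seen is None else seen
    if domain in seen or domain not in txt:
        return []
    seen.add(domain)
    found = []
    for term in txt[domain].split()[1:]:
        low = term.lower()
        if low in ("all", "+all"):
            found.append(domain)
        elif low.lstrip("+-~?").startswith("include:"):
            found += permissive_includes(term.split(":", 1)[1], txt, seen)
    return found
```
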
