On 3/20/2011 9:57 AM, Ned Slider wrote:
On 20/03/11 16:29, Marc Perkel wrote:
Just throwing this out there to see if people like this rule and if you
would like to improve it. Bank phishing usually involves a lot of
phrases to get you to give up your information. This rule looks for 5
matches out of the following list.


Hi Marc,

I get hit with a lot of bank phish and had tried this approach. In the end I gave up as I found it not very effective.

For me, a far more effective approach was to compile a list of bank and bank-like domains that bank phish is typically sent from and to score them at 6 points. Easy, job done.

Seriously, I see very little legitimate mail from banks, and what I do see is almost never sent from the primary domain (e.g., bank.com) but always from a subdomain such as *.email.bank.com. Conversely, nearly all phishing attempts I see are sent from the primary domain (e.g., bank.com). If you block or score @bank.com you will instantly stop most bank phish with very few FPs.

Further, those banks that use SPF and/or DKIM-sign their mail can be added to whitelist_from_spf and whitelist_from_dkim etc. As it's difficult to determine information on SPF/DKIM records without examples of ham, this would benefit from a community effort.

So what I would propose is firstly a list of all banking domains and secondly a list of faked banking-type domains used for phish. A freemail type plugin for this might be useful (bankmail maybe)? Score those as you see fit.

Then let's keep a whitelist of SPF and DKIM for bank domains. Score the whitelist to counteract the score you just added to mail from a banking domain.

So by default you now only accept mail from whitelisted banks (by SPF and/or DKIM).

In the interests of sharing, here are my rules. I'm sure they could be improved with community input but with these I've never felt the need to filter on actual content which IMHO is far more troublesome.


Want to share your bank list? Here's mine:


--
Marc Perkel - Sales/Support
supp...@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400
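
The scoring policy Ned Slider describes in the message above, modelled in Python as an added example; it is not his SpamAssassin rules (which are not on this page) nor code from anyone in the thread. The domains, the function names `bank_score` and `authenticated_domains`, and the assumption that only the receiving MTA's own Authentication-Results header is present are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed placeholder data, not taken from the thread.
BANK_DOMAINS = {"bank.example", "creditunion.example"}  # scored when seen in From:
AUTH_WHITELIST = {"bank.example"}   # banks known to publish SPF / sign with DKIM
BANK_SCORE = 6.0                    # the 6 points mentioned in the post

# Matches "spf=pass ... smtp.mailfrom=user@dom" and "dkim=pass ... header.d=dom".
_PASS = re.compile(
    r"\b(?:spf|dkim)=pass\b[^;]*?\b(?:smtp\.mailfrom|header\.d)="
    r"(?:[^@\s;]*@)?([\w.-]+)",
    re.I,
)

def authenticated_domains(msg):
    """Domains with an SPF or DKIM pass recorded in Authentication-Results.
    Assumption: upstream copies of the header were stripped by the local MTA."""
    found = set()
    for value in msg.get_all("Authentication-Results", []):
        found.update(d.lower().rstrip(".") for d in _PASS.findall(value))
    return found

def bank_score(raw_message):
    """Points added for a bank From: domain, net of the SPF/DKIM whitelist."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if from_domain not in BANK_DOMAINS:   # exact match only: subdomains pass through
        return 0.0
    # Counteract the score only if this same domain is whitelisted AND authenticated;
    # a pass for some unrelated domain must not cancel the bank score.
    if from_domain in AUTH_WHITELIST and from_domain in authenticated_domains(msg):
        return 0.0
    return BANK_SCORE
```

Requiring the authenticated domain to equal the From: domain is a simplification chosen for this sketch; a real whitelist entry may pair a sender pattern with a different signing domain.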
