On 23/08/12 00:07, RW wrote:
On Wed, 22 Aug 2012 17:40:23 +0100
Ned Slider wrote:
On 22/08/12 16:22, Marc Perkel wrote:
I'd like to make a suggestion as to how to block a lot of fraud.
This would involve making a list of domains similar to the
successful freemail list plugin. The idea is to block email that
spoofs major institutions such as banks, credit cards, ebay, and
other organizations that want to try to get your password.
So - we start by compiling a list of banks that are often spoofed
and look at the received lines. The idea being that good email from
these institutions will come from host names that either match
their domains, or match the SPF. If it matches it's good - if it
doesn't - it's bad.
I've already done it and I can confirm it works brilliantly.
By default I score mail from all such domains with an arbitrary high
score which will cause them to be tagged as spam (say 8 points) and
then whitelist them with SPF and/or DKIM which negates the above
score allowing legitimate mail to pass untagged.
If commonly forged/spoofed/phished domains don't use SPF or DKIM then
I have little sympathy for them and it makes it harder for us to help
them.
My bank outsources its email to an email marketing company. I think
this sort of thing is quite common. The received header has nothing to
do with the bank. It passes SPF, but the domain is not one it
uses for anything else.
But mail from the bank should still be sent using one of their own
domains (envelope from address) regardless of who is responsible for
handling the delivery. In this case the bank should set up an SPF record
on their domain that includes IP address/range of the email marketing
company responsible for delivery.
This is exactly what SPF is intended for. The fact mail might be
delivered by a 3rd party marketing company is completely irrelevant.
If mail claiming to be from "my bank" passes SPF (or DKIM) then there is
a good chance it was actually sent by them. If it fails SPF (or DKIM)
then you should assume that it's not really from them (although
unfortunately it seems even some banks have a hard time getting SPF right).
Lots of spam passes SPF, so this sounds fairly limited to me.
This is *not* what SPF is intended for.
We are not proposing testing all mail with SPF/DKIM, only mail claiming
to be from those domains that are regularly the targets of
fraud/phish/spoofing. Probably only 20-50 domains max I'd guess.
Take a recent example, and not even one that's banking related. My
spamtraps are currently inundated with spam claiming to be from fedex
with an attachment (virus) for me to open about a parcel delivery. A
common scam for sure.
Now without even knowing what a valid email from fedex looks like I can
see fedex.com has an SPF record:
$ dig txt fedex.com
;; ANSWER SECTION:
fedex.com. 10658 IN TXT "v=spf1 redirect=_spf.infosec.fedex.com"
So if I hit all mail claiming to be sent from fedex.com that fails SPF I
can easily weed out all the fakes:
# Fedex
header __LOCAL_FROM_FEDEX Return-Path:addr =~ /\@fedex\.com$/i
meta LOCAL_SPF_FEDEX ((SPF_SOFTFAIL || SPF_FAIL) && __LOCAL_FROM_FEDEX)
describe LOCAL_SPF_FEDEX Fedex SPF Fail
and if I want to make sure all the legit fedex mail gets through I can
further whitelist mail from fedex that passes SPF
whitelist_from_spf *@fedex.com
whitelist_from_spf *@*.fedex.com
and that will virtually guarantee all the spam/viruses claiming to be
from fedex are blocked and all the legitimate mail from fedex gets
through. It's no different with banks.
However, this approach doesn't scale particularly well. It's OK for 10
or 20 domains, but for many more it would be far easier to manage using
a plugin.
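The scoring scheme the thread describes (a high default score for any mail whose envelope sender is in a list of commonly phished domains, negated by an SPF-pass whitelist so legitimate mail passes untagged) can be illustrated outside SpamAssassin. The following is an added example, not code from the thread or from the SpamAssassin project: it parses a raw message's Return-Path and Received-SPF headers, matches the envelope domain and its subdomains against a small protected-domain list (the domain list, the rule names, the 8-point score and the sample messages are all constructed for this example), and returns the net score with the rules that fired. Like the header/meta rules above, it generalises to as many protected domains as you put in the list.

```python
import re
from email import message_from_string

# Constructed list of frequently spoofed domains (hypothetical; not from the thread).
PROTECTED_DOMAINS = {"fedex.com", "examplebank.test"}
SPOOF_SCORE = 8.0        # arbitrary high score, as suggested in the thread
SPF_WHITELIST_OFFSET = -8.0  # what whitelist_from_spf effectively does: cancels the score


def return_path_domain(msg):
    """Domain part of the envelope sender, as 'Return-Path:addr' would see it."""
    m = re.search(r"@([A-Za-z0-9.-]+)", msg.get("Return-Path", ""))
    return m.group(1).lower() if m else None


def protected_domain_for(domain):
    """Return the protected domain that `domain` equals or is a subdomain of, else None.
    Subdomain matching mirrors the '*@*.fedex.com' whitelist entry."""
    if domain is None:
        return None
    for protected in PROTECTED_DOMAINS:
        if domain == protected or domain.endswith("." + protected):
            return protected
    return None


def spf_result(msg):
    """First token of the Received-SPF header: pass, fail, softfail, neutral, none ..."""
    m = re.match(r"\s*([A-Za-z]+)", msg.get("Received-SPF", ""))
    return m.group(1).lower() if m else "none"


def score_message(raw):
    """Return (net_score, [rules_hit]) for a raw RFC 5322 message string.

    Rule 1: envelope domain is protected -> +SPOOF_SCORE (like LOCAL_FROM_<DOMAIN>).
    Rule 2: SPF result is 'pass' for that mail  -> whitelist offset cancels rule 1.
    Anything else (fail, softfail, neutral, none) keeps the high score, so a
    protected domain without a usable SPF result is still tagged.
    """
    msg = message_from_string(raw)
    protected = protected_domain_for(return_path_domain(msg))
    if protected is None:
        return 0.0, []                      # not a domain we police: no opinion here
    hits = ["LOCAL_FROM_" + protected.upper().replace(".", "_")]
    score = SPOOF_SCORE
    if spf_result(msg) == "pass":
        hits.append("USER_IN_SPF_WHITELIST")
        score += SPF_WHITELIST_OFFSET
    return score, hits


# Constructed sample messages (addresses and IPs are documentation values).
PHISH = """Return-Path: <delivery@fedex.com>
Received-SPF: fail (mx.example.test: 203.0.113.5 is not a permitted sender of fedex.com)
From: "FedEx" <delivery@fedex.com>
Subject: Parcel delivery notice

Please open the attached document.
"""

LEGIT_SUBDOMAIN = """Return-Path: <noreply@mail.fedex.com>
Received-SPF: pass (mx.example.test: 198.51.100.7 is a permitted sender of mail.fedex.com)
From: "FedEx" <noreply@mail.fedex.com>
Subject: Your shipment has been delivered

Thank you for shipping with us.
"""

UNRELATED = """Return-Path: <news@shop.example>
Received-SPF: softfail (mx.example.test: transitioning sender)
From: news@shop.example
Subject: Weekly newsletter

Hello.
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT_SUBDOMAIN), ("unrelated", UNRELATED)):
        print(name, score_message(raw))
```

The unrelated message scores zero here even though its SPF is softfail: as the thread says, this is not about testing all mail with SPF, only mail claiming to come from the protected list. A real deployment would take the SPF result from SpamAssassin's own SPF plugin rather than trusting an inbound Received-SPF header, which an upstream sender could forge.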