spamassassin-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kelson <kel...@speed.net>
Subject Re: List of Banks often spoofed in Phishing scams
Date Tue, 03 Jun 2008 16:32:18 GMT
Marc Perkel wrote:
> If the FCrDNS matches one of these domains it is ham.
> If the sender or from address matches one of these domains and the 
> domain doesn't appear in the Received headers - it's a phish.
> <snip>
> citibank.com

It's worth noting that Citibank still sometimes uses other domains. 
I've seen legit mail from them that uses a citibank.com address, but is 
sent from a citigroup.com server.

It could be worse -- a few years ago, they'd use about 5 or 6 domains on 
a regular basis, including the defunct c2it.com.  Take a look at the 
SARE_FORGED_CITI rule in 70_sare_spoof.cf.

-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>

Mime
View raw message