spamassassin-users mailing list archives

From Joseph Brennan <bren...@columbia.edu>
Subject Re: List of Banks often spoofed in Phishing scams
Date Tue, 03 Jun 2008 17:31:43 GMT


--On Tuesday, June 3, 2008 9:32 -0700 Kelson <kelson@speed.net> wrote:

> Marc Perkel wrote:
>> If the FCrDNS matches one of these domains it is ham.
>> If the sender or from address matches one of these domains and the
>> domain doesn't appear in the Received headers - it's a phish.
>> <snip>
>> citibank.com
>
> It's worth noting that Citibank still sometimes uses other domains. I've
> seen legit mail from them that uses a citibank.com address, but is sent
> from a citigroup.com server.


Many banks also send mail from third-party servers.  Bank of America
sends from customercenter.com and par3.com.  American Express sends
from aexp.com (which is theirs) and cheetahmail.com.  Some send from
bigfoot.  It's only personal bank account information-- why keep the
data in-house?  :-)

I've noticed those citi mismatches too.  Sometimes the PTR and A
records are even confused as to which citi* domain the host is in.

Anyway-- not finding the bank domain in a Received header is _not_ good
enough to call it a phish.  It would be nice if it were so.  They
_usually_ have good SPF records, but I've seen a major bank leave
off their third-party mailer.


Joseph Brennan
Columbia University Information Technology
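
The false positive described in the message above, as an added example that is not part of the original post or of SpamAssassin: the proposed rule is run over two constructed messages, first as stated and then with the relay domains named in the thread accepted. The From domains used as keys for Bank of America and American Express, the sample hosts, and the Received layout are assumptions; rDNS names in Received lines are only trustworthy in the header your own MX added.

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Relay domains named in the thread. The From domains used as keys for
# Bank of America and American Express are assumptions, not from the thread.
KNOWN_RELAYS = {
    "citibank.com": {"citibank.com", "citigroup.com"},
    "bankofamerica.com": {"customercenter.com", "par3.com"},
    "americanexpress.com": {"aexp.com", "cheetahmail.com"},
}
# Matches the rDNS name in "from helo (rdns [ip])", one common Received layout.
HOST_RE = re.compile(r"\bfrom\s+\S+\s+\(([A-Za-z0-9.-]+)\s+\[", re.I)

def from_domain(msg):
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def received_hosts(msg):
    found = (HOST_RE.search(h) for h in msg.get_all("Received", []))
    return [m.group(1).lower() for m in found if m]

def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def naive_verdict(msg):
    """Rule as proposed: the From domain must itself appear in Received."""
    d = from_domain(msg)
    if d not in KNOWN_RELAYS:
        return "not-watched"
    return "ok" if any(in_domain(h, d) for h in received_hosts(msg)) else "phish"

def relay_aware_verdict(msg):
    """Same rule, but accepting the brand's known relay domains."""
    d = from_domain(msg)
    if d not in KNOWN_RELAYS:
        return "not-watched"
    hit = any(in_domain(h, r) for h in received_hosts(msg) for r in KNOWN_RELAYS[d])
    return "ok" if hit else "suspect"

def build(from_addr, rdns):
    """Constructed sample message; 192.0.2.10 is a documentation address."""
    return message_from_string(
        f"Received: from {rdns} ({rdns} [192.0.2.10]) by mx.example.edu;"
        f" Tue, 03 Jun 2008 12:00:00 -0400\n"
        f"From: {from_addr}\nSubject: Your statement\n\nbody\n")

VIA_CITIGROUP = build("alerts@citibank.com", "mail1.citigroup.com")
UNRELATED = build("alerts@citibank.com", "host7.example.net")
```

The relay-aware variant returns "suspect" rather than "phish" on a miss, since a relay missing from the list looks the same as a spoof.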


