spamassassin-users mailing list archives

From Joseph Brennan <>
Subject Re: List of Banks often spoofed in Phishing scams
Date Tue, 03 Jun 2008 17:31:43 GMT

--On Tuesday, June 3, 2008 9:32 -0700 Kelson <> wrote:

> Marc Perkel wrote:
>> If the FCrDNS matches one of these domains it is ham.
>> If the sender or from address matches one of these domains and the
>> domain doesn't appear in the Received headers - it's a phish.
>> <snip>
> It's worth noting that Citibank still sometimes uses other domains. I've
> seen legit mail from them that uses a address, but is sent
> from a server.

Many banks also send mail from third-party servers.  Bank of America
sends from and  American Express sends
from (which is theirs) and  Some send from
bigfoot.  It's only personal bank account information-- why keep the
data in-house?  :-)

I've noticed those citi mismatches too.  Sometimes the PTR and A
records are even confused as to which citi* domain the host is in.

Anyway-- not finding the bank domain in a Received header is _not_ good
enough to call it a phish.  It would be nice if it were so.  They
_usually_ have good SPF records, but I've seen a major bank leave
off their third-party mailer.

Joseph Brennan
Columbia University Information Technology
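
The rule quoted in this thread, written out as an added example (not part of the original message and not SpamAssassin code) and run over three constructed messages to show the false positive on legitimate mail sent through a third-party mailer. The domains, `PROTECTED`, and all function names are hypothetical, and the rDNS name recorded in the Received header is assumed to have been forward-confirmed by the receiving MX.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical list of protected bank domains (placeholder value).
PROTECTED = {"bank.example.com"}

def make_msg(rdns, ip):
    """Build a constructed sample message relayed by the host `rdns`."""
    return (f"Received: from {rdns} ({rdns} [{ip}])\n"
            "\tby mx.recipient.example.org with ESMTP; Tue, 03 Jun 2008 10:00:00 -0400\n"
            "From: Example Bank <alerts@bank.example.com>\n"
            "Subject: Your statement is ready\n\nbody\n")

# Constructed samples: same From address, three different sending hosts.
LEGIT_DIRECT = make_msg("mail1.bank.example.com", "192.0.2.20")
LEGIT_VIA_THIRD_PARTY = make_msg("out7.mailer.example.net", "192.0.2.10")
PHISH = make_msg("unknown", "198.51.100.7")

def received_hosts(msg):
    """Return the rDNS names our MX recorded in each Received header."""
    hosts = set()
    for hdr in msg.get_all("Received", []):
        m = re.search(r"from\s+\S+\s+\((\S+)\s+\[", hdr)
        if m:
            hosts.add(m.group(1).lower())
    return hosts

def in_domain(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)

def naive_verdict(raw):
    """Apply the rule: protected From domain absent from Received => phish."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if from_dom not in PROTECTED:
        return "not-applicable"
    if any(in_domain(h, from_dom) for h in received_hosts(msg)):
        return "ham"
    return "phish"

if __name__ == "__main__":
    for name in ("LEGIT_DIRECT", "LEGIT_VIA_THIRD_PARTY", "PHISH"):
        print(name, "->", naive_verdict(globals()[name]))
```

The legitimate third-party message and the phish get the same verdict, so the rule cannot separate them on Received headers alone.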
