Message-ID: <48457212.4020008@speed.net>
Date: Tue, 03 Jun 2008 09:32:18 -0700
From: Kelson
To: users@spamassassin.apache.org
Subject: Re: List of Banks often spoofed in Phishing scams
In-Reply-To: <48454D21.2070006@perkel.com>

Marc Perkel wrote:
> If the FCrDNS matches one of these domains it is ham.
> If the sender or from address matches one of these domains and the
> domain doesn't appear in the Received headers - it's a phish.
>
> citibank.com

It's worth noting that Citibank still sometimes uses other domains. I've seen legit mail from them that uses a citibank.com address, but is sent from a citigroup.com server.

It could be worse -- a few years ago, they'd use about 5 or 6 domains on a regular basis, including the defunct c2it.com.

Take a look at the SARE_FORGED_CITI rule in 70_sare_spoof.cf.

-- 
Kelson Vibber
SpeedGate Communications
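
The caveat above in code form, as an added example that is not part of the original post and not SpamAssassin's or SARE's rule code: the quoted "From domain must appear in Received" check, applied once with citibank.com alone and once with citigroup.com grouped alongside it. The names `classify`, `BRAND_GROUPS` and `trusted_hops`, the `from helo (rdns [ip])` Received layout and the sample messages are all assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domains treated as one sender. Grouping citigroup.com with citibank.com is an
# assumption taken from the observation in the post; extend from your own mail logs.
BRAND_GROUPS = [{"citibank.com", "citigroup.com"}]

# "from helo.name (rdns.name [ip])": the name in parentheses is what the
# receiving MTA resolved; the HELO name before it is sender-controlled.
RDNS_RE = re.compile(r"\(([A-Za-z0-9.-]+)\s+\[[0-9a-fA-F.:]+\]\)")

def in_domain(host, domain):
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def classify(raw, groups=BRAND_GROUPS, trusted_hops=1):
    """Return 'not-protected', 'consistent' or 'suspect-phish'."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    group = next((g for g in groups if any(in_domain(from_dom, d) for d in g)), None)
    if group is None:
        return "not-protected"
    # Only the topmost Received lines were written by our own MTA; anything
    # below them arrives with the message and can be forged.
    for rcvd in (msg.get_all("Received") or [])[:trusted_hops]:
        for host in RDNS_RE.findall(" ".join(rcvd.split())):
            if any(in_domain(host, d) for d in group):
                return "consistent"
    return "suspect-phish"

# Constructed sample messages (documentation addresses, not real traffic).
LEGIT = (
    "Received: from mail.citigroup.com (mail.citigroup.com [192.0.2.10])\n"
    "\tby mx.example.net with ESMTP; Tue, 3 Jun 2008 09:00:00 -0700\n"
    "From: Citibank <alerts@citibank.com>\n"
    "Subject: Statement ready\n\nbody\n"
)
PHISH = (
    "Received: from citibank.com (host7.example.org [198.51.100.7])\n"
    "\tby mx.example.net with ESMTP; Tue, 3 Jun 2008 09:05:00 -0700\n"
    "Received: from web (mail.citibank.com [203.0.113.5]) by relay.citibank.com\n"
    "From: Citibank <alerts@citibank.com>\n"
    "Subject: Verify your account\n\nbody\n"
)

if __name__ == "__main__":
    print(classify(LEGIT), classify(PHISH), classify(LEGIT, groups=[{"citibank.com"}]))
```

With `groups=[{"citibank.com"}]` the legitimate sample is flagged, which is the false positive the reply warns about; raising `trusted_hops` past the hops your own MTA stamped lets the forged second Received line in the phish sample satisfy the check.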