Re: [exim] Need help writing an anti-phishing trick

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Exim User's Mailing List
Date:  
À: Marc Perkel
CC: Exim User's Mailing List
Sujet: Re: [exim] Need help writing an anti-phishing trick
[ On Sunday, June 19, 2005 at 12:51:59 (-0700), Marc Perkel wrote: ]
> Subject: [exim] Need help writing an anti-phishing trick
>
> For example - all paypal real email with come from paypal servers.
>
> So - my thinking is - create a list of institutions that are frequently
> impersonated. If the sender address is one of those domains then the
> received lines are searched for that domain. If there is no match then
> we deny the message at the ACL level.
>
> For example, paypal.com with be in the list. If the sender is paypal,
> but none of the received lines contain paypal, we nuke the message.


Why make it so complicated? Why choose to implement a costly scheme
that forces you to manually maintain an ever growing list?

If you verify the hostname properly in the first place then you have a
reasonably certainty about the source of the message and you can
therefore at least go to that source for help tracking down the culprit
if they do send you a scam.

For example Paypal's own SMTP source host(s) have valid, verifiable,
100% correct, reverse DNS, and they know their own proper hostnames,
such as:

    Received: from smtp-outbound.nix.paypal.com([64.4.240.67] port=63884)


    $ host -v -A 64.4.240.67
    Query about 64.4.240.67 for record types PTR
    Address 64.4.240.67 maps to hostname smtp-outbound.nix.paypal.com
    Found 1 hostname for 64.4.240.67
    Checking smtp-outbound.nix.paypal.com address 64.4.240.67


    $ host -v -A smtp-outbound.nix.paypal.com
    Query about smtp-outbound.nix.paypal.com for record types A
    Found 1 address for host smtp-outbound.nix.paypal.com
    Hostname smtp-outbound.nix.paypal.com maps to address 64.4.240.67
    Checking smtp-outbound.nix.paypal.com address 64.4.240.67


I.e. if you don't allow any idiot spambot to claim to be from a host
they are clearly not connecting from then you won't even have to talk to
any such host that might try spewing phishing frauds at your users.

Yes, this does mean you may have to whitelist quite a few servers who's
administrators are ignorant of the ways of setting up correct DNS
(assuming you don't want to force them to fix their mess), but at least
by using a default-deny-if-broken policy then you don't have to worry
about some other new scam coming along attacking some new domain you
haven't set up special checks for. Furthermore this whitelist is an
ever-decreasing list since clue does eventuallyspread to the ignorant,
especially if you give it a little push every once in a while.

-- 
                        Greg A. Woods


H:+1 416 218-0098  W:+1 416 489-5852 x122  VE3TCP  RoboHack <woods@???>
Planix, Inc. <woods@???>          Secrets of the Weird <woods@???>