[ On Sunday, June 19, 2005 at 12:51:59 (-0700), Marc Perkel wrote: ]
> Subject: [exim] Need help writing an anti-phishing trick
>
> For example - all paypal real email will come from paypal servers.
>
> So - my thinking is - create a list of institutions that are frequently
> impersonated. If the sender address is one of those domains then the
> received lines are searched for that domain. If there is no match then
> we deny the message at the ACL level.
>
> For example, paypal.com will be in the list. If the sender is paypal,
> but none of the received lines contain paypal, we nuke the message.
Why make it so complicated? Why choose to implement a costly scheme
that forces you to manually maintain an ever growing list?
If you verify the hostname properly in the first place then you have a
reasonable certainty about the source of the message and you can
therefore at least go to that source for help tracking down the culprit
if they do send you a scam.
For example Paypal's own SMTP source host(s) have valid, verifiable,
100% correct, reverse DNS, and they know their own proper hostnames,
such as:
Received: from smtp-outbound.nix.paypal.com([64.4.240.67] port=63884)
$ host -v -A 64.4.240.67
Query about 64.4.240.67 for record types PTR
Address 64.4.240.67 maps to hostname smtp-outbound.nix.paypal.com
Found 1 hostname for 64.4.240.67
Checking smtp-outbound.nix.paypal.com address 64.4.240.67
$ host -v -A smtp-outbound.nix.paypal.com
Query about smtp-outbound.nix.paypal.com for record types A
Found 1 address for host smtp-outbound.nix.paypal.com
Hostname smtp-outbound.nix.paypal.com maps to address 64.4.240.67
Checking smtp-outbound.nix.paypal.com address 64.4.240.67
I.e. if you don't allow any idiot spambot to claim to be from a host
they are clearly not connecting from then you won't even have to talk to
any such host that might try spewing phishing frauds at your users.
Yes, this does mean you may have to whitelist quite a few servers whose
administrators are ignorant of the ways of setting up correct DNS
(assuming you don't want to force them to fix their mess), but at least
by using a default-deny-if-broken policy then you don't have to worry
about some other new scam coming along attacking some new domain you
haven't set up special checks for. Furthermore this whitelist is an
ever-decreasing list since clue does eventually spread to the ignorant,
especially if you give it a little push every once in a while.
--
Greg A. Woods
H:+1 416 218-0098 W:+1 416 489-5852 x122 VE3TCP RoboHack <woods@???>
Planix, Inc. <woods@???> Secrets of the Weird <woods@???>
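The forward-confirmed reverse DNS check the reply describes, as an added example that is not part of the original thread or of Exim itself: a small Python model of the default-deny-if-broken ACL with a whitelist for known-broken senders. It uses constructed lookup tables in place of live DNS (the paypal.com pair mirrors the host(1) output quoted above; the other entries are made up), so it runs offline; the `acl_verdict`, `fcrdns` and table names are this example's own.

```python
import re
from typing import Callable, FrozenSet, List, Tuple
# Constructed resolver tables standing in for real DNS so this runs offline. The
# paypal.com pair mirrors the host(1) output quoted in the post; the rest is made up.
FAKE_PTR = {
    "64.4.240.67": ["smtp-outbound.nix.paypal.com"],
    "192.0.2.20": ["mail.example.net"],   # honest host, forward record matches
    "192.0.2.30": ["bogus.example.org"],  # PTR exists but forward does not point back
}
FAKE_A = {
    "smtp-outbound.nix.paypal.com": ["64.4.240.67"],
    "mail.example.net": ["192.0.2.20"],
    "bogus.example.org": ["198.51.100.5"],
}
Lookup = Callable[[str], List[str]]

def fake_ptr(ip: str) -> List[str]:
    return FAKE_PTR.get(ip, [])

def fake_a(name: str) -> List[str]:
    return FAKE_A.get(name, [])

# Matches the "from host([ip] ...)" form of the Received: line in the post.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<claimed>\S+?)\s*\(\[(?P<ip>[0-9a-fA-F.:]+)\]")

def fcrdns(ip: str, ptr: Lookup = fake_ptr, fwd: Lookup = fake_a) -> str:
    """Forward-confirmed reverse DNS: the PTR name whose forward lookup
    includes ip, or "" when the reverse/forward pair is broken."""
    for name in ptr(ip):
        if ip in fwd(name):
            return name.lower()
    return ""

def acl_verdict(received: str, whitelist: FrozenSet[str] = frozenset(),
                ptr: Lookup = fake_ptr, fwd: Lookup = fake_a) -> Tuple[str, str]:
    """Default-deny-if-broken, with a whitelist for known-broken senders."""
    m = RECEIVED_RE.match(received)
    if not m:
        return "defer", "unrecognised Received: header format"
    ip, claimed = m.group("ip"), m.group("claimed").lower()
    if ip in whitelist:
        return "accept", f"{ip} whitelisted despite unverifiable DNS"
    verified = fcrdns(ip, ptr, fwd)
    if not verified:
        return "deny", f"{ip} has no forward-confirmed reverse DNS"
    if verified != claimed:
        return "deny", f"{ip} claims {claimed} but verifies as {verified}"
    return "accept", f"{ip} verified as {verified}"
```

In a real Exim ACL the equivalent check is the `verify = reverse_host_lookup` condition, which does the PTR-then-A comparison on the connecting client's address itself.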