> > Here's an anti-phishing trick I came up with. The idea is that major
> > corps will have received lines that match the domain in the from
> > address. Paypal email must come from paypal servers. This is driven
> > from a list of institutions to test. Feedback appreciated.
> >
>
> Good idea. I've been doing a similar thing with mail from
> Hotmail and Yahoo for some time:

These are what I use in the Mail ACL (and sometimes something similar
in other sections, like From: in the Data section)...
(I borrowed parts of these from others on the Internet):

# HELO name claims one of the listed domains: require it to verify.
accept  condition   = ${if match{${lc:$sender_helo_name}}{\\.(\
                      yahoo.com|bankofamerica.com|ebay.com|paypal.com|\
                      msn.com|mail.yahoo.co.jp|globetrotter.net|relativequantity.com|\
                      mosquitonet.com|atd-clan.de|9bit.qc.ca|weblnk.net|\
                      online-bill.com|notmydesk.com|cisco.com|excite.com|lycos.com|\
                      mail.com|bankofthewest.com|\
                      aol.com|outblaze.com|tnet.com|cox.net|\
                      gmail.com|rr.com|adelphia.net\
                      )\$} {yes}{no}}
        log_message = X-Forgery: NOT A $sender_helo_name SERVER (OR TEMPORARY DNS FAILURE)
        verify      = helo
        endpass
        verify      = reverse_host_lookup
        logwrite    = :reject: H=$sender_fullhost listed forged domain?

## Some of the above cannot tolerate "verify=helo".

# Envelope sender claims a domain in the EBAY_AND_BANKS macro:
# require the connecting host to pass a reverse lookup.
accept  message     = NOT A $sender_address_domain/$return_path SERVER (OR TEMPORARY DNS FAILURE)
        log_message = NOT A $sender_address_domain/$return_path SERVER (OR TEMPORARY DNS FAILURE)
        condition   = ${if or { \
                        {match{${lc:$return_path}}{\\.(EBAY_AND_BANKS)\$}} \
                        {match{${lc:$sender_address_domain}}{\\.(EBAY_AND_BANKS)\$}}\
                      } }
######  verify      = helo
        endpass
        verify      = reverse_host_lookup
        logwrite    = :reject: H=$sender_fullhost listed forged domain?

--
Herb Martin
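
Added example, not part of the original post and not Exim code: a Python model of the check both messages describe, where a HELO name or sender domain that claims a listed institution is only accepted from a host with matching forward-confirmed reverse DNS. The domain subset, the DNS tables and all function names are constructed for illustration; as assumptions of this example, the confirmed name must sit under the claimed domain, and a temporary DNS failure is reported separately as "defer".

```python
# Added example: Python model of the ACL logic, not Exim code.
PROTECTED = ("paypal.com", "ebay.com", "bankofamerica.com")  # constructed subset

class TempDNSError(Exception):
    """Stands in for a DNS timeout or SERVFAIL."""

def protected_domain(name):
    """Return the listed domain that name equals or sits under, else None."""
    name = name.lower().rstrip(".")
    for dom in PROTECTED:
        if name == dom or name.endswith("." + dom):
            return dom
    return None

def check(claimed, ip, ptr, fwd):
    """Classify a HELO name or sender domain seen from client address ip."""
    dom = protected_domain(claimed)
    if dom is None:
        return "pass"                      # not a listed institution
    try:
        # Forward-confirmed reverse DNS: keep PTR names that resolve back to ip.
        names = [n for n in ptr(ip) if ip in fwd(n)]
    except TempDNSError:
        return "defer"                     # kept apart from a real mismatch
    ok = any(protected_domain(n) == dom for n in names)
    return "accept" if ok else "reject"

# Constructed DNS data (documentation address ranges) so this runs offline.
PTR = {"192.0.2.10": ["mx1.paypal.com"],
       "198.51.100.7": ["mx1.paypal.com"],   # forged PTR, forward lookup disagrees
       "203.0.113.5": ["host5.example.net"]}
A = {"mx1.paypal.com": ["192.0.2.10"], "host5.example.net": ["203.0.113.5"]}

def ptr(ip):
    if ip == "203.0.113.99":               # simulated resolver timeout
        raise TempDNSError(ip)
    return PTR.get(ip, [])

def fwd(name):
    return A.get(name, [])

if __name__ == "__main__":
    for claimed, ip in [("MX1.PayPal.com", "192.0.2.10"),
                        ("mx1.paypal.com", "198.51.100.7"),
                        ("paypal.com", "203.0.113.5"),
                        ("paypal.com", "203.0.113.99"),
                        ("notpaypal.com", "203.0.113.5")]:
        print(f"{claimed:16} {ip:14} {check(claimed, ip, ptr, fwd)}")
```

The second sample row is the case a bare PTR check would miss: the reverse record names a PayPal host, but the forward lookup does not return the client address.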