Re: [exim] Anti Phishing Trick

Author: Marilyn Davis
Date:  
To: David Woodhouse
CC: exim-users, Nigel Metheringham
Subject: Re: [exim] Anti Phishing Trick
I think I was wrong below:

On Wed, 24 Aug 2005, Marilyn Davis wrote:

> On Wed, 24 Aug 2005, David Woodhouse wrote:
>
> > On Wed, 2005-08-24 at 09:37 -0700, Marilyn Davis wrote:
> > > Another thought: it could be considered legitimate for a bank to
> > > expect that the email address you list with them is a direct email
> > > address. Certainly you change your snail mail address with them when
> > > you move.
> >
> > $DEITY no. I don't have the wit or patience to remember to change my
>
> Ha ha. $DEITY. I really like that.
>
> > snail mail address with people when I move. I certainly wouldn't want to
>
> Anyway, my suggestion only rejects failed-SPF messages when the
> received address is in the To: header. So, forwarded phish goes right
> through.
>
> And, rethinking, even if you have 2 addresses with your bank, where
> one forwards to the other, this also is not a problem. When your bank
> sends legitimate mail to the 2 addresses, the one that is not
> forwarded will pass SPF. The one that is forwarded will fail, since
> it will seem to be not forwarded. But you'll get one message from the
> bank, which is enough.
>
> And with phish, you'll only get one of the messages, the forwarded one.


With phish, both will be rejected. Both will have the recipient on
the To: line and be considered to be not-forwarded. Both will flunk
SPF.

Marilyn

>
> So, this is looking somewhat valuable to me, a little bit of baby in
> the bathwater.
>
> Thank you again.
>
> Marilyn
>
> > change my email address too -- one lifetime address which forwards to
> > wherever I happen to be is what these people will be given.
> >
> >
>
>


--
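The rule discussed in this thread (reject an SPF failure only when the receiving address appears in the To: header), modeled as an added example that is not part of the original messages and is not Exim configuration. The addresses, the sample messages and the function names are constructed, and the SPF result is passed in as an input rather than computed.

```python
from email import message_from_string
from email.utils import getaddresses


def addressed_directly(raw_message, envelope_rcpt):
    """True when the envelope recipient is listed in the To: header."""
    msg = message_from_string(raw_message)
    listed = {addr.lower() for _, addr in getaddresses(msg.get_all("To", [])) if addr}
    # Lower-casing the whole address is a simplification for this example.
    return envelope_rcpt.lower() in listed


def decide(raw_message, envelope_rcpt, spf_result):
    """Reject only when SPF failed and the mail does not look forwarded."""
    if spf_result == "fail" and addressed_directly(raw_message, envelope_rcpt):
        return "reject"
    return "accept"


# Constructed sample messages. user@isp.example is the final mailbox;
# lifetime@alumni.example is an address that forwards to it.
TO_BOTH = (
    "From: alerts@bank.example\n"
    "To: lifetime@alumni.example, user@isp.example\n"
    "Subject: Statement\n\nbody\n"
)
TO_FORWARDER_ONLY = (
    "From: alerts@bank.example\n"
    "To: lifetime@alumni.example\n"
    "Subject: Verify your account\n\nbody\n"
)

# (label, message, envelope recipient at the final host, SPF result as input)
CASES = [
    ("bank mail, direct copy", TO_BOTH, "user@isp.example", "pass"),
    ("bank mail, forwarded copy", TO_BOTH, "user@isp.example", "fail"),
    ("phish to both, direct copy", TO_BOTH, "user@isp.example", "fail"),
    ("phish to both, forwarded copy", TO_BOTH, "user@isp.example", "fail"),
    ("phish to forwarder only", TO_FORWARDER_ONLY, "user@isp.example", "fail"),
]


def run_cases():
    """Return {label: decision} for every constructed case."""
    return {label: decide(msg, rcpt, spf) for label, msg, rcpt, spf in CASES}


if __name__ == "__main__":
    for label, verdict in run_cases().items():
        print(f"{label:32s} {verdict}")
```

The last case is the gap named in the thread: a failed-SPF message whose To: header lists only the forwarding address is treated as forwarded and accepted.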