Re: [exim] Anti Phishing Trick

On Wed, 31 Aug 2005, David wrote:

> Hi !!
>
> > Yes. Another point, however, is that, for your bank, you might want
> > to give (just) them your unforwarded email address, or an address that
> > forwards from a system does rely on SPF, ... or you'll get phish
> > unless it is caught via some other mechanism. It's something to
> > suggest to customers who get phish forwarded to them.
>
> all of this requires a great effort, and at the end pishers could easly
> pass through this systems.

Please tell me how. That's what I'm asking... before I go to the
great effort.

> The real problem with pishing are dumb users,
> they also will end giving their bank details when pishing comes from
> senders outside the bank's domain or from domains similar to the bank's
> domain (bbvanet.com -> bbvacom.net). At the end the users don't see the

Yes. Good point.

But if you're using a healthy variation of C/R, that mail won't get
through unless the phisher answers the challenge. Mail from
bbvanet.com will be in your white list and get through, if it doesn't
fail the healthy variation of SPF.

> envelope sender, they only see the To: header, and in turn every
> misspelled variation of the real bank's domain could also be used on
> the To: and many users will not realize of this.

You mean on the From:, I think. The To: will have the user's own
address.

Thank you.

Marilyn

>
>

--