Hi;
I've been trying to stop these bank phishing mails. Rather than trying
to get the banks to implement DK, DKIM or SPF so I can check against
that, I have the snippet below.
I was wondering if this is of any use to anyone else or if it could be
made better. I've checked the list and can't see anything similar.
## set up a list of banks
domainlist banks = partial-lsearch;/usr/exim/banks

acl_check_rcpt:
  ## if they send from bank domain but not from a bank IP then drop them
  ## override with our local white list for companies that do mail shots
  ## for banks
  drop log_message = DENIED BANK PHISHING from: $sender_address @ $sender_host_address
       message = DENIED $sender_address @ $sender_host_address You appear to be Phishing. \n\
                 $tod_full on host $interface_address
       sender_domains = +banks
       !dnslists = list.dnswl.org=127.0.2.0,127.0.2.1,127.0.2.2,127.0.2.3
       !dnslists = my-local-whitelist.example.com
Note: Not all UK banks are in DNSWL. When I can be certain of the
sending IPs of the commented out banks then I will add them to our white
list.
cat /usr/exim/banks
#abbey.co.uk
#abbeynational.co.uk
#abbey.com
alliance-leicester.co.uk
americanexpress.com
#barclays.com
barclays.co.uk
egg.com
halifax.co.uk
#hsbc.co.uk
hsbc.com
#lloydstsb.co.uk
lloydstsb.com
#natwest.com
#natwest.co.uk
#nwolb.com
paypal.com
rbs.com
#rbs.co.uk
#rbsdigital.com
#rbsdigital.co.uk
#sainsburysonline.com
#ybonline.co.uk
I have log entries like:
2008-10-30 11:53:39 H=dns01.labmoreira.com.mx (mail.labmoreira.com) [201.134.16.230] F=<onlineservices@???> rejected RCPT <USER1@???>: DENIED BANK PHISHING from: onlineservices@??? @ 201.134.16.230
2008-10-30 11:53:40 H=(221-128-205-92.static.exatt.net) [221.128.206.156] F=<customer_support-num-095pc@???> rejected RCPT <USER2@???>: DENIED BANK PHISHING from: customer_support-num-095pc@??? @ 221.128.206.156
2008-10-30 11:53:40 H=bb121-6-53-48.singnet.com.sg (lloydstsb.com) [121.6.53.48] F=<onlinesupport_ref_832ppn@???> rejected RCPT <USER3@???>: DENIED BANK PHISHING from: onlinesupport_ref_832ppn@??? @ 121.6.53.48
(I have replaced recipients USER name and DOMAIN for privacy.)
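The following is an added Python model of the ACL logic in the post above; it is not part of the original message or of Exim. It reproduces the decision the `drop` statement makes (sender domain in the bank list, connecting IP neither in DNSWL's financial-services category 127.0.2.x nor in the local whitelist) so the rule can be reasoned about offline. The DNS lookups are replaced by constructed in-memory tables (`FAKE_DNSWL`, `FAKE_LOCAL_WHITELIST`), the sample senders and IPs are constructed documentation addresses, and `partial_lookup` is my reading of Exim's documented `partial-lsearch` behaviour (default `partial2` with a `*.` prefix): a plain entry such as `barclays.co.uk` matches only that exact domain, while a `*.rbs.com` entry (added here for illustration, not in the author's file) also matches subdomains.

```python
"""Offline model of the Exim 'drop' rule: bank sender domain + unlisted IP = drop."""

# Constructed copy of a banks file in the same format as /usr/exim/banks.
# Lines starting with '#' are commented out; '*.rbs.com' is my addition to
# show how a wildcard entry behaves under partial matching.
BANKS_FILE = """\
#abbey.co.uk
alliance-leicester.co.uk
barclays.co.uk
#barclays.com
hsbc.com
lloydstsb.com
paypal.com
*.rbs.com
"""

# DNSWL return values the ACL treats as "financial services" (127.0.2.x).
DNSWL_FINANCIAL = {"127.0.2.0", "127.0.2.1", "127.0.2.2", "127.0.2.3"}

# Constructed stand-in for list.dnswl.org: connecting IP -> A records returned.
FAKE_DNSWL = {
    "198.51.100.10": {"127.0.2.2"},  # listed in the financial-services category
    "198.51.100.20": {"127.0.5.1"},  # listed, but in an unrelated category
}
# Constructed stand-in for my-local-whitelist.example.com (IPs that are listed).
FAKE_LOCAL_WHITELIST = {"203.0.113.5"}


def load_banks(text):
    """Parse the banks file: skip blank and '#' lines, lower-case the keys."""
    keys = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            keys.add(line.lower())
    return keys


def partial_lookup(domain, keys):
    """Approximation of Exim partial-lsearch (partial2, '*.' prefix).

    Try the exact key first, then '*.' plus the key with leading components
    successively removed, keeping at least two non-wildcard components.
    Returns the matching key, or None.
    """
    domain = domain.lower().rstrip(".")
    if domain in keys:
        return domain
    parts = domain.split(".")
    for i in range(len(parts) - 1):
        candidate = "*." + ".".join(parts[i:])
        if candidate in keys:
            return candidate
    return None


def dnswl_listed(ip, table, wanted):
    """True if the (simulated) DNS list returns any of the wanted values for ip."""
    return bool(table.get(ip, set()) & wanted)


def acl_check_rcpt(sender_address, sender_host_address, banks,
                   dnswl=FAKE_DNSWL, local_wl=FAKE_LOCAL_WHITELIST):
    """Mirror the ACL statement: return ('drop', log_message) or ('accept', None)."""
    if "@" not in sender_address:
        return "accept", None  # empty (bounce) sender: sender_domains cannot match
    sender_domain = sender_address.rsplit("@", 1)[1]
    if partial_lookup(sender_domain, banks) is None:
        return "accept", None  # sender_domains = +banks fails
    if dnswl_listed(sender_host_address, dnswl, DNSWL_FINANCIAL):
        return "accept", None  # !dnslists = list.dnswl.org=127.0.2.x fails
    if sender_host_address in local_wl:
        return "accept", None  # !dnslists = my-local-whitelist fails
    log_message = (f"DENIED BANK PHISHING from: {sender_address} "
                   f"@ {sender_host_address}")
    return "drop", log_message


def run_samples():
    """Evaluate a few constructed envelopes and return the (verdict, log) list."""
    banks = load_banks(BANKS_FILE)
    samples = [
        ("onlineservices@barclays.co.uk", "192.0.2.77"),     # claimed bank, unknown IP
        ("alerts@barclays.co.uk", "198.51.100.10"),         # DNSWL financial: allowed
        ("alerts@barclays.co.uk", "198.51.100.20"),         # DNSWL other category: drop
        ("mailshot@hsbc.com", "203.0.113.5"),               # local whitelist: allowed
        ("news@secure.barclays.co.uk", "192.0.2.77"),       # subdomain, no '*.' entry
        ("news@mail.rbs.com", "192.0.2.77"),                # subdomain, '*.rbs.com' entry
        ("friend@example.net", "192.0.2.77"),               # not a bank domain
    ]
    return [acl_check_rcpt(s, ip, banks) for s, ip in samples]


if __name__ == "__main__":
    for verdict, log in run_samples():
        print(verdict, log or "")
```

Running the script shows one consequence of the file format worth knowing when maintaining the list: without `*.` entries, a message claiming `secure.barclays.co.uk` is not caught by the rule, whereas `mail.rbs.com` is caught because of the wildcard entry.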