neil wrote:
> Hi;
> I've been trying to stop these bank phishing mails. Rather than trying
> to get the banks to implement DK, DKIM or SPF so I can check against
> that, I have the snippet below.
>
> I was wondering if this is of any use to anyone else or if it could be
> made better. I've checked the list and cant see anything similar.
>
There may be sound reason for that.
- For the most part, phishing will come from criminally-run zombot farms.
- As these are generally compromised Winboxen, not compromised 'proper'
MTA, vanishingly few will have a valid PTR RR - eg will not survive
forward/reverse DSN, rDNS, FQDN HELO, or RBL checks.
- For those that might do so, perhaps by comandeering MUA UID:PWD and
UTH'ing and relaying thru the victim's ISP, ClamAV, to name just one,
will catch many of the survivors.
We don't let those pass any further, so SpamAssassin sees even fewer.
Those few, when pulled up from logs and such, were found to not even be
*attempting* to forge a bank as a source at the level Exim 'sees'.
Only in the message body did they do that. And badly so.
Now - given our extensive blocking before they get into the front
hallway, I have only a miniscule sample (17 in the past 12 months) on
which to base that last part.
But that was, after all, the purpose of the stringent qualifying of
correspondent 'servers' in the first instance.
Bottom Line:
Your submitted code would have the most value where, and only where,
more general - and 'resource cheaper' - anti-bot filtering was absent.
or had to be bypassed for one or more clients who insist they must never
risk losing an incoming message, no matter how 'dirty' the source.
Those folks cannot be protected effectively by ordinary means.
JM2CW,
Bill Hacker
>
> ## set up a list of banks
> domainlist banks = partial-lsearch;/usr/exim/banks
>
> acl_check_rcpt:
>
> ## if they send from bank domain but not from a bank IP then drop them
> ## override with our local white list for companies that do mail shots
> for banks
>
> drop log_message = DENIED BANK PHISHING from: $sender_address @
> $sender_host_address
> message = DENIED $sender_address @
> $sender_host_address You appear to be Phishing. \n\
> $tod_full on host
> $interface_address
> sender_domains = +banks
> !dnslists = list.dnswl.org=127.0.2.0,
> 127.0.2.1, 127.0.2.2, 127.0.2.3
> !dnslists = my-local-whitelist.example.com
>
>
> Note: Not all UK banks are in DNSWL. When I can be certain of the
> sending IPs of the commented out banks then I will add them to our white
> list.
>
> cat /usr/exim/banks
>
> #abbey.co.uk
> #abbeynational.co.uk
> #abbey.com
> alliance-leicester.co.uk
> americanexpress.com
> #barclays.com
> barclays.co.uk
> egg.com
> halifax.co.uk
> #hsbc.co.uk
> hsbc.com
> #lloydstsb.co.uk
> lloydstsb.com
> #natwest.com
> #natwest.co.uk
> #nwolb.com
> paypal.com
> rbs.com
> #rbs.co.uk
> #rbsdigital.com
> #rbsdigital.co.uk
> #sainsburysonline.com
> #ybonline.co.uk
>
> I have log entries like:
>
> 2008-10-30 11:53:39 H=dns01.labmoreira.com.mx (mail.labmoreira.com)
> [201.134.16.230] F=<onlineservices@???> rejected
> RCPT <USER1@???>: DENIED BANK PHISHING from:
> onlineservices@??? @ 201.134.16.230
>
> 2008-10-30 11:53:40 H=(221-128-205-92.static.exatt.net)
> [221.128.206.156] F=<customer_support-num-095pc@???> rejected
> RCPT <USER2@???>: DENIED BANK PHISHING from:
> customer_support-num-095pc@??? @ 221.128.206.156
> 2
> 008-10-30 11:53:40 H=bb121-6-53-48.singnet.com.sg (lloydstsb.com)
> [121.6.53.48] F=<onlinesupport_ref_832ppn@???> rejected RCPT
> <USER3@???>: DENIED BANK PHISHING from:
> onlinesupport_ref_832ppn@??? @ 121.6.53.48
>
> (I have replaced recipients USER name and DOMAIN for privacy.)
>
>
>