[Dshield] Banks Openly Inviting Email Fraud

Doug White doug at clickdoug.com
Mon Feb 23 22:10:05 GMT 2004

You are correct, and the proper response for the recipient of these mails is to
complain loudly and repeatedly for violations of privacy rules. Threaten
lawsuits, and report them to the Feds.  Publish the emails and the source on a
web site with a page title of Bank Fraud, and send the link to every contact
address at the bank you can find.

Thus far, my bank uses their own servers and the Director of IT is a friend of
mine - we have discussed at length the problems with hiring email marketing
entities, especially those offshore, and they don't do it.  Several of their
officers are even using my filtering server for incoming email.

Stop spam on your domain, Anti-spam solutions
For hosting solutions http://www.clickdoug.com
Aspire to Inspire before you Retire or Expire!

----- Original Message ----- 
From: "Jon R. Kibler" <Jon.Kibler at aset.com>
To: <list at dshield.org>
Sent: Monday, February 23, 2004 3:06 PM
Subject: [Dshield] Banks Openly Inviting Email Fraud

: All:
: It deeply concerns me how many financial institutions, especially banks, are
: themselves wide open to email fraud. In fact, they are training their users to
: as legitimate, email that under most circumstances would be clearly red-flagged as
: potentially fraudulent.
: What is occurring is that many financial institutions are sending newsletters
: business-related email from unverifiable sources. They are sending email to
: customers from sources such as:
:    1) MTAs that do not have a hostname. When querying the MTA's IP in the
:       database, often these IPs report as being owned by someone other than
:       financial institution claiming to be (and who actually is) the sender of
:       the email.
:    2) MTAs that have forged hostnames. That is, the IP address of the
:       MTA claims to have a hostname that either does not resolve or resolves
:       an IP address other than the IP address of the connection.
:    3) Bulk mailing services (often offshore). These services often also do not
:       valid MTA hostnames (missing or forged). The email address in the
:       header is often different than the envelope sender address, and the domain in
:       both addresses is often a domain such as "bankabc03.com" instead of the
:       domain "bankabc.com" that would more clearly be viewed as possibly
:    4) URLs embedded into these emails are sometimes in IP address notation
:       and point to legitimate financial institution web services that simply
:       not have a valid hostname.
: On several occasions we have contacted the appropriate administrators for
: institutions and received the response "this is not a problem." It never ceases to
: amaze me how security-ignorant these senior IT professionals are!
: Why are the above a problem? Because the institutions are training their
: to EXPECT to receive official bank email that originates from clearly
: sources. This allows anyone to set up a mail system and web site that claims
: be that institution, but is instead fraudulent.
: Customers can look at the email headers of a fraudulent email, and see that
: contain the same types of data -- including errors -- that they find in email
: they know is legitimate. Same thing with URLs. Using such sloppy practices,
: financial institutions are simply inviting fraud.
: Do yourself a favor: CLOSELY examine the emails that you get from your bank,
: broker, credit card company, retirement account, etc. Pull up some of these
: and do a "show all headers" and examine the "Received:" lines. Do the headers
: that the email was received by your mail server from a VERIFIED source? In
: words, your header should look something like this:
: Received: from mail.mybank.com (mailout.mybank.com [w.x.y.z]) by ...
: and not like:
: Received: from mail.mybank.com (mailout.mybank.com [w.x.y.z] (may be forged)) by ...
: or:
: Received: from mail.mybank.com (z.y.x.w.static.abigisp.net [w.x.y.z]) by ...
: or:
: Received: from mail.mybank.com ([w.x.y.z]) by ...
: As a word of explanation, the data you see in a received header is as follows:
: The HELO_GREETING and the HOSTNAME_FROM_IP_LOOKUP can be forged with trivial
: The only reliable information (and it is reliable ONLY in the header added by
: MTA) is the IP_OF_CONNECTION information. Also, depending upon the MTA that you use,
: your Received header format may vary some from the standard format.
: Does all the email you receive from various financial institutions have
: headers that provide verifiable information? Do all the URLs in these messages
: use hostnames that are that of the financial institution, and not IP addresses
: those of other organizations?
: If all of your email from financial institutions conforms to such expected
: then please consider yourself lucky. The rest of you should start complaining
: and loud to your financial institutions about how insecure they are and how
: are deliberately making themselves ripe targets for fraud!
: Jon Kibler
: -- 
: Jon R. Kibler
: Chief Technical Officer
: A.S.E.T., Inc.
: Charleston, SC  USA
: (843) 849-8214
: ==================================================
: Filtered by: TRUSTEM.COM's Email Filtering Service
: http://www.trustem.com/
: No Spam. No Viruses. Just Good Clean Email.


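As an added example, not part of either message above: a small Python script that applies the header and URL checks Jon describes to constructed samples. It parses sendmail-style Received: lines of the four shapes shown in the quoted post, treats the connecting IP as the only reliable field, and sorts each header into a bucket (consistent, forged hostname, foreign reverse DNS, no hostname at all). It also scans a message body for links whose host is an IP literal or lies outside the institution's domain, which catches the "bankabc03.com" look-alike case. The domain mybank.com, the hostnames, the 192.0.2.0/24 addresses and the category names are placeholders chosen for this example, not anything from the original messages; the regex only understands the sendmail-like format the post shows and reports other formats as unparseable.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Placeholder institution domain (mybank.com is the post's own stand-in name).
ORG_DOMAIN = "mybank.com"

# Sendmail-style Received: line as shown in the post:
#   Received: from HELO_GREETING (HOSTNAME_FROM_IP_LOOKUP [IP_OF_CONNECTION] (may be forged)) by ...
# The reverse-DNS name and the "(may be forged)" note are optional; only the
# IP in square brackets is something the receiving MTA observed itself.
RECEIVED_RE = re.compile(
    r"Received:\s+from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]"
    r"(?P<forged>\s+\(may be forged\))?\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def in_domain(host, domain):
    """True if host is domain itself or a subdomain of it (case-insensitive)."""
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify_received(header, org_domain=ORG_DOMAIN):
    """Bucket one Received: header the way the post suggests reading it."""
    m = RECEIVED_RE.search(header)
    if not m:
        return "unparseable"
    helo, rdns, forged = m.group("helo"), m.group("rdns"), m.group("forged")
    if forged:
        # Receiving MTA could not reconcile the HELO name with the connecting IP.
        return "forged-hostname"
    if rdns is None:
        # Bare [IP]: the connecting address has no reverse DNS at all.
        return "no-hostname"
    if not in_domain(rdns, org_domain):
        # Reverse DNS belongs to someone else (an ISP, a bulk mailer).
        return "foreign-hostname"
    if not in_domain(helo, org_domain):
        # Reverse DNS is the bank's, but the sender announced a different name.
        return "helo-mismatch"
    return "consistent"


def flag_urls(body, org_domain=ORG_DOMAIN):
    """Return (url, reason) for links with an IP-literal host or a host
    outside org_domain (e.g. the look-alike bankabc03.com for bankabc.com)."""
    findings = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")  # strip sentence punctuation glued to the link
        host = urlparse(url).hostname or ""
        try:
            ipaddress.ip_address(host)
            findings.append((url, "ip-literal host"))
            continue
        except ValueError:
            pass
        if not in_domain(host, org_domain):
            findings.append((url, "host outside " + org_domain))
    return findings


# Constructed samples following the four header shapes in the post
# (192.0.2.0/24 is the documentation range; hostnames are placeholders).
SAMPLE_HEADERS = [
    "Received: from mail.mybank.com (mailout.mybank.com [192.0.2.10]) by mx.example.net",
    "Received: from mail.mybank.com (mailout.mybank.com [192.0.2.10] (may be forged)) by mx.example.net",
    "Received: from mail.mybank.com (10-2-0-192.static.abigisp.net [192.0.2.10]) by mx.example.net",
    "Received: from mail.mybank.com ([192.0.2.10]) by mx.example.net",
]

# Constructed body text with one IP-literal link, one look-alike domain and one
# legitimate link.
SAMPLE_BODY = """Dear customer, log in at http://192.0.2.20/login to confirm your details.
Our newsletter archive is at https://www.mybank03.com/news and
online banking remains at https://online.mybank.com/."""


def audit(headers=SAMPLE_HEADERS, body=SAMPLE_BODY):
    """Run both checks over a message's headers and body."""
    return {"received": [classify_received(h) for h in headers],
            "urls": flag_urls(body)}


if __name__ == "__main__":
    report = audit()
    for verdict, header in zip(report["received"], SAMPLE_HEADERS):
        print(f"{verdict:18} {header}")
    for url, why in report["urls"]:
        print(f"{why:28} {url}")
```

Run it as-is to see the four sample headers bucketed and the two suspicious links reported; point `audit()` at the `Received:` lines and body of a real bank mailing to repeat Jon's exercise on your own inbox. Remember his caveat: only the header your own MTA added can be trusted, so feed in the topmost `Received:` line, not ones deeper in the chain.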