[Dshield] Banks Openly Inviting Email Fraud

Doug White doug at clickdoug.com
Mon Feb 23 22:10:05 GMT 2004


You are correct, and the proper response for the recipient of these mails is to
complain loudly and repeatedly for violations of privacy rules. Threaten
lawsuits, and report them to the Feds.  Publish the emails and the source on a
web site with a page title of Bank Fraud, and send the link to every contact
address at the bank you can find.

Thus far, my bank uses their own servers and the Director of IT is a friend of
mine - we have discussed at length the problems with hiring email marketing
entities, especially those offshore, and they don't do it.  Several of their
officers are even using my filtering server for incoming email.

======================================
Stop spam on your domain, Anti-spam solutions
http://www.clickdoug.com/mailfilter.cfm
For hosting solutions http://www.clickdoug.com
======================================
Aspire to Inspire before you Retire or Expire!


----- Original Message ----- 
From: "Jon R. Kibler" <Jon.Kibler at aset.com>
To: <list at dshield.org>
Sent: Monday, February 23, 2004 3:06 PM
Subject: [Dshield] Banks Openly Inviting Email Fraud


: All:
:
: It deeply concerns me how many financial institutions, especially banks, are
: leaving themselves wide open to email fraud. In fact, they are training their
: users to accept as legitimate, email that under most circumstances would be
: clearly red-flagged as potentially fraudulent.
:
: What is occurring is that many financial institutions are sending newsletters
: and business-related email from unverifiable sources. They are sending email to
: their customers from sources such as:
:    1) MTAs that do not have a hostname. When querying the MTA's IP in the whois
:       database, often these IPs report as being owned by someone other than the
:       financial institution claiming to be (and who actually is) the sender of
:       the email.
:
:    2) MTAs that have forged hostnames. That is, the IP address of the connecting
:       MTA claims to have a hostname that either does not resolve or resolves to
:       an IP address other than the IP address of the connection.
:
:    3) Bulk mailing services (often offshore). These services often also do not
:       have valid MTA hostnames (missing or forged). The email address in the
:       "From:" header is often different than the envelope sender address, and
:       the domain in both addresses is often a domain such as "bankabc03.com"
:       instead of the domain "bankabc.com" that would more clearly be viewed as
:       possibly legitimate.
:
:    4) URLs embedded into these emails are sometimes in IP address notation
:       format, and point to legitimate financial institution web services that
:       simply do not have a valid hostname.
:
: On several occasions we have contacted the appropriate administrators for these
: institutions and received the response "this is not a problem." It never ceases
: to amaze me how security-ignorant these senior IT professionals are!
:
: Why are the above a problem? Because the institutions are training their
: customers to EXPECT to receive official bank email that originates from clearly
: unverifiable sources. This allows anyone to set up a mail system and web site
: that claims to be that institution, but is instead fraudulent.
:
: Customers can look at the email headers of a fraudulent email, and see that they
: contain the same types of data -- including errors -- that they find in email
: that they know is legitimate. Same thing with URLs. Using such sloppy practices,
: these financial institutions are simply inviting fraud.
:
: Do yourself a favor: CLOSELY examine the emails that you get from your bank,
: stock broker, credit card company, retirement account, etc. Pull up some of
: these emails and do a "show all headers" and examine the "Received:" lines. Do
: the headers show that the email was received by your mail server from a
: VERIFIED source? In other words, your header should look something like this:
: Received: from mail.mybank.com (mailout.mybank.com [w.x.y.z]) by ...
: and not like:
: Received: from mail.mybank.com (mailout.mybank.com [w.x.y.z] (may be forged)) by ...
: or:
: Received: from mail.mybank.com (z.y.x.w.static.abigisp.net [w.x.y.z]) by ...
: or:
: Received: from mail.mybank.com ([w.x.y.z]) by ...
:
: As a word of explanation, the data you see in a received header is as follows:
: Received: from HELO_GREETING (HOSTNAME_FROM_IP_LOOKUP [IP_OF_CONNECTION]) by ...
:
: The HELO_GREETING and the HOSTNAME_FROM_IP_LOOKUP can be forged with trivial
: effort. The only reliable information (and it is reliable ONLY in the header
: added by your MTA) is the IP_OF_CONNECTION information. Also, depending upon the
: MTA that you use, your Received header format may vary some from the standard
: format.
:
: Does all the email you receive from various financial institutions have
: "Received:" headers that provide verifiable information? Do all the URLs in
: these messages use hostnames that are that of the financial institution, and
: not IP addresses or those of other organizations?
:
: If all of your email from financial institutions conforms to such expected
: norms, then please consider yourself lucky. The rest of you should start
: complaining long and loud to your financial institutions about how insecure
: they are and how they are deliberately making themselves ripe targets for
: fraud!
:
: Jon Kibler
: -- 
: Jon R. Kibler
: Chief Technical Officer
: A.S.E.T., Inc.
: Charleston, SC  USA
: (843) 849-8214
:
:
:
:
: ==================================================
: Filtered by: TRUSTEM.COM's Email Filtering Service
: http://www.trustem.com/
: No Spam. No Viruses. Just Good Clean Email.
:
:


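The header and URL checks Jon Kibler walks through in the quoted message, mechanised as an added example in Python. This is not code from either poster. It assumes the receiving MTA writes sendmail-style headers of the exact shape the message quotes ("Received: from HELO (RDNS [IP]) by ...", with "(may be forged)" appended when the PTR name does not resolve back to the connecting IP) and that the caller knows the institution's real domain; every hostname, address and message in it is constructed, with IPs taken from the RFC 5737 documentation range.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Added example, not code from either poster. Assumptions: sendmail-style
# "Received: from HELO (RDNS [IP]) by ..." headers, "(may be forged)" marking a
# PTR that does not map back to the IP, and a caller who knows the bank's real
# domain. All hostnames, addresses and messages are constructed; 192.0.2.0/24
# is the RFC 5737 documentation range.

RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\("
    r"(?:(?P<rdns>[^\s\[\]()]+)\s+)?"       # reverse-DNS name; absent if no PTR
    r"\[(?P<ip>[^\]]+)\]"                   # the only field you can trust
    r"(?P<forged>\s+\(may be forged\))?\)"  # sendmail's PTR/A mismatch marker
    r"\s+by\b",
    re.IGNORECASE,
)


def registered_domain(host):
    """Last two labels of a hostname (fine for the .com/.net cases here; a real
    tool would consult the public suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_received(value):
    """Map one Received header value onto the four shapes from the post."""
    m = RECEIVED_RE.match(" ".join(value.split()))  # unfold continuation lines
    if not m:
        return "unparsed"
    if m.group("forged"):
        return "forged-helo"       # hostname given does not map back to the IP
    if m.group("rdns") is None:
        return "no-rdns"           # connecting IP has no hostname at all
    if registered_domain(m.group("rdns")) != registered_domain(m.group("helo")):
        return "rdns-other-org"    # PTR belongs to an ISP or a bulk mailer
    return "verified"


def domain_of(addr):
    """Domain part of an address such as '"My Bank" <alerts@mybank.com>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", addr or "")
    return m.group(1).lower() if m else ""


def analyze(raw_message, bank_domain):
    """Return a list of findings; empty means the mail looks the way the post
    says legitimate bank mail should."""
    msg = message_from_string(raw_message)
    findings = []

    # Only the top-most Received header was written by *your* MTA; anything
    # below it could have been typed in by the sender.
    received = msg.get_all("Received") or []
    verdict = classify_received(received[0]) if received else "no-received"
    if verdict != "verified":
        findings.append("received:" + verdict)

    # "From:" versus envelope sender (Return-Path), and both versus the bank.
    hdr_from, env_from = domain_of(msg.get("From")), domain_of(msg.get("Return-Path"))
    if hdr_from != env_from:
        findings.append("from/envelope-mismatch")
    for dom in dict.fromkeys([hdr_from, env_from]):  # dedupe, keep order
        if dom and registered_domain(dom) != bank_domain:
            findings.append("sender-domain:" + dom)

    # URLs in the body: IP literals and hosts outside the bank's own domain.
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        text = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        for url in re.findall(r"https?://[^\s<>\"']+", text):
            host = urlparse(url).hostname or ""
            if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
                findings.append("url-ip-literal:" + host)
            elif registered_domain(host) != bank_domain:
                findings.append("url-other-domain:" + host)
    return findings


# Constructed sample: what the post says legitimate bank mail should look like.
GOOD = """\
Return-Path: <alerts@mybank.com>
Received: from mail.mybank.com (mailout.mybank.com [192.0.2.10]) by mx.example.net (8.12.11) with ESMTP; Mon, 23 Feb 2004 15:06:10 -0500
From: "My Bank" <alerts@mybank.com>
Subject: Your February statement is ready

Sign in at https://www.mybank.com/statements to view it.
"""

# Constructed sample: a bulk-mailer newsletter with the defects from items 3 and 4.
BAD = """\
Return-Path: <bounce-4711@bulkmailer03.example>
Received: from mail.mybank.com (h-192-0-2-77.static.abigisp.net [192.0.2.77]) by mx.example.net (8.12.11) with ESMTP; Mon, 23 Feb 2004 15:07:00 -0500
From: "My Bank Newsletter" <news@mybank03.com>
Subject: February newsletter

Read this month's newsletter at http://192.0.2.88/newsletter/feb2004
"""

if __name__ == "__main__":
    for name, raw in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, analyze(raw, "mybank.com") or "no findings")
```

The script deliberately looks only at the first Received header, for the reason the message gives: that is the one your own MTA wrote, and every header below it is under the sender's control. It also trusts the MTA's "(may be forged)" annotation rather than doing its own lookups; a production version would perform the forward and reverse DNS checks itself and use the public suffix list instead of the two-label heuristic in registered_domain.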



