[Dshield] Banks Openly Inviting Email Fraud

DAN MORRILL dan_20407 at msn.com
Mon Feb 23 22:40:02 GMT 2004

Wells Fargo passes the test, everything came from them and identified as

From :  <portsnip at wellsfargo.com>
Reply-To :  DoNotReply at chdt-db1be.wellsfargo.com
Sent :  Monday, February 23, 2004 4:44 AM
To :
Subject :


Received: from gideons.wellsfargo.com ([]) by 
mc9-f18.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824); Sun, 22 Feb 2004 
20:59:59 -0800
Received: from unixm5.wellsfargo.com (unixm5.wellsfargo.com 
[])by gideons.wellsfargo.com (8.12.9-20030924/8.12.4) with ESMTP 
id i1N4xxNZ010039for <dan_20407 at msn.com>; Sun, 22 Feb 2004 22:59:59 -0600 
Received: from unixm5.wellsfargo.com (localhost [])by 
unixm5.wellsfargo.com (Switch-3.0.5/Switch-3.0.0) with ESMTP id 
i1N4ix29025502for <dan_20407 at msn.com>; Sun, 22 Feb 2004 21:45:00 -0700 (MST)
Received: from kara.wellsfargo.com (kara.wellsfargo.com [])by 
unixm5.wellsfargo.com (Switch-3.0.5/Switch-3.0.0) with SMTP id 
i1N4ix29025499for <dan_20407 at msn.com>; Sun, 22 Feb 2004 21:44:59 -0700 (MST)
Received: from chdt-db1be.wellsfargo.com ([]) by 
kara.wellsfargo.com via smtpd (for mail.wellfargo.com []) with 
SMTP; 23 Feb 2004 04:44:59 UT
Received: from (chdt-app3 [])by 
chdt-db1be.wellsfargo.com (8.11.6+Sun/8.11.6) with SMTP id i1N4iwK18661for 
dan_20407 at msn.com; Sun, 22 Feb 2004 23:44:59 -0500 (EST)
X-Message-Info: JGTYoYF78jEgL9hzCF1TA1V02C8B6l2J
Message-Id: <200402230444.i1N4iwK18661 at chdt-db1be.wellsfargo.com>
Return-Path: portsnip at wellsfargo.com
X-OriginalArrivalTime: 23 Feb 2004 04:59:59.0992 (UTC) 

>From: "Doug White" <doug at clickdoug.com>
>Reply-To: General DShield Discussion List <list at dshield.org>
>To: "General DShield Discussion List" <list at dshield.org>
>Subject: Re: [Dshield] Banks Openly Inviting Email Fraud
>Date: Mon, 23 Feb 2004 16:10:05 -0600
>MIME-Version: 1.0
>Received: from mail.giac.net ([]) by mc3-f8.hotmail.com with 
>Microsoft SMTPSVC(5.0.2195.6824); Mon, 23 Feb 2004 14:22:37 -0800
>Received: (qmail 16175 invoked from network); 23 Feb 2004 22:21:33 -0000
>Received: from  (HELO dshield.com) (@)  by 0 with SMTP; 23 Feb 2004 
>22:21:33 -0000
>Received: from maverick12.sans.org (localhost.localdomain [])by 
>dshield.com (8.11.6/8.11.6) with ESMTP id i1NMLSi00954;Mon, 23 Feb 2004 
>22:21:28 GMT
>Received: from mail.giac.net (iceman1 [])by dshield.com 
>(8.11.6/8.11.6) with SMTP id i1NMBSi32391for <list at maverick12.sans.org>; 
>Mon, 23 Feb 2004 22:11:28 GMT
>Received: (qmail 9697 invoked from network); 23 Feb 2004 22:11:28 -0000
>Received: from  (HELO dshield.org) (@)by 0 with SMTP; 23 Feb 2004 22:11:28 
>X-Message-Info: JGTYoYF78jHqj2Euuvp4I0vuu9RbbB1I
>Old-Received: (qmail 8853 invoked from network); 23 Feb 2004 22:10:47 -0000
>Old-Received: from mail2.giac.net (HELO iceman.incidents.org) 
>( 0 with SMTP; 23 Feb 2004 22:10:47 -0000
>Old-Received: (qmail 10963 invoked from network); 23 Feb 2004 22:10:45 
>Old-Received: from adsl-66-139-91-40.dsl.snantx.swbell.net 
>(HELOclickdoug.com) ( 0 with SMTP; 23 Feb 2004 22:10:45 
>Old-Received: from lakeside [] by clickdoug.com with 
>ESMTP(SMTPD32-8.05) id A9C5C40058; Mon, 23 Feb 2004 16:08:05 -0600
>Message-ID: <057d01c3fa59$caaacb50$2a5b8b42 at clickdoug.com>
>References: <403A6B53.FCB2D433 at aset.com>
>X-MSMail-Priority: Normal
>X-Mailer: Microsoft Outlook Express 6.00.2800.1158
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
>Old-X-Envelope-To: list at dshield.org
>X-Seen-By: bob list
>X-Envelope-To: UNKNOWN
>X-Mailman-Approved-At: Mon, 23 Feb 2004 22:17:01 +0000
>X-BeenThere: list at dshield.org
>X-Mailman-Version: 2.1.4
>Precedence: list
>List-Id: General DShield Discussion List <list.dshield.org>
><http://www.dshield.org/mailman/listinfo/list>,<mailto:list-request at dshield.org?subject=unsubscribe>
>List-Archive: <http://www.dshield.org/pipermail/list>
>List-Post: <mailto:list at dshield.org>
>List-Help: <mailto:list-request at dshield.org?subject=help>
><http://www.dshield.org/mailman/listinfo/list>,<mailto:list-request at dshield.org?subject=subscribe>
>Errors-To: list-bounces at dshield.org
>Return-Path: list-bounces at dshield.org
>X-OriginalArrivalTime: 23 Feb 2004 22:22:38.0144 (UTC) 
>You are correct, and the proper response for the recipient of these mails
>is to complain loudly and repeatedly for violations of privacy rules. Threaten
>lawsuits, and report them to the Feds.  Publish the emails and the source
>on a web site with a page title of Bank Fraud, and send the link to every
>address at the bank you can find.
>Thus far, my bank uses their own servers and the Director of IT is a friend
>of mine - we have discussed at length the problems with hiring email marketing
>entities, especially those offshore, and they don't do it.  Several of the
>officers are even using my filtering server for incoming email.
>Stop spam on your domain, Anti-spam solutions
>For hosting solutions http://www.clickdoug.com
>Aspire to Inspire before you Retire or Expire!
>----- Original Message -----
>From: "Jon R. Kibler" <Jon.Kibler at aset.com>
>To: <list at dshield.org>
>Sent: Monday, February 23, 2004 3:06 PM
>Subject: [Dshield] Banks Openly Inviting Email Fraud
>: All:
>: It deeply concerns me how many financial institutions, especially banks, 
>: themselves wide open to email fraud. In fact, they are training their 
>users to
>: as legitimate, email that under most circumstances would be clearly
>red-flagged as
>: potentially fraudulent.
>: What is occurring is that many financial institutions are sending 
>: business-related email from unverifiable sources. They are sending email 
>: customers from sources such as:
>:    1) MTAs that do not have a hostname. When querying the MTA's IP in the
>:       database, often these IPs report as being owned by someone other 
>:       financial institution claiming to be (and who actually is) the 
>sender of
>:       the email.
>:    2) MTAs that have forged hostnames. That is, the IP address of the
>:       MTA claims to have a hostname that either does not resolve or 
>:       an IP address other than the IP address of the connection.
>:    3) Bulk mailing services (often offshore). These services often also 
>do not
>:       valid MTA hostnames (missing or forged). The email address in the
>:       header is often different than the envelope sender address, and the
>domain in
>:       both addresses is often a domain such as "bankabc03.com" instead of 
>:       domain "bankabc.com" that would more clearly be viewed as possibly
>:    4) URLs embedded into these emails are sometimes in IP address 
>:       and point to legitimate financial institution web services that 
>:       not have a valid hostname.
>: On several occasions we have contacted the appropriate administrators for
>: institutions and received the response "this is not a problem." It never
>ceases to
>: amaze me how security ignorant are these senior IT professionals!
>: Why are the above a problem? Because the institutions are training their
>: to EXPECT to receive official bank email that originates from clearly
>: sources. This allows anyone to set up a mail system and web site that 
>: be that institution, but is instead fraudulent.
>: Customers can look at the email headers of a fraudulent email, and see 
>: contain the same types of data -- including errors -- that they find in 
>: they know is legitimate. Same thing with URLs. Using such sloppy 
>: financial institutions are simply inviting fraud.
>: Do yourself a favor: CLOSELY examine the emails that you get from your 
>: broker, credit card company, retirement account, etc. Pull up some of 
>: and do a "show all headers" and examine the "Received:" lines. Do the 
>: that the email was received by your mail server from a VERIFIED source? 
>: words, your header should look something like this:
>: Received: from mail.mybank.com (mailout.mybank.com [w.x.y.z]) by ...
>: and not like:
>: Received: from mail.mybank.com (mailout.mybank.com [w.x.y.z] (may be 
>by ...
>: or:
>: Received: from mail.mybank.com (z.y.x.w.static.abigisp.net [w.x.y.z]) by 
>: or:
>: Received: from mail.mybank.com ([w.x.y.z]) by ...
>: As a word of explanation, the data you see in a received header is as 
>: The HELO_GREETING and the HOSTNAME_FROM_IP_LOOKUP can be forged with 
>: The only reliable information (and it is reliable ONLY in the header 
>added by
>: MTA) is the IP_OF_CONNECTION information. Also, depending upon the MTA 
>you use,
>: your Received header format may vary some from the standard format.
>: Does all the email you receive from various financial institutions have
>: headers that provide verifiable information? Do all the URLs in these 
>: use hostnames that are that of the financial institution, and not IP 
>: those of other organizations?
>: If all of your email from financial institutions conforms to such 
>: then please consider yourself lucky. The rest of you should start 
>: and loud to your financial institutions about how insecure they are and 
>: are deliberately making themselves ripe targets for fraud!
>: Jon Kibler
>: --
>: Jon R. Kibler
>: Chief Technical Officer
>: A.S.E.T., Inc.
>: Charleston, SC  USA
>: (843) 849-8214
>: ==================================================
>: Filtered by: TRUSTEM.COM's Email Filtering Service
>: http://www.trustem.com/
>: No Spam. No Viruses. Just Good Clean Email.
>: _______________________________________________
>: list mailing list
>: list at dshield.org
>: To change your subscription options (or unsubscribe), see:
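Added example, not part of this thread: a small Python checker that splits the `from` clause of a sendmail-style Received line into the HELO greeting, the reverse-lookup name and the connection IP, then applies the four header shapes from Jon Kibler's post as rules (present and unforged reverse name in the sender's domain is the only shape that passes). The sample lines are constructed from the post's patterns with 192.0.2.10 in place of "w.x.y.z"; `mx.example.net` and `mybank.com` are placeholders.

```python
import re
from ipaddress import ip_address

# Sendmail-style clause "from HELO (REVERSE [IP] (may be forged)) by NEXT_HOP".
# REVERSE and "(may be forged)" are optional: that is how the post's samples differ.
_RECEIVED = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]"
    r"(?P<forged>\s+\(may be forged\))?\)\s+by\s+(?P<by>\S+)", re.IGNORECASE)

def parse_received(line):
    # Returns helo/rdns/ip/forged/by for one Received line, or None if it does not fit.
    m = _RECEIVED.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    try:
        ip_address(d["ip"])          # a placeholder such as w.x.y.z is rejected
    except ValueError:
        return None
    d["forged"] = d["forged"] is not None
    return d

def _in_domain(host, domain):
    h = (host or "").lower().rstrip(".")
    return h == domain or h.endswith("." + domain)

def classify(line, sender_domain):
    """Verdict for a Received line written by a server you control: HELO and the
    reverse name are sender-chosen, only the connection IP is reliable."""
    r = parse_received(line)
    if r is None:
        return "unparseable"
    if r["rdns"] is None:
        return "no hostname"         # from helo ([ip]) by ...
    if r["forged"]:
        return "forged hostname"     # PTR name does not resolve back to ip
    if not _in_domain(r["rdns"], sender_domain):
        return "third-party host"    # ISP or bulk-mailer PTR, not the bank's
    if not _in_domain(r["helo"], sender_domain):
        return "helo mismatch"       # greeting names a host the PTR denies
    return "verified"

# Constructed samples in the post's four shapes; 192.0.2.10 (a documentation
# address) stands in for the post's "w.x.y.z".
SAMPLES = {
    "good":   "Received: from mail.mybank.com (mailout.mybank.com [192.0.2.10]) by mx.example.net",
    "forged": "Received: from mail.mybank.com (mailout.mybank.com [192.0.2.10] (may be forged)) by mx.example.net",
    "isp":    "Received: from mail.mybank.com (10-2-0-192.static.abigisp.net [192.0.2.10]) by mx.example.net",
    "bare":   "Received: from mail.mybank.com ([192.0.2.10]) by mx.example.net",
}

def audit(samples=SAMPLES, sender_domain="mybank.com"):
    return {name: classify(line, sender_domain) for name, line in samples.items()}
```

Only the Received line added by your own MTA is worth checking this way; lines further down the chain were written by hosts the sender controls.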

