[Dshield] Banks Openly Inviting Email Fraud
dan_20407 at msn.com
Mon Feb 23 22:40:02 GMT 2004
Wells Fargo passes the test, everything came from them and identified as
From : <portsnip at wellsfargo.com>
Reply-To : DoNotReply at chdt-db1be.wellsfargo.com
Sent : Monday, February 23, 2004 4:44 AM
Received: from gideons.wellsfargo.com ([18.104.22.168]) by
mc9-f18.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824); Sun, 22 Feb 2004
Received: from unixm5.wellsfargo.com (unixm5.wellsfargo.com
[10.27.11.167])by gideons.wellsfargo.com (8.12.9-20030924/8.12.4) with ESMTP
id i1N4xxNZ010039for <dan_20407 at msn.com>; Sun, 22 Feb 2004 22:59:59 -0600
Received: from unixm5.wellsfargo.com (localhost [127.0.0.1])by
unixm5.wellsfargo.com (Switch-3.0.5/Switch-3.0.0) with ESMTP id
i1N4ix29025502for <dan_20407 at msn.com>; Sun, 22 Feb 2004 21:45:00 -0700 (MST)
Received: from kara.wellsfargo.com (kara.wellsfargo.com [10.0.29.199])by
unixm5.wellsfargo.com (Switch-3.0.5/Switch-3.0.0) with SMTP id
i1N4ix29025499for <dan_20407 at msn.com>; Sun, 22 Feb 2004 21:44:59 -0700 (MST)
Received: from chdt-db1be.wellsfargo.com ([192.168.38.110]) by
kara.wellsfargo.com via smtpd (for mail.wellfargo.com [10.27.11.167]) with
SMTP; 23 Feb 2004 04:44:59 UT
Received: from 192.168.38.110 (chdt-app3 [192.168.38.81])by
chdt-db1be.wellsfargo.com (8.11.6+Sun/8.11.6) with SMTP id i1N4iwK18661for
dan_20407 at msn.com; Sun, 22 Feb 2004 23:44:59 -0500 (EST)
Message-Id: <200402230444.i1N4iwK18661 at chdt-db1be.wellsfargo.com>
Return-Path: portsnip at wellsfargo.com
X-OriginalArrivalTime: 23 Feb 2004 04:59:59.0992 (UTC)
>From: "Doug White" <doug at clickdoug.com>
>Reply-To: General DShield Discussion List <list at dshield.org>
>To: "General DShield Discussion List" <list at dshield.org>
>Subject: Re: [Dshield] Banks Openly Inviting Email Fraud
>Date: Mon, 23 Feb 2004 16:10:05 -0600
>Received: from mail.giac.net ([22.214.171.124]) by mc3-f8.hotmail.com with
>Microsoft SMTPSVC(5.0.2195.6824); Mon, 23 Feb 2004 14:22:37 -0800
>Received: (qmail 16175 invoked from network); 23 Feb 2004 22:21:33 -0000
>Received: from (HELO dshield.com) (@) by 0 with SMTP; 23 Feb 2004
>Received: from maverick12.sans.org (localhost.localdomain [127.0.0.1])by
>dshield.com (8.11.6/8.11.6) with ESMTP id i1NMLSi00954;Mon, 23 Feb 2004
>Received: from mail.giac.net (iceman1 [126.96.36.199])by dshield.com
>(8.11.6/8.11.6) with SMTP id i1NMBSi32391for <list at maverick12.sans.org>;
>Mon, 23 Feb 2004 22:11:28 GMT
>Received: (qmail 9697 invoked from network); 23 Feb 2004 22:11:28 -0000
>Received: from (HELO dshield.org) (@)by 0 with SMTP; 23 Feb 2004 22:11:28
>Old-Received: (qmail 8853 invoked from network); 23 Feb 2004 22:10:47 -0000
>Old-Received: from mail2.giac.net (HELO iceman.incidents.org)
>(188.8.131.52)by 0 with SMTP; 23 Feb 2004 22:10:47 -0000
>Old-Received: (qmail 10963 invoked from network); 23 Feb 2004 22:10:45
>Old-Received: from adsl-66-139-91-40.dsl.snantx.swbell.net
>(HELOclickdoug.com) (184.108.40.206)by 0 with SMTP; 23 Feb 2004 22:10:45
>Old-Received: from lakeside [220.127.116.11] by clickdoug.com with
>ESMTP(SMTPD32-8.05) id A9C5C40058; Mon, 23 Feb 2004 16:08:05 -0600
>Message-ID: <057d01c3fa59$caaacb50$2a5b8b42 at clickdoug.com>
>References: <403A6B53.FCB2D433 at aset.com>
>X-Mailer: Microsoft Outlook Express 6.00.2800.1158
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
>Old-X-Envelope-To: list at dshield.org
>X-Seen-By: bob list
>X-Mailman-Approved-At: Mon, 23 Feb 2004 22:17:01 +0000
>X-BeenThere: list at dshield.org
>List-Id: General DShield Discussion List <list.dshield.org>
><http://www.dshield.org/mailman/listinfo/list>,<mailto:list-request at dshield.org?subject=unsubscribe>
>List-Post: <mailto:list at dshield.org>
>List-Help: <mailto:list-request at dshield.org?subject=help>
><http://www.dshield.org/mailman/listinfo/list>,<mailto:list-request at dshield.org?subject=subscribe>
>Errors-To: list-bounces at dshield.org
>Return-Path: list-bounces at dshield.org
>X-OriginalArrivalTime: 23 Feb 2004 22:22:38.0144 (UTC)
>You are correct, and the proper response for the recipient of these mails
>complain loudly and repeatedly for violations of privacy rules. Threaten
>lawsuits, and report them to the Feds. Publish the emails and the source
>web site with a page title of Bank Fraud, and send the link to every
>address at the bank you can find.
>Thus far, my bank uses their own servers and the Director of IT is a friend
>mine - we have discussed at length the problems with hiring email marketing
>entities, especially those offshore, and they don't do it. Several of
>officers are even using my filtering server for incoming email.
>Stop spam on your domain, Anti-spam solutions
>For hosting solutions http://www.clickdoug.com
>Aspire to Inspire before you Retire or Expire!
>----- Original Message -----
>From: "Jon R. Kibler" <Jon.Kibler at aset.com>
>To: <list at dshield.org>
>Sent: Monday, February 23, 2004 3:06 PM
>Subject: [Dshield] Banks Openly Inviting Email Fraud
>: It deeply concerns me how many financial institutions, especially banks,
>: themselves wide open to email fraud. In fact, they are training their
>: as legitimate, email that under most circumstances would be clearly
>: potentially fraudulent.
>: What is occurring is that many financial institutions are sending
>: business-related email from unverifiable sources. They are sending email
>: customers from sources such as:
>: 1) MTAs that do not have a hostname. When querying the MTA's IP in the
>: database, often these IPs report as being owned by someone other
>: financial institution claiming to be (and who actually is) the
>: the email.
>: 2) MTAs that have forged hostnames. That is, the IP address of the
>: MTA claims to have a hostname that either does not resolve or
>: an IP address other than the IP address of the connection.
>: 3) Bulk mailing services (often offshore). These services often also
>: valid MTA hostnames (missing or forged). The email address in the
>: header is often different than the envelope sender address, and the
>: both addresses is often a domain such as "bankabc03.com" instead of
>: domain "bankabc.com" that would more clearly be viewed as possibly
>: 4) URLs embedded into these emails are sometimes in IP address
>: and point to legitimate financial institution web services that
>: not have a valid hostname.
>: On several occasions we have contacted the appropriate administrators for
>: institutions and received the response "this is not a problem." It never
>: amaze me how security-ignorant these senior IT professionals are!
>: Why are the above a problem? Because the institutions are training their
>: to EXPECT to receive official bank email that originates from clearly
>: sources. This allows anyone to set up a mail system and web site that
>: be that institution, but is instead fraudulent.
>: Customers can look at the email headers of a fraudulent email, and see
>: contain the same types of data -- including errors -- that they find in
>: they know is legitimate. Same thing with URLs. Using such sloppy
>: financial institutions are simply inviting fraud.
>: Do yourself a favor: CLOSELY examine the emails that you get from your
>: broker, credit card company, retirement account, etc. Pull up some of
>: and do a "show all headers" and examine the "Received:" lines. Do the
>: that the email was received by your mail server from a VERIFIED source?
>: words, your header should look something like this:
>: Received: from mail.mybank.com (mailout.mybank.com [w.x.y.z]) by ...
>: and not like:
>: Received: from mail.mybank.com (mailout.mybank.com [w.x.y.z] (may be
>: Received: from mail.mybank.com (z.y.x.w.static.abigisp.net [w.x.y.z]) by
>: Received: from mail.mybank.com ([w.x.y.z]) by ...
>: As a word of explanation, the data you see in a received header is as
>: Received: from HELO_GREETING (HOSTNAME_FROM_IP_LOOKUP [IP_OF_CONNECTION])
>: The HELO_GREETING and the HOSTNAME_FROM_IP_LOOKUP can be forged with
>: The only reliable information (and it is reliable ONLY in the header
>: MTA) is the IP_OF_CONNECTION information. Also, depending upon the MTA
>: your Received header format may vary some from the standard format.
>: Does all the email you receive from various financial institutions have
>: headers that provide verifiable information? Do all the URLs in these
>: use hostnames that are that of the financial institution, and not IP
>: those of other organizations?
>: If all of your email from financial institutions conforms to such
>: then please consider yourself lucky. The rest of you should start
>: and loud to your financial institutions about how insecure they are and
>: are deliberately making themselves ripe targets for fraud!
>: Jon Kibler
>: Jon R. Kibler
>: Chief Technical Officer
>: A.S.E.T., Inc.
>: Charleston, SC USA
>: (843) 849-8214
>: Filtered by: TRUSTEM.COM's Email Filtering Service
>: No Spam. No Viruses. Just Good Clean Email.
>: list mailing list
>: list at dshield.org
>: To change your subscription options (or unsubscribe), see:
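Jon's explanation of the Received: line format above, worked into an added example that is not part of the thread: a small Python checker that pulls the HELO greeting, the reverse-lookup hostname and the connecting IP out of a sendmail-style Received: line and classifies the first hop the way the post suggests. The sample headers are constructed after the patterns in the post (mybank.com and 192.0.2.10 are placeholders), and only the topmost header, the one your own MTA added, is treated as trustworthy.

```python
import re

# Sendmail-style clause: "from HELO (RDNS [IP])" or "from HELO ([IP])" when no
# hostname was found; sendmail appends "(may be forged)" when HELO and the
# reverse lookup disagree. Other MTAs vary the layout, as the post notes.
_RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[\w.-]+)\s+)?\[(?P<ip>[0-9a-fA-F:.]+)\]"
    r"(?P<forged>\s*\(may be forged\))?\)",
    re.IGNORECASE,
)

# Constructed headers following the good and bad shapes shown in the post.
SAMPLE = [
    "Received: from mail.mybank.com (mailout.mybank.com [192.0.2.10]) by mx.example.net",
    "Received: from mail.mybank.com (10-2-0-192.static.abigisp.net [192.0.2.10]) by mx.example.net",
    "Received: from mail.mybank.com ([192.0.2.10]) by mx.example.net",
    "Received: from mail.mybank.com (mailout.mybank.com [192.0.2.10] (may be forged)) by mx.example.net",
]


def parse_received(header):
    """Extract HELO name, reverse-lookup hostname and connecting IP from one Received: line."""
    m = _RECEIVED_RE.search(header)
    if not m:
        return None
    return {
        "helo": m["helo"],
        "rdns": m["rdns"],  # None when the receiving MTA recorded no hostname
        "ip": m["ip"],
        "may_be_forged": bool(m["forged"]),
    }


def in_domain(hostname, domain):
    """True when hostname is domain itself or a subdomain of it."""
    h, d = hostname.lower().rstrip("."), domain.lower()
    return h == d or h.endswith("." + d)


def assess(received, expected_domain):
    """Classify a parsed hop: HELO is attacker-controlled, so the judgement rests
    on whether the MTA's own reverse lookup named a host in the expected domain."""
    if received is None:
        return "unparsed"
    if received["may_be_forged"]:
        return "helo-mismatch"
    if received["rdns"] is None:
        return "no-hostname"
    if not in_domain(received["rdns"], expected_domain):
        return "foreign-hostname"
    return "verified"


def assess_first_hop(received_headers, expected_domain):
    """Judge only the topmost Received: line; lower ones arrived inside the message
    and can say anything the sender wants."""
    return assess(parse_received(received_headers[0]), expected_domain)
```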