[Dshield] Banks Openly Inviting Email Fraud

DAN MORRILL dan_20407 at msn.com
Mon Feb 23 22:40:02 GMT 2004


Wells Fargo passes the test, everything came from them and identified as them.


From :  <portsnip at wellsfargo.com>
Reply-To :  DoNotReply at chdt-db1be.wellsfargo.com
Sent :  Monday, February 23, 2004 4:44 AM
To :
Subject :



Received: from gideons.wellsfargo.com ([171.72.5.146]) by 
mc9-f18.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824); Sun, 22 Feb 2004 
20:59:59 -0800
Received: from unixm5.wellsfargo.com (unixm5.wellsfargo.com 
[10.27.11.167])by gideons.wellsfargo.com (8.12.9-20030924/8.12.4) with ESMTP 
id i1N4xxNZ010039for <dan_20407 at msn.com>; Sun, 22 Feb 2004 22:59:59 -0600 
(CST)
Received: from unixm5.wellsfargo.com (localhost [127.0.0.1])by 
unixm5.wellsfargo.com (Switch-3.0.5/Switch-3.0.0) with ESMTP id 
i1N4ix29025502for <dan_20407 at msn.com>; Sun, 22 Feb 2004 21:45:00 -0700 (MST)
Received: from kara.wellsfargo.com (kara.wellsfargo.com [10.0.29.199])by 
unixm5.wellsfargo.com (Switch-3.0.5/Switch-3.0.0) with SMTP id 
i1N4ix29025499for <dan_20407 at msn.com>; Sun, 22 Feb 2004 21:44:59 -0700 (MST)
Received: from chdt-db1be.wellsfargo.com ([192.168.38.110]) by 
kara.wellsfargo.com via smtpd (for mail.wellfargo.com [10.27.11.167]) with 
SMTP; 23 Feb 2004 04:44:59 UT
Received: from 192.168.38.110 (chdt-app3 [192.168.38.81])by 
chdt-db1be.wellsfargo.com (8.11.6+Sun/8.11.6) with SMTP id i1N4iwK18661for 
dan_20407 at msn.com; Sun, 22 Feb 2004 23:44:59 -0500 (EST)
X-Message-Info: JGTYoYF78jEgL9hzCF1TA1V02C8B6l2J
Message-Id: <200402230444.i1N4iwK18661 at chdt-db1be.wellsfargo.com>
Return-Path: portsnip at wellsfargo.com
X-OriginalArrivalTime: 23 Feb 2004 04:59:59.0992 (UTC) 
FILETIME=[E3AB8F80:01C3F9C9]
>From: "Doug White" <doug at clickdoug.com>
>Reply-To: General DShield Discussion List <list at dshield.org>
>To: "General DShield Discussion List" <list at dshield.org>
>Subject: Re: [Dshield] Banks Openly Inviting Email Fraud
>Date: Mon, 23 Feb 2004 16:10:05 -0600
>MIME-Version: 1.0
>Received: from mail.giac.net ([65.173.218.103]) by mc3-f8.hotmail.com with 
>Microsoft SMTPSVC(5.0.2195.6824); Mon, 23 Feb 2004 14:22:37 -0800
>Received: (qmail 16175 invoked from network); 23 Feb 2004 22:21:33 -0000
>Received: from  (HELO dshield.com) (@)  by 0 with SMTP; 23 Feb 2004 
>22:21:33 -0000
>Received: from maverick12.sans.org (localhost.localdomain [127.0.0.1])by 
>dshield.com (8.11.6/8.11.6) with ESMTP id i1NMLSi00954;Mon, 23 Feb 2004 
>22:21:28 GMT
>Received: from mail.giac.net (iceman1 [65.173.218.103])by dshield.com 
>(8.11.6/8.11.6) with SMTP id i1NMBSi32391for <list at maverick12.sans.org>; 
>Mon, 23 Feb 2004 22:11:28 GMT
>Received: (qmail 9697 invoked from network); 23 Feb 2004 22:11:28 -0000
>Received: from  (HELO dshield.org) (@)by 0 with SMTP; 23 Feb 2004 22:11:28 
>-0000
>X-Message-Info: JGTYoYF78jHqj2Euuvp4I0vuu9RbbB1I
>Old-Received: (qmail 8853 invoked from network); 23 Feb 2004 22:10:47 -0000
>Old-Received: from mail2.giac.net (HELO iceman.incidents.org) 
>(63.100.47.43)by 0 with SMTP; 23 Feb 2004 22:10:47 -0000
>Old-Received: (qmail 10963 invoked from network); 23 Feb 2004 22:10:45 
>-0000
>Old-Received: from adsl-66-139-91-40.dsl.snantx.swbell.net 
>(HELOclickdoug.com) (66.139.91.40)by 0 with SMTP; 23 Feb 2004 22:10:45 
>-0000
>Old-Received: from lakeside [66.139.91.42] by clickdoug.com with 
>ESMTP(SMTPD32-8.05) id A9C5C40058; Mon, 23 Feb 2004 16:08:05 -0600
>Message-ID: <057d01c3fa59$caaacb50$2a5b8b42 at clickdoug.com>
>References: <403A6B53.FCB2D433 at aset.com>
>X-MSMail-Priority: Normal
>X-Mailer: Microsoft Outlook Express 6.00.2800.1158
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
>Old-X-Envelope-To: list at dshield.org
>X-Seen-By: bob list
>X-Envelope-To: UNKNOWN
>X-Mailman-Approved-At: Mon, 23 Feb 2004 22:17:01 +0000
>X-BeenThere: list at dshield.org
>X-Mailman-Version: 2.1.4
>Precedence: list
>List-Id: General DShield Discussion List <list.dshield.org>
>List-Unsubscribe: 
><http://www.dshield.org/mailman/listinfo/list>,<mailto:list-request at dshield.org?subject=unsubscribe>
>List-Archive: <http://www.dshield.org/pipermail/list>
>List-Post: <mailto:list at dshield.org>
>List-Help: <mailto:list-request at dshield.org?subject=help>
>List-Subscribe: 
><http://www.dshield.org/mailman/listinfo/list>,<mailto:list-request at dshield.org?subject=subscribe>
>Errors-To: list-bounces at dshield.org
>Return-Path: list-bounces at dshield.org
>X-OriginalArrivalTime: 23 Feb 2004 22:22:38.0144 (UTC) 
>FILETIME=[8B3C0400:01C3FA5B]
>
>You are correct, and the proper response for the recipient of these mails
>is to complain loudly and repeatedly for violations of privacy rules. Threaten
>lawsuits, and report them to the Feds.  Publish the emails and the source on a
>web site with a page title of Bank Fraud, and send the link to every contact
>address at the bank you can find.
>
>Thus far, my bank uses their own servers and the Director of IT is a friend of
>mine - we have discussed at length the problems with hiring email marketing
>entities, especially those offshore, and they don't do it.  Several of their
>officers are even using my filtering server for incoming email.
>
>======================================
>Stop spam on your domain, Anti-spam solutions
>http://www.clickdoug.com/mailfilter.cfm
>For hosting solutions http://www.clickdoug.com
>======================================
>Aspire to Inspire before you Retire or Expire!
>
>
>----- Original Message -----
>From: "Jon R. Kibler" <Jon.Kibler at aset.com>
>To: <list at dshield.org>
>Sent: Monday, February 23, 2004 3:06 PM
>Subject: [Dshield] Banks Openly Inviting Email Fraud
>
>
>: All:
>:
>: It deeply concerns me how many financial institutions, especially banks, are
>: leaving themselves wide open to email fraud. In fact, they are training their
>: users to accept as legitimate, email that under most circumstances would be
>: clearly red-flagged as potentially fraudulent.
>:
>: What is occurring is that many financial institutions are sending newsletters
>: and business-related email from unverifiable sources. They are sending email
>: to their customers from sources such as:
>:    1) MTAs that do not have a hostname. When querying the MTA's IP in the
>:       whois database, often these IPs report as being owned by someone other
>:       than the financial institution claiming to be (and who actually is) the
>:       sender of the email.
>:
>:    2) MTAs that have forged hostnames. That is, the IP address of the
>:       connecting MTA claims to have a hostname that either does not resolve
>:       or resolves to an IP address other than the IP address of the
>:       connection.
>:
>:    3) Bulk mailing services (often offshore). These services often also do
>:       not have valid MTA hostnames (missing or forged). The email address in
>:       the "From:" header is often different than the envelope sender address,
>:       and the domain in both addresses is often a domain such as
>:       "bankabc03.com" instead of the domain "bankabc.com" that would more
>:       clearly be viewed as possibly legitimate.
>:
>:    4) URLs embedded into these emails are sometimes in IP address notation
>:       format, and point to legitimate financial institution web services
>:       that simply do not have a valid hostname.
>:
>: On several occasions we have contacted the appropriate administrators for
>: these institutions and received the response "this is not a problem." It
>: never ceases to amaze me how security ignorant are these senior IT
>: professionals!
>:
>: Why are the above a problem? Because the institutions are training their
>: customers to EXPECT to receive official bank email that originates from
>: clearly unverifiable sources. This allows anyone to set up a mail system and
>: web site that claims to be that institution, but is instead fraudulent.
>:
>: Customers can look at the email headers of a fraudulent email, and see that
>: they contain the same types of data -- including errors -- that they find in
>: email that they know is legitimate. Same thing with URLs. Using such sloppy
>: practices, these financial institutions are simply inviting fraud.
>:
>: Do yourself a favor: CLOSELY examine the emails that you get from your bank,
>: stock broker, credit card company, retirement account, etc. Pull up some of
>: these emails and do a "show all headers" and examine the "Received:" lines.
>: Do the headers show that the email was received by your mail server from a
>: VERIFIED source? In other words, your header should look something like this:
>: Received: from mail.mybank.com (mailout.mybank.com [w.x.y.z]) by ...
>: and not like:
>: Received: from mail.mybank.com (mailout.mybank.com [w.x.y.z] (may be forged)) by ...
>: or:
>: Received: from mail.mybank.com (z.y.x.w.static.abigisp.net [w.x.y.z]) by ...
>: or:
>: Received: from mail.mybank.com ([w.x.y.z]) by ...
>:
>: As a word of explanation, the data you see in a received header is as
>: follows:
>: Received: from HELO_GREETING (HOSTNAME_FROM_IP_LOOKUP [IP_OF_CONNECTION]) by ...
>:
>: The HELO_GREETING and the HOSTNAME_FROM_IP_LOOKUP can be forged with trivial
>: effort. The only reliable information (and it is reliable ONLY in the header
>: added by your MTA) is the IP_OF_CONNECTION information. Also, depending upon
>: the MTA that you use, your Received header format may vary some from the
>: standard format.
>:
>: Does all the email you receive from various financial institutions have
>: "Received:" headers that provide verifiable information? Do all the URLs in
>: these messages use hostnames that are that of the financial institution, and
>: not IP addresses or those of other organizations?
>:
>: If all of your email from financial institutions conforms to such expected
>: norms, then please consider yourself lucky. The rest of you should start
>: complaining long and loud to your financial institutions about how insecure
>: they are and how they are deliberately making themselves ripe targets for
>: fraud!
>:
>: Jon Kibler
>: --
>: Jon R. Kibler
>: Chief Technical Officer
>: A.S.E.T., Inc.
>: Charleston, SC  USA
>: (843) 849-8214
>:
>:
>:
>:
>: ==================================================
>: Filtered by: TRUSTEM.COM's Email Filtering Service
>: http://www.trustem.com/
>: No Spam. No Viruses. Just Good Clean Email.
>:
>:
>
>
>--------------------------------------------------------------------------------
>
>
>: _______________________________________________
>: list mailing list
>: list at dshield.org
>: To change your subscription options (or unsubscribe), see:
>http://www.dshield.org/mailman/listinfo/list
>:

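Jon's description of the Received: header clause, turned into a small checker. This is example code added here, not code from any post in the thread: it parses the sendmail-style "from HELO (rDNS [IP]) by" clause and reports the patterns he lists (bare IP with no reverse DNS, "(may be forged)", a reverse-DNS or HELO name outside the bank's domain). The sample headers, the 192.0.2.10 address, and the mybank.com / mx.example.net names are constructed for the example.

```python
import re

# Regex for the clause the post explains:
#   Received: from HELO_GREETING (HOSTNAME_FROM_IP_LOOKUP [IP_OF_CONNECTION]) by ...
# The reverse-DNS name is optional (some MTAs emit only "([ip])"), and sendmail
# appends "(may be forged)" when the HELO name does not resolve to that IP.
RECEIVED_RE = re.compile(
    r"^Received:\s*from\s+(?P<helo>\S+)\s*"
    r"\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
    r"(?P<forged>\s*\(may be forged\))?\)\s*by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

def parse_received(header):
    """Split one Received: header into helo, rdns, ip, forged, by (None if no match)."""
    m = RECEIVED_RE.match(" ".join(header.split()))  # unfold wrapped header lines
    if not m:
        return None
    fields = m.groupdict()
    fields["forged"] = fields["forged"] is not None
    return fields

def in_domain(hostname, domain):
    h = (hostname or "").lower().rstrip(".")
    return h == domain or h.endswith("." + domain)

def check_received(header, expected_domain):
    """Return the problems the post warns about; [] means the header names a
    connection whose HELO and reverse DNS both sit under expected_domain."""
    p = parse_received(header)
    if p is None:
        return ["unparseable Received header"]
    problems = []
    if p["rdns"] is None:
        problems.append("no reverse-DNS hostname for %s (bare IP)" % p["ip"])
    elif not in_domain(p["rdns"], expected_domain):
        problems.append("reverse DNS %s is outside %s" % (p["rdns"], expected_domain))
    if p["forged"]:
        problems.append("HELO %s does not resolve to %s (may be forged)" % (p["helo"], p["ip"]))
    if not in_domain(p["helo"], expected_domain):
        problems.append("HELO %s is outside %s" % (p["helo"], expected_domain))
    return problems

# Constructed samples mirroring the post's four templates; 192.0.2.10 is a
# documentation-range address and mybank.com stands in for the expected sender.
SAMPLES = [
    "Received: from mail.mybank.com (mailout.mybank.com [192.0.2.10]) by mx.example.net",
    "Received: from mail.mybank.com (mailout.mybank.com [192.0.2.10] (may be forged)) by mx.example.net",
    "Received: from mail.mybank.com (10-2-0-192.static.abigisp.net [192.0.2.10]) by mx.example.net",
    "Received: from mail.mybank.com ([192.0.2.10]) by mx.example.net",
]
```

check_received(header, "mybank.com") returns an empty list only for the first sample; as Jon notes, only the IP in the header your own MTA added is trustworthy, so run the check on that header rather than on earlier hops.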



