One good way to fight bank email phishing is to send all your official bank email from servers whose forward confirmed reverse DNS (FCrDNS) resolves back to their domain name: the PTR record for the sending IP names a host, and that host’s A record points back to the same IP. For example, Wells Fargo Bank does it right. Everything that comes from Wells Fargo is sent by a host named *.wellsfargo.com. So if the sending host matches that, it’s good, and if it doesn’t, it’s spam. Same is true for PayPal, but not Bank of America. I have an email from them that is real, but the host name it came from is tr202154.cv47.net. So as a spam filtering operation how am I supposed to know that cv47.net is really Bank of America? Why can’t they send email from *.bankofamerica.com servers like secure banks do?
But – I guess it doesn’t matter because they are getting bailout money so they can afford to subsidize the Russian mafia and make it up in higher credit card fees to honest people. But it’s clear to me that their IT department doesn’t give a f**k about fraud or security or they would at least take some minimal precautions to help people avoid getting ripped off.
Imagine how bad it would be if you actually did have a bank account in Russia, Ukraine or Nigeria.
Glad I’m not with BOA. Now you know why the banking industry is screwed.
Marc – I totally agree with you. This is a huge tech pet peeve of mine.
Most likely BOA outsourced an email campaign, and then that company outsourced the sending.
I’ve had to tone down the settings to accept if there is a valid PTR record only.
I hate to remove the lookup on the HELO, yet, many large Co’s have set their HELO to be their internal machine name, kinda like “ntemail.thiscompany.local”, which doesn’t match the IP of the originator.
The worst are the people that use grey listing w/o setting it up properly, causing lots of delays and large log files for nothing.
Like grey listing by originating email address instead of by server/IP, use caching with a 30 day expiry.
Curious. cv47.net belongs to Conversen, a marketing company. Did the email have any actual account info in it?
If not it is spam. Just spam from someone you know.
Yield on BAC is 20%. At least it is currently.
“So as a spam filtering operation how am I supposed to know that cv47.net is really Bank of America?”
So, what does an MX lookup reveal?
#4 – yes – the email knew what my credit limit was on the card I quit using several years ago so the third party had my available balance information. Something that I did NOT authorize BofA to give out.
In fact the only reason I have any BofA relationship is that I used to have a card with MBNA and they got bought by BofA.
Mark,
tr202154.cv47.net reports the MX record:
office.conversen.com 64.119.133.165 3600
Any decent anti-spam server s/w would have told you this. What s/w do you use?
Paddy-o,
I think you are missing the point. BofA email should come from IP addresses whose FCrDNS resolves back to a *.bankofamerica.com host name. That way I can tell valid email 100% of the time.
Forward confirmed RDNS can’t be spoofed. But BofA email can come from anywhere and I can’t determine if it’s real like I can with Wells Fargo or PayPal. I only had one email from a PayPal employee that came from a non-paypal server and I just told him, spam or not, that there was no fucking way that I’m passing paypal.com email unless it comes from a paypal.com server. And he backed down.
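Here is what the FCrDNS check described in the post and in this comment looks like when written out, as an added example that is not part of the original post or thread. It parses a Received: line of the form quoted later in the thread, walks IP to PTR to A and back, and then tests whether the confirmed name sits under the bank’s domain. DNS answers come from a constructed table: the cv47.net entries mirror the quoted header, while the wellsfargo.com and bankofamerica.com entries are hypothetical and exist only to show the passing case and a spoofed-PTR case.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed DNS data for this example (not live records).
# The cv47.net PTR/A pair reflects the Received header quoted in the thread;
# the wellsfargo.com and bankofamerica.com entries are hypothetical, using
# documentation addresses (203.0.113.0/24) so nothing here points at a real host.
FAKE_DNS: Dict[Tuple[str, str], List[str]] = {
    ("154.202.75.216.in-addr.arpa", "PTR"): ["tr202154.cv47.net"],
    ("tr202154.cv47.net", "A"): ["216.75.202.154"],
    # hypothetical "good" sender: PTR and A agree, name is under the bank's domain
    ("10.113.0.203.in-addr.arpa", "PTR"): ["mail1.wellsfargo.com"],
    ("mail1.wellsfargo.com", "A"): ["203.0.113.10"],
    # hypothetical spoofed PTR: the reverse record claims a bank host, but that
    # host's A record does not point back at the sending IP, so FCrDNS fails
    ("20.113.0.203.in-addr.arpa", "PTR"): ["mail.bankofamerica.com"],
    ("mail.bankofamerica.com", "A"): ["203.0.113.99"],
}

Resolver = Callable[[str, str], List[str]]


def fake_resolve(name: str, rtype: str) -> List[str]:
    """Stand-in for a DNS resolver; returns [] for anything not in the table."""
    return FAKE_DNS.get((name.lower().rstrip("."), rtype), [])


# Matches the first line of a "Received: from NAME ([IP])" header as written by Exim.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(\S+)\s+\(\[?([0-9a-fA-F.:]+)\]?\)", re.IGNORECASE
)


def parse_received(header: str) -> Optional[Tuple[str, str]]:
    """Return (helo_name, connecting_ip) from a Received header, or None."""
    m = RECEIVED_RE.match(header.strip())
    return (m.group(1), m.group(2)) if m else None


def fcrdns(ip: str, resolve: Resolver = fake_resolve) -> Optional[str]:
    """Forward-confirmed reverse DNS: IP -> PTR -> name -> A/AAAA must include IP.

    Returns the confirmed host name, or None when no PTR name points back.
    """
    addr = ipaddress.ip_address(ip)
    rtype = "A" if addr.version == 4 else "AAAA"
    for name in resolve(addr.reverse_pointer, "PTR"):
        forward = {ipaddress.ip_address(a) for a in resolve(name, rtype)}
        if addr in forward:
            return name.lower().rstrip(".")
    return None


def in_domain(host: str, domain: str) -> bool:
    """True when host equals domain or is a subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify(received_header: str, claimed_domain: str,
             resolve: Resolver = fake_resolve) -> str:
    """Apply the policy from the post: accept only FCrDNS names under the bank's domain."""
    parsed = parse_received(received_header)
    if parsed is None:
        return "unparsable"
    _helo, ip = parsed  # the HELO name is untrusted; only the confirmed name counts
    confirmed = fcrdns(ip, resolve)
    if confirmed is None:
        return "reject: no forward-confirmed reverse DNS"
    if in_domain(confirmed, claimed_domain):
        return f"accept: {confirmed}"
    return f"reject: {confirmed} is not under {claimed_domain}"


# The Received header quoted in the thread, with its continuation lines.
SAMPLE_RECEIVED = """Received: from tr202154.cv47.net ([216.75.202.154])
by venus.junkemailfilter.com with esmtp (Exim 4.69)
id 1LRsMQ-0006cA-IQ on interface=65.49.42.50
for marc@perkel.com; Tue, 27 Jan 2009 10:08:47 -0800"""

if __name__ == "__main__":
    print(classify(SAMPLE_RECEIVED, "bankofamerica.com"))
    print(classify("Received: from mx.example ([203.0.113.10])", "wellsfargo.com"))
    print(classify("Received: from mx.example ([203.0.113.20])", "bankofamerica.com"))
```

The resolver is injected so the same `classify` function can be pointed at a real resolver; the policy itself never looks at the HELO name, because that string is whatever the connecting host chose to say.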
#9 Marc Perkel said, “I think you are missing the point. BofA email should come from IP addresses whose FCrDNS resolves back to a *.bankofamerica.com host name.”
I do understand. However, BofA didn’t originate the email (as far as I can tell) a mktg company did. Now, BofA shouldn’t have given them your data, but if I were BofA IT I wouldn’t allow another company to send email that references my servers…
The email was supposedly from BofA.
From: “Bank of America”
Sender: BankofAmerica@customerloyalty.bankofamerica.com
To: “Marc Perkel”
Reply-To: customerservice@card.bankofamerica.com
Date: 27 Jan 2009 13:07:49 -0500
Subject: Use your Platinum Plus(R) credit card today.
Received: from tr202154.cv47.net ([216.75.202.154])
by venus.junkemailfilter.com with esmtp (Exim 4.69)
id 1LRsMQ-0006cA-IQ on interface=65.49.42.50
for marc@perkel.com; Tue, 27 Jan 2009 10:08:47 -0800
#11 Holy crap. customerloyalty.bankofamerica.com resolves to conversen.com
Yes Paddy-O – you see my point then?
#13, Marc,
I really am sorry, but, Cow-Paddy has this comprehension problem. Even worse, he thinks he knows what this is about. It doesn’t matter, he is going to suggest this is your fault.
Scank of America deserves to go down the tubes. They practice predatory lending on a daily basis.
Oooooooo don’t get me started!
everyone join a credit union…. enough said
# 13 Marc Perkel said, “Yes Paddy-O – you see my point then?”
Oh, yes.
Check it out!
Bailout Recipients Hosted Call To Defeat Key Labor Bill
http://tr.im/d5rn
“Three days after receiving $25 billion in federal bailout funds, Bank of America Corp. hosted a conference call with conservative activists and business officials to organize opposition to the U.S. labor community’s top legislative priority.”
Heh I agree Marc. Keep in mind this is also the bank that came up with that horribly stupid “SiteKey” feature… Which is totally susceptible to man in the middle if you’re not the bank of america website.
#16
That is a great solution. MY bank has started charging me (on a free account) a monthly charge and I’m taking everything over to a credit union.
Screw the banks.
As soon as you introduce third party email services you’re going to see cases where clue-impaired and sketchy operators can’t properly maintain DNS entries for each campaign.
Have to wonder what your Authentication-Results: headers look like though. Did the message pass an SPF check? I can see that BofA created a record to delegate that to Conversen, but maybe Conversen screwed the pooch. Also, was any signing technology like DK/DKIM used, and did that verify?
You ultimately have to make your own choices about what you’ll accept, and if you’ll only accept FCrDNS-checked messages then good luck. But BofA isn’t the only company you’ll have an issue with…
I think there’s some confusion here about messages that are “spam” versus messages that are “phish.” There is a very important distinction: the definition of SPAM is pretty subjective. However the definition of phish is not. Which one are we talking about here?
Marc seems like a smart enough guy that he took a look at the e-mail headers and figured out that an e-mail from bank of america came from a third-party sender. He seems to want all e-mail from bank of america to come from a machine that has a DNS record with something like .bankofamerica.com in it. Sounds fair, but also difficult especially since it’s a fairly large company. Here’s another idea.
How about if bank of america used some kind of tag on their messages to indicate they were legitimately from them?
I took a look at some legit e-mail I got from Bank of America, the customer loyalty e-mail similar to what Marc received, and there are SPF records authorizing those for bank of america’s domains. So, they actually *have* done something to allow systems to validate e-mail from them. Some other e-mail I get from them has DKIM signatures on it, so I know they are working on that too.
Maybe instead of switching banks, we should also go to our ISPs and spam vendors and ask them to start paying attention to the e-mail authentication protocols as well?
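The two comments above describe how SPF lets a domain owner delegate sending to a third party with an include: mechanism, and ask whether the message passed such a check. The following is an added example (not code from the thread or from any of the parties named in it) of a minimal SPF evaluator covering the ip4/ip6, a, include and all mechanisms, run against a constructed zone. The domain names come from the headers quoted earlier, but the records are hypothetical: they show the delegation pattern the comments talk about, not the real zone contents. SPF is evaluated on the envelope MAIL FROM domain, which the quoted headers do not include, so the example uses the Sender: header’s domain as a stand-in.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# Constructed TXT/A records (hypothetical, not the real zones). They model the
# delegation described in the thread: the bank's subdomain includes a record
# published by the third-party sender, which in turn lists that sender's hosts.
FAKE_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("customerloyalty.bankofamerica.com", "TXT"): ["v=spf1 include:_spf.cv47.net -all"],
    ("_spf.cv47.net", "TXT"): ["v=spf1 ip4:216.75.202.0/24 a:office.conversen.com -all"],
    ("office.conversen.com", "A"): ["64.119.133.165"],
    # a softfail policy for contrast (~all instead of -all)
    ("card.bankofamerica.com", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ~all"],
}

Resolver = Callable[[str, str], List[str]]

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def fake_resolve(name: str, rtype: str) -> List[str]:
    """Stand-in resolver; unknown names return no records."""
    return FAKE_ZONE.get((name.lower().rstrip("."), rtype), [])


def check_spf(ip: str, domain: str, resolve: Resolver = fake_resolve,
              depth: int = 0) -> str:
    """Evaluate an SPF record for (ip, domain).

    Implements the RFC 7208 subset needed here: ip4, ip6, a, include, all.
    Returns one of pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                      # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    records = [r for r in resolve(domain, "TXT") if r.lower().startswith("v=spf1 ")]
    if not records:
        return "none"
    if len(records) > 1:                # more than one SPF record is a permanent error
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mech == "a":
            target = arg or domain
            rtype = "A" if addr.version == 4 else "AAAA"
            matched = any(ipaddress.ip_address(a) == addr for a in resolve(target, rtype))
        elif mech == "include":
            # include: matches only when the referenced domain's record passes
            matched = check_spf(ip, arg, resolve, depth + 1) == "pass"
        else:
            return "permerror"          # mx, exists, ptr, redirect= not implemented here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # no mechanism matched and no "all" term


def sender_domain(sender_header: str) -> str:
    """Extract the domain from a Sender: header value (used as a MAIL FROM stand-in)."""
    return sender_header.strip().rsplit("@", 1)[-1].strip("<>").lower()


if __name__ == "__main__":
    # Values taken from the headers quoted in the thread.
    dom = sender_domain("BankofAmerica@customerloyalty.bankofamerica.com")
    print(dom, "216.75.202.154", check_spf("216.75.202.154", dom))
    print(dom, "198.51.100.7", check_spf("198.51.100.7", dom))
    print("card.bankofamerica.com", "198.51.100.7", check_spf("198.51.100.7", "card.bankofamerica.com"))
```

The point a filter operator should take from this: an SPF pass only proves that the domain owner authorised the sending network, which in the include: case means any host the third party chose to list. It says nothing about whether the third party should have had the customer data in the first place, which is the separate concern raised earlier in the thread.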
# 18 ran6110 said, “Check it out! Bailout Recipients Hosted Call To Defeat Key Labor Bill”
God! I read “the Employee Free Choice Act “. Amazing that they want to do away with secret balloting for Unions. How scary is that? Bunch of thugs.
bankofamerica.online_link@emailaccount.com
Is this a valid email account of BoA?
Hi,
Really fantastic post, just found this blog post feed from Digg’s upcoming new story section. Great post and very useful for all of us.
Keep it up!
David