Monday, 28. February 2005

SPF - a custom more honoured in the breach than the observance
Here is a routine phish found in a trap here this morning. It contains an in-line image (shown at reduced size here). Underneath that image, it also has text containing a crudely obfuscated URL purporting to be on a barclays.co.uk server but actually pointing somewhere else (where else is anyone's guess, because the attempt to obfuscate the URL has broken it anyway).

- The most casual look at the presentation and wording of this should be enough to deter victims from blindly acceding to any request to hand over information. But are they deterred? (rhetorical - but answer anyway if you feel strongly enough)
- The email "from" field and the RFC2821 sender envelope (identical to each other as it happens) were both in barclays.com, a domain belonging to Barclays Bank. The source IP was in an AOL dynamic pool and the delivering MTA was an AOL relay.
AOL is both a founder member of ASTA and a proponent of SPF. So why were they unable to discern this obvious abuse of their service at the time of transmission?
On that last point, I have at least a partial answer for you: barclays.com offers no SPF record. While the value of SPF as an anti-spam tool has been overstated, its value as an anti-phishing device ought to be somewhat higher. But of course that would depend on those organisations at risk from phishing attacks actually publishing SPF, and a quick trawl through DNS for a substantial number of UK banks turns up not one which does.
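To make that last point concrete, here is a small SPF evaluator, added as an example and not part of the original post: given the envelope-sender domain and the connecting IP it returns the result a receiving MTA would get. The DNS data is a constructed in-memory stand-in (no real lookups are made); the empty barclays.com entry models a domain that publishes no record, and example-bank.test and its addresses are invented.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (not a real resolver). An empty
# list models a domain that, like barclays.com in the post, publishes no
# SPF record at all, so a receiver has nothing to reject against.
FAKE_TXT = {
    "barclays.com": [],
    "example-bank.test": [
        "v=spf1 ip4:192.0.2.0/24 include:mail.example-bank.test -all"],
    "mail.example-bank.test": [
        "v=spf1 ip4:198.51.100.25 ip6:2001:db8::/32 -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, txt=FAKE_TXT):
    """Return the domain's single v=spf1 TXT record, or None if it has none."""
    recs = [r for r in txt.get(domain, [])
            if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None


def check_host(ip, domain, txt=FAKE_TXT, depth=0):
    """Evaluate SPF for sender address `ip` and envelope domain `domain`.

    Supports the ip4, ip6, include and all mechanisms; returns one of
    none / pass / fail / softfail / neutral / permerror.
    """
    if depth > 10:                       # runaway include chains are an error
        return "permerror"
    record = lookup_spf(domain, txt)
    if record is None:
        return "none"                    # no policy published: cannot reject
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:      # skip the "v=spf1" version tag
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            # mixed IPv4/IPv6 comparisons are simply False, never a match
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif name == "include":
            if check_host(ip, arg, txt, depth + 1) == "pass":
                return QUALIFIERS[qual]
        else:
            return "permerror"           # a/mx/ptr/exists need live DNS
    return "neutral"                     # record exhausted without a match
```

For a connection from a dynamic-pool address claiming barclays.com the result is "none", which is exactly why the relay in the post had no SPF grounds to refuse it.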
Category: Phish