funsec mailing list archives

Re: Is it phish, or is it Amex?


From: Rich Kulawiec <rsk () gsp org>
Date: Wed, 4 Nov 2009 16:32:34 -0500

On Wed, Nov 04, 2009 at 09:32:12AM -0800, Rob, grandpa of Ryan, Trevor, Devon & Hannah wrote:
> I am a bit freaked.


And you should be.

But banks and other financial institutions are among the most stunningly
clueless people out there when it comes to email.  They do any number of
things that are only done by spammers, phishers and idiots.

They send in HTML.

They include "disclaimers" with no legal validity.

They don't send from replyable addresses.

Instead of sending from a subdomain, they sometimes register another
domain just for email.

They outsource email to known spamming operations. (One of my banks did this.
Thanks, idiots, for handing over useful data on me to my enemies.)

They fail to close the loop on submitted email addresses.

They fail to process rejects of SMTP traffic to email addresses.  (I had
a customer who's been dead for four years, and his bank keeps hammering
his address.  Just one example of many.)

They fail to have working postmaster and abuse role addresses.

They (as you pointed out) include information that should never
transit a mail server.

They repurpose addresses provided to them for business correspondence
as targets for self-promotional material.

And so on, and so on.

Now, if you go to them, and you point out any of this, and note that
there are some very good reasons to do some things differently, you
will get a politely worded response that is 100% content-free, cites
their expensive security staff and their many worthless certifications,
explains that their policy is...their policy, and tells you to stuff it,
because there's no possible way that they're ever going to admit that
they just might possibly be doing something ill-advised.  And of course,
should the day come when something bad happens as a result of their
studied intransigence, then they will -- with straight faces -- issue
a press release that includes the key phrase of our time, used by everyone
who should have known better but made sure that they didn't by ignoring
everyone who tried to tell them:

        "No one could have foreseen..."

---Rsk
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
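The post lists sender habits that make legitimate bank mail look like phishing: HTML-only bodies, non-replyable From addresses, a separately registered domain instead of a subdomain of the institution's own domain, and boilerplate "disclaimers". The following is an added example, not code from the post or its author, that scores a message against those four traits using Python's standard `email` library. The institution domain and both sample messages are constructed for illustration; the regular expressions are assumptions about typical no-reply local parts and disclaimer wording.

```python
"""Score an email for the sender-hygiene failures listed in the post:
HTML-only body, non-replyable From address, From domain not under the
institution's own domain, and boilerplate legal disclaimers.
The domain and sample messages below are constructed for illustration."""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Assumed patterns: common "do not reply" local parts and disclaimer phrasing.
NOREPLY_RE = re.compile(r"^(no|do-?not)[-_.]?reply", re.IGNORECASE)
DISCLAIMER_RE = re.compile(
    r"(this (e-?mail|message) (and any attachments )?(is|are) "
    r"(confidential|intended solely)|if you are not the intended recipient)",
    re.IGNORECASE,
)


def domain_matches(addr_domain: str, institution_domain: str) -> bool:
    """True if addr_domain is institution_domain itself or a subdomain of it."""
    a = addr_domain.lower().rstrip(".")
    i = institution_domain.lower().rstrip(".")
    return a == i or a.endswith("." + i)


def score_message(raw: str, institution_domain: str):
    """Return (score, reasons): one point per trait from the post that is present."""
    msg = message_from_string(raw, policy=default)
    reasons = []

    # Trait: non-replyable address, and a domain that is not the institution's own.
    _, from_addr = parseaddr(msg.get("From", ""))
    local, _, from_domain = from_addr.rpartition("@")
    if not from_domain:
        reasons.append("missing or unparsable From address")
    else:
        if NOREPLY_RE.match(local):
            reasons.append("non-replyable From address")
        if not domain_matches(from_domain, institution_domain):
            reasons.append(f"From domain {from_domain} is not under {institution_domain}")

    # Trait: HTML with no text/plain alternative.
    has_plain = has_html = False
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            has_plain = True
        elif ctype == "text/html":
            has_html = True
    if has_html and not has_plain:
        reasons.append("HTML-only body with no text/plain alternative")

    # Trait: boilerplate disclaimer text in whichever body part is available.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if DISCLAIMER_RE.search(text):
        reasons.append("boilerplate legal disclaimer")

    return len(reasons), reasons


# Constructed sample: a bank-style message showing all four traits.
BANK_STYLE = """\
From: "Example Bank" <donotreply@examplebank-mail.example>
To: customer@example.org
Subject: Important account notice
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review your statement at the link below.</p>
<p>This email and any attachments are confidential. If you are not the
intended recipient, please delete it.</p></body></html>
"""

# Constructed sample: plain text, replyable, sent from a subdomain.
WELL_BEHAVED = """\
From: "Example Bank Support" <support@mail.examplebank.example>
To: customer@example.org
Subject: Your statement is ready
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Your November statement is available when you log in to your account.
"""

if __name__ == "__main__":
    for sample in (BANK_STYLE, WELL_BEHAVED):
        score, why = score_message(sample, "examplebank.example")
        print(score, why)
```

The point of running both samples side by side is that a message a bank actually sent can score identically to a phish on these traits alone, which is why a recipient cannot use them to tell the two apart; the traits are useful to a mail administrator auditing outbound mail, not as a phishing verdict on their own.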