Re: [Asrg] whitelisting links (was Re: misconception in SPF)

Paul Smith <paul@pscs.co.uk> Tue, 11 December 2012 16:00 UTC

Return-Path: <prvs=0692BCD7DA=paul@pscs.co.uk>
X-Original-To: asrg@ietfa.amsl.com
Delivered-To: asrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B8B5621F877B for <asrg@ietfa.amsl.com>; Tue, 11 Dec 2012 08:00:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.599
X-Spam-Level:
X-Spam-Status: No, score=-4.599 tagged_above=-999 required=5 tests=[AWL=1.000, BAYES_00=-2.599, GB_I_LETTER=-2, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U+LZJmbO4gQE for <asrg@ietfa.amsl.com>; Tue, 11 Dec 2012 08:00:38 -0800 (PST)
Received: from mail.pscs.co.uk (mail.pscs.co.uk [188.65.177.237]) by ietfa.amsl.com (Postfix) with ESMTP id DD30121F86BB for <asrg@irtf.org>; Tue, 11 Dec 2012 08:00:36 -0800 (PST)
Received: from lmail.pscs.co.uk ([82.68.5.206]) by mail.pscs.co.uk ([188.65.177.237] running VPOP3) with ESMTP for <asrg@irtf.org>; Tue, 11 Dec 2012 16:13:01 -0000
Received: from [192.168.57.155] ([217.155.61.157]) by lmail.pscs.co.uk ([192.168.66.70] running VPOP3) with ESMTP for <asrg@irtf.org>; Tue, 11 Dec 2012 15:53:54 -0000
Message-ID: <50C75711.20805@pscs.co.uk>
Date: Tue, 11 Dec 2012 15:53:53 +0000
From: Paul Smith <paul@pscs.co.uk>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Thunderbird/17.0
MIME-Version: 1.0
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
References: <0D79787962F6AE4B84B2CC41FC957D0B20ACFFE1@ABN-EXCH1A.green.sophos> <50C5A9A0.105@pscs.co.uk> <0D79787962F6AE4B84B2CC41FC957D0B20AD01B2@ABN-EXCH1A.green.sophos> <20121210145627.GA21217@gsp.org> <50C6121D.9040607@dcrocker.net> <50C617A2.8090602@pscs.co.uk> <0D79787962F6AE4B84B2CC41FC957D0B20AD5E36@ABN-EXCH1A.green.sophos> <50C644F6.3090901@pscs.co.uk> <0D79787962F6AE4B84B2CC41FC957D0B20AD737F@ABN-EXCH1A.green.sophos> <50C6BDB2.1010407@mustelids.ca> <20121211133727.GA8759@gsp.org> <50C7414C.3030203@mtcc.com> <50C748C7.3080104@jdmc.org>
In-Reply-To: <50C748C7.3080104@jdmc.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Authenticated-Sender: paul
X-Server: VPOP3 Enterprise V6.0 - Registered
X-Organisation: Paul Smith Computer Services
Subject: Re: [Asrg] whitelisting links (was Re: misconception in SPF)
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Dec 2012 16:00:38 -0000

On 11/12/2012 14:52, John Johnson wrote:
> Michael Thomas wrote:
>
>> Anybody who thinks that using HTML or outsourcers are "worst
>> practices" is part of the problem, not part of the solution.
>    I highly disagree.  A local bank just hired an outside firm to
>    spam a "newsletter" to their customers in my area. It was quite
>    difficult to tell if it was legitimate, as the bank had published
>    SPF records, yet failed to provide the ip's of the outsourcers
>    servers. And then used the banks domain name as the source.
>
>    This should not be acceptable behavior, especially for a financial
>    institution. It trains their customers to just accept anything
>    and everything, they should be setting the bar, not lowering it.
>
+1

Banks can use outsourcing for their mail, that's fine, but they should 
seriously consider the implications. It's fairly obvious that most banks 
don't.

There are things that an email outsource & bank can do together to keep 
things secure - and OBVIOUSLY secure, but it's clear that neither most 
banks nor email newsletter companies actually understand email enough to 
be using it in this way.



-

Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53