Bank of America Email policies invite fraud

Published on January 27th, 2009

http://www.rgmgroupinc.com/rgm/clients/BankOfAmerica.png

One good way to fight bank email phishing is to send all your official bank email from servers whose forward confirmed reverse DNS resolves back to their domain name. For example, Wells Fargo Bank does it right. Everything that comes from Wells Fargo is sent by a host named *.wellsfargo.com. So if it matches that, it’s good and if it doesn’t — it’s spam. Same is true for PayPal, but not Bank of America. I have an email from them that is real, but the host name it came from is tr202154.cv47.net. So as a spam filtering operation how am I supposed to know that cv47.net is really Bank of America? Why can’t they send email from *.bankofamerica.com servers like secure banks do?

But – I guess it doesn’t matter because they are getting bailout money so they can afford to subsidize the Russian mafia and make it up in higher credit card fees to honest people. But it’s clear to me that their IT department doesn’t give a f**k about fraud or security or they would at least take some minimal precautions to help people avoid getting ripped off.

25 users responded in " Bank of America Email policies invite fraud "

Subscribe to this post comment rss or trackback url

# 1 sargasso said, on January 27th, 2009 at 12:00 pm

Imagine how bad it would be if you actually did have a bank account in Russia, Ukraine or Nigeria.

# 2 Lou said, on January 27th, 2009 at 12:01 pm

Glad I’m not with BOA. Now you know why the banking industry is screwed.

# 3 Mark Derail said, on January 27th, 2009 at 12:02 pm

Marc – I totally agree with you. This is a huge tech pet peeve of mine.

Most likely BOA outsourced an email campaign, and then that company outsourced the sending.

I’ve had to tone down the settings to accept if there is a valid PTR record only.

I hate to remove the lookup on the HELO, yet, many large Co’s have set their HELO to be their internal machine name, kinda like “ntemail.thiscompany.local”, which doesn’t match the IP of the originator.

The worst are the people that use grey listing w/o setting it up properly, causing lots of delays and large log files for nothing.
Like grey listing by originating email address instead of by server/IP, use caching with a 30 day expiry.

# 4 WmDE said, on January 27th, 2009 at 12:11 pm

Curious. cv47.net belongs to Conversen, a marketing company. Did the email have any actual account info in it?

If not it is spam. Just spam from someone you know.

Yield on BAC is 20%. At least it is currently.

# 5 Mr. Fusion said, on January 27th, 2009 at 12:19 pm

America’s best reason for why capitalism succeeds. Can you imagine if some socialist agency ran the banks?

# 6 Paddy-O said, on January 27th, 2009 at 12:27 pm

“So as a spam filtering operation how am I supposed to know that cv47.net is really Bank of America?”

So, what does an MX lookup reveal?

# 7 Marc Perkel said, on January 27th, 2009 at 12:33 pm

#4 – yes – the email knew what my credit limit was on the card I quit using several years ago so the third party had my available balance information. Something that I did NOT authorize BofA to give out.

In fact the only reason I have any BofA relationship is that I used to have a card with MBNA and they got bought by BofA.

# 8 Paddy-O said, on January 27th, 2009 at 12:42 pm

Mark,

tr202154.cv47.net reports the MX record:
office.conversen.com 64.119.133.165 3600

Any decent anti-spam server s/w would have told you this. What s/w do you use?

# 9 Marc Perkel said, on January 27th, 2009 at 12:50 pm

Paddy-o,

I think you are missing the point. BofA email should come from IP addresses whose FCrDNS resolves back to a *.bankofamerica.com host name. That way I can tell valid email 100% of the time.

Forward confirmed RDNS can’t be spoofed. But BofA email can come from anywhere and I can’t determine if it’s real like I can with Wells Fargo or PayPal. I only had one email from a PayPal employee that came from a non-paypal server and I just told him, spam or not, that there was no fucking way that I’m passing paypal.com email unless it comes from a paypal.com server. And he backed down.

# 10 Paddy-O said, on January 27th, 2009 at 12:57 pm

#9 “# 9 Marc Perkel said, “I think you are missing the point. BofA email should come from IP addresses whose FCrDNS resolves back to a *.bankofamerica.com host name.”

I do understand. However, BofA didn’t originate the email (as far as I can tell) a mktg company did. Now, BofA shouldn’t have given them your data, but if I were BofA IT I wouldn’t allow another company to send email that references my servers…

# 11 Marc Perkel said, on January 27th, 2009 at 1:35 pm

The email was supposedly from BofA.

From: “Bank of America”
Sender: BankofAmerica@customerloyalty.bankofamerica.com
To: “Marc Perkel”
Reply-To: customerservice@card.bankofamerica.com
Date: 27 Jan 2009 13:07:49 -0500
Subject: Use your Platinum Plus(R) credit card today.
Received: from tr202154.cv47.net ([216.75.202.154])
by venus.junkemailfilter.com with esmtp (Exim 4.69)
id 1LRsMQ-0006cA-IQ on interface=65.49.42.50
for marc@perkel.com; Tue, 27 Jan 2009 10:08:47 -0800

# 12 Paddy-O said, on January 27th, 2009 at 1:39 pm

#11 Holy crap. customerloyalty.bankofamerica.com resolves to conversen.com

# 13 Marc Perkel said, on January 27th, 2009 at 3:19 pm

Yes Paddy-O – you see my point then?

# 14 Mr. Fusion said, on January 27th, 2009 at 4:20 pm

#13, Marc,

I really am sorry, but, Cow-Paddy has this comprehension problem. Even worse, he thinks he knows what this is about. It doesn’t matter, he is going to suggest this is your fault.

# 15 the real billybob said, on January 27th, 2009 at 4:38 pm

Scank of America deserves to go down the tubes. They practice predatory lending on a daily basis.
Oooooooo don’t get me started!

# 16 AdmFubar said, on January 27th, 2009 at 4:58 pm

everyone join a credit union…. enough said

# 17 Paddy-O said, on January 27th, 2009 at 5:19 pm

# 13 Marc Perkel said, “Yes Paddy-O – you see my point then?”

Oh, yes.

# 18 ran6110 said, on January 27th, 2009 at 7:40 pm

Check it out!

Bailout Recipients Hosted Call To Defeat Key Labor Bill

http://tr.im/d5rn

“Three days after receiving $25 billion in federal bailout funds, Bank of America Corp. hosted a conference call with conservative activists and business officials to organize opposition to the U.S. labor community’s top legislative priority.”

# 19 LtSiver said, on January 28th, 2009 at 6:19 am

Heh I agree Marc. Keep in mind this is also the bank that came up with that horribly stupid “SiteKey” feature… Which is totally susceptible to man in the middle if you’re not the bank of america website.

# 20 Mr Diesel said, on January 28th, 2009 at 6:58 am

#16

That is a great solution. MY bank has started charging me (on a free account) a monthly charge and I’m taking everything over to a credit union.

Screw the banks.

# 21 J Random said, on January 28th, 2009 at 9:20 am

As soon as you introduce third party email services you’re going to see cases where clue-impaired and sketchy operators can’t properly maintain DNS entries for each campaign.

Have to wonder what your Authentication-Results: headers look like though. Did the message pass an SPF check? I can see that BofA created a record to delegate that to Conversen, but maybe Conversen screwed the pooch. Also, was any signing technology like DK/DKIM used, and did that verify?

You ultimately have to make your own choices about what you’ll accept, and if you’ll only accept FCrDNS-checked messages then good luck. But BofA isn’t the only company you’ll have an issue with…

# 22 tahos said, on January 28th, 2009 at 9:22 am

I think ther’s some confusion here about messages that are “spam” versus messages that are “phish.” There is a very important distinction: the definition of SPAM is pretty subjective. However the definition of phish is not. Which one are we talking about here?

Marc seems like a smart enough guy that he took a look at the e-mail headers and figured out that an e-mail from bank of america came from a third-party sender. He seems to want all e-mail from bank of america to come from a machine that has a DNS record with something like .bankofamerica.com in it. Sounds fair, but also difficult especially since it’s a fairly large company. Here’s another idea.

How about if bank of america used some kind of tag on their messages to indicate they were legitimately from them?

I took a look at some legit e-mail I got from Bank of America, the customer loyalty e-mail similar to what Marc received, and there are SPF records authorizing those for bank of america’s domains. So, they actually *have* done something to allow systems to validate e-mail from them. Some other e-mail I get from them has DKIM signatures on it, so I know they are working on that too.

Maybe instead of switching banks, we should also go to our ISPs and spam vendors and ask them to start paying attention to the e-mail authentication protocols as well?

# 23 Paddy-O said, on January 28th, 2009 at 9:25 am

# 18 ran6110 said, “Check it out! Bailout Recipients Hosted Call To Defeat Key Labor Bill”

God! I read “the Employee Free Choice Act “. Amazing that they want to do away with secret balloting for Unions. How scary is that? Bunch of thugs.

# 24 jjtr.internet said, on February 12th, 2009 at 5:36 pm

bankofamerica.online_link@emailaccount.com

is this a valid email account of boa

# 25 fraud said, on September 12th, 2009 at 1:24 pm

Be aware of Domainsponsor scam company. This company operates under domainsponsor and oversee names and washes money via oversee company. Tax fraud and cheating is what they do. Stay away from them. Classaction lawsuit is coming.

Leave Your Reply Below...

Comment Moderation is Active, so if your comment doesn't
show up immediately, please don't submit it again.

Special Deals 4U

25% off eHarmony subscription with code EHTECH
12-percent discount forever with code TECH
10-percent discount and free month using TECH10
10-percent or 30 dollars off weekly car rental!
Get 10-percent discount on car rental!
Get 10% off rental cars!
Get 10% off Dollar rentals!
Discounts on domain names!