We can make this work

“Mainstream politicians, intellectuals, journalists, businesspeople, sports heroes — all should mobilize to convince the public that so long as people abide by the ground rules of a free society, they have as much right to be full and equal citizens as anyone else, whether they be Muslim, Christian, atheist or Zoroastrian. And that we can make this work.”

Timothy Garton Ash, vandaag in de Los Angeles Times

Hee, een oude bekende!

Als je je afvraagt waar dit over gaat: zie hier.

Update: helaas was ik niet de eerste met dit idee. Gisteren heeft iemand hier het idee al gelanceerd, en eerder vandaag postte iemand deze variant.

Soms moet ‘t even

 

Filmpje

“Martijn, de man die precies even snel snowboardt als zijn schaduw”

Anti-phishing idea

More or less the only ‘spam’ that reaches my inbox, is the occasional phishing mail, made to appear to be sent from a Dutch bank, trying to find out my online banking credentials. I want to get rid of those.

Now, the solution that I came up with, is somewhat crude, but I wonder if it will result in any false positives. I don’t think I have ever received a legitimate mail from a bank I do business, but I have been told by friends, and by ABN AMRO bank itself, that they do sometimes send out mail to (potential) customers. The question is: do theses mails originate from the Netherlands?

What I did was the following. My MTA is Exim, and it is already configured to identify the originating country for a given email, using a GeoIP lookup. Every mail coming in through my MTA has headers like these:

X-GeoIP-Code: US
X-GeoIP-Country: United States

So, if I want to block mails from a certain sender (and I want to be looking at the From: header rather than the envelope sender here), unless it came from inside the Netherlands, I can just implement a simple SpamAssassin check:

# Phishing from Dutch banks
header    __GEO_FROM_NL          X-GeoIP-Code =~ /^NL$/
header    __FROM_DUTCH_BANK      From =~ /(ING Bank|Rabobank|ABN AMRO)/i
meta      DUTCH_BANK_FOREIGN_IP  (__FROM_DUTCH_BANK && !__GEO_FROM_NL)
describe  DUTCH_BANK_FOREIGN_IP  Dutch bank mailed from a foreign IP
score     DUTCH_BANK_FOREIGN_IP  2.5

Anything with a score of 3.1 or higher is considered SPAM, so adding 2.5 points can still get the message through, if nothing else is wrong with it. However, this is hardly ever the case. If necessary, I could raise the score a little, but in the mean time, it’s nice to know that a legitimate mail, even if it came from abroad, could still have a chance to come through.

Is this a good idea, or would this result in false positives for sure?