Subscribe to RSS News Feed
About Spamhaus  |  Press Office  |  FAQs   
Santander gets it mostly right

2011-10-03 14:43:00 GMT, by Quentin Jenkins
Recent News Articles

Spamhaus launches CERT Insight Portal

The Spamhaus Policy Block List now covers One Billion IP addresses

Resilans Incident Report

ICANN SSAC on DDoS, DNS and BCP 38

The return of the open relays

The DMA kicks spam up a notch

Celebrating The First Birthday Of The Spamhaus BGPf

An arrest in response to March DDoS attacks on Spamhaus


Older News Articles:
Spamhaus News INDEX

If one admonishes for poor practice, one should encourage better practice. On Friday we wrote about an email sent by the UK tax office the formatting of which was ill advised (see UK Tax Office Sends an Invitation to Phishers). The following Monday, Santander UK sends an email which gets it mostly right:


So why's this better?

Somewhat unfairly, much of that which makes it better is hidden from view but one obvious good point is plain for all to see:

'simply log on to Santander Online Banking and select "e-Documents" from the left-hand menu from the "My Accounts & Transactions" tab'

No URLs, no links. You have to fire up a browser, type in Santander's URL and then navigate to the appropriate page. Not quite as convenient as a baked in link - but a lot more convenient if it avoids you losing significant amounts of money*.

While you wouldn't know it looking at the screen shot above, all the other links are simple text links which our email client has recognised as email addresses or URLs and has auto-magically converted into clickable links. As this is done on our machine by our email client, these links are going to be a case of what you see is what you get.

Another good point is that if one's security minded, one can check the email headers to see quite clearly that the email has come from santander.co.uk:

Received: from mm.sedoc.santander.co.uk (mm.sedoc.santander.co.uk [195.43.49.130])
  by [cut] (Postfix) with ESMTP id [cut]
  for <[cut]>; Mon,  3 Oct 2011 13:59:09 +0100 (BST)

Good stuff. (To be absolutely clear here, the received header has to end with "santander.co.uk". If you see something like "santander.co.uk.somethingelse.com", run screaming for the hills).

The not so good stuff is partly to do with better security and partly to do with style

Security: Sending a message "To: undisclosed-recipients:;" is very generic and also used by spammers and phishers. Using the client's email address and name on the "To:" line is better practice. Also, good as the headers may look, using DKIM to validate the message & sender, or even SPF to validate the sending IP address & domain is strongly suggested.

Style: If you say you're sending a multipart message, send a multipart message rather than a single part one.

And how many times do you need to declare a font?

<font size=2 face="Arial"><br><br><font size=2 face="Arial"><br><br><br><font size=2 face="Arial"><br><font size=2 face="Arial"><font color="#000000">3 October 2011</font></font></font></font></font>

But this is picking nits. From a security perspective, Santander's following good practice.

(Next week, DKIM, SPF and secure DNS. Nah. Joking).

 

*To recap here, a favourite phishing trick is to offer a link in an email which when clicked on sends you to a destination website which impersonates the site you think you're going to. Unaware, you type in your access details and there you go, the bad guys have your access details to the legitimate site.



Spamhaus Information

Press Office
Spamhaus News Index
Spamhaus in the media
About Spamhaus
Spamhaus Official Statements
Article Information

Permanent link to this news article:
Santander gets it mostly right
http://www.spamhaus.org/news/article/672/santander-gets-it-mostly-right

Subscribe to RSS News Feed
Spamhaus News Quotes

Permission to quote from or reproduce Spamhaus News articles is granted automatically providing you state the source as Spamhaus and link to the news record.
© 1998-2014 The Spamhaus Project Ltd. All rights reserved.
Legal  |  Privacy