The Spamhaus Project

blog

Santander gets it mostly right

by The Spamhaus TeamOctober 03, 20113 minutes reading time
Phishing
Deliverability

If one admonishes for poor practice, one should encourage better practice.

On Friday we wrote about an email sent by the UK tax office the formatting of which was ill advised (see UK Tax Office Sends an Invitation to Phishers). The following Monday, Santander UK sends an email which gets it mostly right:

So why's this better?

Somewhat unfairly, much of that which makes it better is hidden from view but one obvious good point is plain for all to see:

'simply log on to Santander Online Banking and select "e-Documents" from the left-hand menu from the "My Accounts & Transactions" tab'

No URLs, no links. You have to fire up a browser, type in Santander's URL and then navigate to the appropriate page. Not quite as convenient as a baked in link - but a lot more convenient if it avoids you losing significant amounts of money*.

While you wouldn't know it looking at the screen shot above, all the other links are simple text links which our email client has recognised as email addresses or URLs and has auto-magically converted into clickable links. As this is done on our machine by our email client, these links are going to be a case of what you see is what you get.

Another good point is that if one's security minded, one can check the email headers to see quite clearly that the email has come from santander.co.uk:

Received: from mm.sedoc.santander.co.uk (mm.sedoc.santander.co.uk [195.43.49.130])
  by [cut] (Postfix) with ESMTP id [cut]
  for <[cut]>; Mon,  3 Oct 2011 13:59:09 +0100 (BST)

Good stuff. (To be absolutely clear here, the received header has to end with "santander.co.uk". If you see something like "santander.co.uk.somethingelse.com", run screaming for the hills).

The not so good stuff is partly to do with better security and partly to do with style

Security: Sending a message "To: undisclosed-recipients:;" is very generic and also used by spammers and phishers. Using the client's email address and name on the "To:" line is better practice. Also, good as the headers may look, using DKIM to validate the message & sender, or even SPF to validate the sending IP address & domain is strongly suggested.

Style: If you say you're sending a multipart message, send a multipart message rather than a single part one.

And how many times do you need to declare a font?

But this is picking nits. From a security perspective, Santander's following good practice.

(Next week, DKIM, SPF and secure DNS. Nah. Joking).

*To recap here, a favourite phishing trick is to offer a link in an email which when clicked on sends you to a destination website which impersonates the site you think you're going to. Unaware, you type in your access details and there you go, the bad guys have your access details to the legitimate site.

Help and recommended content

See below for helpful articles and recommended content

UK Tax Office Sends an Invitation to Phishers

Phishing. Broadly speaking, sending out emails which misdirect people to supply confidential information to miscreants. One such ruse in the UK has been to send out tax rebate emails purporting to come from the UK tax office, HMRC. So on Friday, in a stroke of genius, HMRC sent out the...

Phishing
Blog • September 30, 2011 • The Spamhaus Team

Abuse takes its “toll” on .top: But who is paying the price?

Despite ICANN issuing a formal notice to .top citing a breach of contract for failing to address DNS abuse, the situation has not improved. Over the last six months, abuse of .top hasn’t just persisted, it’s gotten 50% worse! So, why is this happening, and what can be done to stop it?

Service providers
Phishing
Blog • May 08, 2025 • The Spamhaus Team
Domain Reputation Update Oct 2024 - Mar 2025

Domain Reputation Update Oct 2024 - Mar 2025

Domain reputation
Service providers
Report • April 10, 2025 • The Spamhaus Team
Home
Home
...
Home