The Spamhaus Project


Santander gets it mostly right

by The Spamhaus TeamOctober 03, 20113 minutes reading time

If one admonishes for poor practice, one should encourage better practice.

On Friday we wrote about an email sent by the UK tax office the formatting of which was ill advised (see UK Tax Office Sends an Invitation to Phishers). The following Monday, Santander UK sends an email which gets it mostly right:

So why's this better?

Somewhat unfairly, much of that which makes it better is hidden from view but one obvious good point is plain for all to see:

'simply log on to Santander Online Banking and select "e-Documents" from the left-hand menu from the "My Accounts & Transactions" tab'

No URLs, no links. You have to fire up a browser, type in Santander's URL and then navigate to the appropriate page. Not quite as convenient as a baked in link - but a lot more convenient if it avoids you losing significant amounts of money*.

While you wouldn't know it looking at the screen shot above, all the other links are simple text links which our email client has recognised as email addresses or URLs and has auto-magically converted into clickable links. As this is done on our machine by our email client, these links are going to be a case of what you see is what you get.

Another good point is that if one's security minded, one can check the email headers to see quite clearly that the email has come from

Received: from ( [])
  by [cut] (Postfix) with ESMTP id [cut]
  for <[cut]>; Mon,  3 Oct 2011 13:59:09 +0100 (BST)

Good stuff. (To be absolutely clear here, the received header has to end with "". If you see something like "", run screaming for the hills).

The not so good stuff is partly to do with better security and partly to do with style

Security: Sending a message "To: undisclosed-recipients:;" is very generic and also used by spammers and phishers. Using the client's email address and name on the "To:" line is better practice. Also, good as the headers may look, using DKIM to validate the message & sender, or even SPF to validate the sending IP address & domain is strongly suggested.

Style: If you say you're sending a multipart message, send a multipart message rather than a single part one.

And how many times do you need to declare a font?

But this is picking nits. From a security perspective, Santander's following good practice.

(Next week, DKIM, SPF and secure DNS. Nah. Joking).

*To recap here, a favourite phishing trick is to offer a link in an email which when clicked on sends you to a destination website which impersonates the site you think you're going to. Unaware, you type in your access details and there you go, the bad guys have your access details to the legitimate site.