Re: [Full-disclosure] simple phishing fix

2008-08-02 Thread lsi
To cut to the chase, approx 80% of all phish target 1 of 20 or fewer 
companies. [1] [2] [7] [8] [9]

I also found a paper which suggests the blacklist might work. [6]  I 
found three other papers that reviewed phish detection in-depth, 
however none of them seemed to mention filtering on the FROM field. 
[4] [5] [10]

I also detail a fix for unblocked senders (eg. to selectively allow 
mail from spoofed domains, such as Paypal), see below.

Nick says the blacklist won't stop phishing, per se, because phishers 
will begin to target unlisted companies.  While I agree that phishers 
will begin to target unlisted companies, it does not follow that 
phishing will continue to be profitable.  It MAY still be profitable 
to be a phisher in these circumstances.

What will definitely be true is that such a blacklist will make 
phishing less profitable, this being because the total amount of 
funds available to phish has been substantially reduced, while at the 
same time, locating new victims is more difficult.

What will also be true is the list will stop phish from listed 
companies from clogging mail systems, particularly as most users 
never have any need to receive mail from those companies.

I accept that the blacklist MAY NOT make phishing unprofitable, and 
the blacklist WILL NOT stop phish from unlisted companies.

So, the list WILL reduce junk and WILL hit phishers in the back 
pocket.  And this is a bad idea?

Assumptions:

1. the phisher does NOT know which bank his potential victims use
2. the phisher is seeking to maximise revenue, and minimise costs
3. creating the fake mail and site is time-consuming

---

likely factors affecting phishing profitability:

Here's a description of the phishing business model; there's no 
reference because I made it up.  As you can see there are a few more 
costs than actually spamming out the phish, which I agree may be 
without cost.

total cost =

time + money to create the fake mail
PLUS
time + money to create the fake web site
PLUS
time + money to obtain hosting for the fake web site
PLUS
time + money to obtain/maintain/rent the botnet used to send the fake 
mail
PLUS
time + money to launder the cash
PLUS
time + money on personal security

total revenue =

total number of mails sent
MINUS
mails blocked - bad recipient address
MINUS
mails blocked - filtered (anti-spam/phish filter etc)
MINUS
mails deleted - end-user not a customer of target institution
MINUS
mails deleted - end-user not fooled
MINUS
mails deleted - end-user not interested
MINUS
mails deleted - technical issue
MULTIPLY
average profit per successful phish

Most articles on phishing describe how the fake mail and fake website 
are "carefully" designed, and "carefully" selected recipient lists 
are used.  Careful means slow, AFAIK.  The more careful you are, the 
more successful your phish, BUT the longer it takes you to make, the 
more money you need to make to break even.  So the rational phisher 
will find a balance there.  The point is, the rational phisher will 
not bang out a new site every five minutes.  The site needs to be 
convincing, the email needs to be convincing, and being convincing 
takes time.

I might be wrong.  The kits Nick mentioned might make it all easy.  
But Nick also mentions that those kits are backdoored.  So I think 
that means the rational phisher is going to have to make his own 
pages from scratch.  And that is gonna take time.

Time = money.  If the phisher makes $20/hr from phishing, but he 
could be making $50/hr spamming, it's costing him $30/hr to be a 
phisher.  The rational phisher would cease phishing in these 
circumstances.



statistics showing that blocking the top 20 brands will have a big 
impact:

"..These brands exhibited Pareto-type properties in that a small 
number of brands accounts for a large number of actual phishing 
sites." [9]

Approx 80% of all phish target 1 of 20 or fewer companies. [1] [2] [7] 
[8] [9]  If those companies were widely blacklisted, 80% of all 
phish/phishers would need to make new phishing sites, and find new 
victims.

Note that 20 is a very small number and a blacklist of this size, 
including variants, is manageable.

Note that although 20 is a very small number, it covers all of the 
most-profitable-to-phish companies currently being phished (assuming 
that profitability-to-phish is proportionate to total phishing 
attempts, this may be wrong, but if it is wrong, some phishers are 
wasting their time).

Although the top 20 account for 80% of total phish, blacklisting mail 
from those companies will not stop 80% of phish, because phishers 
will presumably move on to target companies that are not blacklisted.

However, those companies are less profitable for phishers - if they 
were more profitable, then those companies would be in the top 80% 
already.  There are many reasons why they might be less profitable:

 - ease of execution
 - size of customer base
 - total funds available
 - additional benefits or penalties

Th

Re: [Full-disclosure] simple phishing fix

2008-07-30 Thread Raj Mathur
On Sunday 27 Jul 2008, lsi wrote:
> Soo y'all know not to click on those emails from your bank, or from
> any other bank, in your inbox and now you just delete them ... why
> not automate this process?  It's easy, just filter a whole bunch of
> banking names straight to your deleted items.
>
> All you do is create a rule for each bank, which deletes any mail
> from that bank, automatically.
>
> The rule should read something like "if the FROM field contains the
> string X then DELETE message".

Hey, I also used to receive a lot of spam from Yahoo.  Based on your 
research, I've blocked all @yahoo.com mails in my client and now I have 
2398% less spam!  Thank you!

Regards,

-- Raju
-- 
Raj Mathur  [EMAIL PROTECTED]  http://kandalaya.org/
   GPG: 78D4 FC67 367F 40E2 0DD5  0FEF C968 D0EF CC68 D17F
PsyTrance & Chill: http://schizoid.in/   ||   It is the mind that moves

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] simple phishing fix

2008-07-30 Thread Dragos Ruiu

nowhere near "a few hundred thousand"

On 30-Jul-08, at 12:29 PM, Exibar wrote:

There are quite a few credit unions and smaller "savings  
institutions" that are not FDIC insured.


 Not to mention all the FDIC insured "savings institutions" that are  
worth less than $100 million


  Exibar
- Original Message -
From: Dragos Ruiu
To: Exibar
Cc: [EMAIL PROTECTED] ; full-disclosure@lists.grok.org.uk
Sent: Wednesday, July 30, 2008 2:36 PM
Subject: Re: [Full-disclosure] simple phishing fix


On 30-Jul-08, at 9:19 AM, Exibar wrote:


No time to comment on most, but just to throw this in there:
   Here in the states we have a few hundred thousand different banks at
least.  500 is WAY too small of a number.  Credit Unions are banks, small
banks, and almost every city has at least one credit union.  The city I
grew up in has 12 or so different credit unions, along with all the major
bank branches


FDIC says:

 4,893 banks or savings institutions have more than $100 million in  
assets; 3,517 have $100 to $500 million; 859 have $500 million to $5  
billion; 150 have $5 to $50 billion; and 22 have more than $50  
billion.


Circa 2003.



Re: [Full-disclosure] simple phishing fix

2008-07-30 Thread Exibar
There are quite a few credit unions and smaller "savings institutions" that are 
not FDIC insured.

 Not to mention all the FDIC insured "savings institutions" that are worth less 
than $100 million

  Exibar
  - Original Message - 
  From: Dragos Ruiu 
  To: Exibar 
  Cc: [EMAIL PROTECTED] ; full-disclosure@lists.grok.org.uk 
  Sent: Wednesday, July 30, 2008 2:36 PM
  Subject: Re: [Full-disclosure] simple phishing fix




  On 30-Jul-08, at 9:19 AM, Exibar wrote:


No time to comment on most, but just to throw this in there:
   Here in the states we have a few hundred thousand different banks at 
least.  500 is WAY too small of a number.  Credit Unions are banks, small 
banks, and almost every city has at least one credit union.  The city I 
grew up in has 12 or so different credit unions, along with all the major 
bank branches



  FDIC says:


   4,893 banks or savings institutions have more than $100 million in assets; 
3,517 have $100 to $500 million; 859 have $500 million to $5 billion; 150 have 
$5 to $50 billion; and 22 have more than $50 billion.


  Circa 2003.

Re: [Full-disclosure] simple phishing fix

2008-07-30 Thread Dragos Ruiu


On 30-Jul-08, at 9:19 AM, Exibar wrote:


No time to comment on most, but just to throw this in there:
   Here in the states we have a few hundred thousand different banks at
least.  500 is WAY too small of a number.  Credit Unions are banks, small
banks, and almost every city has at least one credit union.  The city I
grew up in has 12 or so different credit unions, along with all the major
bank branches


FDIC says:

 4,893 banks or savings institutions have more than $100 million in  
assets; 3,517 have $100 to $500 million; 859 have $500 million to $5  
billion; 150 have $5 to $50 billion; and 22 have more than $50 billion.


Circa 2003.

Re: [Full-disclosure] simple phishing fix

2008-07-30 Thread Exibar
No time to comment on most, but just to throw this in there:
Here in the states we have a few hundred thousand different banks at 
least.  500 is WAY too small of a number.  Credit Unions are banks, small 
banks, and almost every city has at least one credit union.  The city I grew 
up in has 12 or so different credit unions, along with all the major bank 
branches
 You mentioned it's not a problem to list all the major banks, and many 
of the smaller banks as well.  I'll pose a challenge to you, list half of 
the banks and credit unions here in the states by the weekend and you'll win 
the prize :-)

   Cost of sending the phishing mail is ZERO... I'll repeat, it costs the 
bad guys NOTHING, ZERO, ZILCH, NADA to send out their phishing messages. 
They mainly use 'bot nets and compromised machines to send the mail.  It 
doesn't matter if they send 1 message or 1 billion messages, still costs 
them the same, nothing.  So, even if they get to scam one person, it's all 
profit for them.  So ya, you're right on your ARPM thoughts.  When it falls 
to nothing forever, they will stop sending their messages and move onto 
another scam like a 419 scam, that's been around in one form or another 
since the late '50s.

   I'll tell you one thing that will help prevent Phishing...  User 
Awareness...  but even that, won't stop it

  Exibar


- Original Message - 
From: "lsi" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, July 30, 2008 4:14 AM
Subject: Re: [Full-disclosure] simple phishing fix


> Thank you all for your comments.  However, I cannot disagree more
> fully.
>
> It doesn't matter that the blacklist is not complete, if a scammer
> tries to phish a bank that's not on the list, eg. is not popular, he
> won't make much money, because it's a small bank and the probability
> of him hitting an email address which works, and is an address of a
> customer of that tiny bank, and the customer gets suckered, and all
> other security mechanisms fail, is very small.
>
> The scammer knows this and so he targets the popular banks.
>
> Therefore, the blacklist only needs to contain popular banks.
> However there is almost no penalty to add another 500 to the list,
> it's a simple filter, it's fast.
>
> I do agree that the more banks on the list, the better, but there are
> not millions of banks in the world, it's not a problem to list all
> the major banks, and many of the smaller banks as well.
>
> As the blacklist is deployed, the average revenue per mail (ARPM)
> will fall.  The more it is deployed, the more the ARPM will fall.
> The ARPM does not need to hit zero.  As soon as the ARPM falls below
> the average cost to send each mail, phishing will be economically
> unviable.
>
> Eg. it might still be technically feasible, however it will no longer
> be profitable to be a phisher.
>
> Repeat, phish do not need to be completely eliminated.  Once they are
> reduced below a certain level, it will become economically infeasible
> to be a phisher.  The invisible hand [1] will do the rest of the work
> for us.
>
> Other bits:
>
> I agree that by opening a hole in your phish firewall (eg. permitting
> traffic from the Bank of Foo) you are making yourself slightly less
> protected, however if a user has a blacklist where he has to
> specifically ALLOW traffic from a certain bank that user will be well
> aware that he has opened a hole in his phish wall and will be
> extremely attentive when he actually gets a mail.  (I'm appalled that
> some banks actually use email, how cheap are they?  If my bank did
> that, I'd complain, and consider changing banks.)  As with a real
> firewall, it's not a total solution, but one layer of several.
>
> The blacklist catches variations, of course the common variations are
> listed as well, again, every combination is not required, because the
> probabilities of failure rapidly stack up once the scammers start to
> get too imaginative with their variations (eg. they will have to use
> more and more obscure variations, which will trick fewer and fewer
> users).  I hear unicode will make life interesting, I'm looking
> forward to some samples.
>
> Blacklists do work.  They are successfully used in many applications,
> the Spamhaus blocklist, the denyhosts SSH tool and desktop AV
> software all spring to mind.  Blacklists don't work *when the content
> they are checking is polymorphic*.  Phish, by definition are NOT
> polymorphic.  We are talking banks here, they do not change their
> names very often.
>
> I think that is an important point.  The problem space is a lot
> smaller once you start working with a finite list of domain names.  A
> blackl

Re: [Full-disclosure] simple phishing fix

2008-07-30 Thread Peter Besenbruch
On Tuesday 29 July 2008 23:27:45 Nick FitzGerald wrote:
> You really have no f*&ing clue how "ordinary users'" tiny little brains
> work, have you???

I got an inkling when a phishing spam asked me for the usual information, and 
also requested my "future password."

-- 
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky



Re: [Full-disclosure] simple phishing fix

2008-07-30 Thread blah
On Wed, Jul 30, 2008 at 1:14 AM, lsi <[EMAIL PROTECTED]> wrote:
> Thank you all for your comments.  However, I cannot disagree more
> fully.

The simple fact that you said, put all banks on the list except the
one you actually use, really demonstrates how poorly some of this has
been thought out.

Because then, phish emails get through, and the end user is at greater
risk.  Perhaps even more so with the false sense of security you gave
them by setting up "filters".

Your smart move would be to acknowledge some of the glaring holes in
the statements you have made.  However, to continue to defend some of
the really bad ideas you've proposed bolsters the recently stated
opinion that you're simply trolling.

I think it's always great to toss an idea out there to see its
reception.  That doesn't mean you have to defend it to the death, but
only to the point that it's been proven to be unviable.

That point has been made, as you have not addressed some of the
glaring weaknesses in your statements.



Re: [Full-disclosure] simple phishing fix

2008-07-30 Thread Robert Holgstad
I think you are the new greatest troll of FD

On Wed, Jul 30, 2008 at 3:14 AM, lsi <[EMAIL PROTECTED]> wrote:

> Thank you all for your comments.  However, I cannot disagree more
> fully.
>
> It doesn't matter that the blacklist is not complete, if a scammer
> tries to phish a bank that's not on the list, eg. is not popular, he
> won't make much money, because it's a small bank and the probability
> of him hitting an email address which works, and is an address of a
> customer of that tiny bank, and the customer gets suckered, and all
> other security mechanisms fail, is very small.
>
> The scammer knows this and so he targets the popular banks.
>
> Therefore, the blacklist only needs to contain popular banks.
> However there is almost no penalty to add another 500 to the list,
> it's a simple filter, it's fast.
>
> I do agree that the more banks on the list, the better, but there are
> not millions of banks in the world, it's not a problem to list all
> the major banks, and many of the smaller banks as well.
>
> As the blacklist is deployed, the average revenue per mail (ARPM)
> will fall.  The more it is deployed, the more the ARPM will fall.
> The ARPM does not need to hit zero.  As soon as the ARPM falls below
> the average cost to send each mail, phishing will be economically
> unviable.
>
> Eg. it might still be technically feasible, however it will no longer
> be profitable to be a phisher.
>
> Repeat, phish do not need to be completely eliminated.  Once they are
> reduced below a certain level, it will become economically infeasible
> to be a phisher.  The invisible hand [1] will do the rest of the work
> for us.
>
> Other bits:
>
> I agree that by opening a hole in your phish firewall (eg. permitting
> traffic from the Bank of Foo) you are making yourself slightly less
> protected, however if a user has a blacklist where he has to
> specifically ALLOW traffic from a certain bank that user will be well
> aware that he has opened a hole in his phish wall and will be
> extremely attentive when he actually gets a mail.  (I'm appalled that
> some banks actually use email, how cheap are they?  If my bank did
> that, I'd complain, and consider changing banks.)  As with a real
> firewall, it's not a total solution, but one layer of several.
>
> The blacklist catches variations, of course the common variations are
> listed as well, again, every combination is not required, because the
> probabilities of failure rapidly stack up once the scammers start to
> get too imaginative with their variations (eg. they will have to use
> more and more obscure variations, which will trick fewer and fewer
> users).  I hear unicode will make life interesting, I'm looking
> forward to some samples.
>
> Blacklists do work.  They are successfully used in many applications,
> the Spamhaus blocklist, the denyhosts SSH tool and desktop AV
> software all spring to mind.  Blacklists don't work *when the content
> they are checking is polymorphic*.  Phish, by definition are NOT
> polymorphic.  We are talking banks here, they do not change their
> names very often.
>
> I think that is an important point.  The problem space is a lot
> smaller once you start working with a finite list of domain names.  A
> blacklist is feasible in these circumstances.
>
> I agree my list is small, you'll note however it contains most of the
> biggest banks, I didn't choose them, they self-selected, by being
> sent to me.  That's why they are the biggest banks, because the
> scammers target those banks.  There's obviously no reason why the
> list could not contain every large bank in the world.  I could maybe
> hunt down some stats to add banks I don't get phished for, but that
> would just slow down my filter!  If others were to use it they'd want
> to customise it.  Because the blacklist is on the client machine, the
> user is free to add banks they get hammered with, and free to remove
> banks they want to correspond with.
>
> Don't forget that "achovia." can be listed, to catch wachovia.com,
> vvachovia.com, vvachovia.co.uk etc.
>
> Think about it, most people have no need to accept mail from every
> bank in the world.  That is accept ALL. Using the blacklist means
> they are now denying all bank traffic. (OK, denying all on the list,
> I agree that it's not a complete deny all, because we cannot know the
> names of all banks in advance.  I do regret confusing the discussion
> by mentioning DENY ALL, I was hoping to explain my analogy to a
> firewall, eg., it blocks everything by default and then lets in what
> you tell it to let in, I do accept that unlike a real firewall it can
> be got around by using an unlisted name, it's really DENY MOST.)
>
> > "(x) Mailing lists and other legitimate email uses would be affected
>
> Irrelevant.  They are affected already. They are the victims of
> spoofing.  It's either block their mails, or users suffer the spoofs.
>  Given that suffering the spoofs means bank-originated mails are
> useless in any case, that

Re: [Full-disclosure] simple phishing fix

2008-07-30 Thread Nick FitzGerald
lsi wrote:

> Thank you all for your comments.  However, I cannot disagree more 
> fully.

Ignorance does that for people...

> It doesn't matter that the blacklist is not complete, if a scammer 
> tries to phish a bank that's not on the list, eg. is not popular, he 
> won't make much money, because it's a small bank and the probability 
> of him hitting an email address which works, and is an address of a 
> customer of that tiny bank, and the customer gets suckered, and all 
> other security mechanisms fail, is very small.

So, the spammer just sends _A LOT MORE_ phishing spam targeting that 
bank.

There are US credit unions with only a few tens of thousands of customers 
that have been targets of (LARGE) phishing campaigns.  The phishers in at 
least some of those cases got several, to several dozen, known victims 
and helped themselves to the contents of their accounts, in the few hours 
between the beginning of the spam run and the CU becoming aware of it and 
disabling their online banking interface.  Those few successful targets 
were more than reward enough...

And I once got a phishing scam Email for a small US bank that only had 
_two_ physical branches according to the real bank's website (and no, 
they weren't a large "mostly online" bank but an old-style, small-town, 
bricks-and-mortar operation).

Oh -- and those were _BEFORE_ some of the much more highly targeted, and 
thus _MUCH_ smaller phishing spam runs we have seen more recently.

As you do not understand how these folk work, what a triflingly small 
successful victim rate they have to hit for their effort to be 
worthwhile, and so on, you are going to keep making the dumb-ass n00b 
mistakes in your reasoning that we've been seeing from you for the last 
few days.

Phishing still exists _BECAUSE_ it is a hard problem to solve.

Not because those who know how it works are lazy.

Not because those who know how it works are stupid.

Not because some, or even many, of those who know how it works are 
employed by companies that a conspiracy theorist will ignorantly argue 
have a vested interest in NOT solving the problem.

No -- phishing still exists _BECAUSE it is a hard problem to solve_.

If widely implemented, your trivial suggestions might, _just might_, ever 
so slightly reduce the total world-wide cost of bank losses due to 
phishing.

But they would do so at a significantly greater cost in the effort 
required to implement your suggestions across the planet than they would 
save.  Yes, the banks will spend a lot of money failing to entirely stamp 
out phishing, BUT they generally try to spend that money in ways that at 
least have some pay-off in terms of reassuring their customers that they 
are doing something to help...

So, can you guess why your suggestions have not already been implemented?

> The scammer knows this and so he targets the popular banks.

Nope -- the scammers target pretty much any and every bank they can be 
bothered targeting.  Yes -- the pre-packaged scams centre on the bigger 
targets, but those are probably not the bigger scammers in terms of 
actual impact -- I mean, a skiddie too stupid to know or be able to work 
out that the "free" phishing kits (that he has just downloaded off a more 
or less open web site) are backdoored and also sending his phished data 
to someone else is not going to be a major figure in the underworld scam 
scene...

And as further evidence of the breadth of opportunity scammers are 
prepared to deploy/employ, just this afternoon I uncovered a single 
phishing site hosting eleven different UK-only banks involving close to 
1.5MB of phishing site code, images, scripts, etc, etc to fake the eleven 
target banks' sites.

> Therefore, the blacklist only needs to contain popular banks.  
> However there is almost no penalty to add another 500 to the list, 
> it's a simple filter, it's fast.
> 
> I do agree that the more banks on the list, the better, but there are 
> not millions of banks in the world, it's not a problem to list all 
> the major banks, and many of the smaller banks as well.

Off you go then -- list 10% of the bank domains by this time tomorrow...

> As the blacklist is deployed, the average revenue per mail (ARPM) 
> will fall.  The more it is deployed, the more the ARPM will fall.  
> The ARPM does not need to hit zero.  As soon as the ARPM falls below 
> the average cost to send each mail, phishing will be economically 
> unviable.  

As virtually all (phishing) spam is sent by "criminal gangs" using their 
own bot-nets effectively for free, your simple view of the economics of 
this fails rather badly.

History has a lesson for us here -- as the amount of spam-filtering in 
use increased, so did the amount of spam being sent.  If your economics 
argument had any validity that should not be the case, but what happened 
is that the spammers and associated scammers coalesced _AND_ changed how 
they sent the vast bulk of their spam.  Now, sending spam is essentially 
fr

Re: [Full-disclosure] simple phishing fix

2008-07-30 Thread lsi
Thank you all for your comments.  However, I cannot disagree more 
fully.

It doesn't matter that the blacklist is not complete, if a scammer 
tries to phish a bank that's not on the list, eg. is not popular, he 
won't make much money, because it's a small bank and the probability 
of him hitting an email address which works, and is an address of a 
customer of that tiny bank, and the customer gets suckered, and all 
other security mechanisms fail, is very small.

The scammer knows this and so he targets the popular banks.

Therefore, the blacklist only needs to contain popular banks.  
However there is almost no penalty to add another 500 to the list, 
it's a simple filter, it's fast.

I do agree that the more banks on the list, the better, but there are 
not millions of banks in the world, it's not a problem to list all 
the major banks, and many of the smaller banks as well.

As the blacklist is deployed, the average revenue per mail (ARPM) 
will fall.  The more it is deployed, the more the ARPM will fall.  
The ARPM does not need to hit zero.  As soon as the ARPM falls below 
the average cost to send each mail, phishing will be economically 
unviable.  

Eg. it might still be technically feasible, however it will no longer 
be profitable to be a phisher.

Repeat, phish do not need to be completely eliminated.  Once they are 
reduced below a certain level, it will become economically infeasible 
to be a phisher.  The invisible hand [1] will do the rest of the work 
for us.

Other bits:

I agree that by opening a hole in your phish firewall (eg. permitting 
traffic from the Bank of Foo) you are making yourself slightly less 
protected, however if a user has a blacklist where he has to 
specifically ALLOW traffic from a certain bank that user will be well 
aware that he has opened a hole in his phish wall and will be 
extremely attentive when he actually gets a mail.  (I'm appalled that 
some banks actually use email, how cheap are they?  If my bank did 
that, I'd complain, and consider changing banks.)  As with a real 
firewall, it's not a total solution, but one layer of several.

The blacklist catches variations, of course the common variations are 
listed as well, again, every combination is not required, because the 
probabilities of failure rapidly stack up once the scammers start to 
get too imaginative with their variations (eg. they will have to use 
more and more obscure variations, which will trick fewer and fewer 
users).  I hear unicode will make life interesting, I'm looking 
forward to some samples.

Blacklists do work.  They are successfully used in many applications, 
the Spamhaus blocklist, the denyhosts SSH tool and desktop AV 
software all spring to mind.  Blacklists don't work *when the content 
they are checking is polymorphic*.  Phish, by definition are NOT 
polymorphic.  We are talking banks here, they do not change their 
names very often.

I think that is an important point.  The problem space is a lot 
smaller once you start working with a finite list of domain names.  A 
blacklist is feasible in these circumstances.

I agree my list is small, you'll note however it contains most of the 
biggest banks, I didn't choose them, they self-selected, by being 
sent to me.  That's why they are the biggest banks, because the 
scammers target those banks.  There's obviously no reason why the 
list could not contain every large bank in the world.  I could maybe 
hunt down some stats to add banks I don't get phished for, but that 
would just slow down my filter!  If others were to use it they'd want 
to customise it.  Because the blacklist is on the client machine, the 
user is free to add banks they get hammered with, and free to remove 
banks they want to correspond with.

Don't forget that "achovia." can be listed, to catch wachovia.com, 
vvachovia.com, vvachovia.co.uk etc.

Think about it, most people have no need to accept mail from every 
bank in the world.  That is accept ALL. Using the blacklist means 
they are now denying all bank traffic. (OK, denying all on the list, 
I agree that it's not a complete deny all, because we cannot know the 
names of all banks in advance.  I do regret confusing the discussion 
by mentioning DENY ALL, I was hoping to explain my analogy to a 
firewall, eg., it blocks everything by default and then lets in what 
you tell it to let in, I do accept that unlike a real firewall it can 
be got around by using an unlisted name, it's really DENY MOST.)

> "(x) Mailing lists and other legitimate email uses would be affected

Irrelevant.  They are affected already. They are the victims of 
spoofing.  It's either block their mails, or users suffer the spoofs. 
 Given that suffering the spoofs means bank-originated mails are 
useless in any case, that means the only available course of action 
is to deny all bank email traffic.

> my Bayesian filter gets these anyway

My spam filter misses some, hence my post, however following this 
comment I have checked my config 
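The following is an added example, not code from lsi's post or from any tool named in the thread. It implements the client-side rule lsi describes ("if the FROM field contains the string X then DELETE"), including the "achovia." substring trick, together with an explicit allow-list for the one bank a user actually corresponds with (the "hole in the phish wall"). The blacklist patterns, the allowed domain, the sample messages and the extra "flag" outcome for non-ASCII or IDNA senders are all constructed for illustration; the last of these is one answer to lsi's remark that Unicode "will make life interesting", since a plain substring rule never matches a look-alike built from Cyrillic letters. It also shows the cost Raj and Glenn point out: a person at the bank writing about anything at all is deleted too.

```python
# Added example (not from the thread): a From-header blacklist with an
# allow-list, as described by lsi, plus a check for homoglyph senders.
# All patterns, domains and sample messages below are constructed.
from email import message_from_string
from email.utils import parseaddr

# Substring patterns matched against the lower-cased From address.
# "achovia." is lsi's own example: one entry catches wachovia.com,
# vvachovia.com, vvachovia.co.uk and similar look-alikes.
BLACKLIST = ("achovia.", "paypal.", "chase.", "bankofamerica.")

# Exact sender domains the user has chosen to let through (constructed).
# From: is trivially spoofed, so a phish that forges exactly this domain
# passes as well; the allow-list narrows the exposure, it does not close it.
ALLOWLIST_DOMAINS = {"bankoffoo.example"}


def sender_address(raw_message):
    """Return the lower-cased addr-spec from the From: header ('' if absent)."""
    msg = message_from_string(raw_message)
    _display_name, addr = parseaddr(msg.get("From", ""))
    return addr.lower()


def looks_like_homoglyph(addr):
    """True if the address carries non-ASCII characters or an IDNA label.

    A substring rule such as "achovia." never sees "w\u0430chovia.com"
    (Cyrillic U+0430 where the Latin 'a' should be), so such senders are
    flagged for the user instead of being silently passed.
    """
    if any(ord(ch) > 0x7F for ch in addr):
        return True
    domain = addr.rsplit("@", 1)[-1]
    return any(label.startswith("xn--") for label in domain.split("."))


def classify(raw_message):
    """Return 'allow', 'flag', 'delete' or 'pass' for one RFC 5322 message."""
    addr = sender_address(raw_message)
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    if domain in ALLOWLIST_DOMAINS:
        return "allow"
    if looks_like_homoglyph(addr):
        return "flag"
    if any(pattern in addr for pattern in BLACKLIST):
        return "delete"
    return "pass"


# Constructed sample messages; only the From: header matters to this filter.
SAMPLES = {
    "spoof": "From: Wachovia Online <alerts@vvachovia.co.uk>\nSubject: Verify\n\n...",
    "allowed": "From: Bank of Foo <statements@bankoffoo.example>\nSubject: Statement\n\n...",
    # Collateral damage: a person at the bank writing about something else.
    "collateral": "From: Alice <alice@wachovia.com>\nSubject: lunch?\n\n...",
    # Cyrillic U+0430 in place of the Latin 'a'.
    "homoglyph": "From: Wachovia <alerts@w\u0430chovia.com>\nSubject: Verify\n\n...",
    # Constructed IDNA-style label, not a real encoding of anything.
    "idna": "From: Wachovia <alerts@xn--wachovia-example.com>\nSubject: Verify\n\n...",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10s} {sender_address(raw):40s} -> {classify(raw)}")
```

Running the block prints one line per sample: the spoof and the colleague's lunch invitation are both deleted, the allow-listed statement passes, and the two look-alike senders are flagged rather than matched. The order of checks is deliberate: the allow-list is consulted first so a user's own bank is never blocked, and the homoglyph test runs before the substring match because the substring match would otherwise report "pass" for exactly the senders most worth a second look.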

Re: [Full-disclosure] simple phishing fix

2008-07-29 Thread Peter Besenbruch
> As for email, judge by its content. This posting for example will do
> nothing to your money, sells you nothing. Nor does it ask any information
> of you. If it were spoofed it would be harmless.

I might also add that Bogofilter didn't flag it as spam, either (X-Bogosity: 
Ham, tests=bogofilter, spamicity=0.00). ;) I stand by my assertion, 
however, that banks should not communicate with their customers via e-mail.

-- 
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] simple phishing fix

2008-07-29 Thread Randal T. Rioux
On Tue, July 29, 2008 2:31 pm, [EMAIL PROTECTED] wrote:
> You might eliminate phishing but there are occasionally messages from
> people at these institutions also. This sort of thing is in essence
> allowing phishers a denial of service attack against anyone they choose
> to make themselves a nuisance with.
>
> I am not well pleased with any bank authentication I have seen so far
> personally; seems to me finance-related messages should be authenticated
> both ways and preferably a confirming authentication to demonstrate the
> subject agrees with the transaction should be done before such are
> accepted. That kind of thing would be hard to spoof and if done right
> pretty useless to someone who could record entire transactions.
>
> As for email, judge by its content. This posting for example will do
> nothing to your money, sells you nothing. Nor does it ask any information
> of you. If it were spoofed it would be harmless.
>
> Glenn Everhart
>

But it is from Chase and nothing good comes from Chase ;-)




Re: [Full-disclosure] simple phishing fix

2008-07-29 Thread Glenn.Everhart
You might eliminate phishing but there are occasionally messages from people at
these institutions also. This sort of thing is in essence allowing phishers a
denial of service attack against anyone they choose to make themselves a
nuisance with.

I am not well pleased with any bank authentication I have seen so far
personally; seems to me finance-related messages should be authenticated both
ways and preferably a confirming authentication to demonstrate the subject
agrees with the transaction should be done before such are accepted. That kind
of thing would be hard to spoof and if done right pretty useless to someone who
could record entire transactions.

As for email, judge by its content. This posting for example will do nothing
to your money, sells you nothing. Nor does it ask any information of you. If it
were spoofed it would be harmless.

Glenn Everhart


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Peter
Besenbruch
Sent: Tuesday, July 29, 2008 2:04 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] simple phishing fix


On Monday 28 July 2008 20:55:10 Stian Øvrevåge wrote:
> You mention phishing, but I think quite a few points from the
> why-your-spam-solution-wont-work-list are relevant:
>
> "(x) Mailing lists and other legitimate email uses would be affected

If we stick with the narrowly focused problem of bank phishing spam, I doubt 
mailing lists would be affected. Yes, stuart, the original poster, spoke 
of "deny all" tactics, but he certainly wasn't implementing anything like 
that in practice. At least, I couldn't see it.

> (x) It will stop spam for two weeks and then we'll be stuck with it

Yes, you would need to add a new filter from time to time. This would work on 
your own e-mail account, but I would see problems generalizing to more 
people.

> (x) Users of email will not put up with it

On the other hand, it sounded like the original poster wanted to share lists, 
so that anyone who wanted to could tweak theirs. People sharing such lists 
would "put up with it."

> (x) Ideas similar to yours are easy to come up with, yet none have ever
> been shown practical

I get my share of phishing spam, and most involve about a dozen domains, or 
less.  These domains have remained relatively stable over the last two years. 
Paypal still dominates. So yes, a list of the common banking sites might 
reduce the annoyance factor.

> (x) Whitelists suck"

They do indeed.

> http://craphound.com/spamsolutions.txt
>
> 1. Your filter will never be complete, there are too many
> banks/institutions (with ever-changing domains etc).

See above.

> 2. Banks/institutions actually send legitimate mail.

Yes, but I would not do business with a bank that did. Phishing spam has 
eliminated e-mail as a viable means of communication between banks and their 
customers. My bank doesn't know my e-mail address, and I don't bank on-line 
(but that's a whole other kettle of fish).

> 3. Phishers will find ways to get around the filters, either by
> registering similar domain-names or by numerous browser/MTA tricks.
> 4. Users likely to fall for a phish are not very likely to even know
> what a filter is.

What we are talking about here is the sharing of filter material on a small 
list of people who can spot a phish from a mile off. Full Disclosure isn't 
big enough to change the habits of spammers.

That said, I haven't made use of any filters specifically to weed out phishing 
spam. I use Kmail and Bogofilter, and they have caught almost every phishing 
spam I have received in the last year. Such spam was one of the first things 
that the Bayesian-based Bogofilter learned to flag reliably. Bogofilter flags 
a far greater variety of spam reliably than flagging domains in the "from" 
field could ever hope to accomplish.

-- 
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky


Re: [Full-disclosure] simple phishing fix

2008-07-29 Thread Peter Besenbruch
On Monday 28 July 2008 20:55:10 Stian Øvrevåge wrote:
> You mention phishing, but I think quite a few points from the
> why-your-spam-solution-wont-work-list are relevant:
>
> "(x) Mailing lists and other legitimate email uses would be affected

If we stick with the narrowly focused problem of bank phishing spam, I doubt 
mailing lists would be affected. Yes, stuart, the original poster, spoke 
of "deny all" tactics, but he certainly wasn't implementing anything like 
that in practice. At least, I couldn't see it.

> (x) It will stop spam for two weeks and then we'll be stuck with it

Yes, you would need to add a new filter from time to time. This would work on 
your own e-mail account, but I would see problems generalizing to more 
people.

> (x) Users of email will not put up with it

On the other hand, it sounded like the original poster wanted to share lists, 
so that anyone who wanted to could tweak theirs. People sharing such lists 
would "put up with it."

> (x) Ideas similar to yours are easy to come up with, yet none have ever
> been shown practical

I get my share of phishing spam, and most involve about a dozen domains, or 
less.  These domains have remained relatively stable over the last two years. 
Paypal still dominates. So yes, a list of the common banking sites might 
reduce the annoyance factor.

> (x) Whitelists suck"

They do indeed.

> http://craphound.com/spamsolutions.txt
>
> 1. Your filter will never be complete, there are too many
> banks/institutions (with ever-changing domains etc).

See above.

> 2. Banks/institutions actually send legitimate mail.

Yes, but I would not do business with a bank that did. Phishing spam has 
eliminated e-mail as a viable means of communication between banks and their 
customers. My bank doesn't know my e-mail address, and I don't bank on-line 
(but that's a whole other kettle of fish).

> 3. Phishers will find ways to get around the filters, either by
> registering similar domain-names or by numerous browser/MTA tricks.
> 4. Users likely to fall for a phish are not very likely to even know
> what a filter is.

What we are talking about here is the sharing of filter material on a small 
list of people who can spot a phish from a mile off. Full Disclosure isn't 
big enough to change the habits of spammers.

That said, I haven't made use of any filters specifically to weed out phishing 
spam. I use Kmail and Bogofilter, and they have caught almost every phishing 
spam I have received in the last year. Such spam was one of the first things 
that the Bayesian-based Bogofilter learned to flag reliably. Bogofilter flags 
a far greater variety of spam reliably than flagging domains in the "from" 
field could ever hope to accomplish.

-- 
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky

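Peter's point about Bogofilter, here and in the X-Bogosity header he quotes in his later reply, rests on token-level Bayesian scoring rather than on anything in the From field. The following is an added example showing that scheme in working code; it is not Bogofilter's code and not from anyone in the thread. It follows Paul Graham's "A Plan for Spam" combination rule, which is the family of method Bogofilter belongs to; the training corpus, the cutoffs, the `tests=bayes` tag in the emitted header and the scored messages are all constructed for the example.

```python
"""Token-level Bayesian scoring of the kind Bogofilter applies.

Added example, not Bogofilter's code. Per-token spam probabilities are
combined Graham-style (the most extreme tokens decide), and the result
is emitted as a header shaped like the X-Bogosity line quoted in the
thread. Training corpus and scored messages are constructed.
"""
from __future__ import annotations

import re
from collections import Counter
from math import prod

TOKEN_RE = re.compile(r"[a-z0-9$'!-]+")
TOP_N = 15          # number of most telling tokens combined per message
UNKNOWN_P = 0.4     # probability assigned to a token never seen in training
SPAM_CUTOFF = 0.9   # at or above: Spam
HAM_CUTOFF = 0.1    # at or below: Ham; in between: Unsure

# Constructed training corpus: ordinary mail versus phish-style mail.
HAM = [
    "meeting notes attached for thursday",
    "lunch tomorrow at noon if you are free",
    "the deepsky atlas update is on the website",
]
SPAM = [
    "verify your account now or it will be suspended",
    "urgent security alert confirm your password and account details",
    "click here to verify your bank account immediately",
]


def tokens(text: str) -> set[str]:
    """Distinct lower-cased tokens; each counts once per message."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesFilter:
    def __init__(self) -> None:
        self.ham = Counter()    # token -> number of ham messages containing it
        self.spam = Counter()   # token -> number of spam messages containing it
        self.nham = 0
        self.nspam = 0

    def train(self, text: str, is_spam: bool) -> None:
        (self.spam if is_spam else self.ham).update(tokens(text))
        if is_spam:
            self.nspam += 1
        else:
            self.nham += 1

    def token_prob(self, tok: str) -> float:
        """P(spam | token), clamped to [0.01, 0.99] so no single token decides."""
        g, b = self.ham[tok], self.spam[tok]
        if g + b == 0:
            return UNKNOWN_P
        pg = g / max(self.nham, 1)
        pb = b / max(self.nspam, 1)
        return min(0.99, max(0.01, pb / (pg + pb)))

    def spamicity(self, text: str) -> float:
        """Combine the TOP_N token probabilities furthest from 0.5 into one score."""
        probs = sorted((self.token_prob(t) for t in tokens(text)),
                       key=lambda p: abs(p - 0.5), reverse=True)[:TOP_N]
        if not probs:
            return 0.5
        p = prod(probs)
        q = prod(1 - x for x in probs)
        return p / (p + q)

    def verdict(self, text: str) -> str:
        s = self.spamicity(text)
        if s >= SPAM_CUTOFF:
            return "Spam"
        if s <= HAM_CUTOFF:
            return "Ham"
        return "Unsure"

    def bogosity_header(self, text: str) -> str:
        """Header in the shape of the one quoted in the thread (tag is ours)."""
        return (f"X-Bogosity: {self.verdict(text)}, tests=bayes, "
                f"spamicity={self.spamicity(text):.2f}")


def build_filter() -> BayesFilter:
    """Train a filter on the constructed corpus above."""
    f = BayesFilter()
    for text in HAM:
        f.train(text, is_spam=False)
    for text in SPAM:
        f.train(text, is_spam=True)
    return f


if __name__ == "__main__":
    f = build_filter()
    for text in ("urgent verify your account password now",
                 "lunch notes for thursday meeting",
                 "hello"):
        print(f.bogosity_header(text), "|", text)
```

The verdicts depend entirely on the training corpus: with six training messages, any token seen on only one side is clamped to 0.01 or 0.99, which is why the clamp and the per-side message counts are explicit in the code. A production filter also requires a minimum number of sightings before it trusts a token, which this example leaves out.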


Re: [Full-disclosure] simple phishing fix

2008-07-29 Thread Nick FitzGerald
lsi wrote:

> Of all the approaches below I like the simple list of strings in the 
> email client (the first link).  This is because it's a DENY ALL 
> policy.  ...

"simple" -- yes.

"DENY ALL" -- nope...

From your first post, it's clear that you receive samples from a _VERY_ 
limited sliver of the bank, credit union and other financial target 
phishing that goes on each and every day...

From a purely theoretical perspective, to make your preferred approach 
"DENY ALL" you would have to have ongoing access to an oracle identifying 
the domains of ALL financial institutions, so your block list could be 
updated in a timely manner as domains are added and removed...

As no such oracle exists, a "deny all" approach along the lines you 
suggest is _practically_ impossible.

> ...  The other approaches below, AFAICS, use ACCEPT ALL and then 
> try and find reasons to block the mail.  ...

Which is actually what your suggested approach does, even if it could be 
practically implemented -- it accepts all Email (or at least all incoming 
Email delivery connections) then tries to find a reason to block it (From 
address domain on block list).

> ...  The first approach simply 
> blocks them all!   ...

...for some interesting and unknowably odd value of "all".

> ...  Sure, you want to receive mail from the Bank of 
> Foo, just don't put bankoffoo.com in your list!   

Thereby letting through the phish for the target(s) of most danger to you 
-- get suckered by a Foo Bank phish as a Foo Bank customer and you may be 
in trouble, but getting suckered by a Bar Bank phish when you are only a 
Foo Bank customer and no harm is done.

Also, your preferred approach entirely fails to deal with "close but not 
quite" domain "spoofing" -- [EMAIL PROTECTED] rather than 
[EMAIL PROTECTED], [EMAIL PROTECTED] rather than [EMAIL PROTECTED] 
(the real Foo Bank domain), etc, etc, etc.

In short, as is commonly the case in such matters, the quick'n'dirty, I-
just-thought-of-the-ultimate-solution-to-the-phishing-problem-AND-it's-
REALLY-SIMPLE solution is so far from complete that it's all but 
useless...


Regards,

Nick FitzGerald




Re: [Full-disclosure] simple phishing fix

2008-07-29 Thread Stian Øvrevåge
On Mon, Jul 28, 2008 at 9:52 AM, lsi <[EMAIL PROTECTED]> wrote:
> Please post the list of strings you use in your phishing filter.
>
> Or don't you have one?
>
> Seriously dude, if phishing was so simple to fix then why is it "on
> the rise" according to recent news articles?
>
> I mean, if all the admins out there in the world are blocking them,
> then why are they still being sent out by scammers?
>
> Either the admins don't know how to block them, or the scammers don't
> know they are being blocked.
>
> My message can solve both problems.
>
> I seem to recall a time when email-borne viruses were a problem, once
> it was pointed out they were simple to block, they rapidly dropped
> out of fashion.
>
> I would indeed like to repeat that success and save the associated
> electricity, bandwidth and CPU time for something more important,
> such as replying to bone-headed posts in fd, for a start.
>
> Stu
>
> On 28 Jul 2008 at 10:57, Biz Marqee wrote:
>
> Date sent:  Mon, 28 Jul 2008 10:57:06 +1000
> From:   "Biz Marqee" <[EMAIL PROTECTED]>
> To: full-disclosure@lists.grok.org.uk
> Subject:RE: [Full-disclosure] simple phishing fix
> Copies to:  [EMAIL PROTECTED]
>
>> Wow, you are our savior.. no, no, our e-Hero! Forget patches for software
>> bugs.. This guy can teach us how to set up a mail filter!!
>>
>> Seriously dude.. do you think we care about, or are too inept to set up mail
>> filter rules? Go find another list to contribute to, you are a joke.
>>
>

You mention phishing, but I think quite a few points from the
why-your-spam-solution-wont-work-list are relevant:

"(x) Mailing lists and other legitimate email uses would be affected
(x) It will stop spam for two weeks and then we'll be stuck with it
(x) Users of email will not put up with it

Specifically, your plan fails to account for

(x) Eternal arms race involved in all filtering approaches

and the following philosophical objections may also apply:

(x) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
(x) Blacklists suck
(x) Whitelists suck"

http://craphound.com/spamsolutions.txt

1. Your filter will never be complete, there are too many
banks/institutions (with ever-changing domains etc).
2. Banks/institutions actually send legitimate mail.
3. Phishers will find ways to get around the filters, either by
registering similar domain-names or by numerous browser/MTA tricks.
4. Users likely to fall for a phish are not very likely to even know
what a filter is.

-- 
Stian Øvrevåge



Re: [Full-disclosure] simple phishing fix

2008-07-28 Thread lsi
[This is a repost, the original was blocked by Spamhaus as it 
contained a link to blacklisted blogspot server.  Also, I mangled the 
formatting.  Apologies.  Finally I added item #9, not mentioned 
previously.]


summary
---

Of all the approaches below I like the simple list of strings in the 
email client (the first link).  This is because it's a DENY ALL 
policy.  The other approaches below, AFAICS, use ACCEPT ALL and then 
try and find reasons to block the mail.  The first approach simply 
blocks them all!  Sure, you want to receive mail from the Bank of 
Foo, just don't put bankoffoo.com in your list!   

Frankly, email should not be used by banks, due to the risk of 
impersonation, and if this DENY ALL approach causes them to stop 
using email to send messages to customers, good.   

So let's not waste time on fancy error-prone algorithms, purleeze!  


a quick review of deployed anti-phishing technologies
-

0. filter against the FROM field using a blacklist in the email 
client:

http://seclists.org/fulldisclosure/2008/Jul/0488.html

1. software from Symantec, McAfee etc, integrated into their desktop 
security suites, filtering method not disclosed.  

2. there's anti-phishing filters for IE, Firefox and maybe Opera - 
filtering method not researched (we want to stop the phish before the 
user even opens the email, they should never see the link that takes 
them to their browser),  

3. article says CMU have developed an unreleased filter, using pretty 
standard anti-spam techniques, plus some attempt at matching the 
stated domainname against URLs listed in the bodytext:  

http://itmanagement.earthweb.com/columns/executive_tech/article.php/3620741

The phishing filter in Thunderbird apparently uses a similar 
technique (eg. comparing the sender's domainname against URLs in the 
bodytext, a technique which reportedly is a bit flaky).  

4. article says GoDaddy filter scans URLs in bodytext against a 
blacklist:

http://help.godaddy.com/article/645

5. software says it uses some kind of user-generated database (eg. 
users report stats to a central server via client software):  

http://spam-fighter.qarchive.org/

6. post says google are using DKIM to detect phish:

[link removed due to spamhaus issue, search for this on the web]

(gmail's phish detection reportedly suffers from false-positives)

7. article says to use a Bayesian filter (unspecified):

http://ezinearticles.com/?Phishing-Filter---How-to-Use-Phishing-Filters-to-Prevent-Any-Information-Theft&id=919156

8. product claims to use "rate controls" (eg. mails/minute) to detect 
phish:

http://www.moonslice.com/hosting/spamds.htm

9. sigs for clamAV, seem to be an MD5 of the bodytext

http://www.sanesecurity.com/clamav/


On 27 Jul 2008 at 14:10, lsi wrote:

From:   "lsi" <[EMAIL PROTECTED]>
To: full-disclosure@lists.grok.org.uk
Date sent:  Sun, 27 Jul 2008 14:10:38 +0100
Priority:   normal           
Subject:[Full-disclosure] simple phishing fix

> Soo y'all know not to click on those emails from your bank, or from 
> any other bank, in your inbox and now you just delete them ... why 
> not automate this process?  It's easy, just filter a whole bunch of 
> banking names straight to your deleted items.  
> 
> All you do is create a rule for each bank, which deletes any mail  
> from that bank, automatically.
> 
> The rule should read something like "if the FROM field contains the  
> string X then DELETE message".
> 
> Here's a list of strings to enter into your rules...
> 
> Royal Bank of Scotland
> HSBC
> NatWest
> halifax.co.uk
> abbeynational.co.uk
> @abbey.co.uk
> @abbey.com
> barclays.co.uk
> barclays.com
> CitiBusiness
> @citi.com
> equifax.com
> commercebank.com
> bankofamerica.com
> wachovia.com
> capitalone.com
> @nationalcity.com
> .chase.com
> @chase.com
> 
> The funny part is that because phish are trying to look as legitimate 
> as possible, you can bet that they will use the correct domainname 
> for the bank.  Which means they are extremely easy to filter... end 
> of problem  
> 
> Stu
> 
> ---
> Stuart Udall
> stuart [EMAIL PROTECTED] net - http://www.cyberdelix.net/
> 
> --- 
>  * Origin: lsi: revolution through evolution (192:168/0.2)
> 



---
Stuart Udall
stuart [EMAIL PROTECTED] net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)

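Item 3 of the review above (the CMU filter, and Thunderbird's comparison of the sender's domainname against the URLs in the bodytext) can be shown concretely. The following is an added example written for this page, not code from either project or from the thread. `TWO_LABEL_SUFFIXES` is a two-entry stand-in for the real Public Suffix List, and the three messages are constructed. Alongside the lookalike-domain case it also runs a legitimate newsletter through the check, which shows the kind of false positive the post describes as "a bit flaky".

```python
"""Sender-domain versus body-link check (review item 3).

Added example; not the CMU filter's or Thunderbird's code. It takes the
domain from the From: header, extracts every http(s) URL from the body,
reduces each host to an approximate registrable domain, and reports the
links that land somewhere other than the sender's own domain.
"""
from __future__ import annotations

import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlsplit

URL_RE = re.compile(r"""https?://[^\s<>"'()]+""", re.IGNORECASE)
# Stand-in for the Public Suffix List: suffixes under which registrations
# are one label deeper than usual. Constructed, deliberately tiny.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable(host: str) -> str:
    """Approximate registrable domain: 'online.bank.co.uk' -> 'bank.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def body_text(msg: Message) -> str:
    """Concatenate the decoded text/plain and text/html parts."""
    parts = [msg] if not msg.is_multipart() else [
        p for p in msg.walk() if not p.is_multipart()]
    out = []
    for part in parts:
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        raw = part.get_payload(decode=True) or b""
        out.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)


def sender_domain(raw_message: str) -> str:
    """Registrable domain of the From: address, '' if malformed."""
    _, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    return registrable(addr.rsplit("@", 1)[1]) if "@" in addr else ""


def link_domains(raw_message: str) -> set[str]:
    """Registrable domains of every URL found in the body."""
    msg = message_from_string(raw_message)
    hosts = set()
    for url in URL_RE.findall(body_text(msg)):
        host = urlsplit(url).hostname
        if host:
            hosts.add(registrable(host))
    return hosts


def mismatched_links(raw_message: str) -> set[str]:
    """Linked domains that differ from the sender's; empty means consistent."""
    sender = sender_domain(raw_message)
    return {d for d in link_domains(raw_message) if d != sender}


# Constructed sample messages (not taken from the thread).
PHISH = """From: "Bank of Foo Security" <alerts@bankoffoo.com>
To: customer@example.org
Subject: Your account has been limited

Please verify your details at http://bankoffoo.com.example.net/login within 24 hours.
"""
LEGIT = """From: alerts@bankoffoo.com
Subject: Your statement is ready

Sign in at https://online.bankoffoo.com/statements to view it.
"""
NEWSLETTER = """From: news@bankoffoo.com
Subject: Monthly newsletter

Read more: http://click.tracker-example.com/r/abc123
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT), ("newsletter", NEWSLETTER)):
        print(f"{label:10} sender={sender_domain(raw)} mismatched={mismatched_links(raw)}")
```

The newsletter case is the operational problem with this technique: a bank that uses a third-party click-tracking domain looks exactly like a phish to it, so in practice it is a scoring signal rather than a delete rule.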


Re: [Full-disclosure] simple phishing fix

2008-07-28 Thread lsi
summary
---

Of all the approaches below I like the simple list of strings in the 
email client (the first link).  This is because it's a DENY ALL policy.  
The other approaches below, AFAICS, use ACCEPT ALL and then try and find 
reasons to block the mail.  The first approach simply blocks them all!  
Sure, you want to receive mail from the Bank of Foo, just don't put 
bankoffoo.com in your list!   

Frankly, email should not be used by banks, due to the risk of 
impersonation, and if this DENY ALL approach causes them to stop 
using email to send messages to customers, good.   

So let's not waste time on fancy error-prone algorithms, purleeze!  


a quick review of deployed anti-phishing technologies
-

0. filter against the FROM field using a blacklist in the email 
client:

http://seclists.org/fulldisclosure/2008/Jul/0488.html

1. software from Symantec, McAfee etc, integrated into their desktop
security suites, filtering method not disclosed.  

2. there's anti-phishing filters for IE, Firefox and maybe Opera - 
filtering method not researched (we want to stop the phish before the 
user even opens the email, they should never see the link that takes 
them to their browser),  

3. article says CMU have developed an unreleased filter, using pretty 
standard anti-spam techniques, plus some attempt at matching the 
stated domainname against URLs listed in the bodytext:  

http://itmanagement.earthweb.com/columns/executive_tech/article.php/3620741

The phishing filter in Thunderbird apparently uses a similar 
technique (eg. comparing the sender's domainname against URLs in the 
bodytext, a technique which reportedly is a bit flaky).  

4. article says GoDaddy filter scans URLs in bodytext against a 
blacklist:

http://help.godaddy.com/article/645

5. software says it uses some kind of user-generated database (eg. 
users report stats to a central server via client software):  

http://spam-fighter.qarchive.org/

6. post says google are using DKIM to detect phish:

http://gmailblog.blogspot.com/2008/07/fighting-phishing-with-ebay-and-paypal.html

(gmail's phish detection reportedly suffers from false-positives)

7. article says to use a Bayesian filter (unspecified):

http://ezinearticles.com/?Phishing-Filter---How-to-Use-Phishing-Filters-to-Prevent-Any-Information-Theft&id=919156

8. product claims to use "rate controls" (eg. mails/minute) to detect
phish:

http://www.moonslice.com/hosting/spamds.htm


On 28 Jul 2008 at 18:32, Biz Marqee wrote:

Date sent:  Mon, 28 Jul 2008 18:32:48 +1000
From:   "Biz Marqee" <[EMAIL PROTECTED]>
To: full-disclosure@lists.grok.org.uk
Subject:Re: [Full-disclosure] simple phishing fix
Copies to:  [EMAIL PROTECTED]

> Post my mail filter strings? LOL. That just proves how insignificant you and
> your ideas are. I do real security research work like write exploits and
> patches. Do you know how to mmap @ 0x on current kernels? Do you
> even know why that would be useful?
> 
> How does this fix the problem? If it were that black and white ISP's would
> implement it at their MX's.. on top of that what about all the LEGITIMATE
> emails banks send out?
> 
> Anyone who knows how to set up mail filters would have already done so
> without your "message". Maybe you should stop posting trying to puff up your
> image on a mailing list and go back to your "research". Who knows maybe one
> day you can graduate to XSS... lmao.
> 
> Leave security work to the experts you untalented, fame seeking, piece of
> shit...
> 
> 
> On Mon, Jul 28, 2008 at 5:52 PM, lsi <[EMAIL PROTECTED]> wrote:
> 
> > Please post the list of strings you use in your phishing filter.
> >
> > Or don't you have one?
> >
> > Seriously dude, if phishing was so simple to fix then why is it "on
> > the rise" according to recent news articles?
> >
> > I mean, if all the admins out there in the world are blocking them,
> > then why are they still being sent out by scammers?
> >
> > Either the admins don't know how to block them, or the scammers don't
> > know they are being blocked.
> >
> > My message can solve both problems.
> >
> > I seem to recall a time when email-borne viruses were a problem, once
> > it was pointed out they were simple to block, they rapidly dropped
> > out of fashion.
> >
> > I would indeed like to repeat that success and save the associated
> > electricity, bandwidth and CPU time for something more important,
> > such as replying to bone-headed posts in fd, for a start.
> >
> > Stu
> >
> > On 28 Jul 2008 at 10:57, Biz Marqee wrote:
> >
> > Date sent:  Mon, 28 Jul 

Re: [Full-disclosure] simple phishing fix

2008-07-28 Thread Biz Marqee
Post my mail filter strings? LOL. That just proves how insignificant you and
your ideas are. I do real security research work like write exploits and
patches. Do you know how to mmap @ 0x on current kernels? Do you
even know why that would be useful?

How does this fix the problem? If it were that black and white ISP's would
implement it at their MX's.. on top of that what about all the LEGITIMATE
emails banks send out?

Anyone who knows how to set up mail filters would have already done so
without your "message". Maybe you should stop posting trying to puff up your
image on a mailing list and go back to your "research". Who knows maybe one
day you can graduate to XSS... lmao.

Leave security work to the experts you untalented, fame seeking, piece of
shit...


On Mon, Jul 28, 2008 at 5:52 PM, lsi <[EMAIL PROTECTED]> wrote:

> Please post the list of strings you use in your phishing filter.
>
> Or don't you have one?
>
> Seriously dude, if phishing was so simple to fix then why is it "on
> the rise" according to recent news articles?
>
> I mean, if all the admins out there in the world are blocking them,
> then why are they still being sent out by scammers?
>
> Either the admins don't know how to block them, or the scammers don't
> know they are being blocked.
>
> My message can solve both problems.
>
> I seem to recall a time when email-borne viruses were a problem, once
> it was pointed out they were simple to block, they rapidly dropped
> out of fashion.
>
> I would indeed like to repeat that success and save the associated
> electricity, bandwidth and CPU time for something more important,
> such as replying to bone-headed posts in fd, for a start.
>
> Stu
>
> On 28 Jul 2008 at 10:57, Biz Marqee wrote:
>
> Date sent:      Mon, 28 Jul 2008 10:57:06 +1000
> From:   "Biz Marqee" <[EMAIL PROTECTED]>
> To: full-disclosure@lists.grok.org.uk
> Subject:RE: [Full-disclosure] simple phishing fix
> Copies to:  [EMAIL PROTECTED]
>
> > Wow, you are our savior.. no, no, our e-Hero! Forget patches for software
> > bugs.. This guy can teach us how to set up a mail filter!!
> >
> > Seriously dude.. do you think we care about, or are too inept to set up
> mail
> > filter rules? Go find another list to contribute to, you are a joke.
> >
>
>
>
> ---
> Stuart Udall
> stuart [EMAIL PROTECTED] net - http://www.cyberdelix.net/
>
> ---
>  * Origin: lsi: revolution through evolution (192:168/0.2)
>
>

Re: [Full-disclosure] simple phishing fix

2008-07-28 Thread lsi
Please post the list of strings you use in your phishing filter.

Or don't you have one?

Seriously dude, if phishing was so simple to fix then why is it "on 
the rise" according to recent news articles?

I mean, if all the admins out there in the world are blocking them, 
then why are they still being sent out by scammers?

Either the admins don't know how to block them, or the scammers don't 
know they are being blocked.

My message can solve both problems.

I seem to recall a time when email-borne viruses were a problem, once 
it was pointed out they were simple to block, they rapidly dropped 
out of fashion.

I would indeed like to repeat that success and save the associated 
electricity, bandwidth and CPU time for something more important, 
such as replying to bone-headed posts in fd, for a start.

Stu

On 28 Jul 2008 at 10:57, Biz Marqee wrote:

Date sent:  Mon, 28 Jul 2008 10:57:06 +1000
From:   "Biz Marqee" <[EMAIL PROTECTED]>
To: full-disclosure@lists.grok.org.uk
Subject:    RE: [Full-disclosure] simple phishing fix
Copies to:  [EMAIL PROTECTED]

> Wow, you are our savior.. no, no, our e-Hero! Forget patches for software
> bugs.. This guy can teach us how to set up a mail filter!!
> 
> Seriously dude.. do you think we care about, or are too inept to set up mail
> filter rules? Go find another list to contribute to, you are a joke.
> 



---
Stuart Udall
stuart [EMAIL PROTECTED] net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)



Re: [Full-disclosure] simple phishing fix

2008-07-27 Thread Biz Marqee
Wow, you are our savior.. no, no, our e-Hero! Forget patches for software
bugs.. This guy can teach us how to set up a mail filter!!

Seriously dude.. do you think we care about, or are too inept to set up mail
filter rules? Go find another list to contribute to, you are a joke.

Re: [Full-disclosure] simple phishing fix

2008-07-27 Thread trejrco
And yet some banks do, in fact, send real emails to their clients ...


Sent from my Verizon Wireless BlackBerry

-Original Message-
From: "lsi" <[EMAIL PROTECTED]>

Date: Sun, 27 Jul 2008 14:10:38 
To: 
Subject: [Full-disclosure] simple phishing fix


Soo y'all know not to click on those emails from your bank, or from 
any other bank, in your inbox and now you just delete them ... why 
not automate this process?  It's easy, just filter a whole bunch of 
banking names straight to your deleted items.  

All you do is create a rule for each bank, which deletes any mail  
from that bank, automatically.

The rule should read something like "if the FROM field contains the  
string X then DELETE message".

Here's a list of strings to enter into your rules...

Royal Bank of Scotland
HSBC
NatWest
halifax.co.uk
abbeynational.co.uk
@abbey.co.uk
@abbey.com
barclays.co.uk
barclays.com
CitiBusiness
@citi.com
equifax.com
commercebank.com
bankofamerica.com
wachovia.com
capitalone.com
@nationalcity.com
.chase.com
@chase.com

The funny part is that because phish are trying to look as legitimate 
as possible, you can bet that they will use the correct domainname 
for the bank.  Which means they are extremely easy to filter... end 
of problem  

Stu

---
Stuart Udall
stuart [EMAIL PROTECTED] net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)



[Full-disclosure] simple phishing fix

2008-07-27 Thread lsi
Soo y'all know not to click on those emails from your bank, or from 
any other bank, in your inbox and now you just delete them ... why 
not automate this process?  It's easy, just filter a whole bunch of 
banking names straight to your deleted items.  

All you do is create a rule for each bank, which deletes any mail  
from that bank, automatically.

The rule should read something like "if the FROM field contains the  
string X then DELETE message".

Here's a list of strings to enter into your rules...

Royal Bank of Scotland
HSBC
NatWest
halifax.co.uk
abbeynational.co.uk
@abbey.co.uk
@abbey.com
barclays.co.uk
barclays.com
CitiBusiness
@citi.com
equifax.com
commercebank.com
bankofamerica.com
wachovia.com
capitalone.com
@nationalcity.com
.chase.com
@chase.com

The funny part is that because phish are trying to look as legitimate 
as possible, you can bet that they will use the correct domainname 
for the bank.  Which means they are extremely easy to filter... end 
of problem  

Stu

---
Stuart Udall
stuart [EMAIL PROTECTED] net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)

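The rule in this original post ("if the FROM field contains the string X then DELETE message"), the broader substring from the 2008-08-02 follow-up at the top of the thread ("achovia." also catching vvachovia.com and vvachovia.co.uk), and the lookalike-domain gap Nick FitzGerald raises in his reply can all be exercised with one filter. The following is an added example written for this page, not code from the thread or from any mail client. The block strings are a subset of the post's list plus "achovia."; `ALLOW_DOMAINS` is hypothetical, with paypal.com as its one entry because the follow-up names Paypal as a sender one might want to keep receiving; the sample messages are constructed.

```python
"""From-field block list of the kind the original post describes.

Added example, not code from the thread or from any mail client. It
implements the post's rule as a case-insensitive substring scan of the
whole From field (display name and address), adds the "achovia." style
substring from the follow-up, and checks an exact-domain allow-list
first so that wanted senders survive. Sample messages are constructed.
"""
from __future__ import annotations

from email import message_from_string
from email.utils import parseaddr

# Strings taken from the original post's list, plus the broader "achovia."
# substring suggested in the 2008-08-02 follow-up.
BLOCK_STRINGS = [
    "Royal Bank of Scotland",
    "HSBC",
    "NatWest",
    "halifax.co.uk",
    "barclays.co.uk",
    "@citi.com",
    "bankofamerica.com",
    "achovia.",            # wachovia.com, vvachovia.com, vvachovia.co.uk ...
    ".chase.com",
    "@chase.com",
]

# Exact sender domains the user chooses to keep receiving. Hypothetical
# entries (the thread mentions Paypal as such a sender).
ALLOW_DOMAINS = {"paypal.com"}


def from_field(raw_message: str) -> tuple[str, str]:
    """Return (display name, address) parsed from the From: header."""
    msg = message_from_string(raw_message)
    return parseaddr(msg.get("From", ""))


def exact_domain(address: str) -> str:
    """Domain after the last '@', lower-cased; '' for a malformed address."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def matched_strings(raw_message: str) -> list[str]:
    """Block-list entries that occur in the From field; useful when tuning."""
    name, addr = from_field(raw_message)
    haystack = f"{name} <{addr}>".lower()
    return [s for s in BLOCK_STRINGS if s.lower() in haystack]


def classify(raw_message: str) -> str:
    """Return 'allow', 'delete' or 'pass'.

    The allow-list is compared against the exact domain, so a lookalike
    such as vvachovia.com never matches an allowed entry. The block list
    is then the substring scan the post's rule describes.
    """
    _, addr = from_field(raw_message)
    if exact_domain(addr) in ALLOW_DOMAINS:
        return "allow"
    if matched_strings(raw_message):
        return "delete"
    return "pass"


# Constructed sample messages (not taken from the thread).
SAMPLES = {
    "lookalike": 'From: "Wachovia Alerts" <alerts@vvachovia.com>\nSubject: x\n\nbody\n',
    "real domain": "From: security@bankofamerica.com\nSubject: x\n\nbody\n",
    "allowed": "From: service@paypal.com\nSubject: x\n\nbody\n",
    "unrelated": "From: Alice <alice@example.org>\nSubject: x\n\nbody\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:12} -> {classify(raw):6} {matched_strings(raw)}")
```

The allow-list is the weak spot: since a phish uses the bank's real domain name, as the post itself says, an exact-domain allow entry only helps when the receiving MTA also verifies that domain's mail with SPF, DKIM or DMARC. Without that, the allowed domain is simply the one this filter can no longer protect.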