Re: Phish detection (was Re: [Mimedefang] for mcafee lovers)

2005-03-24 Thread Kevin A. McGrail
It's a good idea.  I'd love to see some statistics about its effectiveness 
/ false positive rate.  At the very worst, if it disabled the link, it 
wouldn't be that bad.

Regards,
KAm
<a href="http://bogus.site.com/.cgi/ebay/cgi">https://secure.ebay.com/</a>
Got that?  If the URL *text* in the hyperlink doesn't match
the URL in the HREF parameter (modulo some canonicalization and
other munging), flag as a phish.
Dead simple algorithm, and I'd guess it catches about 75% of phishing
attempts.  The ones it doesn't catch are the ones where the
URL looks like this:
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
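The heuristic quoted above (flag a hyperlink whose visible text is a URL naming a different host than its HREF) is simple enough to show end to end. The following is an added example written for this page, not code from MailScanner, SpamAssassin or MIMEDefang. The canonicalization it applies (lowercase, strip scheme, userinfo, port, path and a leading "www.") is an assumption about what "modulo some canonicalization" should mean; the sample HTML is constructed and mirrors the eBay link in the thread.

```python
"""Added example: flag <a> elements whose visible text is a URL that names a
different host than the href. Not the MailScanner/SpamAssassin code."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: one phish link, one legitimate link that only differs
# by "www." and path, and one anchor whose text is not a URL at all.
SAMPLE_HTML = (
    '<p>Dear user, <a href="http://bogus.site.com/.cgi/ebay/cgi">'
    'https://secure.ebay.com/</a> '
    '<a href="https://www.example.com/login">https://example.com/login</a> '
    '<a href="http://bogus.site.com/x">click here</a></p>'
)

# Visible text is treated as a URL only if it carries a scheme or "www."
LOOKS_LIKE_URL = re.compile(r"^(?:https?://|www\.)\S+$", re.I)


def canonical_host(url: str) -> str:
    """Reduce a URL or bare hostname to a lowercase host with no scheme,
    userinfo, port, path or leading 'www.'. Assumed canonicalization."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    # urlsplit().hostname discards userinfo, so
    # "http://secure.ebay.com@bogus.site.com/" yields bogus.site.com.
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return host


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> in the markup."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phish_links(html: str) -> list:
    """Return (href, text) pairs where text is a URL whose canonical host
    differs from the href's canonical host. Non-URL link text is ignored."""
    parser = _LinkCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.links:
        if not href or not LOOKS_LIKE_URL.match(text):
            continue
        if canonical_host(href) != canonical_host(text):
            hits.append((href, text))
    return hits


if __name__ == "__main__":
    for href, text in phish_links(SAMPLE_HTML):
        print(f"PHISH? text={text!r} href={href!r}")
```

Two caveats a filter author would want: text like "secure.ebay.com" with no scheme is not treated as a URL here, so a phisher who omits the scheme slips past this rule, and a link whose text is not a URL at all ("click here") never trips it, which is why the thread treats the rule as one heuristic among several rather than a complete detector.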


Re: Phish detection (was Re: [Mimedefang] for mcafee lovers)

2005-03-23 Thread James Ebright
The other phishing it does not catch are the ones where the end user's hosts
file has been altered to point secure.ebay.com to a different IP. The only
reliable way to catch those I have seen is to compare the originating relayed
server with a list of known good ones... which is a kludge as this breaks
every time one of the banks, etc changes an IP or adds a server... etc. DCC
and SURBL are useless against these as the URLs and the emails are
essentially legit and will take the user to the correct place if their hosts
file is not munged.

Jim

On Tue, 22 Mar 2005 17:37:09 -0500, David F. Skoll wrote

 The Mailscanner guy has a fairly effective heuristic that really
 should be plugged into SpamAssassin.  He looks for something like this:
 
 <a href="http://bogus.site.com/.cgi/ebay/cgi">https://secure.ebay.com/</a>
 
 Got that?  If the URL *text* in the hyperlink doesn't match
 the URL in the HREF parameter (modulo some canonicalization and
 other munging), flag as a phish.
 


--
EsisNet.com Webmail Client

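The fallback Jim describes for the hosts-file case, comparing the relay that handed us the message against a list of known-good relays for the claimed sender domain, looks roughly like the following. This is an added example for this page, not MIMEDefang code. The allow-list, the MX name `mx.isp.example` and the sample messages are all constructed (addresses are from the documentation ranges); the rule of reading the connecting peer from the topmost Received header stamped by our own MX is an assumption about how that MX writes the header.

```python
"""Added example: does mail claiming to be from a protected domain arrive
from one of that domain's known-good relays? Not MIMEDefang's own code."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-list (constructed): sender domain -> networks it sends from.
# As the thread notes, this is the brittle part: it breaks whenever the
# sender adds or renumbers a relay.
KNOWN_GOOD_RELAYS = {
    "ebay.com": [ipaddress.ip_network("203.0.113.0/24")],
    "bank.example": [ipaddress.ip_network("198.51.100.8/29")],
}

# Assumed name our border MX writes into the Received header it prepends.
OUR_MX = "mx.isp.example"

# Bracketed IPv4 literal as written by most MTAs: "from host (host [1.2.3.4])".
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample messages (documentation-range addresses).
PHISH_MSG = """\
Received: from bogus.site.com (bogus.site.com [192.0.2.77]) by mx.isp.example with ESMTP; Tue, 22 Mar 2005 17:37:09 -0500
From: "eBay" <aw-confirm@ebay.com>
To: victim@isp.example
Subject: Please confirm your account

Visit https://secure.ebay.com/ to confirm.
"""

LEGIT_MSG = """\
Received: from out1.ebay.com (out1.ebay.com [203.0.113.45]) by mx.isp.example with ESMTP; Tue, 22 Mar 2005 17:40:00 -0500
From: notice@ebay.com
To: victim@isp.example
Subject: Your item sold

Congratulations.
"""

PLAIN_MSG = """\
Received: from mail.example.org (mail.example.org [192.0.2.9]) by mx.isp.example with ESMTP; Tue, 22 Mar 2005 17:41:00 -0500
From: friend@example.org
To: victim@isp.example
Subject: lunch?

Noon?
"""


def connecting_relay(msg):
    """IP that handed the message to our border MX. Our MX prepends its
    Received header, so the first one naming OUR_MX in the 'by' clause is
    ours even if the sender forged extra Received lines further down."""
    for rcvd in msg.get_all("Received", []):
        if f"by {OUR_MX}" in rcvd:
            m = RECEIVED_IP.search(rcvd)
            return ipaddress.ip_address(m.group(1)) if m else None
    return None


def sender_domain(msg):
    """Domain of the From: address, lowercased; '' if none."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()


def relay_verdict(raw: str) -> str:
    """'unprotected' if the domain is not on the list, 'no-relay-info' if our
    MX header is missing, 'ok' if the relay is known-good, else 'suspect'."""
    msg = message_from_string(raw)
    nets = KNOWN_GOOD_RELAYS.get(sender_domain(msg))
    if nets is None:
        return "unprotected"
    ip = connecting_relay(msg)
    if ip is None:
        return "no-relay-info"
    return "ok" if any(ip in net for net in nets) else "suspect"


if __name__ == "__main__":
    for name, raw in ("phish", PHISH_MSG), ("legit", LEGIT_MSG), ("plain", PLAIN_MSG):
        print(name, relay_verdict(raw))
```

The check looks only at the connection our own MX accepted, which is the one header line the sender cannot rewrite; everything below it in the Received chain is attacker-controlled and is deliberately ignored.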


Re: Phish detection (was Re: [Mimedefang] for mcafee lovers)

2005-03-23 Thread Ian Mitchell

 Date: Wed, 23 Mar 2005 10:27:26 -0500
 From: James Ebright [EMAIL PROTECTED]
 Subject: Re: Phish detection (was Re: [Mimedefang] for mcafee lovers)

 I agree... unfortunately most of our clients use windoze and most IE and even
 with auto updates it seems many still manage to get spyware etc on their PC
 once in a while...

I don't think auto updates will do anything to prevent spyware. That's
not a threat or a critical vulnerability, just an annoyance. Now,
worms and viruses, M$ seems to put those a little higher up on the pecking
order, sometimes. The only way to prevent spyware is to disable the
accessibility features and remove the end users' abilities to interact with
the computer (may involve surgically removing appendages). And that's
provided you're fully patched... Otherwise, you adopt strict usability
guidelines blessed by management, you heavily restrict permissions in the
registry and on the file system, you turn off everything they don't need,
firewall, scan, hoopa jupta stick it, dance a special dance, and pray or
be prey.

 It's as the saying goes.. give me strength to change what I can change,
 give me courage to accept the things I cannot change, and grant me wisdom
 to know the difference!

Figure that out, and you'll be rich beyond your wildest dreams ;)




Re: Phish detection (was Re: [Mimedefang] for mcafee lovers)

2005-03-23 Thread James Ebright
Hehe, you have never dealt with the newer forms of the browser hijacks then,
they usually exploit a vulnerability in windows or use social engineering to
get on a PC (not much I can do but educate customers on the latter,
auto-updates are hopefully taking care of the former as best it can). Once a
browser hijack is in place they do many nasty things to your PC allowing TONS
of things in...

Typically they add urls to the trusted zones in IE.
They turn off firewalls.
They disable av and anti-spyware tools (some of the nastier ones have).
They change your internet zone to low.
They make numerous registry changes that make it extremely hard to get them
removed once they have called home and installed their popup software.
poppupper is nasty about this.

The point here is.. the spyware just opened the door to even a simple website
with some php or java in it to edit the /etc/hosts... not to mention driveby
downloaders that will infect your PC with all kinds of viri...

I have no control over my end users' PCs, platform, etc.. I am a service
provider, I give you this challenge, you lock down a windows PC as tight as
you can while still allowing it to get on the web, I will show you a customer
of mine capable of infecting it unknowingly in less than 15 minutes... :-)

Jim



On Wed, 23 Mar 2005 09:45:45 -0600 (CST), Ian Mitchell wrote

 I don't think auto updates will do anything to prevent spyware. That's
 not a threat or a critical vulnerability, just an annoyance. Now,
 worms and viruses, M$ seems to put those a little higher up on the pecking
 order, sometimes. The only way to prevent spyware is to disable the
 accessibility features and remove the end users' abilities to
 interact with the computer (may involve surgically removing
 appendages). And that's provided you're fully patched... Otherwise,
 you adopt strict usability guidelines blessed by management, you
 heavily restrict permissions in the registry and on the file system,
 you turn off everything they don't need, firewall, scan, hoopa jupta
 stick it, dance a special dance, and pray or be prey.


--
EsisNet.com Webmail Client



Re: Phish detection (was Re: [Mimedefang] for mcafee lovers)

2005-03-23 Thread James Ebright
We are and it is there in two different places if I remember right! As I
mentioned before, our TOS allows us to charge a customer cleanup fees if we
catch them spamming as well. Anyway, we tell our attorneys what we want to
accomplish... they put it down in legalese. ;-)

Jim


On Wed, 23 Mar 2005 10:48:13 -0500, David F. Skoll wrote
 If you're an ISP, then I would definitely include in your Terms of Service
 a disclaimer stating that you cannot offer protection against 
 spyware, viruses, etc. to end-users.

--
EsisNet.com Webmail Client
