Re: Adding SpamBouncer phishing data to ph.surbl.org

2005-08-01 Thread Loren Wilton
> Any domain names in a phishing email code are most likely going to be
> legit domain names such as, ebay.com, bankofamerica.com, southtrustbank.com
> etc.. These are the domains visible to the target/sucker.

On the other hand, I just got a phish insisting I had to update my
wellsfargo account (which of course I've never had).  There are only two
urls in the message body:

<p><img
src=http://a248.e.akamai.net/7/248/1856/6fbc90232ac38d/www.wellsfargo.com/img/eal_logo_gen.gif></p>
<p>Dear Wells Fargo customer,</p>
<p> As you may already know, we at Wells Fargo guarantee your <a
href=http://aurum.vup.hr/%7Ewolf/cgi-bin/wellsfargo/signon/CONSERROR_CODE/index.htm

The akamai site is really common in phish these days, since it seems to have
all of the logos for the various financial institutions readily available to
phishers.

The other site, you will note, is NOT using a dotquad.

Loren



Re: Adding SpamBouncer phishing data to ph.surbl.org

2005-08-01 Thread Jeff Chan
On Sunday, July 31, 2005, 11:37:44 PM, Loren Wilton wrote:
> <p><img
> src=http://a248.e.akamai.net/7/248/1856/6fbc90232ac38d/www.wellsfargo.com/img/eal_logo_gen.gif></p>
> <p>Dear Wells Fargo customer,</p>
> <p> As you may already know, we at Wells Fargo guarantee your <a
> href=http://aurum.vup.hr/%7Ewolf/cgi-bin/wellsfargo/signon/CONSERROR_CODE/index.htm
>
> The akamai site is really common in phish these days, since it seems to have
> all of the logos for the various financial institutions readily available to
> phishers.
>
> The other site, you will note, is NOT using a dotquad.

Sure.  Phishes probably have three categories of target URIs:

1.  IPs:  http://1.2.3.4/
2.  self-registered domains:  http://fake-paypal.foo/
3.  hacked sites: http://victim-domain.foo/hacked/subdirectory/

Your example appears to be #3.

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



RE: Adding SpamBouncer phishing data to ph.surbl.org

2005-07-31 Thread Greg Allen
It seems like this would be a hard thing to do by IPs. If you were to use
Clamav and the Spamassassin hook (see wiki for it), you may get better near
real-time phishing protection. That is what I do here anyway. I give Clamav
a 100 score. That's my 2 cents anyway.



-Original Message-
From: Jeff Chan [mailto:[EMAIL PROTECTED]
Sent: Saturday, July 30, 2005 10:23 PM
To: SURBL Discuss; SpamAssassin Users; SpamAssassin Developers
Subject: RFC: Adding SpamBouncer phishing data to ph.surbl.org


Catherine Hampton of SpamBouncer (welcome to the SURBL Discuss
list Catherine!) is kindly making available her carefully checked
phishing domains and IPs for our inclusion in the SURBL phishing
list.  They're not currently added to ph.surbl.org, but the hooks
are in place to make it live after some discussion here.

Catherine's data come from antiphishing.org plus her own trapped
phishes.  All are hand checked about once a day.  When I reviewed
a recent snapshot of the data:

http://www.spambouncer.org/dist/standalone/phishdata/current.txt

I found that 124 of the 193 domains were already listed on
various SURBLs.  The other new 69 looked quite phishy and
probably ok to list.

For the IPs, we had 22 of the 74 listed, and I'll assume the
others are probably zombies, etc. as Catherine suggested.
Generally speaking there's little harm in listing IPs since most
legitimate sites don't get referenced by IP, so there's good
upside and little downside for listing them.

Please take a look at the data for yourself and comment.

Regarding expiring the data, Catherine told me:

> I expire Phish IP listings every month.  Phishers move around a
> LOT, probably because most of the IPs are on compromised or trojaned
> hosts and tend to get fixed within a couple of weeks.
>
> I don't expire Phish domains formally right now, although eventually
> I plan to run them through regular "has this domain expired and not
> been renewed" checks.  Since I only list domains designed specifically
> for phishing and used only by phishers as Phish domains, they aren't
> likely to be used for anything else.  (Domains like paypalll.com
> don't seem to have much legitimate use to me.)

which sound like reasonable policies to me.

Does anyone have comments on adding these to the PH list?

Am I forgetting anything Catherine?  :-)

Jeff C.
--
Don't harm innocent bystanders.





Re: Adding SpamBouncer phishing data to ph.surbl.org

2005-07-31 Thread Jeff Chan
On Saturday, July 30, 2005, 11:47:40 PM, Greg Allen wrote:
> It seems like this would be a hard thing to do by IPs. If you were to use
> Clamav and the Spamassassin hook (see wiki for it), you may get better near
> real-time phishing protection. That is what I do here anyway. I give Clamav
> a 100 score. That's my 2 cents anyway.

Not exactly sure what you mean by "by IPs".  SURBLs list whatever
appears in spam message body URI (host portions).  For most spams
those are domain names, but for many phishes, they're IP
addresses (i.e. http://1.2.3.4/).  If they have IPs in them, we
list the IPs.  If they have domain names, we list the domain names.

ClamAV is designed to protect against viruses.  While their
anti-phishing function works well, phishes and spam are not
viruses.  They probably felt the need to do something because
the phishing threat is pretty serious, or can be if people
get tricked by them, but we've had a SURBL phishing list for
about a year:

  http://www.surbl.org/lists.html#ph

SURBLs are designed to check message body URIs, which is
what spammers and phishers are usually trying to direct victims
with, therefore our tool is a much better fit for the problem
than a virus tool, IMO.

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



RE: Adding SpamBouncer phishing data to ph.surbl.org

2005-07-31 Thread Herb Martin
> ClamAV is designed to protect against viruses.  While their
> anti-phishing function works well, phishes and spam are not
> viruses.  They probably felt the need to do something because
> the phishing threat is pretty serious, or can be if people
> get tricked by them, but we've had a SURBL phishing list for
> about a year:
>
> SURBLs are designed to check message body URIs, which is what
> spammers and phishers are usually trying to direct victims
> with, therefore our tool is a much better fit for the problem
> than a virus tool, IMO.

Whatever works most reliably is the best.  (And that may be a
combination.)

In ClamAV's case, they have designed it to catch some proportion
of phish and an appeal to "ClamAV is designed..." to restrict it
to some limited category just doesn't pass muster -- it does what
it was designed to do -- catch (most) viruses and catch many phish.

Also, with a simple blacklist you don't have logic built in for
things like people mentioning the URIBL on a list like this so
recourse to whitelists, and the program logic of SpamAssassin or
some other meta evaluation method.

Presumably -- now you have me interested so I am going to check
-- ClamAV does more than a naive pattern match on the URI and
apparently they even have (had) endless debates in the ClamAV
newsgroups/lists on this subject.

It's sort of like "Tastes Great -- Less Filling".  Silly argument
when what we really want is great taste without getting fat.
<grin>  (Or pick one:  revolvers vs. automatics, Macs vs. PCs,
blonds vs. redheads, etc)

Whatever works -- works.

And by the way:  I REALLY appreciate your SURBL lists and hard
work even if I think other tools supplement and help make your
stuff even better.

My security principles include (but are not limited to):

1) Stop as much as possible at the outer perimeter
(earlier the better)

2) Defense in depth

For us, the virus scanning happens before the Spam tests;
early is good.

--
Herb Martin



RE: Adding SpamBouncer phishing data to ph.surbl.org

2005-07-31 Thread Greg Allen
I agree, we definitely need SURBL black lists. They have helped tremendously
against spam! I just feel that it would be chasing one's tail a bit to try
to catch phishing in SURBL.

People who do phishing are going to change their IP address (IP where the
actual target/sucker is sent) frequently. They are also probably going to
use random and ever changing computer IPs outside the US for obvious legal
reasons. Maybe zombies even, who knows.

Any domain names in a phishing email code are most likely going to be legit
domain names such as, ebay.com, bankofamerica.com, southtrustbank.com etc..
These are the domains visible to the target/sucker.

So it just seems to me that an antivirus program is better for detecting
HTML code pattern of these schemes rather than the IP address of the day/week
that they would be sending from in South Korea, Russia or China, etc. There
is a very simple ClamAV plugin that does this (see the SA Wiki). I am using
it on my SA system and it does the job of sending it on to my next
downstream systems marked as spam. I have more antivirus on downstream
systems that will delete real viruses as well since I just use ClamAV for
spam tagging for simplicity's sake. (I don't want to put a ton of programs on
the computer to call SA, such as Amavis-new, etc., so that is why I do
this.)









RE: Adding SpamBouncer phishing data to ph.surbl.org

2005-07-31 Thread hamann . w
 
> I agree, we definitely need SURBL black lists. They have helped tremendously
> against spam! I just feel that it would be chasing one's tail a bit to try
> to catch phishing in SURBL.
>
> People who do phishing are going to change their IP address (IP where the
> actual target/sucker is sent) frequently. They are also probably going to
> use random and ever changing computer IPs outside the US for obvious legal
> reasons. Maybe zombies even, who knows.
>
> Any domain names in a phishing email code are most likely going to be legit
> domain names such as, ebay.com, bankofamerica.com, southtrustbank.com etc..
> These are the domains visible to the target/sucker.
 

Hi,

whatever does the job :)
I have suggested before to implement a check of visible vs. actual URL.
While it seems that some legit sites use that as well, probably a little
relationship between the two addresses should exist, e.g. a URL with
something like ?id=4711 and with /some_product_name can be accepted if
both servers belong to the same netblock or are served by the same
nameservers.
I do not really feel bad about a big "this might be a phish" warning on
legit mail, and legit senders should hopefully be interested in changing
their mails so that they do not get trapped.
If a big company really feels the need to launch an ad campaign created by
an outside company which looks phishy, and definitely matches everybody's
idea of unsolicited commercial mail, I would not really feel any sympathy
just because they get an extra phish tag attached :)

While catching phish is not the primary job of SA, nor that of an antivirus,
SA already has the infrastructure to check URLs against the DNS.

> So it just seems to me that an antivirus program is better for detecting
> HTML code pattern of these schemes rather than the IP address of the day/week
> that they would be sending from in South Korea, Russia or China, etc. There
> is a very simple ClamAV plugin that does this (see the SA Wiki). I am using
> it on my SA system and it does the job of sending it on to my next
> downstream systems marked as spam. I have more antivirus on downstream
> systems that will delete real viruses as well since I just use ClamAV for
> spam tagging for simplicity's sake. (I don't want to put a ton of programs on
> the computer to call SA, such as Amavis-new, etc., so that is why I do
> this.)
 
Checking whether apparent and actual URL are related should detect all cases
where the real URL points at a zombie.

Wolfgang Hamann

 
 
 
 
 
 
 

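Two ideas from this thread, Jeff's point that SURBLs look up the host portion of each message-body URI (IP addresses as well as domain names, via the ph.surbl.org zone) and Wolfgang's proposed visible-vs-actual URL check, as an added Python example that is not part of any post and not SURBL or SpamAssassin code. The sample HTML is constructed after the Wells Fargo phish quoted above; the registered-domain cut is simplified to the last two labels, and Wolfgang's netblock/nameserver relationship test is left out because it needs live DNS.

```python
import ipaddress
import re
from urllib.parse import urlsplit

PH_ZONE = "ph.surbl.org"  # the SURBL phishing list discussed in the thread

# Constructed sample, modelled on the Wells Fargo phish quoted in the thread.
SAMPLE_HTML = (
    '<p><img src="http://a248.e.akamai.net/7/248/www.wellsfargo.com/img/logo.gif"></p>'
    '<p>Dear Wells Fargo customer,</p>'
    '<p>We guarantee your <a href="http://aurum.vup.hr/%7Ewolf/cgi-bin/signon/index.htm">'
    'www.wellsfargo.com</a> account.</p>'
    '<p>Confirm at <a href="http://1.2.3.4/update/">http://www.paypal.com/</a> now.</p>'
)

# href value and inner text of each anchor; tags inside the anchor are stripped later.
ANCHOR = re.compile(r'<a\s[^>]*href=["\']?([^"\'\s>]+)[^>]*>(.*?)</a>', re.I | re.S)
HOSTLIKE = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+")

def surbl_query_name(host, zone=PH_ZONE):
    """DNS name a SURBL client looks up for a URI host: an IPv4 address is
    reversed octet-wise; a domain is cut to its registered domain, simplified
    here to the last two labels (real clients consult a TLD table)."""
    host = host.lower().strip(".")
    try:
        octets = str(ipaddress.IPv4Address(host)).split(".")
        return ".".join(reversed(octets)) + "." + zone
    except ValueError:
        return ".".join(host.split(".")[-2:]) + "." + zone

def visible_host(text):
    """Host the reader sees in the link text, or None if the text is plain words."""
    text = re.sub(r"<[^>]+>", "", text).strip()
    if not HOSTLIKE.match(text):
        return None
    return urlsplit(text if text.startswith("http") else "http://" + text).hostname

def analyse(html):
    """Per anchor: actual host, host shown to the reader, the ph.surbl.org lookup
    name, and whether the visible and actual hosts disagree."""
    results = []
    for href, text in ANCHOR.findall(html):
        actual, shown = urlsplit(href).hostname or "", visible_host(text)
        results.append({"actual": actual, "shown": shown,
                        "lookup": surbl_query_name(actual),
                        "mismatch": shown is not None and shown != actual})
    return results
```

On the sample, the first link resolves to a hacked-site style host (Jeff's category 3) and the second to a dotquad (category 1), and both are flagged because the text the reader sees names a different host than the href.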





Re: Adding SpamBouncer phishing data to ph.surbl.org

2005-07-31 Thread Jeff Chan
On Sunday, July 31, 2005, 3:52:53 AM, Herb Martin wrote:
> Presumably -- now you have me interested so I am going to check
> -- ClamAV does more than a naive pattern match on the URI and
> apparently they even have (had) endless debates in the ClamAV
> newsgroups/lists on this subject.

Sure, and any additional pattern matching is probably useful for
detecting phishes, but every phish I've seen has tried to direct
someone to a fake web site.  Web sites mentioned in spams,
including phishing spams, are *precisely* what SURBLs are designed
to detect.

SURBLs are not designed to detect viruses at all, just web sites.
Phishes don't usually have viruses, but they do have web sites.
Draw your own conclusions  :-)

> And by the way:  I REALLY appreciate your SURBL lists and hard
> work

On behalf of the many people helping out with the SURBL project
in various ways, thanks for your kind words.

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Re: Adding SpamBouncer phishing data to ph.surbl.org

2005-07-31 Thread Jeff Chan
On Sunday, July 31, 2005, 10:39:14 AM, Greg Allen wrote:
> People who do phishing are going to change their IP address (IP where the
> actual target/sucker is sent) frequently. They are also probably going to
> use random and ever changing computer IPs outside the US for obvious legal
> reasons. Maybe zombies even, who knows.

Yes, they're probably using some zombies.  Many phishes also use
fake domain names (like updatepaypals .com).  We list both domain
names and IPs in the SURBL phishing list. 

> Any domain names in a phishing email code are most likely going to be legit
> domain names such as, ebay.com, bankofamerica.com, southtrustbank.com etc..
> These are the domains visible to the target/sucker.

Yes, and we're whitelisting those legitimate sites, so they're
non-issues as far as false positives in SURBLs.

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



RFC: Adding SpamBouncer phishing data to ph.surbl.org

2005-07-30 Thread Jeff Chan
Catherine Hampton of SpamBouncer (welcome to the SURBL Discuss
list Catherine!) is kindly making available her carefully checked
phishing domains and IPs for our inclusion in the SURBL phishing
list.  They're not currently added to ph.surbl.org, but the hooks
are in place to make it live after some discussion here.

Catherine's data come from antiphishing.org plus her own trapped
phishes.  All are hand checked about once a day.  When I reviewed
a recent snapshot of the data:

http://www.spambouncer.org/dist/standalone/phishdata/current.txt

I found that 124 of the 193 domains were already listed on
various SURBLs.  The other new 69 looked quite phishy and
probably ok to list.

For the IPs, we had 22 of the 74 listed, and I'll assume the
others are probably zombies, etc. as Catherine suggested.
Generally speaking there's little harm in listing IPs since most
legitimate sites don't get referenced by IP, so there's good
upside and little downside for listing them.

Please take a look at the data for yourself and comment.

Regarding expiring the data, Catherine told me:

> I expire Phish IP listings every month.  Phishers move around a
> LOT, probably because most of the IPs are on compromised or trojaned
> hosts and tend to get fixed within a couple of weeks.
>
> I don't expire Phish domains formally right now, although eventually
> I plan to run them through regular "has this domain expired and not
> been renewed" checks.  Since I only list domains designed specifically
> for phishing and used only by phishers as Phish domains, they aren't
> likely to be used for anything else.  (Domains like paypalll.com
> don't seem to have much legitimate use to me.)

which sound like reasonable policies to me.

Does anyone have comments on adding these to the PH list?

Am I forgetting anything Catherine?  :-)

Jeff C.
--
Don't harm innocent bystanders.