Posted to users@spamassassin.apache.org by ha...@t-online.de on 2005/07/31 20:37:39 UTC

RE: Adding SpamBouncer phishing data to ph.surbl.org

>> 
>> I agree, we definitely need SURBL black lists. They have helped tremendously
>> against spam! I just feel that it would be chasing one's tail a bit to try
>> to catch phishing in SURBL.
>> 
>> People who do phishing are going to change their IP address (IP where the
>> actual target/sucker is sent) frequently. They are also probably going to
>> use random and ever changing computer IPs outside the US for obvious legal
>> reasons. Maybe zombies even, who knows.
>> 
>> Any domain names in a phishing email code are most likely going to be legit
>> domain names such as ebay.com, bankofamerica.com, southtrustbank.com, etc.
>> These are the domains visible to the target/sucker.
>> 

Hi,

whatever does the job :)
I have suggested before to implement a check of visible vs. actual URL.
While it seems that some legit sites use that as well, probably a little relationship
between the two addresses should exist, e.g.
a URL with something like ?id=4711 and with /some_product_name can be accepted if
both servers belong to the same netblock or are served by the same nameservers.
I do not really feel bad about a big "this might be a phish" warning on legit mail,
and legit senders should hopefully be interested in changing their mails so that they
do not get trapped.
If a big company really feels the need to launch an ad campaign created by an outside
company which looks phishy, and definitely matches everybody's idea of unsolicited
commercial mail, I would not really feel any sympathy just because they get an extra phish tag
attached :)

While catching phish is not the primary job of SA, nor that of an antivirus,
SA already has the infrastructure to check URLs against the DNS.

>> So it just seems to me that an antivirus program is better for detecting
>> HTML code patterns of these schemes rather than the IP address of the day/week
>> that they would be sending from in South Korea, Russia or China, etc. There
>> is a very simple ClamAV plugin that does this (see the SA Wiki). I am using
>> it on my SA system and it does the job of sending it on to my next
>> downstream systems marked as spam. I have more antivirus on downstream
>> systems that will delete real viruses as well since I just use ClamAV for
>> spam tagging for simplicity's sake. (I don't want to put a ton of programs on
>> the computer to call SA, such as Amavis-new, etc., so that is why I do
>> this.)
>> 
Checking whether the apparent and actual URL are related should detect all cases where
the real URL points at a zombie.

Wolfgang Hamann

>> 
>> 
>> 
>> >And by the way:  I REALLY appreciate your SURBL lists and hard
>> >work even if I think other tools supplement and help make your
>> >stuff even better.
>> >
>> >My security principles include (but are not limited to):
>> >
>> >	1) Stop as much as possible at the outer perimeter
>> >		(earlier the better)
>> >
>> >	2) Defense in depth
>> >
>> >For us, the virus scanning happens before the Spam tests;
>> >early is good.
>> >
>> >--
>> >Herb Martin
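The visible-vs-actual URL check Wolfgang sketches above, written out as an added example (it is not code from this thread or from SpamAssassin). DNS answers are supplied as constructed dictionaries so it runs offline, the "same netblock" rule is assumed to mean the same /24, and all hostnames and addresses are made up.

```python
import ipaddress
import re
from html.parser import HTMLParser


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Hostname or dotted-quad literal, with an optional scheme in front of it.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,}|\d{1,3}(?:\.\d{1,3}){3})", re.I)


def host_of(text):
    """Host named in a href or in the visible link text, or None if there is none."""
    m = HOST_RE.search(text or "")
    return m.group(1).lower() if m else None


def addr(host, resolve):
    """Address of a host: literal IPs stand for themselves, names go through the lookup table."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return resolve.get(host)


def related(visible, actual, resolve, nameservers):
    """Same host, same /24 netblock (assumed heuristic), or same authoritative nameservers."""
    if visible == actual:
        return True
    a, b = addr(visible, resolve), addr(actual, resolve)
    if a and b and ipaddress.ip_network(a + "/24", strict=False) == ipaddress.ip_network(b + "/24", strict=False):
        return True
    return bool(nameservers.get(visible)) and nameservers.get(visible) == nameservers.get(actual)


def phish_links(html, resolve, nameservers):
    """Links whose visible hostname is unrelated to the host the href really points at."""
    parser = LinkExtractor()
    parser.feed(html)
    hits = []
    for href, text in parser.links:
        shown, real = host_of(text), host_of(href)
        if shown and real and not related(shown, real, resolve, nameservers):
            hits.append((shown, real))
    return hits


# Constructed sample mail: a legit tracking-style link, a phish-style link, and a plain "Click here".
SAMPLE_HTML = """<p>Dear customer,</p>
<a href="http://secure.example-bank.test/some_product_name?id=4711">www.example-bank.test</a>
<a href="http://203.0.113.45/login">www.example-bank.test</a>
<a href="http://www.example-bank.test/help">Click here</a>"""
SAMPLE_RESOLVE = {"www.example-bank.test": "192.0.2.10", "secure.example-bank.test": "192.0.2.20"}
SAMPLE_NS = {"www.example-bank.test": ("ns1.example-bank.test",),
             "secure.example-bank.test": ("ns1.example-bank.test",)}

if __name__ == "__main__":
    print(phish_links(SAMPLE_HTML, SAMPLE_RESOLVE, SAMPLE_NS))  # [('www.example-bank.test', '203.0.113.45')]
```

Only the link whose href lands on an address with no netblock or nameserver relationship to the displayed bank hostname is reported; the id=4711 link passes because both hosts share a /24 and a nameserver.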