Posted to users@spamassassin.apache.org by Albert Whale <ae...@ABS-CompTech.com> on 2004/08/03 14:47:57 UTC

Re: Detecting Phishers is not working.

Moving to the Users List.

Jeff Chan wrote:

>On Monday, August 2, 2004, 6:00:21 AM, Albert Whale wrote:
>
>>Jeff Chan wrote:
>
>>>uri       WS_URI_RBL  eval:check_spamcop_uri_rbl('ws.surbl.org','127.0.0.2')
>>>describe  WS_URI_RBL  URI's domain appears in sa-blacklist
>>>tflags    WS_URI_RBL  net
>>>
>>>score     WS_URI_RBL  3.0
>
>>Well, if the RBL contains a score of 3.0 and the minimum for detection 
>>is a 5 or a 6, how is this of any value?  Do you see a little of what I 
>>mean?
>
>The reason for a score below the threshold is to mitigate false
>positives by requiring other rules to also fire.  That's a basic
>feature of Spam Assassin, and it's more of a diverse, collaborative
>approach to detecting spam than outright blocking based on a
>single characteristic.  Certainly, if you're comfortable with the
>lack of false positives in a given SURBL rule, or any other rules
>for that matter, you can raise the score of that rule.  Adjusting
>scores and choosing rules is how you can tune SA to your liking
>and to the type of mail you get.
>
Agreed, I understand this wholly.

>
>>I guess the issue here Jeff, is that there are a few million injections 
>>of the message before it makes it into the Database.  I want to detect 
>>it as soon as it occurs (and not require that it be relying on any other 
>>device externally for the detection).
>>
>>How does the IP Address make it into the SURBL List?
>
>Well first, SURBLs don't have many IP addresses.  Most entries
>in the lists are domain names.
>
Most Phishers are based on IP Addresses.  Is the SURBL a Good Match, or 
am I attempting to develop a New Detection Tool?

>Second it doesn't take "a few million" messages for an entry
>to get onto a SURBL list.  For some of the lists it requires
>only one to be detected.  Please see the Lists document on
>our site for more information:
>
Well, I say a Few million get out of the Phishers, before someone 
reports it.  I want to detect it, and stop it before needing to rely on 
a first responder acting on behalf of someone else.  I guess I am 
looking for this new Detection tool to be the First Responder. 

This certainly is NOT going to replace the lists in the SURBL, but it 
may also permit that this detection could 'feed' data into the SURBL.

Back to a previous point.  Since most Phishers are using IP Addresses in 
the Web Link, is there an existing test for this, or do I need to 
develop it?

>  http://www.surbl.org/lists.html
>
>Also unless there's a specific development issue here, this
>discussion should probably move to the spamassassin-users
>list.
>
>Jeff C.
>

-- 
Albert E. Whale, CISSP - Sr. Security, Network, and Systems Consultant
--------------------------------------------------------------------------------
http://www.abs-comptech.com & http://www.No-JunkMail.com 
ABS Computer Technology, Inc. - ESM, Computer & Networking Specialists
SPAM ZapperTM - No-JunkMail.com - Spam-Zapper.com - SPAM Stops Here.
President of the Pittsburgh InfraGard
Re: Detecting Phishers is not working.

Posted by Jeff Chan <je...@surbl.org>.
On Tuesday, August 3, 2004, 5:47:57 AM, Albert Whale wrote:
> Jeff Chan wrote:

>>Well first, SURBLs don't have many IP addresses.  Most entries
>>in the lists are domain names.

> Most Phishers are based on IP Addresses.  Is the SURBL a Good Match,

Yes, our phishing data have disproportionately more IP
addresses than the regular spam web site data do.

>>Second it doesn't take "a few million" messages for an entry
>>to get onto a SURBL list.  For some of the lists it requires
>>only one to be detected.  Please see the Lists document on
>>our site for more information:

> Well, I say a Few million get out of the Phishers, before someone 
> reports it.  I want to detect it, and stop it before needing to rely on 
> a first responder acting on behalf of someone else.  I guess I am 
> looking for this new Detection tool to be the First Responder. 

Remember though that there are several sources of data for
SURBLs.  Some of the data sources such as the OutBlaze
spam traps probably pick up phishing spams pretty quickly,
along with other kinds of spams.  Spamtrap processing is
probably all automatic and pretty fast.  There are spamtraps
feeding into WS also.

> This certainly is NOT going to replace the lists in the SURBL, but it
> may also permit that this detection could 'feed' data into the SURBL.

If you develop a good phishing data source we would be
interested in carrying it in a SURBL.

> Back to a previous point.  Since most Phishers are using IP Addresses in 
> the Web Link, is there an existing test for this, or do I need to 
> develop it?

SURBLs handle both domains and IP addresses currently.
No new coding is needed for that.

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/


Re: Detecting Phishers is not working.

Posted by David Hooton <da...@gmail.com>.
On Tue, 03 Aug 2004 08:47:57 -0400, Albert Whale
<ae...@abs-comptech.com> wrote:
> Moving to the Users List.
> 
> >>I guess the issue here Jeff, is that there are a few million injections
> >>of the message before it makes it into the Database.  I want to detect
> >>it as soon as it occurs (and not require that it be relying on any other
> >>device externally for the detection).
> >>
> >>How does the IP Address make it into the SURBL List?

Hi Albert,

Well if you're talking Phishing Data I would be the person to talk to.
Data is collected from a reasonable set of information streams
including customer message intercepts, end user reported messages,
spamtraps and a couple of somewhat abstract however effective methods.

If you've got something to report please shoot it to postmaster at
corp.mailsecurity.net.au

> >Well first, SURBLs don't have many IP addresses.  Most entries
> >in the lists are domain names.
> >
> Most Phishers are based on IP Addresses.  Is the SURBL a Good Match, or
> am I attempting to develop a New Detection Tool?

The Phishing list is mainly IPs; we will list whatever the malicious
URL is, domain based or otherwise.

> >Second it doesn't take "a few million" messages for an entry
> >to get onto a SURBL list.  For some of the lists it requires
> >only one to be detected.  Please see the Lists document on
> >our site for more information:
> >
> Well, I say a Few million get out of the Phishers, before someone
> reports it.  

You'd be incredibly surprised how fast some are caught.  We're still
working on a 100% reliable 98% automated solution but until then the
updates are still made as submissions arrive.

> I want to detect it, and stop it before needing to rely on
> a first responder acting on behalf of someone else.  I guess I am
> looking for this new Detection tool to be the First Responder.

I'm interested - can you outline what you're planning?

> This certainly is NOT going to replace the lists in the SURBL, but it
> may also permit that this detection could 'feed' data into the SURBL.

Again, tell me more :)

> Back to a previous point.  Since most Phishers are using IP Addresses in
> the Web Link, is there an existing test for this, or do I need to
> develop it?

Reversed-octet IP addresses can be fed into SURBLs; we use them all
day every day.

-- 
Regards,

David Hooton
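A worked illustration of the two lookup forms Jeff and David describe above (a registrable domain for hostname URLs, reversed octets for IP-address URLs, both queried under a zone such as ws.surbl.org and matched against a return code like 127.0.0.2). This is example code added here, not code from SpamAssassin, SURBL or any poster; the two-level suffix set, the sample URLs and the `is_listed` helper are my own constructed assumptions, and no DNS query is actually sent.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed assumption: a tiny subset of public suffixes that are two
# labels deep, so the registrable domain is the third label from the right.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def surbl_query_name(url: str, zone: str = "ws.surbl.org") -> str:
    """Build the DNS name a SURBL-style lookup would query for this URL's host.

    IPv4 hosts are reversed octet by octet (192.0.2.10 -> 10.2.0.192.<zone>);
    hostnames are reduced to their registrable domain
    (www.example.com -> example.com.<zone>).
    """
    # urlparse only extracts a hostname when a scheme is present.
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    host = host.rstrip(".").lower()

    try:
        ip = ipaddress.IPv4Address(host)
    except ipaddress.AddressValueError:
        ip = None

    if ip is not None:
        # Reversed-octet form, as used for IP entries in the lists.
        label = ".".join(reversed(str(ip).split(".")))
    else:
        labels = host.split(".")
        depth = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
        label = ".".join(labels[-depth:])
    return f"{label}.{zone}"


def is_listed(answers, expected: str = "127.0.0.2") -> bool:
    """True if the A records returned for the query include the expected code.

    A query that resolves to 127.0.0.2 under ws.surbl.org is what the
    WS_URI_RBL rule quoted in the thread is checking for; NXDOMAIN (no
    answers) means the host is not listed in that zone.
    """
    return expected in set(answers)
```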