Posted to users@spamassassin.apache.org by Greg Allen <sa...@floridacpu.com> on 2005/07/31 08:47:40 UTC

RE: Adding SpamBouncer phishing data to ph.surbl.org

It seems like this would be a hard thing to do by IPs. If you were to use
Clamav and the Spamassassin hook (see wiki for it), you may get better near
real-time phishing protection. That is what I do here anyway. I give Clamav
a 100 score. That's my 2 cents anyway.



-----Original Message-----
From: Jeff Chan [mailto:jeffc@surbl.org]
Sent: Saturday, July 30, 2005 10:23 PM
To: SURBL Discuss; SpamAssassin Users; SpamAssassin Developers
Subject: RFC: Adding SpamBouncer phishing data to ph.surbl.org


Catherine Hampton of SpamBouncer (welcome to the SURBL Discuss
list Catherine!) is kindly making available her carefully checked
phishing domains and IPs for our inclusion in the SURBL phishing
list.  They're not currently added to ph.surbl.org, but the hooks
are in place to make it live after some discussion here.

Catherine's data come from antiphishing.org plus her own trapped
phishes.  All are hand checked about once a day.  When I reviewed
a recent snapshot of the data:

http://www.spambouncer.org/dist/standalone/phishdata/current.txt

I found that 124 of the 193 domains were already listed on
various SURBLs.  The other new 69 looked quite phishy and
probably ok to list.

For the IPs, we had 22 of the 74 listed, and I'll assume the
others are probably zombies, etc. as Catherine suggested.
Generally speaking there's little harm in listing IPs since most
legitimate sites don't get referenced by IP, so there's good
upside and little downside for listing them.

Please take a look at the data for yourself and comment.

Regarding expiring the data, Catherine told me:

> I expire "Phish IP" listings every month.  Phishers move around a
> LOT, probably because most of the IPs are on compromised or trojaned
> hosts and tend to get fixed within a couple of weeks.
>
> I don't expire Phish domains formally right now, although eventually
> I plan to run them through regular "has this domain expired and not
> been renewed" checks.  Since I only list domains designed specifically
> for phishing and used only by phishers as "Phish domains", they aren't
> likely to be used for anything else.  (Domains like paypalll.com
> don't seem to have much legitimate use to me.)

which sound like reasonable policies to me.

Does anyone have comments on adding these to the PH list?

Am I forgetting anything Catherine?  :-)

Jeff C.
--
Don't harm innocent bystanders.




Re: Adding SpamBouncer phishing data to ph.surbl.org

Posted by Jeff Chan <je...@surbl.org>.
On Sunday, July 31, 2005, 3:52:53 AM, Herb Martin wrote:
> Presumably -- now you have me interested so I am going to check
> -- ClamAV does more than a naive pattern match on the URI and
> apparently they even have (had) endless debates in the ClamAV
> newsgroups/lists on this subject.

Sure, and any additional pattern matching is probably useful for
detecting phishes, but every phish I've seen has tried to direct
someone to a fake web site.  Web sites mentioned in spams,
including phishing spams, are *precisely* what SURBLs are designed
to detect.

SURBLs are not designed to detect viruses at all, just web sites.
Phishes don't usually have viruses, but they do have web sites.
Draw your own conclusions....  :-)

> And by the way:  I REALLY appreciate your SURBL lists and hard
> work

On behalf of the many people helping out with the SURBL project
in various ways, thanks for your kind words.

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/


Re: Adding SpamBouncer phishing data to ph.surbl.org

Posted by Jeff Chan <je...@surbl.org>.
On Sunday, July 31, 2005, 11:37:44 PM, Loren Wilton wrote:
> <p><img
> src="http://a248.e.akamai.net/7/248/1856/6fbc90232ac38d/www.wellsfargo.com/img/eal_logo_gen.gif"></p>
> <p>Dear Wells Fargo customer,</p>
> <p> As you may already know, we at Wells Fargo guarantee your <a
> href="http://aurum.vup.hr/%7Ewolf/cgi-bin/wellsfargo/signon/CONS&ERROR_CODE/index.htm">

> The akamai site is really common in phish these days, since it seems to have
> all of the logos for the various financial institutions readily available to
> phishers.

> The other site, you will note, is NOT using a dotquad.

Sure.  Phishes probably have three categories of target URIs:

1.  IPs:  http://1.2.3.4/
2.  self-registered domains:  http://fake-paypal.foo/
3.  hacked sites: http://victim-domain.foo/hacked/subdirectory/

Your example appears to be #3.

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/


Re: Adding SpamBouncer phishing data to ph.surbl.org

Posted by Loren Wilton <lw...@earthlink.net>.
> > Any domain names in a phishing email code are most likely going to be
> > legit domain names such as, ebay.com, bankofamerica.com,
> > southtrustbank.com etc..
> > These are the domains visible to the target/sucker.

On the other hand, I just got a phish insisting I had to update my
wellsfargo account (which of course I've never had).  There are only two
urls in the message body:

<p><img
src="http://a248.e.akamai.net/7/248/1856/6fbc90232ac38d/www.wellsfargo.com/img/eal_logo_gen.gif"></p>
<p>Dear Wells Fargo customer,</p>
<p> As you may already know, we at Wells Fargo guarantee your <a
href="http://aurum.vup.hr/%7Ewolf/cgi-bin/wellsfargo/signon/CONS&ERROR_CODE/index.htm">

The akamai site is really common in phish these days, since it seems to have
all of the logos for the various financial institutions readily available to
phishers.

The other site, you will note, is NOT using a dotquad.

        Loren


Re: Adding SpamBouncer phishing data to ph.surbl.org

Posted by Jeff Chan <je...@surbl.org>.
On Sunday, July 31, 2005, 10:39:14 AM, Greg Allen wrote:
> People who do phishing are going to change their IP address (IP where the
> actual target/sucker is sent) frequently. They are also probably going to
> use random and ever changing computer IPs outside the US for obvious legal
> reasons. Maybe zombies even, who knows.

Yes, they're probably using some zombies.  Many phishes also use
fake domain names (like updatepaypals .com).  We list both domain
names and IPs in the SURBL phishing list. 

> Any domain names in a phishing email code are most likely going to be legit
> domain names such as, ebay.com, bankofamerica.com, southtrustbank.com etc..
> These are the domains visible to the target/sucker.

Yes, and we're whitelisting those legitimate sites, so they're
non-issues as far as false positives in SURBLs.

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/


RE: Adding SpamBouncer phishing data to ph.surbl.org

Posted by Greg Allen <sa...@floridacpu.com>.
I agree, we definitely need SURBL black lists. They have helped tremendously
against spam! I just feel that it would be chasing one's tail a bit to try
to catch phishing in SURBL.

People who do phishing are going to change their IP address (IP where the
actual target/sucker is sent) frequently. They are also probably going to
use random and ever changing computer IPs outside the US for obvious legal
reasons. Maybe zombies even, who knows.

Any domain names in a phishing email code are most likely going to be legit
domain names such as, ebay.com, bankofamerica.com, southtrustbank.com etc..
These are the domains visible to the target/sucker.

So it just seems to me that an antivirus program is better for detecting
HTML code patterns of these schemes rather than the IP address of the day/week
that they would be sending from in South Korea, Russia or China, etc. There
is a very simple ClamAV plugin that does this (see the SA Wiki). I am using
it on my SA system and it does the job of sending it on to my next
downstream systems marked as spam. I have more antivirus on downstream
systems that will delete real viruses as well since I just use ClamAV for
spam tagging for simplicity sake. (I don't want to put a ton of programs on
the computer to call SA, such as Amavis-new, etc., so that is why I do
this.)




>And by the way:  I REALLY appreciate your SURBL lists and hard
>work even if I think other tools supplement and help make your
>stuff even better.
>
>My security principles include (but are not limited to):
>
>	1) Stop as much as possible at the outer perimeter
>		(earlier the better)
>
>	2) Defense in depth
>
>For us, the virus scanning happens before the Spam tests;
>early is good.
>
>--
>Herb Martin




RE: Adding SpamBouncer phishing data to ph.surbl.org

Posted by Herb Martin <He...@learnquick.com>.
> ClamAV is designed to protect against viruses.  While their 
> anti-phishing function works well, phishes and spam are not 
> viruses.  They probably felt the need to do something because 
> the phishing threat is pretty serious, or can be if people 
> get tricked by them, but we've had a SURBL phishing list for 
> about a year:

> SURBLs are designed to check message body URIs, which is what 
> spammers and phishers are usually trying to direct victims 
> with, therefore our tool is a much better fit for the problem 
> than a virus tool, IMO.

Whatever works most reliably is the best.  (And that may be a
combination.)

In ClamAV's case, they have designed it to catch some proportion
of phish and an appeal to "ClamAV is designed..." to restrict it
to some limited category just doesn't pass muster -- it does what
it was designed to do -- catch (most) viruses and catch many phish.

Also, with a simple blacklist you don't have logic built in for
things like people mentioning the URIBL on a list like this, so
recourse to whitelists, and the program logic of SpamAssassin or
some other "meta evaluation" method.

Presumably -- now you have me interested so I am going to check
-- ClamAV does more than a naive pattern match on the URI and
apparently they even have (had) endless debates in the ClamAV
newsgroups/lists on this subject.

It's sort of like Tastes Great -- Less Filling.  Silly argument
when what we really want is great taste without getting fat.
<grin>  (Or pick one:  revolvers vs. automatics, Macs vs. PCs,
blonds vs. redheads, etc....)

Whatever works -- works.

And by the way:  I REALLY appreciate your SURBL lists and hard
work even if I think other tools supplement and help make your
stuff even better.

My security principles include (but are not limited to):

	1) Stop as much as possible at the outer perimeter
		(earlier the better)

	2) Defense in depth

For us, the virus scanning happens before the Spam tests;
early is good.

--
Herb Martin


Re: Adding SpamBouncer phishing data to ph.surbl.org

Posted by Jeff Chan <je...@surbl.org>.
On Saturday, July 30, 2005, 11:47:40 PM, Greg Allen wrote:
> It seems like this would be a hard thing to do by IPs. If you were to use
> Clamav and the Spamassassin hook (see wiki for it), you may get better near
> real-time phishing protection. That is what I do here anyway. I give Clamav
> a 100 score. That's my 2 cents anyway.

Not exactly sure what you mean by "by IPs".  SURBLs list whatever
appears in spam message body URI (host portions).  For most spams
those are domain names, but for many phishes, they're IP
addresses (i.e. http://1.2.3.4/).  If they have IPs in them, we
list the IPs.  If they have domain names, we list the domain names.

ClamAV is designed to protect against viruses.  While their
anti-phishing function works well, phishes and spam are not
viruses.  They probably felt the need to do something because
the phishing threat is pretty serious, or can be if people
get tricked by them, but we've had a SURBL phishing list for
about a year:

  http://www.surbl.org/lists.html#ph

SURBLs are designed to check message body URIs, which is
what spammers and phishers are usually trying to direct victims
with, therefore our tool is a much better fit for the problem
than a virus tool, IMO.

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/
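Jeff describes above what a SURBL actually keys on: the host portion of every URI in the message body, listed as a reversed IP when it is a dotquad and as a domain name otherwise, with legitimate brand sites whitelisted (his reply to Greg) and phish targets falling into three buckets, IPs, self-registered domains and hacked sites (his reply to Loren). The script below is an added example, not code from SURBL or from anyone on this thread, that walks a message body through that pipeline: it pulls the hosts out of the URIs, skips an assumed whitelist, and builds the DNS query label a client would look up in a zone such as ph.surbl.org. The sample body is constructed for the example (the two akamai/vup.hr URLs are the ones Loren quoted; the 1.2.3.4, evil.example and fake-paypal.foo links are made up), the WHITELIST set is an assumption rather than SURBL's real whitelist, and registered_domain() uses a deliberately simplified "last two labels" rule where real SURBL clients carry a list of two-level TLDs.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample body: the two URLs Loren quoted from his Wells Fargo
# phish plus three made-up links.  None of the made-up hosts are real.
SAMPLE_BODY = """\
<p><img src="http://a248.e.akamai.net/7/248/1856/6fbc90232ac38d/www.wellsfargo.com/img/eal_logo_gen.gif"></p>
<p>Dear Wells Fargo customer,</p>
<p> As you may already know, we at Wells Fargo guarantee your <a
href="http://aurum.vup.hr/%7Ewolf/cgi-bin/wellsfargo/signon/CONS&ERROR_CODE/index.htm">account</a>
<a href="http://1.2.3.4:8080/signon/index.htm">verify now</a>
<a href="http://www.paypal.com.evil.example/cgi-bin/webscr">PayPal</a>
<a href="HTTP://www.fake-paypal.foo/login">update</a>
"""

# Assumed whitelist of hosts legitimately referenced by phishes (brand
# sites, logo CDNs).  Illustrative only; SURBL keeps its own list.
WHITELIST = {"akamai.net", "wellsfargo.com", "ebay.com", "paypal.com"}

# http(s) URIs up to the next whitespace, quote or angle bracket.
URI_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def extract_hosts(body):
    """Distinct host portions of the http(s) URIs in the body, in order seen."""
    hosts = []
    for uri in URI_RE.findall(body):
        host = urlsplit(uri).hostname  # lowercased; port and userinfo stripped
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def is_ip(host):
    """True for a dotquad (category 1 in Jeff's list)."""
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False


def registered_domain(host):
    """Collapse a hostname to its registered domain.

    Simplification (assumption): keep the last two labels.  A real client
    needs a two-level TLD table so that foo.co.uk is not reduced to co.uk.
    """
    return ".".join(host.split(".")[-2:])


def surbl_query_name(host, zone="ph.surbl.org"):
    """DNS name a client looks up for this host: reversed octets for an IP,
    registered domain for a hostname, each followed by the zone."""
    if is_ip(host):
        return ".".join(reversed(host.split("."))) + "." + zone
    return registered_domain(host) + "." + zone


def classify_body(body, zone="ph.surbl.org", whitelist=WHITELIST):
    """Map each host in the body to ('whitelisted', None), ('ip', query)
    or ('domain', query).  A hacked site (category 3) yields the victim's
    registered domain, which is exactly why the whitelist matters."""
    result = {}
    for host in extract_hosts(body):
        if is_ip(host):
            result[host] = ("ip", surbl_query_name(host, zone))
        elif registered_domain(host) in whitelist:
            result[host] = ("whitelisted", None)
        else:
            result[host] = ("domain", surbl_query_name(host, zone))
    return result


if __name__ == "__main__":
    for host, (kind, query) in classify_body(SAMPLE_BODY).items():
        print(f"{host:32} {kind:12} {query or '-'}")
```

Two things the run makes visible that the thread argues about in prose: the akamai logo URL and the impersonated brand never reach the lookup because their registered domains are whitelisted, and the lookalike www.paypal.com.evil.example collapses to evil.example, so a phisher cannot hide behind a brand name in a subdomain. The script only builds the query names; wiring it to a resolver (a TXT or A lookup of the returned name) is the one step left out so it runs offline.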