Posted to users@spamassassin.apache.org by Alex <my...@gmail.com> on 2017/02/19 17:21:14 UTC

Google anti-phishing code project

Hi all, for some time I've been using the following Google code
project for a list of thousands of addresses used in phishing attacks:

https://code.google.com/archive/p/anti-phishing-email-reply/

It appears to no longer be active, as of some time yesterday. Anyone have
any idea if something has replaced it, or do you know of another
similar service?

Thanks,
Alex

Re: Google anti-phishing code project

Posted by Andrew <sk...@gmail.com>.
I've not come across these before. I, too, am interested in how to integrate
them into SA. Thanks.

On 20 February 2017 at 21:56, Alex <my...@gmail.com> wrote:

> Hi,
>
> On Mon, Feb 20, 2017 at 2:32 PM, Dianne Skoll <df...@roaringpenguin.com>
> wrote:
> > On Mon, 20 Feb 2017 14:21:08 -0500
> > Alex <my...@gmail.com> wrote:
> >
> >> Maybe we're using something different. This is the link I was using to
> >> download the phishing addresses until the other day, when it became a
> >> dead link:
> >
> >> https://aper.svn.sourceforge.net/svnroot/aper/phishing_reply_addresses
> >
> > That URL works for me.  However, I am currently pulling the SVN repo from
> > svn://svn.code.sf.net/p/aper/code (also can use
> http://svn.code.sf.net/p/aper/code)
> >
> > It looks like the list of addresses has not been updated since
> 2017-02-16, but
> > the list of phishing URLs has an entry dated 2017-02-20.
>
> It looks like the URL has just now become available again. Do you
> happen to know the script that can be used to convert the
> phishing_links file into SA rules in the same way as the
> phishing_reply_addresses are converted?
>
> Thanks,
> Alex
>
> >
> > Regards,
> >
> > Dianne.
>

Re: Google anti-phishing code project

Posted by Alex <my...@gmail.com>.
Hi,

On Mon, Feb 20, 2017 at 2:32 PM, Dianne Skoll <df...@roaringpenguin.com> wrote:
> On Mon, 20 Feb 2017 14:21:08 -0500
> Alex <my...@gmail.com> wrote:
>
>> Maybe we're using something different. This is the link I was using to
>> download the phishing addresses until the other day, when it became a
>> dead link:
>
>> https://aper.svn.sourceforge.net/svnroot/aper/phishing_reply_addresses
>
> That URL works for me.  However, I am currently pulling the SVN repo from
> svn://svn.code.sf.net/p/aper/code (also can use http://svn.code.sf.net/p/aper/code)
>
> It looks like the list of addresses has not been updated since 2017-02-16, but
> the list of phishing URLs has an entry dated 2017-02-20.

It looks like the URL has just now become available again. Do you
happen to know the script that can be used to convert the
phishing_links file into SA rules in the same way as the
phishing_reply_addresses are converted?

Thanks,
Alex
>
> Regards,
>
> Dianne.

Re: Google anti-phishing code project

Posted by Dianne Skoll <df...@roaringpenguin.com>.
On Mon, 20 Feb 2017 14:21:08 -0500
Alex <my...@gmail.com> wrote:

> Maybe we're using something different. This is the link I was using to
> download the phishing addresses until the other day, when it became a
> dead link:

> https://aper.svn.sourceforge.net/svnroot/aper/phishing_reply_addresses

That URL works for me.  However, I am currently pulling the SVN repo from
svn://svn.code.sf.net/p/aper/code (also can use http://svn.code.sf.net/p/aper/code)

It looks like the list of addresses has not been updated since 2017-02-16, but
the list of phishing URLs has an entry dated 2017-02-20.

Regards,

Dianne.

Re: Google anti-phishing code project

Posted by Alex <my...@gmail.com>.
On Mon, Feb 20, 2017 at 12:16 PM, Dianne Skoll <df...@roaringpenguin.com> wrote:
> On Sun, 19 Feb 2017 12:21:14 -0500
> Alex <my...@gmail.com> wrote:
>
>> https://code.google.com/archive/p/anti-phishing-email-reply/
>> It appears to no longer be active, as of some time yesterday.
>
> It's still active.  The most recent commit is dated today, and I still
> have commit privileges.

Maybe we're using something different. This is the link I was using to
download the phishing addresses until the other day, when it became a
dead link:

https://aper.svn.sourceforge.net/svnroot/aper/phishing_reply_addresses

Would you otherwise share the links you are using?

Thanks,
Alex

Re: Google anti-phishing code project

Posted by Dianne Skoll <df...@roaringpenguin.com>.
On Sun, 19 Feb 2017 12:21:14 -0500
Alex <my...@gmail.com> wrote:

> https://code.google.com/archive/p/anti-phishing-email-reply/
> It appears to no longer be active, as of some time yesterday.

It's still active.  The most recent commit is dated today, and I still
have commit privileges.

Regards,

Dianne.

Re: Google anti-phishing code project

Posted by Dianne Skoll <df...@roaringpenguin.com>.
On Fri, 24 Feb 2017 16:26:38 -0500
Alex <my...@gmail.com> wrote:

> We've actually had false-positives due to how the list is built into
> rules. In other words, "info@ca.com" is still on the list from 2011.
> They're also not bounded by default, so noinfo@ca.com and
> moreinfo@ca.com would also be caught, for example.

We use MIMEDefang's Perl integration, so we don't compile the list into
SA rules.  We use a database lookup instead, which does not suffer
from the partial-match problem, and we don't load anything older than 6
months into the database.

> How do you build the phishing URLs list into rules similar to how the
> addresses2spamassassin.pl does for the phishing emails?

Same idea; we do it in Perl integration code around SpamAssassin with
a database lookup.

Regards,

Dianne.

Re: Google anti-phishing code project

Posted by Alex <my...@gmail.com>.
Hi,

On Fri, Feb 24, 2017 at 1:24 PM, Dianne Skoll <df...@roaringpenguin.com> wrote:
> On Fri, 24 Feb 2017 18:07:50 +0000
> RW <rw...@googlemail.com> wrote:
>
>> > OK.  Any FPs, though?  That's the other half of the test.
>
>> No, but it's pretty unlikely there would be.
>
> Actually, it's very likely there will be a lot of FPs, but it's also
> very likely that any given user of the list won't see them.  That's
> because when someone's email address gets compromised and then the
> system administrator clears it up, the only recipients to suffer
> false-positives are those with whom the sender would normally
> correspond.
>
> We have seen a few of these cases happen.

We've actually had false-positives due to how the list is built into
rules. In other words, "info@ca.com" is still on the list from 2011.
They're also not bounded by default, so noinfo@ca.com and
moreinfo@ca.com would also be caught, for example.

>> It seems like a lot of hassle for little benefit.
>
> The APER doesn't catch all that much, nor do the known-phishing URLs catch
> much, but every little bit helps.

How do you build the phishing URLs list into rules similar to how the
addresses2spamassassin.pl does for the phishing emails?

> As a data point, one of our installations scanned 4 million messages
> yesterday.  Of those, only 262 hit our known-phishing URL list (which
> uses APER and additional sources) and 155 hit APER's known-phishing
> email address list.
>
> But maybe those few hundred were really worth stopping because they
> prevented phishing attacks.  Who knows?

The phishing_emails file builds almost 1100 meta rules. Is there a
point where it's too many and affects processing? I mean, of course
there's a point, but does 1100 plus all others approach that on any
reasonable system?
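As an added illustration (not the thread's addresses2spamassassin.pl, and written in Python rather than Perl), the following shows the two problems raised in the last two messages: expiring entries by their datestamp so that a 2011 address does not linger, and matching addresses bounded so that noinfo@ca.com does not hit a rule for info@ca.com. The three-field list layout address,code,YYYYMMDD and the sample lines are assumptions made for this example.

```python
import re
from datetime import date, timedelta

# Constructed sample list. The three-field layout address,code,YYYYMMDD is an
# assumption made for this example, not a copy of the real APER file.
SAMPLE_LIST = """\
# comment lines are skipped
info@ca.com,A,20110314
reply.me.now@example.net,A,20170216
old.mule@example.org,B,20090801
"""

def parse_stamp(stamp):
    """Turn a YYYYMMDD string into a date."""
    return date(int(stamp[:4]), int(stamp[4:6]), int(stamp[6:8]))

def load_list(text, today, max_age_days=90):
    """Return {address: datestamp}, dropping entries older than max_age_days.
    max_age_days=None keeps everything, as an unfiltered rule build does."""
    now, kept = parse_stamp(today), {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addr, _code, stamp = line.split(",")[:3]
        seen = parse_stamp(stamp)
        if max_age_days is None or now - seen <= timedelta(days=max_age_days):
            kept[addr.lower()] = seen
    return kept

def unbounded_hits(listed, header_value):
    """Plain substring test: the partial-match behaviour the thread describes."""
    return [a for a in listed if a in header_value.lower()]

def bounded_hits(listed, header_value):
    """Exact test against the address tokens found in the header."""
    tokens = set(re.findall(r"[\w.+-]+@[\w.-]+", header_value.lower()))
    return [a for a in listed if a in tokens]

def sa_rule(name, header, addr):
    """Emit one SpamAssassin header rule whose regex is anchored on both sides,
    so a rule for info@ca.com cannot fire on noinfo@ca.com."""
    esc = "".join(c if c.isalnum() else "\\" + c for c in addr)
    return f"header {name} {header} =~ /(?:^|[<\\s,]){esc}(?:$|[>\\s,])/i"

def rule_matches(rule, header_value):
    """Apply the rule's regex with Python re; this syntax is Perl-compatible."""
    pattern = rule.split(" =~ /", 1)[1].rsplit("/i", 1)[0]
    return re.search(pattern, header_value, re.IGNORECASE) is not None
```

Feeding the whole list through `sa_rule` gives one anchored header rule per address; the 90-day cutoff in `load_list` is the expiry Dianne suggests, and can be loosened to 6 months to mirror her database loader.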

Re: Google anti-phishing code project

Posted by Dianne Skoll <df...@roaringpenguin.com>.
On Fri, 24 Feb 2017 18:07:50 +0000
RW <rw...@googlemail.com> wrote:

> > OK.  Any FPs, though?  That's the other half of the test.

> No, but it's pretty unlikely there would be.

Actually, it's very likely there will be a lot of FPs, but it's also
very likely that any given user of the list won't see them.  That's
because when someone's email address gets compromised and then the
system administrator clears it up, the only recipients to suffer
false-positives are those with whom the sender would normally
correspond.

We have seen a few of these cases happen.

> It seems like a lot of hassle for little benefit.

The APER doesn't catch all that much, nor do the known-phishing URLs catch
much, but every little bit helps.

As a data point, one of our installations scanned 4 million messages
yesterday.  Of those, only 262 hit our known-phishing URL list (which
uses APER and additional sources) and 155 hit APER's known-phishing
email address list.

But maybe those few hundred were really worth stopping because they
prevented phishing attacks.  Who knows?

Regards,

Dianne.

Re: Google anti-phishing code project

Posted by RW <rw...@googlemail.com>.
On Wed, 22 Feb 2017 15:22:17 -0500
Dianne Skoll wrote:

> On Wed, 22 Feb 2017 20:14:33 +0000
> RW <rw...@googlemail.com> wrote:
> 
> > FWIW I ran that list against 3k spams received from late 2015
> > onwards. I got 2 hits on 2 separate addresses both timestamped with
> > 2012.
> 
> OK.  Any FPs, though?  That's the other half of the test.

No, but it's pretty unlikely there would be.

It seems like a lot of hassle for little benefit.

Re: Google anti-phishing code project

Posted by Dianne Skoll <df...@roaringpenguin.com>.
On Wed, 22 Feb 2017 20:14:33 +0000
RW <rw...@googlemail.com> wrote:

> FWIW I ran that list against 3k spams received from late 2015
> onwards. I got 2 hits on 2 separate addresses both timestamped with
> 2012.

OK.  Any FPs, though?  That's the other half of the test.

Regards,

Dianne.

Re: Google anti-phishing code project

Posted by RW <rw...@googlemail.com>.
On Wed, 22 Feb 2017 09:23:07 -0500
Dianne Skoll wrote:

> On Wed, 22 Feb 2017 08:45:07 +0000
> Vincent Fox <vb...@ucdavis.edu> wrote:
> 
> > Come on, look at the datestamps on the addresses in that list!
> > Plenty from 2009.  
> 
> The reason they datestamp the addresses is so that sites making use of
> the list can determine on their own when data is stale enough to
> ignore.
> 
> I do agree that they should auto-remove anything older than about 90
> days since some sites using the list probably ignore the datestamp.
> I will bring it up with the admins.

FWIW I ran that list against 3k spams received from late 2015
onwards. I got 2 hits on 2 separate addresses both timestamped with 2012.

Re: Google anti-phishing code project

Posted by Dianne Skoll <df...@roaringpenguin.com>.
On Wed, 22 Feb 2017 08:45:07 +0000
Vincent Fox <vb...@ucdavis.edu> wrote:

> Come on, look at the datestamps on the addresses in that list!
> Plenty from 2009.

The reason they datestamp the addresses is so that sites making use of
the list can determine on their own when data is stale enough to ignore.

I do agree that they should auto-remove anything older than about 90
days since some sites using the list probably ignore the datestamp.
I will bring it up with the admins.

Regards,

Dianne.

Re: Google anti-phishing code project

Posted by Vincent Fox <vb...@ucdavis.edu>.
Come on, look at the datestamps on the addresses in that list! Plenty from 2009. I only know of this project because a few compromised accounts from our campus were once listed there, and were rejected by other sites. I went through a tedious process of trying to find email addresses for the owners and get them removed. Any list with no auto-expiration policy and data so stale should not be considered. Black Hats today wear snowshoes and consider how many MINUTES they can operate before they start to get shut down, not years.

________________________________
From: Alex <my...@gmail.com>
Sent: Sunday, February 19, 2017 9:21:14 AM
To: SA Mailing list
Subject: Google anti-phishing code project

Hi all, for some time I've been using the following Google code
project for a list of thousands of addresses used in phishing attacks:

https://code.google.com/archive/p/anti-phishing-email-reply/

It appears to no longer be active, as of some time yesterday. Anyone have
any idea if something has replaced it, or do you know of another
similar service?

Thanks,
Alex