[SURBL-Discuss] RE: Adding SpamBouncer phishing data to ph.surbl.org

Catherine Hampton ariel at spambouncer.org
Mon Aug 1 00:26:34 CEST 2005


Hi, folks.  (And thanks to Jeff for the invite/push to join
the list.) <G>

> I agree, we definitely need SURBL black lists. They have helped tremendously
> against spam! I just feel that it would be chasing one's tail a bit to try
> to catch phishing in SURBL.

> People who do phishing are going to change their IP address (IP where the
> actual target/sucker is sent) frequently. They are also probably going to
> use random and ever changing computer IPs outside the US for obvious legal
> reasons. Maybe zombies even, who knows.

I read a lot of phishing emails and follow a lot of phishing IPs.
Phishers who use IPs do move around, but not quite as fast as you
seem to think.  I see significant numbers of phishes referring
to IPs that have been in phishing use for at least a month.  

> Any domain names in a phishing email code are most likely going to be legit
> domain names such as, ebay.com, bankofamerica.com, southtrustbank.com etc..
> These are the domains visible to the target/sucker.

Not the case, from what I've seen.  There are a bunch of phishers that
create "typosquat" domain names or other domains that look to an
ignorant or careless user like a legitimate part of a URL in an email
from their bank, and use them in phishes.  

Some phish URIs including phish domains I saw in today's "take" are:

PHISH URI                                    PHISH DOMAIN
-----------------------------------------------------------------------
bankofthewest.com.update-user7117.info       update-user7117.info
www.updatepaypals.com                        updatepaypals.com
bankofthewest.com.update-user5115.info       update-user5115.info
paypal.com.login-user2112.info               login-user2112.info
paypal.com.login-user5225.info               login-user5225.info
www.signin-ebay-update.com                   signin-ebay-update.com
etimebanker.tv                               etimebanker.tv

With many of the actual "Phish domains" I see (domains that clearly
exist for phishing and no other purpose), the hosting site is at
Hotmail or Yahoo.  Both are *slowly* coming up to speed in nuking
these domains, but they nonetheless usually remain active anywhere 
from a day to three or four days. :/  

There are two other common types of Phish URI: URIs containing a
legitimate domain, but on a host that has been trojaned/compromised/
0wn3D, and URIs at an IP.  

An example of a URL containing an IP I list as a Phish IP, seen in 
today's Phish take, is:

http://61.185.208.66/ebay/

If you open this URL, it is live and looks enough like a legitimate
eBay web page to fool people.  If you open the IP alone as a URL,
you get a blank screen.  RedHat Linux running Apache 2.0x, by the
way -- a lot of trojaned/compromised hosts are running Linux and
Apache, not Windoze and IIS, as much as we might prefer to think
otherwise. <sigh>

With a URL like this, before I list the IP itself, I do an rDNS
check on it.  If the rDNS comes up non-existent, as it does in this
case, or resolves to a host that clearly should not/does not
contain a real web server, I list it.  If it resolves to a host
that might contain a legitimate web server, I usually stop there
and list it, not in the Phish IPs list, but in the Phish URLs
list.  (Different list, one Jeff isn't using for SURBL.)

An example of a URL containing a host and domain that I do not list
as a Phish Domain, seen in today's Phish take, is:

http://paypal.uswebscr.com/usa/cgi-bin/webscr/login.php

If you open either http://paypal.uswebscr.com or http://www.uswebscr.com
in your browser, you see a placeholder web page.  This site is hosted
at Yahoo, but no content has been uploaded yet.  My guess is that the
domain belongs to someone other than the phisher, and that the phisher
has compromised the site, although I could be wrong about this.  For
that reason, I did not list uswebscr.com as a Phish Domain -- I listed
paypal.uswebscr.com as a Phish URL.

> So it just seems to me that an antivirus program is better for detecting
> HTML code pattern of these schemes rather than the IP address of the day/week
> that they would be sending from in South Korea, Russia or China, etc. There
> is a very simple ClamAV plugin that does this (see the SA Wiki). I am using
> it on my SA system and it does the job of sending it on to my next
> downstream systems marked as spam. I have more antivirus on downstream
> systems that will delete real viruses as well since I just use ClamAV for
> spam tagging for simplicity sake. (I don't want to put a ton of programs on
> the computer to call SA, such as Amavis-new, etc., so that is why I do
> this.)

Personally, I don't think an AV program should attempt to detect
anything other than a virus or trojan -- actual malicious code.
ClamAV's doing so has made it more than a bit of a nuisance for
some administrators, who found that complaints about phishes sent
to their abuse address were getting filtered by their AV program.

I don't think a SURBL is the right thing to catch all phishes,
or all spam in general. It is *definitely* the right thing to 
catch a significant number of them, however.  That's why I offered
to hand the data to Jeff.  (Heck, that means I'm automatically
updating the SpamBouncer directly on the servers of most of my
users, too -- SURBLs are enabled by default in SB.) <G>


-- 
Catherine Hampton <ariel at spambouncer.org>
The SpamBouncer         *     <http://www.spambouncer.org/>
Personal Home Page      *         <http://www.devsite.org/>
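An added example, not code from Catherine's post or from SpamBouncer: it takes the phish URIs quoted above, reduces each to the "phish domain" column of her table (or to the bare IP), builds the name a DNSBL client would look up in ph.surbl.org, and applies the listing decision she describes (no rDNS, or rDNS on a host that should not run a web server, lists the IP; a brand name only in a subdomain under someone else's domain lists the URL, not the domain). The lure-word list, the rDNS hint words, the tiny public-suffix set and the zone name are assumptions made for the example; the real SpamBouncer logic is not on the page.

```python
"""Added example (not SpamBouncer code): turn phish URIs into the names a
SURBL client would query, and apply the listing decision the post describes.
Everything marked 'assumed' is a guess made for this example."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample: the URIs quoted in the post.
SAMPLE_URIS = [
    "bankofthewest.com.update-user7117.info",
    "www.updatepaypals.com",
    "paypal.com.login-user2112.info",
    "www.signin-ebay-update.com",
    "etimebanker.tv",
    "http://61.185.208.66/ebay/",
    "http://paypal.uswebscr.com/usa/cgi-bin/webscr/login.php",
]

# Assumed: a tiny stand-in for the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "com.cn", "co.jp"}
# Assumed: words that mark a domain as built for the lure (not from the post).
LURE_WORDS = ("paypal", "ebay", "bankofthewest", "signin", "login", "update")
# Assumed: rDNS fragments suggesting a host that should not run a real web server.
NO_WEBSERVER_HINTS = ("dsl", "dyn", "dhcp", "cable", "ppp", "pool", "dial")


def host_of(uri):
    """Hostname part of a URI; bare hostnames (as in the post's table) are accepted."""
    if "://" not in uri:
        uri = "http://" + uri
    return (urlsplit(uri).hostname or "").lower().rstrip(".")


def is_ipv4(host):
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host):
    """The 'phish domain' column of the post: the registered name under the public suffix."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def surbl_query_name(host, zone="ph.surbl.org"):
    """DNSBL query name: reversed octets for an IP, registrable domain otherwise."""
    if is_ipv4(host):
        return ".".join(reversed(host.split("."))) + "." + zone
    return registrable_domain(host) + "." + zone


def reverse_dns(ip):
    """PTR lookup; None when no record exists (needs network access)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror / gaierror / timeout are all OSError
        return None


def classify(uri, rdns=None):
    """Return (list, entry) following the post's procedure.
    IP host: no rDNS, or rDNS of a host that should not serve web -> 'phish-ip';
    otherwise 'phish-url'.  Name host: lure word in the registrable domain ->
    'phish-domain'; lure word only in a subdomain label (the uswebscr.com case)
    -> 'phish-url'; anything else is left for a human ('review')."""
    host = host_of(uri)
    if is_ipv4(host):
        if rdns is None or any(h in rdns.lower() for h in NO_WEBSERVER_HINTS):
            return ("phish-ip", host)
        return ("phish-url", uri)
    dom = registrable_domain(host)
    sub = host[: -len(dom)].rstrip(".") if host != dom else ""
    if any(w in dom for w in LURE_WORDS):
        return ("phish-domain", dom)
    if any(w in sub for w in LURE_WORDS):
        return ("phish-url", uri)
    return ("review", dom)


if __name__ == "__main__":
    for u in SAMPLE_URIS:
        h = host_of(u)
        # rDNS only matters for IP hosts; pass None here to stay offline.
        print(f"{u:<60} {surbl_query_name(h):<45} {classify(u)}")
```

To run the rDNS step for real, replace `classify(u)` with `classify(u, reverse_dns(h))` for IP hosts; the hint-word test is deliberately crude and is the part a human reviewer would still want to see before anything reaches a published list.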

