Catherine Hampton of SpamBouncer (welcome to the SURBL Discuss list Catherine!) is kindly making available her carefully checked phishing domains and IPs for our inclusion in the SURBL phishing list. They're not currently added to ph.surbl.org, but the hooks are in place to make it live after some discussion here.
Catherine's data come from antiphishing.org plus her own trapped phishes. All are hand checked about once a day. When I reviewed a recent snapshot of the data:
http://www.spambouncer.org/dist/standalone/phishdata/current.txt
I found that 124 of the 193 domains were already listed on various SURBLs. The other new 69 looked quite phishy and probably ok to list.
For the IPs, we had 22 of the 74 listed, and I'll assume the others are probably zombies, etc. as Catherine suggested. Generally speaking there's little harm in listing IPs since most legitimate sites don't get referenced by IP, so there's good upside and little downside for listing them.
Please take a look at the data for yourself and comment.
Regarding expiring the data, Catherine told me:
I expire "Phish IP" listings every month. Phishers move around a LOT, probably because most of the IPs are on compromised or trojaned hosts and tend to get fixed within a couple of weeks.
I don't expire Phish domains formally right now, although eventually I plan to run them through regular "has this domain expired and not been renewed" checks. Since I only list domains designed specifically for phishing and used only by phishers as "Phish domains", they aren't likely to be used for anything else. (Domains like paypalll.com don't seem to have much legitimate use to me.)
which sound like reasonable policies to me.
Does anyone have comments on adding these to the PH list?
Am I forgetting anything Catherine? :-)
Jeff C.
--
Don't harm innocent bystanders.
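The triage and expiry policy discussed in this message, as an added example that is not SURBL or SpamBouncer code: it splits a feed into entries already listed, new entries, and "Phish IP" entries past the monthly expiry, while domains never age out. The `(entry, first_seen)` feed shape, the 30-day reading of "every month", and all sample values (reserved documentation ranges and `.test` names) are assumptions.

```python
import ipaddress
from datetime import date, timedelta

IP_TTL = timedelta(days=30)  # assumption: "every month" modelled as 30 days


def is_ip(entry):
    """True if the entry is an IP literal rather than a domain name."""
    try:
        ipaddress.ip_address(entry)
        return True
    except ValueError:
        return False


def triage_feed(feed, already_listed, today):
    """Classify (entry, first_seen) pairs as known, new, or expired.

    Only IP entries expire; phishing domains are kept regardless of age.
    """
    result = {"known": [], "new": [], "expired": []}
    seen = set()
    for raw, first_seen in feed:
        entry = raw.strip().lower().rstrip(".")  # normalise case and trailing dot
        if not entry or entry in seen:
            continue  # skip blanks and duplicates within the feed
        seen.add(entry)
        if is_ip(entry) and today - first_seen > IP_TTL:
            result["expired"].append(entry)
        elif entry in already_listed:
            result["known"].append(entry)
        else:
            result["new"].append(entry)
    return result


# Constructed sample data, not taken from the real feed.
SAMPLE_FEED = [
    ("phish-example.test", date(2005, 1, 3)),
    ("Login-Example.TEST.", date(2004, 11, 1)),   # old domain: still kept
    ("192.0.2.10", date(2005, 1, 20)),            # recent IP: kept
    ("192.0.2.77", date(2004, 12, 1)),            # IP older than 30 days
    ("198.51.100.5", date(2005, 1, 25)),
    ("phish-example.test", date(2005, 1, 4)),     # duplicate
]
ALREADY_LISTED = {"phish-example.test", "198.51.100.5"}

if __name__ == "__main__":
    print(triage_feed(SAMPLE_FEED, ALREADY_LISTED, date(2005, 2, 1)))
```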