Hi, folks. (And thanks to Jeff for the invite/push to join the list.) <G>
I agree, we definitely need SURBL black lists. They have helped tremendously against spam! I just feel that it would be chasing one's tail a bit to try to catch phishing in SURBL.
People who do phishing are going to change their IP address (IP where the actual target/sucker is sent) frequently. They are also probably going to use random and ever changing computer IPs outside the US for obvious legal reasons. Maybe zombies even, who knows.
I read a lot of phishing emails and follow a lot of phishing IPs. Phishers who use IPs do move around, but not quite as fast as you seem to think. I see significant numbers of phishes referring to IPs that have been in phishing use for at least a month.
Any domain names in a phishing email code are most likely going to be legit domain names such as ebay.com, bankofamerica.com, southtrustbank.com, etc. These are the domains visible to the target/sucker.
Not the case, from what I've seen. There are a bunch of phishers that create "typosquat" domain names or other domains that look to an ignorant or careless user like a legitimate part of a URL in an email from their bank, and use them in phishes.
Some phish URIs including phish domains I saw in today's "take" are:
PHISH URI                                  PHISH DOMAIN
------------------------------------------ ----------------------
bankofthewest.com.update-user7117.info     update-user7117.info
www.updatepaypals.com                      updatepaypals.com
bankofthewest.com.update-user5115.info     update-user5115.info
paypal.com.login-user2112.info             login-user2112.info
paypal.com.login-user5225.info             login-user5225.info
www.signin-ebay-update.com                 signin-ebay-update.com
etimebanker.tv                             etimebanker.tv
With many of the actual "Phish domains" I see (domains that clearly exist for phishing and no other purpose), the hosting site is at Hotmail or Yahoo. Both are *slowly* coming up to speed in nuking these domains, but they nonetheless usually remain active anywhere from a day to three or four days. :/
There are two other common types of Phish URI: URIs containing a legitimate domain, but on a host that has been trojaned/compromised/0wn3D, and URIs at an IP.
An example of a URL containing an IP I list as a Phish IP, seen in today's Phish take, is:
If you open this URL, it is live and looks enough like a legitimate eBay web page to fool people. If you open the IP alone as a URL, you get a blank screen. RedHat Linux running Apache 2.0x, by the way -- a lot of trojaned/compromised hosts are running Linux and Apache, not Windoze and IIS, as much as we might prefer to think otherwise. <sigh>
With a URL like this, before I list the IP itself, I do an rDNS check on it. If the rDNS comes up non-existent, as it does in this case, or resolves to a host that clearly should not/does not contain a real web server, I list it. If it resolves to a host that might contain a legitimate web server, I usually stop there and list it, not in the Phish IPs list, but in the Phish URLs list. (Different list, one Jeff isn't using for SURBL.)
An example of a URL containing a host and domain that I do not list as a Phish Domain, seen in today's Phish take, is:
http://paypal.uswebscr.com/usa/cgi-bin/webscr/login.php
If you open either http://paypal.uswebscr.com or http://www.uswebscr.com in your browser, you see a placeholder web page. This site is hosted at Yahoo, but no content has been uploaded yet. My guess is that the domain belongs to someone other than the phisher, and that the phisher has compromised the site, although I could be wrong about this. For that reason, I did not list uswebscr.com as a Phish Domain -- I listed paypal.uswebscr.com as a Phish URL.
So it just seems to me that an antivirus program is better for detecting the HTML code pattern of these schemes rather than the IP address of the day/week that they would be sending from in South Korea, Russia or China, etc. There is a very simple ClamAV plugin that does this (see the SA Wiki). I am using it on my SA system and it does the job of sending it on to my next downstream systems marked as spam. I have more antivirus on downstream systems that will delete real viruses as well, since I just use ClamAV for spam tagging for simplicity's sake. (I don't want to put a ton of programs on the computer to call SA, such as Amavis-new, etc., so that is why I do this.)
Personally, I don't think an AV program should attempt to detect anything other than a virus or trojan -- actual malicious code. ClamAV's doing so has made it more than a bit of a nuisance for some administrators, who found that complaints about phishes sent to their abuse address were getting filtered by their AV program.
I don't think a SURBL is the right thing to catch all phishes, or all spam in general. It is *definitely* the right thing to catch a significant number of them, however. That's why I offered to hand the data to Jeff. (Heck, that means I'm automatically updating the SpamBouncer directly on the servers of most of my users, too -- SURBLs are enabled by default in SB.) <G>
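The triage described in this message (an rDNS check before listing an IP, and listing either the domain or only the URL for hostnames), written up as an added Python example that is not part of the original post or of the SpamBouncer/SURBL code. The bait-word and dynamic-PTR token lists are assumed heuristics, the rDNS lookup is injected so the code runs offline, and the 192.0.2.x addresses and PTR names are constructed test data.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed heuristic lists (not from the post): tokens that mark a domain as
# existing only for phishing, and PTR tokens that mark a consumer/dynamic host.
BAIT_TOKENS = ("update", "login", "signin", "paypal", "ebay")
DYNAMIC_PTR_TOKENS = ("dsl", "dial", "dyn", "pool", "cable", "ppp")


def registered_domain(host):
    """Last two labels of a hostname (simplified; ignores suffixes like co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(uri, rdns):
    """Return (list_name, value) following the triage in the post.

    rdns(ip) returns the PTR name or None; it is injected so this runs offline.
    """
    host = urlsplit(uri).hostname or ""
    if is_ip(host):
        ptr = rdns(host)
        # No rDNS, or rDNS naming a dynamic/consumer host: list the IP itself.
        if ptr is None or any(t in ptr.lower() for t in DYNAMIC_PTR_TOKENS):
            return ("phish_ips", host)
        return ("phish_urls", uri)        # might be a real web server: list only the URL
    dom = registered_domain(host)
    if any(t in dom for t in BAIT_TOKENS):
        return ("phish_domains", dom)    # domain exists for phishing and nothing else
    return ("phish_urls", uri)           # possibly a compromised legit site: list the URL


# Constructed PTR table standing in for live rDNS lookups (TEST-NET addresses).
FAKE_PTR = {
    "192.0.2.10": None,
    "192.0.2.20": "pool-192-0-2-20.dsl.example.net",
    "192.0.2.30": "web1.example.org",
}


def fake_rdns(ip):
    return FAKE_PTR.get(ip)
```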