I agree, we definitely need SURBL black lists. They have helped tremendously against spam! I just feel that it would be chasing one's tail a bit to try to catch phishing in SURBL.
People who do phishing are going to change their IP address (IP where the actual target/sucker is sent) frequently. They are also probably going to use random and ever changing computer IPs outside the US for obvious legal reasons. Maybe zombies even, who knows.
Any domain names in a phishing email code are most likely going to be legit domain names such as ebay.com, bankofamerica.com, southtrustbank.com, etc. These are the domains visible to the target/sucker.
So it just seems to me that an antivirus program is better for detecting the HTML code pattern of these schemes rather than the IP address of the day/week that they would be sending from in South Korea, Russia or China, etc. There is a very simple ClamAV plugin that does this (see the SA Wiki). I am using it on my SA system and it does the job of sending it on to my next downstream systems marked as spam. I have more antivirus on downstream systems that will delete real viruses as well since I just use ClamAV for spam tagging for simplicity's sake. (I don't want to put a ton of programs on the computer to call SA, such as Amavis-new, etc., so that is why I do this.)
And by the way: I REALLY appreciate your SURBL lists and hard work even if I think other tools supplement and help make your stuff even better.
My security principles include (but are not limited to):
Stop as much as possible at the outer perimeter (earlier the better)
Defense in depth
For us, the virus scanning happens before the Spam tests; early is good.
-- Herb Martin
Hi, folks. (And thanks to Jeff for the invite/push to join the list.) <G>
I agree, we definitely need SURBL black lists. They have helped tremendously against spam! I just feel that it would be chasing one's tail a bit to try to catch phishing in SURBL.
People who do phishing are going to change their IP address (IP where the actual target/sucker is sent) frequently. They are also probably going to use random and ever changing computer IPs outside the US for obvious legal reasons. Maybe zombies even, who knows.
I read a lot of phishing emails and follow a lot of phishing IPs. Phishers who use IPs do move around, but not quite as fast as you seem to think. I see significant numbers of phishes referring to IPs that have been in phishing use for at least a month.
Any domain names in a phishing email code are most likely going to be legit domain names such as ebay.com, bankofamerica.com, southtrustbank.com, etc. These are the domains visible to the target/sucker.
Not the case, from what I've seen. There are a bunch of phishers that create "typosquat" domain names or other domains that look to an ignorant or careless user like a legitimate part of a URL in an email from their bank, and use them in phishes.
Some phish URIs including phish domains I saw in today's "take" are:
PHISH URI                                  PHISH DOMAIN
-----------------------------------------------------------------------
bankofthewest.com.update-user7117.info     update-user7117.info
www.updatepaypals.com                      updatepaypals.com
bankofthewest.com.update-user5115.info     update-user5115.info
paypal.com.login-user2112.info             login-user2112.info
paypal.com.login-user5225.info             login-user5225.info
www.signin-ebay-update.com                 signin-ebay-update.com
etimebanker.tv                             etimebanker.tv
With many of the actual "Phish domains" I see (domains that clearly exist for phishing and no other purpose), the hosting site is at Hotmail or Yahoo. Both are *slowly* coming up to speed in nuking these domains, but they nonetheless usually remain active anywhere from a day to three or four days. :/
There are two other common types of Phish URI: URIs containing a legitimate domain, but on a host that has been trojaned/compromised/0wn3D, and URIs at an IP.
An example of a URL containing an IP I list as a Phish IP, seen in today's Phish take, is:
If you open this URL, it is live and looks enough like a legitimate eBay web page to fool people. If you open the IP alone as a URL, you get a blank screen. RedHat Linux running Apache 2.0x, by the way -- a lot of trojaned/compromised hosts are running Linux and Apache, not Windoze and IIS, as much as we might prefer to think otherwise. <sigh>
With a URL like this, before I list the IP itself, I do an rDNS check on it. If the rDNS comes up non-existent, as it does in this case, or resolves to a host that clearly should not/does not contain a real web server, I list it. If it resolves to a host that might contain a legitimate web server, I usually stop there and list it, not in the Phish IPs list, but in the Phish URLs list. (Different list, one Jeff isn't using for SURBL.)
An example of a URL containing a host and domain that I do not list as a Phish Domain, seen in today's Phish take, is:
http://paypal.uswebscr.com/usa/cgi-bin/webscr/login.php
If you open either http://paypal.uswebscr.com or http://www.uswebscr.com in your browser, you see a placeholder web page. This site is hosted at Yahoo, but no content has been uploaded yet. My guess is that the domain belongs to someone other than the phisher, and that the phisher has compromised the site, although I could be wrong about this. For that reason, I did not list uswebscr.com as a Phish Domain -- I listed paypal.uswebscr.com as a Phish URL.
So it just seems to me that an antivirus program is better for detecting the HTML code pattern of these schemes rather than the IP address of the day/week that they would be sending from in South Korea, Russia or China, etc. There is a very simple ClamAV plugin that does this (see the SA Wiki). I am using it on my SA system and it does the job of sending it on to my next downstream systems marked as spam. I have more antivirus on downstream systems that will delete real viruses as well since I just use ClamAV for spam tagging for simplicity's sake. (I don't want to put a ton of programs on the computer to call SA, such as Amavis-new, etc., so that is why I do this.)
Personally, I don't think an AV program should attempt to detect anything other than a virus or trojan -- actual malicious code. ClamAV's doing so has made it more than a bit of a nuisance for some administrators, who found that complaints about phishes sent to their abuse address were getting filtered by their AV program.
I don't think a SURBL is the right thing to catch all phishes, or all spam in general. It is *definitely* the right thing to catch a significant number of them, however. That's why I offered to hand the data to Jeff. (Heck, that means I'm automatically updating the SpamBouncer directly on the servers of most of my users, too -- SURBLs are enabled by default in SB.) <G>
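The URI sorting and the rDNS triage described in the message above, as an added example in Python. This is not code from the thread, from SpamBouncer or from SURBL; the sample message body is constructed, and the suffix table, the lure-word list, the dynamic-rDNS pattern and the kind names are my assumptions. The live reverse lookup is only used if you call it yourself.

```python
import ipaddress
import re
import socket
from typing import Callable, List, Optional, Tuple

# Constructed sample body (not one of the phishes quoted in the thread).
SAMPLE_BODY = """
Dear member, confirm your account at
http://bankofthewest.com.update-user7117.info/verify/
or http://www.signin-ebay-update.com/cgi-bin/ws/
Our secure server: http://192.0.2.10/ebay/signin.php
Alternate: http://paypal.uswebscr.com/usa/cgi-bin/webscr/login.php
Questions? Visit http://www.bankofamerica.com/
"""

URL_RE = re.compile(r"https?://([^\s/\"'<>]+)", re.IGNORECASE)

# Assumption: a stub of the public suffixes that need three labels for a
# registrable domain; real deployments use a maintained suffix list.
THREE_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}

# Legitimate phish targets named in the thread (whitelisted on the SURBL side).
LEGIT_TARGETS = {"ebay.com", "paypal.com", "bankofamerica.com", "bankofthewest.com"}

# Assumption: lure words from the table above plus a few obvious relatives. A
# throwaway domain built from one is the "exists only for phishing" case.
LURE_WORDS = {"update", "login", "signin", "verify", "secure", "confirm"}

# Assumption: rDNS labels marking a consumer access line, i.e. a host that
# should not be running a real web server.
DYNAMIC_RDNS = re.compile(
    r"(^|[.-])(dsl|adsl|cable|dial|dialup|dyn|dynamic|pool|ppp|dhcp)\d*([.-]|$)")


def hostnames(body: str) -> List[str]:
    """Pull the host out of every http(s) URL, dropping user:pass@ and :port."""
    hosts = []
    for m in URL_RE.finditer(body):
        host = m.group(1).rsplit("@", 1)[-1].split(":", 1)[0]
        hosts.append(host.lower().rstrip("."))
    return hosts


def registrable_domain(host: str) -> str:
    """Reduce a hostname to what a registrar hands out (the PHISH DOMAIN column)."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in THREE_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(host: str) -> Tuple[str, str]:
    """Return (kind, key) for a URI host:
    'ip'           -> hand to triage_ip()
    'legit'        -> whitelisted target, never listed
    'phish-domain' -> the registrable domain is itself the lure; list the domain
    'phish-url'    -> a brand as a label under somebody else's domain, possibly
                      a compromised site; list only the full host
    'domain'       -> nothing automatic to say; a human looks at it
    """
    try:
        ipaddress.IPv4Address(host)
        return ("ip", host)
    except ValueError:
        pass
    dom = registrable_domain(host)
    if dom in LEGIT_TARGETS:
        return ("legit", dom)
    brands = {t.split(".")[0] for t in LEGIT_TARGETS}
    dom_label = dom.split(".")[0]
    if any(b in dom_label for b in brands) or any(w in dom_label for w in LURE_WORDS):
        return ("phish-domain", dom)
    if any(b in host[: len(host) - len(dom)] for b in brands):
        return ("phish-url", host)
    return ("domain", dom)


def triage_ip(ip: str, rdns: Callable[[str], Optional[str]]) -> str:
    """The rule from the post: no rDNS, or rDNS that cannot be a real web
    server, goes on the Phish IPs list; anything that might host a legitimate
    site goes on the Phish URLs list instead."""
    name = rdns(ip)
    if name is None or DYNAMIC_RDNS.search(name.lower()):
        return "phish-ips"
    return "phish-urls"


def rdns_live(ip: str) -> Optional[str]:
    """Real reverse lookup, for running the scan outside the offline test."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def scan(body: str, rdns: Callable[[str], Optional[str]]) -> List[Tuple[str, str, str]]:
    """(host, kind, key) for every URL in the body, with IPs triaged via rDNS."""
    out = []
    for host in hostnames(body):
        kind, key = classify(host)
        if kind == "ip":
            kind = "ip/" + triage_ip(host, rdns)
        out.append((host, kind, key))
    return out
```

Run `scan(SAMPLE_BODY, rdns_live)` to see the triage against real reverse DNS; pass a stub resolver instead to keep it offline. The 'domain' kind is deliberate: a name like etimebanker.tv carries no brand or lure word, and the post's own practice is that such a domain gets listed only after a person has looked at the site.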
Most antivirus companies appear to disagree with you for now. At this point in time it is a competitive thing. They do it or they will not survive. My McAfee saw your example ebay page as a Trojan "js/cardsteeler".
This has been a debate for some time and the antivirus companies have decided the debate. Can you look at it with SURBL also? Sure, but I am just saying it is a lot of effort to add these disposable IP addresses into any database. Who goes back and cleans up these databases 2 years from now when maybe a real user gets one? It's your system, I am just giving you my perspective, which could of course be wrong or...right. Time will tell.
Personally, I don't think an AV program should attempt to detect anything other than a virus or trojan -- actual malicious code. ClamAV's doing so has made it more than a bit of a nuisance for some administrators, who found that complaints about phishes sent to their abuse address were getting filtered by their AV program.
Most antivirus companies appear to disagree with you for now. At this point in time it is a competitive thing. They do it or they will not survive. My McAfee saw your example ebay page as a Trojan "js/cardsteeler".
<nod> That one did have a javascript on it. I missed that because I don't check for it; JS doesn't run on the browsers I normally use unless I explicitly allow it on a particular site.
Most AV companies follow what each other do. Unfortunately, in this case -- they're making their products less useful to many of us. :/
This has been a debate for some time and the antivirus companies have decided the debate. Can you look at it with SURBL also? Sure, but I am just saying it is a lot of effort to add these disposable IP addresses into any database. Who goes back and cleans up these databases 2 years from now when maybe a real user gets one? It's your system, I am just giving you my perspective, which could of course be wrong or...right. Time will tell.
I'm adding the IPs to SpamBouncer anyway; it isn't any more work to add them to SURBL. Since I expire them by default in a month, unless they still appear, and since Jeff is expiring anything he gets from me on the same schedule I do, nobody needs to go back and clean up the database -- in two years or any other time. So I don't see any disadvantage here, especially since a number of decent AVs still aren't listing phish URLs as viruses/dangerous content.
On Sunday, July 31, 2005, 6:52:44 PM, Catherine Hampton wrote: (Greg Allen wrote:)
This has been a debate for some time and the antivirus companies have decided the debate. Can you look at it with SURBL also? Sure, but I am just saying it is a lot of effort to add these disposable IP addresses into any database. Who goes back and cleans up these databases 2 years from now when maybe a real user gets one? It's your system, I am just giving you my perspective, which could of course be wrong or...right. Time will tell.
I'm adding the IPs to SpamBouncer anyway; it isn't any more work to add them to SURBL. Since I expire them by default in a month, unless they still appear, and since Jeff is expiring anything he gets from me on the same schedule I do, nobody needs to go back and clean up the database -- in two years or any other time. So I don't see any disadvantage here, especially since a number of decent AVs still aren't listing phish URLs as viruses/dangerous content.
Actually I'm not expiring them, so it's good that you are.
But the key thing is that as long as they keep appearing in live spams/phishes we can keep listing them. After they've been inactive for a while it makes sense to delist them. We can always add them back on if they start appearing again.
It is a valid concern that Greg makes about the sizes of lists. The same question comes up for any blacklist; they can't keep adding records indefinitely. Inactive ones need to get purged to keep the sizes reasonable.
But in practical terms, RBL-type lists can grow to at least a few million records before they become impractical if the name servers are using rbldnsd. Right now multi.surbl.org, the combined SURBL list has about 150k records. sbl.spamhaus.org has about 5k records. xbl.spamhaus.org has about 2 million records. So SURBLs are not running up against size limits any time soon.
Jeff C. -- Don't harm innocent bystanders.
I'm adding the IPs to SpamBouncer anyway; it isn't any more work to add them to SURBL. Since I expire them by default in a month, unless they still appear, and since Jeff is expiring anything he gets from me on the same schedule I do, nobody needs to go back and clean up the database -- in two years or any other time. So I don't see any disadvantage here, especially since a number of decent AVs still aren't listing phish URLs as viruses/dangerous content.
Actually I'm not expiring them, so it's good that you are.
<nod> As I understood it, you were going to expire anything I removed from the list.... Or are you just expiring anything that's more than a certain number of days/weeks/months old, and then just updating the list date based on when it last appears in my list of data? Either way should work fine....
Based on a discussion with Paul, I think we shouldn't expire actual "Phish domains" very fast because, apparently, some phishers re-register these domains if they're deregistered by the registrar. In other words, some of them reappear. :/ My first thoughts on this are that, since these domains are generally typosquatted/deliberately similar to a legitimate domain owned by a phish target, or deliberately mimic elements in the URLs in a phish target's legitimate email, it's unlikely that keeping them listed will hit an innocent bystander. These domains don't seem to have any legitimate uses.
But I'm open to persuasion otherwise. :)
But the key thing is that as long as they keep appearing in live spams/phishes we can keep listing them. After they've been inactive for a while it makes sense to delist them. We can always add them back on if they start appearing again.
<nod> Makes sense.
It is a valid concern that Greg makes about the sizes of lists. The same question comes up for any blacklist; they can't keep adding records indefinitely. Inactive ones need to get purged to keep the sizes reasonable.
But in practical terms, RBL-type lists can grow to at least a few million records before they become impractical if the name servers are using rbldnsd. Right now multi.surbl.org, the combined SURBL list has about 150k records. sbl.spamhaus.org has about 5k records. xbl.spamhaus.org has about 2 million records. So SURBLs are not running up against size limits any time soon.
Thanks -- that is useful information. :)
On Monday, August 1, 2005, 11:35:13 AM, Catherine Hampton wrote:
I'm adding the IPs to SpamBouncer anyway; it isn't any more work to add them to SURBL. Since I expire them by default in a month, unless they still appear, and since Jeff is expiring anything he gets from me on the same schedule I do, nobody needs to go back and clean up the database -- in two years or any other time. So I don't see any disadvantage here, especially since a number of decent AVs still aren't listing phish URLs as viruses/dangerous content.
Actually I'm not expiring them, so it's good that you are.
<nod> As I understood it, you were going to expire anything I removed from the list.... Or are you just expiring anything that's more than a certain number of days/weeks/months old, and then just updating the list date based on when it last appears in my list of data? Either way should work fine....
Actually I'm just using your list. Whatever is in it gets added to ph.surbl.org. If it comes out of your list (and the other sources) then it's no longer on ph.surbl.org. There is no formal expiration procedure.
I should ask the other data sources to expire their data on their end also so that the list does not grow indefinitely with old data.
Based on a discussion with Paul, I think we shouldn't expire actual "Phish domains" very fast because, apparently, some phishers re-register these domains if they're deregistered by the registrar. In other words, some of them reappear. :/ My first thoughts on this are that, since these domains are generally typosquatted/deliberately similar to a legitimate domain owned by a phish target, or deliberately mimic elements in the URLs in a phish target's legitimate email, it's unlikely that keeping them listed will hit an innocent bystander. These domains don't seem to have any legitimate uses.
Agreed.
Consider expiring spam domains after 1 year perhaps, since spammers often don't renew them. Most spammers seem to only use a domain for a few weeks. The ones that get re-used just before the registrations expire may be somewhat unusual.
Jeff C. -- Don't harm innocent bystanders.
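The expiry policy the two messages above settle on (a 30-day clock for IPs and URLs that resets whenever an entry is seen again, a much longer one for the typosquat domains, and relisting on reappearance), as an added example in Python. It is not SpamBouncer's or SURBL's code; the retention figures come from the thread, but treating them as per-kind constants and the three kind names are my assumptions, and the sample sightings are constructed.

```python
from datetime import date
from typing import Dict, Iterable, List, Tuple

# Retention per entry kind, in days. 30 for IPs and URLs is the figure stated
# above; 365 for domains follows the "expire after 1 year" suggestion. These
# are policy knobs, not facts about the lists (assumption).
TTL_DAYS: Dict[str, int] = {"ip": 30, "url": 30, "domain": 365}

Entry = Tuple[str, str]  # (kind, key)


class PhishList:
    """Last-seen tracking for a feed that is merged into a DNS list."""

    def __init__(self) -> None:
        self._last_seen: Dict[Entry, date] = {}

    def observe(self, kind: str, key: str, seen_on: date) -> None:
        """Record a sighting. Seeing an entry again resets its clock; an entry
        that was purged simply comes back the next time it is seen. An older
        sighting arriving late never rolls the clock backwards."""
        if kind not in TTL_DAYS:
            raise ValueError("unknown entry kind: %s" % kind)
        entry = (kind, key.lower())
        prev = self._last_seen.get(entry)
        if prev is None or seen_on > prev:
            self._last_seen[entry] = seen_on

    def ingest(self, feed: Iterable[Entry], seen_on: date) -> None:
        """Whatever is in a source's list today counts as seen today."""
        for kind, key in feed:
            self.observe(kind, key, seen_on)

    def is_active(self, kind: str, key: str, today: date) -> bool:
        last = self._last_seen.get((kind, key.lower()))
        return last is not None and (today - last).days < TTL_DAYS[kind]

    def active(self, today: date) -> List[Entry]:
        """Entries that still belong in the published list."""
        return sorted(e for e in self._last_seen if self.is_active(e[0], e[1], today))

    def purge(self, today: date) -> List[Entry]:
        """Drop expired entries so the store does not grow without bound.
        Returns what was removed."""
        expired = sorted(e for e in self._last_seen if not self.is_active(e[0], e[1], today))
        for e in expired:
            del self._last_seen[e]
        return expired


def demo() -> List[Entry]:
    """Constructed sightings: an IP seen in July that goes quiet, a phish
    domain seen once, and the IP reappearing after it was purged."""
    pl = PhishList()
    pl.ingest([("ip", "192.0.2.10"), ("domain", "update-user7117.info")], date(2005, 7, 1))
    pl.purge(date(2005, 8, 15))                       # the IP has gone quiet
    pl.observe("ip", "192.0.2.10", date(2005, 8, 20))  # and comes back
    return pl.active(date(2005, 9, 1))
```

The point of `purge` returning what it dropped is operational: a list maintainer wants the removals logged, because an entry that keeps cycling in and out is itself a signal that the phisher is reusing infrastructure.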
-----Original Message-----
Greg Allen>
Most antivirus companies appear to disagree with you for now. At this point in time it is a competitive thing. They do it or they will not survive. My McAfee saw your example ebay page as a Trojan "js/cardsteeler".
Previous poster > >
Personally, I don't think an AV program should attempt to detect anything other than a virus or trojan -- actual malicious code. ClamAV's doing so has made it more than a bit of a nuisance for some administrators, who found that complaints about phishes sent to their abuse address were getting filtered by their AV program.
And quality software allows you to have it "your way" -- as I understand it ClamAV 0.9 (we're on 0.84-2) will add an option.
I like it, so does Greg -- others don't like it; good software lets us choose when possible.
-- Herb Martin
And quality software allows you to have it "your way" -- as I understand it ClamAV 0.9 (we're on 0.84-2) will add an option.
<chuckle> Some ClamAV developers are active on several anti-spam lists and forums, and have been hearing complaints about their anti-phishing filters from some of their best customers/users. Since they *are* reasonable folks, they listened.
I like it, so does Greg -- others don't like it; good software lets us choose when possible.
Actually, I like it and regularly recommend it to users who are running SpamBouncer on small company, academic, or ISP mailservers. SB's own anti-virus filters aren't bad for getting the cr*p out of your mailbox, but they do NOT constitute a full AV program, and aren't updated as quickly as a good AV program. Despite my annoyance with one policy decision, I'm not dumb enough not to recognize that ClamAV is a good AV program. (Better than merely good, according to friends of mine who work at other AV companies and should know.)
On Sunday, July 31, 2005, 7:53:00 PM, Catherine Hampton wrote:
And quality software allows you to have it "your way" -- as I understand it ClamAV 0.9 (we're on 0.84-2) will add an option.
<chuckle> Some ClamAV developers are active on several anti-spam lists and forums, and have been hearing complaints about their anti-phishing filters from some of their best customers/users. Since they *are* reasonable folks, they listened.
I like it, so does Greg -- others don't like it; good software lets us choose when possible.
Actually, I like it and regularly recommend it to users who are running SpamBouncer on small company, academic, or ISP mailservers. SB's own anti-virus filters aren't bad for getting the cr*p out of your mailbox, but they do NOT constitute a full AV program, and aren't updated as quickly as a good AV program. Despite my annoyance with one policy decision, I'm not dumb enough not to recognize that ClamAV is a good AV program. (Better than merely good, according to friends of mine who work at other AV companies and should know.)
FWIW We use ClamAV and SpamAssassin, and ClamAV certainly catches a lot of wild viruses for us. We probably also use ClamAV for detecting phishes if that's the default behavior, and that's fine by me too. The more protection the better. But my point is that viruses and phishes are really two very different kinds of things and tools for handling one may not always be appropriate for handling the other.
As Catherine points out there are real-world operational issues that can sometimes occur when these kinds of functions are (unexpectedly) combined in the same application.
Jeff C. -- Don't harm innocent bystanders.
On Sunday, July 31, 2005, 10:39:14 AM, Greg Allen wrote:
People who do phishing are going to change their IP address (IP where the actual target/sucker is sent) frequently. They are also probably going to use random and ever changing computer IPs outside the US for obvious legal reasons. Maybe zombies even, who knows.
Yes, they're probably using some zombies. Many phishes also use fake domain names (like updatepaypals .com). We list both domain names and IPs in the SURBL phishing list.
Any domain names in a phishing email code are most likely going to be legit domain names such as ebay.com, bankofamerica.com, southtrustbank.com, etc. These are the domains visible to the target/sucker.
Yes, and we're whitelisting those legitimate sites, so they're non-issues as far as false positives in SURBLs.
Jeff C.
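What "we list both domain names and IPs" and "we're whitelisting those legitimate sites" look like on the client side, as an added example in Python; this is not SURBL's or SpamAssassin's own code. It builds the multi.surbl.org query name (reversed octets for an IP, the registrable domain as-is for a name), skips whitelisted targets, and decodes the 127.0.0.N answer into sub-list names. The bit-to-list mapping is the one published for multi.surbl.org around this time and is an assumption to check against current SURBL documentation; the canned answers are constructed, and a real resolver is only called through `resolve_live` if you run it yourself.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Set

SURBL_ZONE = "multi.surbl.org"

# Assumption: bit values multi.surbl.org used in this period
# (sc=2, ws=4, ph=8, ob=16, ab=32, jp=64). Verify against current SURBL docs.
MULTI_BITS: Dict[int, str] = {2: "sc", 4: "ws", 8: "ph", 16: "ob", 32: "ab", 64: "jp"}

# Legitimate targets that the maintainers whitelist: never queried, never listed.
WHITELIST: Set[str] = {"ebay.com", "paypal.com", "bankofamerica.com", "southtrustbank.com"}


def query_name(item: str, zone: str = SURBL_ZONE) -> str:
    """Name to look up: reversed octets for an IP, the domain itself otherwise.
    Callers pass a registrable domain (update-user7117.info), not a full host."""
    item = item.lower().rstrip(".")
    try:
        ip = ipaddress.IPv4Address(item)
    except ValueError:
        return item + "." + zone
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def decode_answer(a_record: Optional[str]) -> Set[str]:
    """Turn a 127.0.0.N answer into the sub-lists whose bits are set.
    NXDOMAIN (None) means not listed. Anything outside 127.0.0.0/24 is not a
    list hit; it is usually a wildcarding resolver or ISP and must not be
    trusted, so it is an error rather than a silent 'listed'."""
    if a_record is None:
        return set()
    octets = a_record.split(".")
    if len(octets) != 4 or octets[:3] != ["127", "0", "0"]:
        raise ValueError("unexpected SURBL answer: %s" % a_record)
    bits = int(octets[3])
    return {name for bit, name in MULTI_BITS.items() if bits & bit}


def check(items: List[str], resolve: Callable[[str], Optional[str]]) -> Dict[str, Set[str]]:
    """Map each domain or IP to the sub-lists it appears on."""
    results: Dict[str, Set[str]] = {}
    for item in items:
        key = item.lower().rstrip(".")
        if key in WHITELIST:
            results[item] = set()
            continue
        results[item] = decode_answer(resolve(query_name(key)))
    return results


def resolve_live(name: str) -> Optional[str]:
    """Real A lookup; only used when you run the check yourself."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


# Constructed answer table standing in for the DNS, so the check runs offline.
CANNED: Dict[str, str] = {
    "update-user7117.info.multi.surbl.org": "127.0.0.8",   # ph only
    "10.2.0.192.multi.surbl.org": "127.0.0.8",             # the IP 192.0.2.10
    "spamvertised.example.multi.surbl.org": "127.0.0.10",  # sc + ph
}


def resolve_canned(name: str) -> Optional[str]:
    return CANNED.get(name)
```

Swap `resolve_canned` for `resolve_live` to query the real zone. The whitelist check happens before any DNS traffic, which is also why a legitimate target can never be a false positive here regardless of what the zone returns.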