We have been having an increase in the number of phishing messages that slip through our antispam solution. We currently use Can-IT which includes an instance of SpamAssassin which has active scanning on for SURBL.
We recognize that no current solution is going to be 100% effective - however one of the most recent phishing messages that got through was for a link which appeared to already be in phishtank.com data (see http://www.phishtank.com/phish_detail.php?phish_id=1068849)
We had been working to see if we could incorporate phishtank.com data in the Can-IT environment to add one more source of blocks for these messages to plug some more holes when we noticed per http://www.phishtank.com/friends.php that SURBL appeared to already be listed as using (in some way) phishtank data.
We presumed that http://www.surbl.org/lists.html#ph probably used it - but tests seem to have test messages with that URL receiving no points inbound.
Further testing on the SURBL lookup returned that w3t.org wasn't listed (which makes sense as the underlying URL above is a shortener so it's only the extended URL that is listed in phishtank and worth flagging on) - does SURBL only accept root domains for listing?
Basically we're just trying to figure out if this is a config error on our part or a misunderstanding on our part of how SURBL uses phishtank.com data and/or classifies reported phishing sites and subdirectories in the first place.
Thanks in advance for any insight!
Ken Johnson
Information Technology
LeTourneau University
On Thu, Oct 21, 2010 at 7:26 AM, Johnson, Ken kenjohnson@letu.edu wrote:
> We have been having an increase in the number of phishing messages that slip through our antispam solution. We currently use Can-IT which includes an instance of SpamAssassin which has active scanning on for SURBL.
> We recognize that no current solution is going to be 100% effective - however one of the most recent phishing messages that got through was for a link which appeared to already be in phishtank.com data (see http://www.phishtank.com/phish_detail.php?phish_id=1068849)
> We had been working to see if we could incorporate phishtank.com data in the Can-IT environment to add one more source of blocks for these messages to plug some more holes when we noticed per http://www.phishtank.com/friends.php that SURBL appeared to already be listed as using (in some way) phishtank data.
> We presumed that http://www.surbl.org/lists.html#ph probably used it - but tests seem to have test messages with that URL receiving no points inbound.
> Further testing on the SURBL lookup returned that w3t.org wasn't listed (which makes sense as the underlying URL above is a shortener so it's only the extended URL that is listed in phishtank and worth flagging on) - does SURBL only accept root domains for listing?
The quick answer is yes. However see also:
http://lists.surbl.org/pipermail/announce/2010-February/000202.html
SURBL may look into listing subdomains and paths more generally in future. There were important design decisions for not doing that before.
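The root-domain behaviour discussed in this thread, as an added example that is not part of the original messages: it shows that a SURBL lookup keeps only the registered domain of a URL, so every link on a shortener collapses to one query and a full-URL PhishTank entry has no direct equivalent. The zone name `multi.surbl.org` and the bit value 8 for the `ph` list come from SURBL's public documentation, not from this thread; the suffix table and sample URLs are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the public suffix list, enough for the samples.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "com.br"}
SURBL_ZONE = "multi.surbl.org"  # SURBL's combined zone
PH_BIT = 8                      # bit set in the answer when the ph list matches


def registered_domain(url):
    """Reduce a URL to the domain a SURBL client looks up (path and subdomains dropped)."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if not host:
        return None
    try:
        ipaddress.ip_address(host)
        return None  # IP-literal hosts are queried differently; out of scope here
    except ValueError:
        pass
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def surbl_query_name(url):
    """DNS name that would be queried for this URL, or None if not applicable."""
    dom = registered_domain(url)
    return f"{dom}.{SURBL_ZONE}" if dom else None


def same_lookup(url_a, url_b):
    """True when two URLs are indistinguishable to a domain-level list."""
    return surbl_query_name(url_a) == surbl_query_name(url_b)


def on_ph_list(answer):
    """Decode the A record from the combined zone; None stands for NXDOMAIN (not listed)."""
    if answer is None:
        return False
    addr = ipaddress.ip_address(answer)
    return addr in ipaddress.ip_network("127.0.0.0/8") and bool(int(addr) & PH_BIT)


if __name__ == "__main__":
    # Constructed samples: a short link on the shortener from the thread and a made-up target URL.
    for u in ("http://w3t.org/AbCd", "http://login.example.co.uk/bank/verify.php?id=1"):
        print(u, "->", surbl_query_name(u))
```

A mail filter that wants path-level matching against PhishTank data therefore has to compare the full URL itself, since the domain-level query above never carries the path.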