[SURBL-Discuss] Proposal to add some anti-phishing data to SURBL
Jeff Chan
jeffc at surbl.org
Tue May 4 05:20:31 CEST 2004
On Tuesday, May 4, 2004, 3:49:06 AM, David Hooton wrote:
>> On Tuesday, May 4, 2004, 2:48:17 AM, David Hooton wrote:
>> >Jeff Chan wrote:
>> >> 1. Merge into ws: probably no specific code for phishing
>> >> 2. Merge into combined list: could have a separate code
>> >> 2a. (With no separate list for phishing if it's small.)
>>
>> > I personally think 2 is the preferred option as it provides domain &
>> > netblock owners with a possible means of becoming unlisted. Further
>> > helping us remove false positives and mopped up incidents as soon as
>> > we can.
> The concept being a custom response (txt record) would facilitate the person
> whose mail is altered knows why - i.e. phishing not Spam.
Aha, you were more concerned about a specific reason (i.e.
phishing) being presented. I misunderstood. That would
probably be better if I did the combining.
>> That said, processing things here automatically may be a bit
>> quicker than going through Bill's more manual procedure. Maybe
>> I should assume we will do the merging here.
>>
>> Also I'm somewhat concerned about "netblocks" going to SURBLs
> I understand this, and as the listing policy states we are only planning on
> listing individual IP addresses and domains that are included in phishing
> attacks.
> No pre-emptive blocking will be conducted on IP ranges.
Sounds good.
> I think where the confusion has come in is that I have referred to allowing
> "Netblock Owners" ie. people who own the IP space to request removal of
> their individual IP addresses from the SURBL once the IP has been mopped up.
Got it. I read that as discussing input data for the list as
opposed to describing resulting actions taken to get off the list.
> There is a much higher incidence of IP based urls in phishing attacks than
> in general spam, due in part to the majority of attacks being built on
> stolen bandwidth and on hacked/trojaned servers.
Thanks for the added background. Multiple, individual IP-based
URIs scattered around the Internet would work fine as a SURBL.
> I can't
> see it hitting much more than 1500 records at any one time. This is mainly
> due to the fact that we're planning on running an expiry process as outlined
> on the policy page & because we hope to provide a means of notification &
> removal for ISPs and machine owners.
OK good to know.
> I have not seen the same IP address used more than once and have only seen
> individual domains used for around a week or two in phishes. I think the
> self expiring model is probably a wise approach due to this.
Yes, that sounds very appropriate to the data.
Jeff C.