Full Disclosure mailing list archives
Re: simple phishing fix
From: "lsi" <stuart () cyberdelix net>
Date: Mon, 28 Jul 2008 10:53:18 +0100
summary
-------

Of all the approaches below I like the simple list of strings in the email client (the first link). This is because it's a DENY ALL policy. The other approaches below, AFAICS, use ACCEPT ALL and then try and find reasons to block the mail. The first approach simply blocks them all! Sure, you want to receive mail from the Bank of Foo, just don't put bankoffoo.com in your list!

Frankly, email should not be used by banks, due to the risk of impersonation, and if this DENY ALL approach causes them to stop using email to send messages to customers, good. So let's not waste time on fancy error-prone algorithms, purleeze!

a quick review of deployed anti-phishing technologies
-----------------------------------------------------

0. filter against the FROM field using a blacklist in the email client:
   http://seclists.org/fulldisclosure/2008/Jul/0488.html

1. software from Symantec, McAfee etc, integrated into their desktop security suites, filtering method not disclosed.

2. there's anti-phishing filters for IE, Firefox and maybe Opera - filtering method not researched (we want to stop the phish before the user even opens the email, they should never see the link that takes them to their browser),

3. article says CMU have developed an unreleased filter, using pretty standard anti-spam techniques, plus some attempt at matching the stated domainname against URLs listed in the bodytext:
   http://itmanagement.earthweb.com/columns/executive_tech/article.php/3620741
   The phishing filter in Thunderbird apparently uses a similar technique (eg. comparing the sender's domainname against URLs in the bodytext), a technique which reportedly is a bit flaky.

4. article says GoDaddy filter scans URLs in bodytext against a blacklist:
   http://help.godaddy.com/article/645

5. software says it uses some kind of user-generated database (eg. users report stats to a central server via client software):
   http://spam-fighter.qarchive.org/

6. post says google are using DKIM to detect phish:
   http://gmailblog.blogspot.com/2008/07/fighting-phishing-with-ebay-and-paypal.html
   (gmail's phish detection reportedly suffers from false-positives)

7. article says to use a Bayesian filter (unspecified):
   http://ezinearticles.com/?Phishing-Filter---How-to-Use-Phishing-Filters-to-Prevent-Any-Information-Theft&id=919156

8. product claims to use "rate controls" (eg. mails/minute) to detect phish:
   http://www.moonslice.com/hosting/spamds.htm

On 28 Jul 2008 at 18:32, Biz Marqee wrote:

Date sent: Mon, 28 Jul 2008 18:32:48 +1000
From: "Biz Marqee" <biz.marqee () gmail com>
To: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] simple phishing fix
Copies to: stuart () cyberdelix net

> Post my mail filter strings? LOL. That just proves how insignificant you and your ideas are. I do real security research work like write exploits and patches. Do you know how to mmap @ 0x00000000 on current kernels? Do you even know why that would be useful?
>
> How does this fix the problem? If it were that black and white ISP's would implement it at their MX's.. on top of that what about all the LEGITIMATE emails banks send out? Anyone who knows how to set up mail filters would have already done so without your "message".
>
> Maybe you should stop posting trying to puff up your image on a mailing list and go back to your "research". Who knows maybe one day you can graduate to XSS... lmao.
>
> Leave security work to the experts you untalented, fame seeking, piece of shit...
>
> On Mon, Jul 28, 2008 at 5:52 PM, lsi <stuart () cyberdelix net> wrote:
>
> > Please post the list of strings you use in your phishing filter. Or don't you have one?
> >
> > Seriously dude, if phishing was so simple to fix then why is it "on the rise" according to recent news articles? I mean, if all the admins out there in the world are blocking them, then why are they still being sent out by scammers?
> >
> > Either the admins don't know how to block them, or the scammers don't know they are being blocked. My message can solve both problems.
> >
> > I seem to recall a time when email-borne viruses were a problem, once it was pointed out they were simple to block, they rapidly dropped out of fashion. I would indeed like to repeat that success and save the associated electricity, bandwidth and CPU time for something more important, such as replying to bone-headed posts in fd, for a start.
> >
> > Stu
> >
> > On 28 Jul 2008 at 10:57, Biz Marqee wrote:
> >
> > Date sent: Mon, 28 Jul 2008 10:57:06 +1000
> > From: "Biz Marqee" <biz.marqee () gmail com>
> > To: full-disclosure () lists grok org uk
> > Subject: RE: [Full-disclosure] simple phishing fix
> > Copies to: stuart () cyberdelix net
> >
> > > Wow, you are our savior.. no, no our e-Hero! Forget patches for software bugs.. This guy can teach us how to set up a mail filter!!
> > >
> > > Seriously dude.. do you think we care about, or are too inept to set up filter rules? Go find another list to contribute to, you are a joke.
> >
> > ---
> > Stuart Udall
> > stuart at () cyberdelix dot net - http://www.cyberdelix.net/
> >
> > ---
> >  * Origin: lsi: revolution through evolution (192:168/0.2)

---
Stuart Udall
stuart at () cyberdelix dot net - http://www.cyberdelix.net/

---
 * Origin: lsi: revolution through evolution (192:168/0.2)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
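
Approaches 0 and 3 from the review in the message above, side by side, as an added example that is not part of the original post or of any product it links to. The deny strings, the sample messages and the naive base-domain rule are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed deny list: strings the user never wants to see in a From field.
DENY_STRINGS = ["bankoffoo", "paybar"]
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def from_field_denied(msg, deny=DENY_STRINGS):
    """Approach 0: drop the mail if any listed string occurs in From."""
    sender = str(msg.get("From", "")).lower()
    return any(s in sender for s in deny)

def base_domain(host):
    # Naive last-two-labels rule (assumption); real code needs the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def url_domain_mismatch(msg):
    """Approach 3: flag if a body URL's domain differs from the From domain."""
    addr = parseaddr(str(msg.get("From", "")))[1]
    sender_dom = base_domain(addr.rpartition("@")[2])
    hosts = {urlsplit(u).hostname or "" for u in URL_RE.findall(msg.get_payload())}
    return any(base_domain(h) != sender_dom for h in hosts)

def classify(raw):
    """Return (denied_by_from_list, flagged_by_url_mismatch) for a raw message."""
    msg = message_from_string(raw)
    return from_field_denied(msg), url_domain_mismatch(msg)

# Constructed sample messages (single-part, plain text).
PHISH = ("From: Bank of Foo <security@bankoffoo.com>\nSubject: Verify\n\n"
         "Log in at http://bankoffoo.example.net/login\n")
NEWSLETTER = ("From: Shop News <news@shop.example.com>\nSubject: Offers\n\n"
              "Read more: http://links.example.org/c/123\n")
PLAIN = ("From: Alice <alice@example.com>\nSubject: Notes\n\n"
         "Slides are at https://www.example.com/slides\n")

if __name__ == "__main__":
    for name, raw in [("phish", PHISH), ("newsletter", NEWSLETTER), ("plain", PLAIN)]:
        print(name, classify(raw))
```

The newsletter sample is ordinary mail that links to a third-party host, so the URL comparison flags it while the From list ignores it. The From list in turn drops every message naming a listed string, genuine or not, which is the DENY ALL behaviour the message describes.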