nanog mailing list archives

Re: phishing sites report - March/2005


From: Daniel Golding <dgolding () burtongroup com>
Date: Mon, 28 Mar 2005 15:20:07 -0500


Gadi,

This report isn't terribly useful without the IP addresses (or URLs) in
question. How could an ISP start investigating and/or null routing these
addresses without having the list?

I suppose I'm skeptical because some of those ASNs are not big content
hosters. Some are transit-only ASNs.

Also, if you are using WHOIS to check the IP addresses for their owner, how
are you correlating to ASN? Through an IRR? Or is there a route lookup
somewhere in the mix?

Even if you won't release full data (although I can't imagine why not), you
need to fully disclose the methodology. "Digested" is insufficient when ISPs
and hosters are being called out by name.

- Dan


On 3/28/05 2:19 PM, "Gadi Evron" <gadi () tehila gov il> wrote:

> Daniel Golding wrote:
>> Forgive me for being skeptical, but...
>
> I would prefer you being skeptical. Please don't take my word on any of
> this.
>
>> How do you come up with these? Are these the direct upstream ISPs of the
>
> These are the digested results from the reports sent to the malicious
> websites and phishing research and mitigation list.
>
>> phishing sites or the next hop AS's from your test site?
>
> Plainly put, these are the results you get when you feed the IP's of the
> hosting web sites to the Cymru whois.
>
>> Is there a link to the original data?
>
> Nope. We hope to release more data in our next reports. Please let us
> know what kind of data you'd like available. We'll do our best to
> provide it.
>
> One of our main goals is public awareness, so we are very interested in
> feedback.
> If you have further questions on the process itself, I'd gladly direct
> you to the guy who actually does the data mining and statistics - but
> the list data itself is not open to the public.
>
> Gadi.
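
Added example, not part of the original messages or of the report's tooling: a per-ASN tally of the kind described above, built by parsing verbose bulk output from the Team Cymru IP-to-ASN whois, where the AS column is the origin AS of the BGP prefix covering each IP. The sample rows, AS names and function names are constructed for illustration and use documentation address and ASN ranges.

```python
from collections import Counter

# Constructed sample in the verbose bulk layout
# (AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name).
# Addresses and ASNs are documentation values, not data from the report.
SAMPLE = """\
Bulk mode; whois.cymru.com [2005-03-28 20:00:00 +0000]
64496   | 192.0.2.10       | 192.0.2.0/24        | US | arin     | 2001-01-01 | EXAMPLE-HOSTING
64496   | 192.0.2.77       | 192.0.2.0/24        | US | arin     | 2001-01-01 | EXAMPLE-HOSTING
64497   | 198.51.100.5     | 198.51.100.0/24     | DE | ripencc  | 2002-02-02 | EXAMPLE-ISP
64496   | 192.0.2.10       | 192.0.2.0/24        | US | arin     | 2001-01-01 | EXAMPLE-HOSTING
NA      | 203.0.113.9      | NA                  |    | NA       |            | NA
"""


def parse_rows(text):
    """Yield (origin_asn, ip, bgp_prefix, as_name) for each data row."""
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        # Skip the banner line and any column-header line.
        if len(fields) != 7 or fields[0] == "AS":
            continue
        asn, ip, prefix, _cc, _registry, _allocated, name = fields
        yield asn, ip, prefix, name


def tally_by_origin_asn(text):
    """Count unique IPs per origin ASN; return (counts, names, unrouted)."""
    seen, counts, names, unrouted = set(), Counter(), {}, []
    for asn, ip, _prefix, name in parse_rows(text):
        if ip in seen:            # the same host reported more than once
            continue
        seen.add(ip)
        if asn == "NA":           # no covering route seen, so no ASN to credit
            unrouted.append(ip)
            continue
        counts[asn] += 1
        names[asn] = name
    return counts, names, unrouted


if __name__ == "__main__":
    counts, names, unrouted = tally_by_origin_asn(SAMPLE)
    for asn, n in counts.most_common():
        print(f"AS{asn:<6} {names[asn]:<16} {n} unique IP(s)")
    print("unrouted:", ", ".join(unrouted) or "none")
```

Keeping the IP and BGP prefix columns next to each count is what lets a named network check which of its routes a figure came from.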



