Full Disclosure mailing list archives
Re: simple phishing fix
From: "lsi" <stuart () cyberdelix net>
Date: Tue, 29 Jul 2008 02:29:14 +0100
[This is a repost, the original was blocked by Spamhaus as it contained a link to a blacklisted blogspot server. Also, I mangled the formatting. Apologies. Finally I added item #9, not mentioned previously.]

summary
-------

Of all the approaches below I like the simple list of strings in the email client (the first link). This is because it's a DENY ALL policy. The other approaches below, AFAICS, use ACCEPT ALL and then try and find reasons to block the mail. The first approach simply blocks them all! Sure, you want to receive mail from the Bank of Foo, just don't put bankoffoo.com in your list!

Frankly, email should not be used by banks, due to the risk of impersonation, and if this DENY ALL approach causes them to stop using email to send messages to customers, good.

So let's not waste time on fancy error-prone algorithms, purleeze!

a quick review of deployed anti-phishing technologies
-----------------------------------------------------

0. filter against the FROM field using a blacklist in the email client:
http://seclists.org/fulldisclosure/2008/Jul/0488.html

1. software from Symantec, McAfee etc, integrated into their desktop security suites, filtering method not disclosed.

2. there's anti-phishing filters for IE, Firefox and maybe Opera - filtering method not researched (we want to stop the phish before the user even opens the email, they should never see the link that takes them to their browser),

3. article says CMU have developed an unreleased filter, using pretty standard anti-spam techniques, plus some attempt at matching the stated domainname against URLs listed in the bodytext:
http://itmanagement.earthweb.com/columns/executive_tech/article.php/3620741

The phishing filter in Thunderbird apparently uses a similar technique (eg. comparing the sender's domainname against URLs in the bodytext, a technique which reportedly is a bit flaky).

4. article says GoDaddy filter scans URLs in bodytext against a blacklist:
http://help.godaddy.com/article/645

5. software says it uses some kind of user-generated database (eg. users report stats to a central server via client software):
http://spam-fighter.qarchive.org/

6. post says google are using DKIM to detect phish: [link removed due to spamhaus issue, search for this on the web] (gmail's phish detection reportedly suffers from false-positives)

7. article says to use a Bayesian filter (unspecified):
http://ezinearticles.com/?Phishing-Filter---How-to-Use-Phishing-Filters-to-Prevent-Any-Information-Theft&id=919156

8. product claims to use "rate controls" (eg. mails/minute) to detect phish:
http://www.moonslice.com/hosting/spamds.htm

9. sigs for clamAV, seem to be an MD5 of the bodytext:
http://www.sanesecurity.com/clamav/

On 27 Jul 2008 at 14:10, lsi wrote:

From: "lsi" <stuart () cyberdelix net>
To: full-disclosure () lists grok org uk
Date sent: Sun, 27 Jul 2008 14:10:38 +0100
Priority: normal
Subject: [Full-disclosure] simple phishing fix
Soo y'all know not to click on those emails from your bank, or from any other bank, in your inbox and now you just delete them ... why not automate this process? It's easy, just filter a whole bunch of banking names straight to your deleted items. All you do is create a rule for each bank, which deletes any mail from that bank, automatically. The rule should read something like "if the FROM field contains the string XXXXX then DELETE message".

Here's a list of strings to enter into your rules...

Royal Bank of Scotland
HSBC
NatWest
halifax.co.uk
abbeynational.co.uk
@abbey.co.uk
@abbey.com
barclays.co.uk
barclays.com
CitiBusiness
@citi.com
equifax.com
commercebank.com
bankofamerica.com
wachovia.com
capitalone.com
@nationalcity.com
.chase.com
@chase.com

The funny part is that because phish are trying to look as legitimate as possible, you can bet that they will use the correct domainname for the bank. Which means they are extremely easy to filter... end of problem....

Stu

---
Stuart Udall
stuart at () cyberdelix dot net - http://www.cyberdelix.net/
---
* Origin: lsi: revolution through evolution (192:168/0.2)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
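The deny-list rule from the post ("if the FROM field contains the string XXXXX then DELETE message") as a small standalone filter, added here as an example that is not part of the original messages or of any mail client. The sample messages and the .example addresses are constructed; the filter also decodes RFC 2047 encoded-word display names before matching, so the check sees the same sender name the reader would see rather than the raw header bytes.

```python
"""Deny-list filter on the From header (added example, standard library only)."""
import email
from email import policy
from email.header import decode_header, make_header

# A subset of the strings listed in the original post.
DENY_STRINGS = [
    "Royal Bank of Scotland", "HSBC", "NatWest", "halifax.co.uk",
    "barclays.co.uk", "@chase.com", "bankofamerica.com",
]


def raw_from(raw_message: str) -> str:
    """From header exactly as it appears on the wire (no decoding)."""
    msg = email.message_from_string(raw_message, policy=policy.compat32)
    return msg.get("From", "")


def decoded_from(raw_message: str) -> str:
    """From header with RFC 2047 encoded-words decoded, so a name carried
    in an encoded display name is visible to the substring check."""
    return str(make_header(decode_header(raw_from(raw_message))))


def raw_match(raw_message: str, deny=DENY_STRINGS) -> bool:
    """Naive rule: substring match on the undecoded header (for comparison)."""
    frm = raw_from(raw_message).lower()
    return any(s.lower() in frm for s in deny)


def should_delete(raw_message: str, deny=DENY_STRINGS) -> bool:
    """DENY ALL policy from the post: any listed string in From -> delete.
    Case-insensitive, as most client rule engines are."""
    frm = decoded_from(raw_message).lower()
    return any(s.lower() in frm for s in deny)


# Constructed sample messages (not real mail).
PLAIN = "From: Online Banking <alerts@hsbc.example>\r\nSubject: x\r\n\r\nbody\r\n"
# Display name "HSBC Security" as a base64 encoded-word; the raw bytes
# contain no "hsbc" substring, so the naive rule would let it through.
ENCODED = ("From: =?utf-8?b?SFNCQyBTZWN1cml0eQ==?= <noreply@mailer.example>"
           "\r\nSubject: x\r\n\r\nbody\r\n")
FRIEND = "From: Alice <alice@example.org>\r\nSubject: lunch\r\n\r\nbody\r\n"

if __name__ == "__main__":
    for name, m in (("plain", PLAIN), ("encoded", ENCODED), ("friend", FRIEND)):
        print(name, "raw:", raw_match(m), "decoded:", should_delete(m))
```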