Full Disclosure: Re: simple phishing fix

["lsi" <stuart () cyberdelix net>]

[This is a repost, the original was blocked by Spamhaus as it 
contained a link to blacklisted blogspot server.  Also, I mangled the 
formatting.  Apologies.  Finally I added item #9, not mentioned 
previously.]


summary
-------

Of all the approaches below I like the simple list of strings in the 
email client (the first link).  This is because it's a DENY ALL 
policy.  The other approaches below, AFAICS, use ACCEPT ALL and then 
try and find reasons to block the mail.  The first approach simply 
blocks them all!  Sure, you want to receive mail from the Bank of 
Foo, just don't put bankoffoo.com in your list!   

Frankly, email should not be used by banks, due to the risk of 
impersonation, and if this DENY ALL approach causes them to stop 
using email to send messages to customers, good.   

So let's not waste time on fancy error-prone algorithms, purleeze!  


a quick review of deployed anti-phishing technologies
-----------------------------------------------------

0. filter against the FROM field using a blacklist in the email 
client:

http://seclists.org/fulldisclosure/2008/Jul/0488.html

1. software from Symantec, McAfee etc, integrated into their desktop 
security suites, filtering method not disclosed.  

2. there's anti-phishing filters for IE, Firefox and maybe Opera - 
filtering method not researched (we want to stop the phish before the 
user even opens the email, they should never see the link that takes 
them to their browser),  

3. article says CMU have developed an unreleased filter, using pretty 
standard anti-spam techniques, plus some attempt at matching the 
stated domainname against URLs listed in the bodytext:  

http://itmanagement.earthweb.com/columns/executive_tech/article.php/36
20741

The phishing filter in Thunderbird apparently uses a similar 
technique (eg. comparing the sender's domainname against URLs in the 
bodytext, a technique which reportedly is a bit flaky.  

4. article says GoDaddy filter scans URLs in bodytext against a 
blacklist:

http://help.godaddy.com/article/645

5. software says it uses some kind of user-generated database (eg. 
users report stats to a central server via client software):  

http://spam-fighter.qarchive.org/

6. post says google are using DKIM to detect phish:

[link removed due to spamhaus issue, search for this on the web]

(gmail's phish detection reportedly suffers from false-positives)

7. article says to use a Bayesian filter (unspecified):

http://ezinearticles.com/?Phishing-Filter---How-to-Use-Phishing-
Filters-to-Prevent-Any-Information-Theft&id=919156

8. product claims to use "rate controls" (eg. mails/minute) to detect 
phish:

http://www.moonslice.com/hosting/spamds.htm

9. sigs for clamAV, seem to be an MD5 of the bodytext

http://www.sanesecurity.com/clamav/


On 27 Jul 2008 at 14:10, lsi wrote:

From:                   "lsi" <stuart () cyberdelix net>
To:                     full-disclosure () lists grok org uk
Date sent:              Sun, 27 Jul 2008 14:10:38 +0100
Priority:               normal                                               
Subject:                [Full-disclosure] simple phishing fix

> Soo y'all know not to click on those emails from your bank, or from 
> any other bank, in your inbox and now you just delete them ... why 
> not automate this process?  It's easy, just filter a whole bunch of 
> banking names straight to your deleted items.  
>
> All you do is create a rule for each bank, which deletes any mail  
> from that bank, automatically.
>
> The rule should read something like "if the FROM field contains the  
> string XXXXX then DELETE message".
>
> Here's a list of strings to enter into your rules...
>
> Royal Bank of Scotland
> HSBC
> NatWest
> halifax.co.uk
> abbeynational.co.uk
> @abbey.co.uk
> @abbey.com
> barclays.co.uk
> barclays.com
> CitiBusiness
> @citi.com
> equifax.com
> commercebank.com
> bankofamerica.com
> wachovia.com
> capitalone.com
> @nationalcity.com
> .chase.com
> @chase.com
>
> The funny part is that because phish are trying to look as legitimate 
> as possible, you can bet that they will use the correct domainname 
> for the bank.  Which means they are extremely easy to filter... end 
> of problem....  
>
> Stu
>
> ---
> Stuart Udall
> stuart at () cyberdelix dot net - http://www.cyberdelix.net/
>
> --- 
>  * Origin: lsi: revolution through evolution (192:168/0.2)
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/


---
Stuart Udall
stuart at () cyberdelix dot net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/