Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: simple phishing fix
From: "lsi" <stuart () cyberdelix net>
Date: Tue, 29 Jul 2008 02:29:14 +0100

[This is a repost, the original was blocked by Spamhaus as it 
contained a link to blacklisted blogspot server.  Also, I mangled the 
formatting.  Apologies.  Finally I added item #9, not mentioned 
previously.]


summary
-------

Of all the approaches below I like the simple list of strings in the 
email client (the first link).  This is because it's a DENY ALL 
policy.  The other approaches below, AFAICS, use ACCEPT ALL and then 
try and find reasons to block the mail.  The first approach simply 
blocks them all!  Sure, you want to receive mail from the Bank of 
Foo, just don't put bankoffoo.com in your list!   

Frankly, email should not be used by banks, due to the risk of 
impersonation, and if this DENY ALL approach causes them to stop 
using email to send messages to customers, good.   

So let's not waste time on fancy error-prone algorithms, purleeze!  


a quick review of deployed anti-phishing technologies
-----------------------------------------------------

0. filter against the FROM field using a blacklist in the email 
client:

http://seclists.org/fulldisclosure/2008/Jul/0488.html

1. software from Symantec, McAfee etc, integrated into their desktop 
security suites, filtering method not disclosed.  

2. there's anti-phishing filters for IE, Firefox and maybe Opera - 
filtering method not researched (we want to stop the phish before the 
user even opens the email, they should never see the link that takes 
them to their browser),  

3. article says CMU have developed an unreleased filter, using pretty 
standard anti-spam techniques, plus some attempt at matching the 
stated domainname against URLs listed in the bodytext:  

http://itmanagement.earthweb.com/columns/executive_tech/article.php/36
20741

The phishing filter in Thunderbird apparently uses a similar 
technique (eg. comparing the sender's domainname against URLs in the 
bodytext, a technique which reportedly is a bit flaky.  

4. article says GoDaddy filter scans URLs in bodytext against a 
blacklist:

http://help.godaddy.com/article/645

5. software says it uses some kind of user-generated database (eg. 
users report stats to a central server via client software):  

http://spam-fighter.qarchive.org/

6. post says google are using DKIM to detect phish:

[link removed due to spamhaus issue, search for this on the web]

(gmail's phish detection reportedly suffers from false-positives)

7. article says to use a Bayesian filter (unspecified):

http://ezinearticles.com/?Phishing-Filter---How-to-Use-Phishing-
Filters-to-Prevent-Any-Information-Theft&id=919156

8. product claims to use "rate controls" (eg. mails/minute) to detect 
phish:

http://www.moonslice.com/hosting/spamds.htm

9. sigs for clamAV, seem to be an MD5 of the bodytext

http://www.sanesecurity.com/clamav/


On 27 Jul 2008 at 14:10, lsi wrote:

From:                   "lsi" <stuart () cyberdelix net>
To:                     full-disclosure () lists grok org uk
Date sent:              Sun, 27 Jul 2008 14:10:38 +0100
Priority:               normal                                               
Subject:                [Full-disclosure] simple phishing fix

Soo y'all know not to click on those emails from your bank, or from 
any other bank, in your inbox and now you just delete them ... why 
not automate this process?  It's easy, just filter a whole bunch of 
banking names straight to your deleted items.  

All you do is create a rule for each bank, which deletes any mail  
from that bank, automatically.

The rule should read something like "if the FROM field contains the  
string XXXXX then DELETE message".

Here's a list of strings to enter into your rules...

Royal Bank of Scotland
HSBC
NatWest
halifax.co.uk
abbeynational.co.uk
@abbey.co.uk
@abbey.com
barclays.co.uk
barclays.com
CitiBusiness
@citi.com
equifax.com
commercebank.com
bankofamerica.com
wachovia.com
capitalone.com
@nationalcity.com
.chase.com
@chase.com

The funny part is that because phish are trying to look as legitimate 
as possible, you can bet that they will use the correct domainname 
for the bank.  Which means they are extremely easy to filter... end 
of problem....  

Stu

---
Stuart Udall
stuart at () cyberdelix dot net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



---
Stuart Udall
stuart at () cyberdelix dot net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault