Full Disclosure mailing list archives

Re: simple phishing fix
From: "lsi" <stuart () cyberdelix net>
Date: Wed, 30 Jul 2008 09:14:46 +0100

Thank you all for your comments.  However, I cannot disagree more 

It doesn't matter that the blacklist is not complete, if a scammer 
tries to phish a bank that's not on the list, eg. is not popular, he 
won't make much money, because it's a small bank and the probability 
of him hitting an email address which works, and is an address of a 
customer of that tiny bank, and the customer gets suckered, and all 
other security mechanisms fail, is very small.

The scammer knows this and so he targets the popular banks.

Therefore, the blacklist only needs to contain popular banks.  
However there is almost no penalty to add another 500 to the list, 
it's a simple filter, it's fast.

I do agree that the more banks on the list, the better, but there are 
not millions of banks in the world, it's not a problem to list all 
the major banks, and many of the smaller banks as well.

As the blacklist is deployed, the average revenue per mail (ARPM) 
will fall.  The more it is deployed, the more the ARPM will fall.  
The ARPM does not need to hit zero.  As soon as the ARPM falls below 
the average cost to send each mail, phishing will be economically 

Eg. it might still be technically feasible, however it will no longer 
be profitable to be a phisher.

Repeat, phish do not need to be completely eliminated.  Once they are 
reduced below a certain level, it will become economically infeasible 
to be a phisher.  The invisible hand [1] will do the rest of the work 
for us.

Other bits:

I agree that by opening a hole in your phish firewall (eg. permitting 
traffic from the Bank of Foo) you are making yourself slightly less 
protected, however if a user has a blacklist where he has to 
specifically ALLOW traffic from a certain bank that user will be well 
aware that he has opened a hole in his phish wall and will be 
extremely attentive when he actually gets a mail.  (I'm appalled that 
some banks actually use email, how cheap are they?  If my bank did 
that, I'd complain, and consider changing banks.)  As with a real 
firewall, it's not a total solution, but one layer of several.

The blacklist catches variations, of course the common variations are 
listed as well, again, every combination is not required, because the 
probabilities of failure rapidly stack up once the scammers start to 
get too imaginative with their variations (eg. they will have to use 
more and more obscure variations, which will trick fewer and fewer 
users).  I hear unicode will make life interesting, I'm looking 
forward to some samples.

Blacklists do work.  They are successfully used in many applications, 
the Spamhaus blocklist, the denyhosts SSH tool and desktop AV 
software all spring to mind.  Blacklists don't work *when the content 
they are checking is polymorphic*.  Phish, by definition, are NOT 
polymorphic.  We are talking banks here, they do not change their 
names very often.

I think that is an important point.  The problem space is a lot 
smaller once you start working with a finite list of domain names.  A 
blacklist is feasible in these circumstances.

I agree my list is small, you'll note however it contains most of the 
biggest banks, I didn't choose them, they self-selected, by being 
sent to me.  That's why they are the biggest banks, because the 
scammers target those banks.  There's obviously no reason why the 
list could not contain every large bank in the world.  I could maybe 
hunt down some stats to add banks I don't get phished for, but that 
would just slow down my filter!  If others were to use it they'd want 
to customise it.  Because the blacklist is on the client machine, the 
user is free to add banks they get hammered with, and free to remove 
banks they want to correspond with.

Don't forget that "achovia." can be listed, to catch wachovia.com, 
vvachovia.com, vvachovia.co.uk etc.

Think about it, most people have no need to accept mail from every 
bank in the world.  That is accept ALL. Using the blacklist means 
they are now denying all bank traffic. (OK, denying all on the list, 
I agree that it's not a complete deny all, because we cannot know the 
names of all banks in advance.  I do regret confusing the discussion 
by mentioning DENY ALL, I was hoping to explain my analogy to a 
firewall, eg., it blocks everything by default and then lets in what 
you tell it to let in, I do accept that unlike a real firewall it can 
be got around by using an unlisted name, it's really DENY MOST.)

"(x) Mailing lists and other legitimate email uses would be affected"

Irrelevant.  They are affected already. They are the victims of 
spoofing.  It's either block their mails, or users suffer the spoofs. 
 Given that suffering the spoofs means bank-originated mails are 
useless in any case, that means the only available course of action 
is to deny all bank email traffic.

my Bayesian filter gets these anyway

My spam filter misses some, hence my post, however following this 
comment I have checked my config and the Bayesian plugin is disabled 
;)  Thank you for the suggestion.

[1] http://en.wikipedia.org/wiki/Invisible_hand

Stuart Udall
stuart at () cyberdelix dot net - http://www.cyberdelix.net/

 * Origin: lsi: revolution through evolution (192:168/0.2)

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
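
The substring blacklist with a user-controlled allow list that the post describes, as an added Python example that is not the poster's own filter. Only the "achovia." fragment comes from the post; the other list entries, the sample senders and the "review" verdict for non-ASCII or punycode domains are assumptions made for illustration.

```python
from email.utils import parseaddr

# Constructed lists. Only the "achovia." fragment comes from the post;
# "bankoffoo." and the .example domain are hypothetical.
BLACKLIST = ("achovia.", "bankoffoo.")
ALLOWED = {"bankoffoo.example"}  # exact domains the user chose to let in


def sender_domain(from_header):
    """Lower-cased domain of a From: header, '' when there is none."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def classify(from_header):
    """Return 'allow', 'block', 'review' or 'pass' for one sender."""
    domain = sender_domain(from_header)
    if domain in ALLOWED:          # exact match only, so a lookalike
        return "allow"             # cannot ride in on the allowed name
    if any(fragment in domain for fragment in BLACKLIST):
        return "block"
    # The fragments are ASCII, so a domain written with non-ASCII
    # lookalike letters (or its xn-- punycode form) never matches them.
    # Flag those separately instead of letting them pass silently.
    labels = domain.split(".")
    if not domain.isascii() or any(l.startswith("xn--") for l in labels):
        return "review"
    return "pass"


# Constructed sample senders (not real phishing mail).
SAMPLES = [
    '"Wachovia" <alerts@wachovia.com>',
    "security@vvachovia.co.uk",
    "info@bankoffoo.example",
    "info@bankoffoo.example.invalid",
    "alerts@w\u0430chovia.com",      # Cyrillic U+0430 in place of 'a'
    "friend@mail.example",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{classify(s):6}  {s}")
```

The allow list is checked by exact domain and before the blacklist, so opening a hole for one bank does not also admit domains that merely contain its name.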
