Date: Tue, 29 Jul 2008 02:29:14 +0100
From: "lsi" <stuart@...erdelix.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: simple phishing fix

[This is a repost, the original was blocked by Spamhaus as it 
contained a link to a blacklisted blogspot server.  Also, I mangled the 
formatting.  Apologies.  Finally, I added item #9, not mentioned 
previously.]


summary
-------

Of all the approaches below I like the simple list of strings in the 
email client (the first link).  This is because it's a DENY ALL 
policy.  The other approaches below, AFAICS, use ACCEPT ALL and then 
try and find reasons to block the mail.  The first approach simply 
blocks them all!  Sure, you want to receive mail from the Bank of 
Foo, just don't put bankoffoo.com in your list!   

Frankly, email should not be used by banks, due to the risk of 
impersonation, and if this DENY ALL approach causes them to stop 
using email to send messages to customers, good.   

So let's not waste time on fancy error-prone algorithms, purleeze!  


a quick review of deployed anti-phishing technologies
-----------------------------------------------------

0. filter against the FROM field using a blacklist in the email 
client:

http://seclists.org/fulldisclosure/2008/Jul/0488.html

1. software from Symantec, McAfee etc, integrated into their desktop 
security suites, filtering method not disclosed.  

2. there are anti-phishing filters for IE, Firefox and maybe Opera - 
filtering method not researched (we want to stop the phish before the 
user even opens the email; they should never see the link that takes 
them to their browser).  

3. article says CMU have developed an unreleased filter, using pretty 
standard anti-spam techniques, plus some attempt at matching the 
stated domain name against URLs listed in the body text:  

http://itmanagement.earthweb.com/columns/executive_tech/article.php/3620741

The phishing filter in Thunderbird apparently uses a similar 
technique (e.g. comparing the sender's domain name against URLs in the 
body text, a technique which reportedly is a bit flaky).  

4. article says GoDaddy filter scans URLs in body text against a 
blacklist:

http://help.godaddy.com/article/645

5. software says it uses some kind of user-generated database (eg. 
users report stats to a central server via client software):  

http://spam-fighter.qarchive.org/

6. post says google are using DKIM to detect phish:

[link removed due to spamhaus issue, search for this on the web]

(gmail's phish detection reportedly suffers from false-positives)

7. article says to use a Bayesian filter (unspecified):

http://ezinearticles.com/?Phishing-Filter---How-to-Use-Phishing-Filters-to-Prevent-Any-Information-Theft&id=919156

8. product claims to use "rate controls" (eg. mails/minute) to detect 
phish:

http://www.moonslice.com/hosting/spamds.htm

9. sigs for ClamAV seem to be an MD5 of the body text:

http://www.sanesecurity.com/clamav/
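The DENY ALL rule from the summary above ("if the FROM field contains the string XXXXX then DELETE message", with a list of bank strings) as an added example, not code from the original post: a case-insensitive substring test over the whole raw From header, run on constructed sample messages and a constructed subset of the original list.

```python
import email
from email import policy

# Constructed subset of the strings from the original post; matching is
# case-insensitive, so "HSBC" also catches "hsbc" in a display name.
DENY_STRINGS = [
    "Royal Bank of Scotland",
    "HSBC",
    "barclays.co.uk",
    "bankofamerica.com",
    ".chase.com",
    "@chase.com",
]

def from_matches(from_header, deny=DENY_STRINGS):
    """Return the first deny-list string found in the From header, or None.

    The substring test runs over the whole raw header, so a display name
    such as "HSBC Online <x@y>" is caught as well as the address part.
    """
    haystack = from_header.lower()
    for s in deny:
        if s.lower() in haystack:
            return s
    return None

def filter_messages(raw_messages, deny=DENY_STRINGS):
    """Apply the DENY ALL rule; return (kept, deleted) lists of (From, hit)."""
    kept, deleted = [], []
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        frm = str(msg.get("From", ""))
        hit = from_matches(frm, deny)
        (deleted if hit else kept).append((frm, hit))
    return kept, deleted

# Constructed sample messages: two bank-styled senders and one ordinary one.
SAMPLES = [
    "From: HSBC Online Banking <security@example.net>\nSubject: Verify\n\nx\n",
    "From: alerts@online.chase.com\nSubject: Statement\n\nx\n",
    "From: Alice <alice@example.org>\nSubject: lunch\n\nx\n",
]

if __name__ == "__main__":
    kept, deleted = filter_messages(SAMPLES)
    for frm, hit in deleted:
        print(f"DELETE {frm!r}  (matched {hit!r})")
    for frm, _ in kept:
        print(f"KEEP   {frm!r}")
```

Because the test covers the display name as well as the address, a message whose address is unrelated but whose name says "HSBC" is still dropped, which is the point of the deny-all approach; it also means any legitimate mail carrying a listed string is lost, as the post accepts.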


On 27 Jul 2008 at 14:10, lsi wrote:

From:           	"lsi" <stuart@...erdelix.net>
To:             	full-disclosure@...ts.grok.org.uk
Date sent:      	Sun, 27 Jul 2008 14:10:38 +0100
Priority:       	normal                                               
Subject:        	[Full-disclosure] simple phishing fix

> Soo y'all know not to click on those emails from your bank, or from 
> any other bank, in your inbox and now you just delete them ... why 
> not automate this process?  It's easy, just filter a whole bunch of 
> banking names straight to your deleted items.  
> 
> All you do is create a rule for each bank, which deletes any mail  
> from that bank, automatically.
> 
> The rule should read something like "if the FROM field contains the  
> string XXXXX then DELETE message".
> 
> Here's a list of strings to enter into your rules...
> 
> Royal Bank of Scotland
> HSBC
> NatWest
> halifax.co.uk
> abbeynational.co.uk
> @abbey.co.uk
> @abbey.com
> barclays.co.uk
> barclays.com
> CitiBusiness
> @citi.com
> equifax.com
> commercebank.com
> bankofamerica.com
> wachovia.com
> capitalone.com
> @nationalcity.com
> .chase.com
> @chase.com
> 
> The funny part is that because phish are trying to look as legitimate 
> as possible, you can bet that they will use the correct domainname 
> for the bank.  Which means they are extremely easy to filter... end 
> of problem....  
> 
> Stu
> 
> ---
> Stuart Udall
> stuart at@...erdelix.dot net - http://www.cyberdelix.net/
> 
> --- 
>  * Origin: lsi: revolution through evolution (192:168/0.2)
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/



---
Stuart Udall
stuart at@...erdelix.dot net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
