Full Disclosure mailing list archives
Re: simple phishing fix
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Tue, 29 Jul 2008 20:12:42 +1200
lsi wrote:
Of all the approaches below I like the simple list of strings in the email client (the first link). This is because it's a DENY ALL policy. ...
"simple" -- yes. "DENY ALL" -- nope...
From your first post, it's clear that you receive samples from a _VERY_
limited sliver of the bank, credit union and other financial target phishing that goes on each and every day...
From a purely theoretical perspective, to make your preferred approach
"DENY ALL" you would have to have ongoing access to an oracle identifying the domains of ALL financial institutions, so your block list could be updated in a timely manner as domains are added and removed... As no such oracle exists, a "deny all" approach along the lines you suggest is _practically_ impossible.
... The other approaches below, AFAICS, use ACCEPT ALL and then try and find reasons to block the mail. ...
Which is actually what your suggested approach does, even if it could be practically implemented -- it accepts all Email (or at least all incoming Email delivery connections) then tries to find a reason to block it (From address domain on block list).
... The first approach simply blocks them all! ...
...for some interesting and unknowably odd value of "all".
... Sure, you want to receive mail from the Bank of Foo, just don't put bankoffoo.com in your list!
Thereby letting through the phish for the target(s) of most danger to you -- get suckered by a Foo Bank phish as a Foo Bank customer and you may be in trouble, but getting suckered by a Bar Bank phish when you are only a Foo Bank customer and no harm is done. Also, your preferred approach entirely fails to deal with "close but not quite" domain "spoofing" -- info () vvachovia com rather than info () wachovia com, suport@foo_bank.com rather than support () foo-bank com (the real Foo Bank domain), etc, etc, etc. In short, as is commonly the case in such matters, the quick'n'dirty, I- just-thought-of-the-ultimate-solution-to-the-phishing-problem-AND-it's- REALLY-SIMPLE solution is so far from complete that it's all but useless... Regards, Nick FitzGerald _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- simple phishing fix lsi (Jul 27)
- Re: simple phishing fix trejrco (Jul 27)
- Re: simple phishing fix lsi (Jul 28)
- Re: simple phishing fix Nick FitzGerald (Jul 29)
- Re: simple phishing fix Raj Mathur (Jul 30)
- <Possible follow-ups>
- Re: simple phishing fix Biz Marqee (Jul 27)
- Re: simple phishing fix lsi (Jul 28)
- Re: simple phishing fix Biz Marqee (Jul 28)
- Re: simple phishing fix lsi (Jul 28)
- Re: simple phishing fix Stian Øvrevåge (Jul 29)
- Re: simple phishing fix Peter Besenbruch (Jul 29)
- Re: simple phishing fix lsi (Jul 30)
- Re: simple phishing fix Nick FitzGerald (Jul 30)
- Re: simple phishing fix Peter Besenbruch (Jul 30)
- Re: simple phishing fix lsi (Jul 28)