RE: anti-phishing implementation

["wilsonc" <wilsonc () mantech-wva com>]

Bjorn,
        An approach to take for home users (consumers) would probably have
to be like the home user spam tools today, where the scanner 'scores' an
email/website in a range from 1-7 (1 being a legitimate site, 7 being an
identified phishing attempt) and letting the user pick a score where they
want the email/web site flagged and immediately notified about the security
risk. You could assign points for things like:
        *Hex encoded URLs
        *Site's existence less then 1 year
        *Forms without SSL
        *Site/Sender Certificate Issues (revocation, etc -- I don't know
enough about certificates to say what would types of misuse would indicate a
phishing attack, but I'm sure someone from this list could elaborate).
        *Country of Origin does not match specified DNS record
        *Site/Sender exists in phishing database
        
Each one of those 'violations' could be assigned a point or more, and when
the threshold is met, the user is notified that they're more then likely at
a phishing site.
There's other interesting things you could do with it, like tie it into the
existing anti-phishing tools (like Netcraft's Toolbar) or even a
comprehensive grammar checker (5 (or n) or more errors could result in being
flagged as a 'bad forgery', like those lovely 419 emails).

Just some thoughts I thought I'd share. I used a system like that for
flagging email spam at the university I attended and it worked well for me.
HTH,
Chris.

-----Original Message-----
From: Lyal Collins [mailto:lyal.collins () key2it com au] 
Sent: Sunday, August 21, 2005 5:24 AM
To: 'Bjorn Borg'
Cc: 'Irene Abezgauz'; pen-test () securityfocus com;
webappsec () securityfocus com
Subject: RE: anti-phishing implementation

The scenario/solution decribed is intended for customers of a company (e.g.
a bank) to tell that a phishing-like email is from the bank, or not.  If
not, its untrusted=phishing.
Personal emails (e.g friends and family etc) are a whole different story,
altough the same solution works.

Lyal


-----Original Message-----
From: Bjorn Borg [mailto:bjorn.brg () gmail com] 
Sent: Sunday, 21 August 2005 7:00 PM
To: Lyal Collins
Cc: Irene Abezgauz; pen-test () securityfocus com; webappsec () securityfocus com
Subject: Re: anti-phishing implementation


Hi,

Actually my goal of developing this tool is just to protect home users who
are negligent and unsuspecting with phishing scams. Those users may use
different email services, web-based or mail clients,... its not for the
company's scenairo. I thought about this project since not all mail servers
have the ability as you describe.

Best Regards,

Bjorn

On 8/21/05, Lyal Collins <lyal.collins () key2it com au> wrote:
> The recipient trusts the gateway (or sending server) to verify the 
> sender is known and trusted to not send spam.
>
> The gateway, or more likely, a company's mail server is configured to 
> authenticate the sender's ID before passing the mail. And of course, 
> to perform spam/virus checking on low-trust mail (that is. mail from 
> senders who  do not identify themselves, just like the difference 
> between addressed mail and bulk mail in letterboxes )
>
> Gateways can easily authenticate senders by simple extensions to SMTP.
>
> Ciphire has done it, my company has done it, as have numerous other 
> entities. Phishers won't be able to be trusted by the gateways, there 
> no phishing mail reaches any recipient except as low-trust email.  
> This distinction allows even low-skilled recipients to see the 
> phisher's email is suspect.
>
> If the sender identity can be verified by the recipient, and the 
> gateway is trusted, the recipient is able to have a greater level of 
> confidence in the email.
>
> Lyal
>
> On Sat, 2005-08-20 at 12:55 +0200, Irene Abezgauz wrote:
> > Lyal,
> >
> > I am not sure I quite understand the concept you have introduced of 
> > gateway-recipient trust. The recipient trusts his gateway and 
> > therefore trusts that gateway that all email sent from that gateway 
> > is indeed valid and not malicious in any way?
> >
> > What I'm trying to understand mainly is feasibility. How is the 
> > gateway going to determine between "right" and "wrong". How can the 
> > gateway authenticate senders? That will require a large database of 
> > who is who and good anti-spoofing mechanisms since the whole system 
> > is going to rely on the information of who the sender is.
> >
> > Have I completely misunderstood you?
> >
> > Irene
> >
> > ----------------
> > Irene Abezgauz
> > Application Security Consultant
> > Hacktics Ltd.
> > Mobile: +972-54-6545405
> > Web: www.hacktics.com
> >
> >
> > -----Original Message-----
> > From: Lyal Collins [mailto:lyal.collins () key2it com au]
> > Sent: Saturday, August 20, 2005 7:33 AM
> > To: 'Bjorn Borg'; bugtraq () securityfocus com; 
> > focus-virus () securityfocus com; focus-ms () securityfocus com; 
> > honeypots () securityfocus com; pen-test () securityfocus com; 
> > security-basics () securityfocus com;
> > security-management () securityfocus com; forensics () securityfocus com; 
> > webappsec () securityfocus com; secureshell () securityfocus com
> > Subject: RE: anti-phishing implementation
> >
> > There is another strategy that the industry has almost totally 
> > ignored - allow the recipient to verify the sender's identity.  Not 
> > verifed -> delete the email.
> > This does not mean S/MIME, PGP or added email headers etc, but may also
> > use
> > those techniques as well.
> > It means the sender and recipient can trust each other that the email
> > they
> > send each other, and thus can treat all other email as suspect.
> > In the distributed internet, this would probably be best implemented in
> > selected gateways that authenticate senders, so the trust is
> > gateway-recipient, rather than the more complex sender-recipient, sicne
> > the
> > former scenario has less trust paths than the latter.
> >
> > This needs no databases, and no arms race of trying to keep up with 
> > spammers tools.
> >
> > Lyal
> >
> >
> >
> > -----Original Message-----
> > From: Bjorn Borg [mailto:bjorn.brg () gmail com]
> > Sent: Friday, 19 August 2005 11:30 PM
> > To: bugtraq () securityfocus com; focus-virus () securityfocus com; 
> > focus-ms () securityfocus com; honeypots () securityfocus com; 
> > pen-test () securityfocus com; security-basics () securityfocus com;
> > security-management () securityfocus com; forensics () securityfocus com; 
> > webappsec () securityfocus com; secureshell () securityfocus com
> > Subject: anti-phishing implementation
> >
> >
> > Hi everyone,
> >
> > I just started to develop an anti-phishing tool for my thesis.
> >
> > The tool should have two tasks. First one is to detect and prevent 
> > known attacks from web-based and POP3 emails. Second is to analyze 
> > emails' content to identify unknown phishing email and spoofed link.
> >
> > To make the first task work, I need a full database of known 
> > phishing emails, links. Anybody know where I can get this database?
> >
> > I really appreciate any suggestion about how to make this tool work, 
> > sources,...
> >
> > Many thanks,
> >
> > Bjorn
> > Kungliga Tekniska Hogskolan, Stockholm, Sweden
> >
> > --
> > No virus found in this incoming message.
> > Checked by AVG Anti-Virus.
> > Version: 7.0.338 / Virus Database: 267.10.13/78 - Release Date: 
> > 8/19/2005