Robin
Site Admin Phishing Squad Team Lead
 Joined: Oct 15, 2003 Posts: 8946
Posted: Wed Jan 19, 2005 2:55 pm Post subject: Current scam directory?
Hi everyone,
I was thinking about this over the last few days. The more I think about it the more I think it might be a beneficial thing. I'm posting in here to get some feedback from the masses so to speak.
What if we create a database of sorts here on CastleCops with known phishing scams? It would work like an encyclopedia, so items would be listed alphabetically, and in some cases would include actual examples of the emails being sent out to folks.
Does anyone have any thoughts on the idea?
Oldfrog
Special Response Team
 Joined: Jun 27, 2004 Posts: 8576 Location: Deep in the Heart of Texas
Posted: Wed Jan 19, 2005 4:02 pm
It is a good idea, Robin, especially if the database is searchable rather than simply retrievable.
I have documented a few in the past and have a backlog of others waiting to be added. The problems that I have encountered so far are trying to establish criteria for what constitutes a unique threat as opposed to a variation of an existing threat and what data to collect and publish for each threat.
I have done this in a forum/topic format and I am continually amazed at the referrals that I draw from Google. Some of the search strings are very surprising.
Anyway, I'll be happy to contribute in any way possible.
_________________
MS MVP Security 2006-2008
Robin
Site Admin Phishing Squad Team Lead
 Joined: Oct 15, 2003 Posts: 8946
Posted: Wed Jan 19, 2005 4:09 pm
It occurred to me because we got feedback recently about someone getting nailed by a scam I'd done an article on previously. I thought maybe if the database was there and searchable like you suggest it would help people, because they can google just the names or associated companies and get results back for it.
Oldfrog
Special Response Team
 Joined: Jun 27, 2004 Posts: 8576 Location: Deep in the Heart of Texas
Posted: Wed Jan 19, 2005 4:48 pm
People are definitely out there searching for the info. Given CC's already respectable search engine ranking, this would be a great place for it.
_________________
MS MVP Security 2006-2008
stan_qaz
Premium Member
 Joined: Mar 31, 2003 Posts: 10635
Posted: Wed Jan 19, 2005 4:56 pm
Search by subject or search by first 10 words would make it easy to match your spam to the database.
_________________
Questions? Try the wiki
http://wiki.castlecops.com/MailWasher_Pro
Oldfrog
Special Response Team
 Joined: Jun 27, 2004 Posts: 8576 Location: Deep in the Heart of Texas
Posted: Wed Jan 19, 2005 5:10 pm
After muddling about with several ideas, formats, and approaches I am considering settling on one that includes the following:
1) Screenshot of e-mail unless sent as plain text
2) Complete source of email including headers
3) Whois information on the originating IP
4) Whois on the target URL (and reverse DNS, if appropriate)
5) Comments as appropriate.
After receiving multiple different attempts from the same originating IP I have thought about adding entries for these cross referenced to the corresponding emails.
_________________
MS MVP Security 2006-2008
stan_qaz
Premium Member
 Joined: Mar 31, 2003 Posts: 10635
Posted: Wed Jan 19, 2005 7:12 pm
As long as none of the links in the mail are live and addresses are munged to protect the innocent, that would be good.
_________________
Questions? Try the wiki
http://wiki.castlecops.com/MailWasher_Pro
Oldfrog
Special Response Team
 Joined: Jun 27, 2004 Posts: 8576 Location: Deep in the Heart of Texas
Posted: Wed Jan 19, 2005 7:31 pm
Yeah, I always delete the actual recipient's address. The message source goes into quotes so the links aren't live.
_________________
MS MVP Security 2006-2008
stan_qaz
Premium Member
 Joined: Mar 31, 2003 Posts: 10635
Posted: Wed Jan 19, 2005 10:31 pm
I was also concerned about forged senders but you seem to have the plan well together.
_________________
Questions? Try the wiki
http://wiki.castlecops.com/MailWasher_Pro
Oldfrog
Special Response Team
 Joined: Jun 27, 2004 Posts: 8576 Location: Deep in the Heart of Texas
Posted: Wed Jan 19, 2005 10:38 pm
I hadn't actually thought about the forged senders aspect. Thanks for pointing that out. Most of the ones that I have dealt with have been fake institutional emails so no individual privacy issues were involved.
_________________
MS MVP Security 2006-2008
Ikeb
Special Response Team Forums Admin
 Joined: Apr 20, 2003 Posts: 16543
Posted: Thu Jan 20, 2005 3:28 am
Oldfrog wrote: "After receiving multiple different attempts from the same originating IP I have thought about adding entries for these cross referenced to the corresponding emails."
An interesting discussion. This last point is particularly intriguing. This might offer the opportunity to look for links to known SPAM sources -- i.e. is this stuff spawned by the same individuals or do they operate in different circles. Of course all of this is complicated by the use of hijacked PCs.
stan_qaz
Premium Member
 Joined: Mar 31, 2003 Posts: 10635
Posted: Thu Jan 20, 2005 3:38 am
Oldfrog, if you haven't used spamcop.net recently, they have added a pretty good forgery detection tool to the submission process, called mailhosts there, that you could use to track your personal message headers for forgeries, but it's not much good for stuff forwarded to you even with full headers.
Most of what I get seems to be forged anymore with only the links inside going anywhere. I'll look at a few of the scammy messages and see if I can see anything. With MailWasher running well now I usually only look at about 1% of my incoming spam and delete the rest of it without looking.
_________________
Questions? Try the wiki
http://wiki.castlecops.com/MailWasher_Pro
Oldfrog
Special Response Team
 Joined: Jun 27, 2004 Posts: 8576 Location: Deep in the Heart of Texas
Posted: Thu Jan 20, 2005 4:01 am
I will check out the spamcop tool and see how it works. SamSpade also has a built in email header parsing tool that is fairly decent. I normally follow the from/to chains until I find a break either by address inconsistency or reverse DNS failure.
Here is a sample of the format that I am using at the moment.
_________________
MS MVP Security 2006-2008
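A small Python sketch, added here and not code from CastleCops or any of the posters, of the directory record Oldfrog describes and the checks discussed in this thread: the Received-chain walk that stops at an address inconsistency (Oldfrog's last post), stan_qaz's first-ten-words search key, and the munging of the recipient address and links so a stored record is safe to publish. The raw message, hosts, addresses and IPs are constructed for the example; the whois and reverse DNS steps from Oldfrog's format list are left out because they need network access.

```python
import email
import re
from email import policy

# Constructed sample (not a real message): a fake "bank" phish whose lower
# Received hop is forged. Every host, address and IP here is invented.
RAW = b"""Received: from mx2.example.net (mx2.example.net [203.0.113.7]) by mail.example.org; Wed, 19 Jan 2005 14:02:11 -0600
Received: from smtp.bigbank.example (smtp.bigbank.example [198.51.100.9]) by relay.other.example; Wed, 19 Jan 2005 14:01:50 -0600
From: "Big Bank Security" <security@bigbank.example>
To: victim@example.org
Subject: Urgent: verify your account now

Dear valued customer, we have detected unusual activity on your account.
Please confirm your details at http://bigbank-verify.example/login within 24 hours.
"""

RECEIVED_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)

def received_chain(msg):
    """(from, by) host pairs for each Received header, newest hop first."""
    hops = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(str(hdr))
        if m:
            hops.append((m.group(1).rstrip(";").lower(), m.group(2).rstrip(";").lower()))
    return hops

def chain_breaks(hops):
    """Walk newest to oldest: the host hop i was received 'from' should be the
    host hop i+1 was received 'by'. A mismatch is a break in the chain, and
    every hop below it (older) cannot be trusted; it was likely forged."""
    return [i for i in range(len(hops) - 1) if hops[i][0] != hops[i + 1][1]]

def directory_record(raw):
    """Build one searchable, munged entry for the scam directory."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    words = re.findall(r"\S+", body)
    hops = received_chain(msg)
    return {
        "subject": str(msg["Subject"]),
        "first10": " ".join(words[:10]).lower(),  # search key (stan_qaz's idea)
        "sender": str(msg["From"]),               # fake institution, kept as evidence
        "recipient": "[recipient removed]",       # real victim address is dropped
        # Links are defanged (hxxp) so a pasted record can never be clicked.
        "urls": [re.sub(r"^http", "hxxp", u) for u in re.findall(r"https?://\S+", body)],
        "hops": hops,
        "breaks_at_hop": chain_breaks(hops),
    }
```

In the sample the top hop says the mail came from mx2.example.net, but the hop below claims to have been handed to relay.other.example, so the chain breaks at hop 0 and the "bigbank" hop beneath it is the forged part.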