quietman7
1st Responder Mentor
 Joined: Sep 30, 2004 Posts: 3566 Location: Virginia, USA
seafsee
General
 Premium Member
 Joined: Apr 02, 2004 Posts: 4920
Posted: Mon Mar 28, 2005 1:01 pm
Would one take the list of IP addresses and add them to a list of banned or restricted sites in their browser?
Oldfrog
Special Response Team
 Joined: Jun 27, 2004 Posts: 8576 Location: Deep in the Heart of Texas
Posted: Mon Mar 28, 2005 1:38 pm
The first list appears to be raw data, as it contains many duplications. I am not really sure how that could be used other than for statistical purposes. While one could probably build a block list for the included addresses, that would not seem to be overly productive. If you look through the "Current Phishes" announcement at the top of this forum you will see that these sites typically have a very short life span. Over time one could accumulate a very large blocking list which accomplished very little.
Last edited by Oldfrog on Mon Mar 28, 2005 4:30 pm, edited 1 time in total
seafsee
General
 Premium Member
 Joined: Apr 02, 2004 Posts: 4920
Posted: Mon Mar 28, 2005 3:27 pm
Okay. Thanks.
quietman7
1st Responder Mentor
 Joined: Sep 30, 2004 Posts: 3566 Location: Virginia, USA
Posted: Mon Mar 28, 2005 5:26 pm
As you can all see, the link was in text format without any other information. I did not even know how old it was.
I thought I should at least bring it to everyone's attention to check out and get some feedback, rather than just ignore it.
Oldfrog
Special Response Team
 Joined: Jun 27, 2004 Posts: 8576 Location: Deep in the Heart of Texas
Posted: Mon Mar 28, 2005 5:59 pm
By all means! While of limited use to an individual, information such as this is used very productively in discovering "hot spots", either geographically or by ISP, that are used by phishers. This in turn allows a heightened level of surveillance on those areas.
When I first became interested in this area, I frequently saw fraudulent sites that were accessible for 2 weeks or more. I have seen a marked reduction in the life cycles for these sites and have even found some that had already been taken offline by the time that I received the solicitation email. Something that someone is doing appears to be working.
MS MVP Security 2006-2008
stan_qaz
Premium Member
 Joined: Mar 31, 2003 Posts: 10635
Posted: Mon Mar 28, 2005 7:11 pm
It would be nice if someone would create a DNSBL for these messages, sort of a mini spamcop.net.
Questions? Try the wiki
http://wiki.castlecops.com/MailWasher_Pro
Oldfrog
Special Response Team
 Joined: Jun 27, 2004 Posts: 8576 Location: Deep in the Heart of Texas
Posted: Mon Mar 28, 2005 7:22 pm
Quote: "It would be nice if someone would create a DNSBL for these messages"
In a sense this is being done, although the efforts that I am aware of are proprietary and I don't know of any way to access the BLs except through the associated toolbars.
Netcraft, FraudEliminator, and TrustWatch all at least claim to maintain blocking databases. The only one that I can really comment on is that from Netcraft, as they provide excellent feedback. They have so far credited me with 17 initial reports of a fraudulent site, and I have seen one occasion when the elapsed time from my report to their blocking the site was less than 5 minutes. They seem very aggressive in their maintenance.
MS MVP Security 2006-2008
stan_qaz
Premium Member
 Joined: Mar 31, 2003 Posts: 10635
Posted: Mon Mar 28, 2005 8:04 pm
Blocking at the browser is nice, but I was thinking of blocking either at a mail server by the ISP or by a mail filter client like MWP.
The sooner the phish is stopped the better; waiting until you have clicked a link is way late in the process, but necessary since the phishes are getting through.
Questions? Try the wiki
http://wiki.castlecops.com/MailWasher_Pro
Oldfrog
Special Response Team
 Joined: Jun 27, 2004 Posts: 8576 Location: Deep in the Heart of Texas
Posted: Mon Mar 28, 2005 8:35 pm
Ah, I understand now. That would be a real challenge to implement in a timely manner. You would, as you indicated, have to scan for the fraudulent IP address or domain, since the originating email addresses and servers would be useless for that. You would also have to have multiple rules for every threat, as they can come with a variety of obfuscation techniques employed.
MS MVP Security 2006-2008
Ikeb
Special Response Team Forums Admin
 Joined: Apr 20, 2003 Posts: 16536
Posted: Mon Mar 28, 2005 11:30 pm
The obfuscation can't hide the web site host address to which a click-through is being sought. That's analogous to the spamvertised address that Stan and I have been advocating as a feature for MWP.
Oldfrog
Special Response Team
 Joined: Jun 27, 2004 Posts: 8576 Location: Deep in the Heart of Texas
Posted: Tue Mar 29, 2005 1:55 am
I am not familiar with MWP, but if we were writing filters in Perl regex we would have to write for the plain text, the base64, and for various combinations of HTML entities depicting ASCII. My only real failure with Netcraft was in reporting a fraudulent site and having them block the plain text, while the actual link was encoded with entities and continued to get through the toolbar.
MS MVP Security 2006-2008
stan_qaz
Premium Member
 Joined: Mar 31, 2003 Posts: 10635
Posted: Tue Mar 29, 2005 2:34 am
Trying to filter on the un-decoded link is a problem; decoding it to a URL and then finding the IP behind that is the best way to go.
It is not a trivial project, but killing the phish by identifying the server hosting it is probably the most effective way to stop it.
This decode-and-report is what the spamcop.net system does so well; they end up with a list of IP addresses for sites hosting the spamvertised products.
Questions? Try the wiki
http://wiki.castlecops.com/MailWasher_Pro
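The filter Oldfrog and stan_qaz are describing (undo the base64 transfer encoding and the HTML entity layer, pull the link out, then match on its host rather than on the raw bytes) as an added example; this is not code from the thread or from MailWasher Pro, and the message bodies and the hostname login.example-bank.invalid are constructed placeholders.

```python
import base64
import html
import re
from urllib.parse import unquote, urlsplit

# Constructed sample bodies: the same link rendered three ways, as a phishing
# mail might carry it. The hostname is a made-up placeholder, not a real site.
PLAIN_BODY = 'Verify now: <a href="http://login.example-bank.invalid/verify">click</a>'
# Decimal and hex HTML entities spelling out "http://login" character by character.
ENTITY_BODY = (
    'Verify now: <a href="&#104;&#116;&#116;&#112;&#58;&#47;&#47;'
    '&#x6c;&#x6f;&#x67;&#x69;&#x6e;&#46;example-bank&#46;invalid&#47;verify">click</a>'
)
# The plain HTML part as it would appear under Content-Transfer-Encoding: base64.
BASE64_BODY = base64.encodebytes(PLAIN_BODY.encode()).decode()

HREF_RE = re.compile(r'href\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)


def decode_body(body: str, transfer_encoding: str = "7bit") -> str:
    """Strip the transport layer (base64 part) first, then the HTML entity layer,
    because the entity-encoded text is what sits inside the decoded HTML part."""
    if transfer_encoding.lower() == "base64":
        body = base64.b64decode(body).decode("utf-8", errors="replace")
    return html.unescape(body)  # resolves &#NNN;, &#xHH; and named entities


def extract_hosts(body: str, transfer_encoding: str = "7bit") -> set[str]:
    """Return the lower-cased hostname of every href in the decoded body."""
    hosts: set[str] = set()
    for raw in HREF_RE.findall(decode_body(body, transfer_encoding)):
        parts = urlsplit(unquote(raw))  # also undo %XX escapes inside the URL
        if parts.hostname:
            hosts.add(parts.hostname.lower())
    return hosts


def blocked_hosts(body: str, blocklist: set[str], transfer_encoding: str = "7bit") -> set[str]:
    """The filter decision: link hosts in the message that are on the block list."""
    return extract_hosts(body, transfer_encoding) & {h.lower() for h in blocklist}


if __name__ == "__main__":
    blocklist = {"login.example-bank.invalid"}
    for label, body, enc in [("plain", PLAIN_BODY, "7bit"),
                             ("entities", ENTITY_BODY, "7bit"),
                             ("base64", BASE64_BODY, "base64")]:
        print(label, extract_hosts(body, enc), blocked_hosts(body, blocklist, enc))
```

The "find the IP behind it" step stan_qaz mentions would follow by resolving each extracted host over DNS (for example with socket.gethostbyname); it is left out here so the example runs offline.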
 |
Oldfrog
Special Response Team
 Joined: Jun 27, 2004 Posts: 8576 Location: Deep in the Heart of Texas
Posted: Tue Mar 29, 2005 2:44 am
Sounds like a winner to me!
MS MVP Security 2006-2008