North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: phishing sites report - March/2005
- From: Daniel Golding
- Date: Mon Mar 28 15:21:11 2005
This report isn't terribly useful without the IP addresses (or URLs) in
question. How could an ISP start investigating and/or null routing these
addresses without having the list?
I suppose I'm skeptical because some of those ASNs are not big content
hosters. Some are transit-only ASN's.
Also, if you are using WHOIS to check the IP addresses for their owner, how
are you correlating to ASN? Through an IRR? Or is there a route lookup
somewhere in the mix?
Even if you won't release full data (although I can't imagine why not), you
need to fully disclose the methodology. "Digested" is insufficient when ISPs
and hosters are being called out by name.
On 3/28/05 2:19 PM, "Gadi Evron" <email@example.com> wrote:
> Daniel Golding wrote:
>> Forgive me for being skeptical, but...
> I would prefer you being skeptical. Please don't take my word on any of
>> How do you come up with these? Are these the direct upstream ISPs of the
> These are the digested results from the reports sent to the malicious
> websites and phishing research and mitigation list.
>> phishing sites or the next hop AS's from your test site?
> Plainly put, these are the results you get when you feed the IP's of the
> hosting web sites to the Cymru whois.
>> Is there a link to the original data?
> Nope. We hope to release more data in our next reports. Please let us
> know what kind of data you'd like available. We'll do our best to
> provide it.
> One of our main goals is public awareness, so we are very interested in
> If you have further questions on the process itself, I'd gladly direct
> you to the guy who actually does the data mining and statistics - but
> the list data itself is not open to the public.