North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: phishing sites report - March/2005
- From: Gadi Evron
- Date: Mon Mar 28 15:54:17 2005
Daniel Golding wrote:
To answer all your above welcomed questions...
This report isn't terribly useful without the IP addresses (or URLs) in
question. How could an ISP start investigating and/or null routing these
addresses without having the list?
I suppose I'm skeptical because some of those ASNs are not big content
hosters. Some are transit-only ASN's.
Also, if you are using WHOIS to check the IP addresses for their owner, how
are you correlating to ASN? Through an IRR? Or is there a route lookup
somewhere in the mix?
Even if you won't release full data (although I can't imagine why not), you
need to fully disclose the methodology. "Digested" is insufficient when ISPs
and hosters are being called out by name.
We will release the data we can, sorry.
That said -
We are looking for ways to release the actual IP's (phishing web pages)
information in a sort of a blacklisting service. Currently the data is
mixed with suspected CP sites and that's a no-no for release.
There are steps to take, and you are right - that's one of them, and
perhaps even more important than we currently believe.
As to the usefulness of this particular report, it is about showing the
problem, not killing sites.
As to "proving" to the ISP's -
Each of the respected service providers can contact us and get the
information directly, and then make up their own minds.
As to the exact methodology used, I'll have to refuse to divulge that
information publicly at this time. You don't have to believe the data.
You can believe in some of the public names associated with this work.
Statistics may be a "blown out of proportions" word here, as all we do
in this particular case is count.
And sorry, we'll keep calling these service providers by name, and "put
our money where our mouth is" when they ping us back, like we did with
The Planet, PNAP, KrCERT and others on our botnets C&C report. Also, we
give credit where credit is due to service providers who show they are
Keep in mind, although we won't go for "amateur" work, this is volunteer