I think you are the new greatest troll of FD

On Wed, Jul 30, 2008 at 3:14 AM, lsi <[EMAIL PROTECTED]> wrote:
> Thank you all for your comments. However, I cannot disagree more fully.
>
> It doesn't matter that the blacklist is not complete. If a scammer tries to phish a bank that's not on the list, e.g. one that is not popular, he won't make much money, because it's a small bank and the probability of him hitting an email address which works, and is an address of a customer of that tiny bank, and the customer gets suckered, and all other security mechanisms fail, is very small.
>
> The scammer knows this and so he targets the popular banks.
>
> Therefore, the blacklist only needs to contain popular banks. However, there is almost no penalty to add another 500 to the list; it's a simple filter, it's fast.
>
> I do agree that the more banks on the list, the better, but there are not millions of banks in the world; it's not a problem to list all the major banks, and many of the smaller banks as well.
>
> As the blacklist is deployed, the average revenue per mail (ARPM) will fall. The more it is deployed, the more the ARPM will fall. The ARPM does not need to hit zero. As soon as the ARPM falls below the average cost to send each mail, phishing will be economically unviable.
>
> E.g. it might still be technically feasible; however, it will no longer be profitable to be a phisher.
>
> Repeat: phish do not need to be completely eliminated. Once they are reduced below a certain level, it will become economically infeasible to be a phisher. The invisible hand [1] will do the rest of the work for us.
>
> Other bits:
>
> I agree that by opening a hole in your phish firewall (e.g. permitting traffic from the Bank of Foo) you are making yourself slightly less protected. However, if a user has a blacklist where he has to specifically ALLOW traffic from a certain bank, that user will be well aware that he has opened a hole in his phish wall and will be extremely attentive when he actually gets a mail. (I'm appalled that some banks actually use email; how cheap are they? If my bank did that, I'd complain, and consider changing banks.) As with a real firewall, it's not a total solution, but one layer of several.
>
> The blacklist catches variations; of course the common variations are listed as well. Again, every combination is not required, because the probabilities of failure rapidly stack up once the scammers start to get too imaginative with their variations (e.g. they will have to use more and more obscure variations, which will trick fewer and fewer users). I hear Unicode will make life interesting; I'm looking forward to some samples.
>
> Blacklists do work. They are successfully used in many applications; the Spamhaus blocklist, the denyhosts SSH tool and desktop AV software all spring to mind. Blacklists don't work *when the content they are checking is polymorphic*. Phish, by definition, are NOT polymorphic. We are talking banks here; they do not change their names very often.
>
> I think that is an important point. The problem space is a lot smaller once you start working with a finite list of domain names. A blacklist is feasible in these circumstances.
>
> I agree my list is small; you'll note, however, that it contains most of the biggest banks. I didn't choose them, they self-selected, by being sent to me. That's why they are the biggest banks, because the scammers target those banks. There's obviously no reason why the list could not contain every large bank in the world. I could maybe hunt down some stats to add banks I don't get phished for, but that would just slow down my filter! If others were to use it they'd want to customise it. Because the blacklist is on the client machine, the user is free to add banks they get hammered with, and free to remove banks they want to correspond with.
>
> Don't forget that "achovia." can be listed, to catch wachovia.com, vvachovia.com, vvachovia.co.uk etc.
>
> Think about it: most people have no need to accept mail from every bank in the world. That is accept ALL. Using the blacklist means they are now denying all bank traffic. (OK, denying all on the list; I agree that it's not a complete deny all, because we cannot know the names of all banks in advance. I do regret confusing the discussion by mentioning DENY ALL. I was hoping to explain my analogy to a firewall, e.g., it blocks everything by default and then lets in what you tell it to let in. I do accept that, unlike a real firewall, it can be got around by using an unlisted name; it's really DENY MOST.)
>
>> (x) Mailing lists and other legitimate email uses would be affected
>
> Irrelevant. They are affected already. They are the victims of spoofing. It's either block their mails, or users suffer the spoofs. Given that suffering the spoofs means bank-originated mails are useless in any case, that means the only available course of action is to deny all bank email traffic.
>
>> my Bayesian filter gets these anyway
>
> My spam filter misses some, hence my post. However, following this comment I have checked my config and the Bayesian plugin is disabled ;) Thank you for the suggestion.
>
> [1] http://en.wikipedia.org/wiki/Invisible_hand
>
> ---
> Stuart Udall
> stuart [EMAIL PROTECTED] net - http://www.cyberdelix.net/
>
> ---
> * Origin: lsi: revolution through evolution (192:168/0.2)
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
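The filter the quoted post describes, written out as an added example (not the poster's own code, and not the list he actually ran): a substring blacklist of bank-name fragments such as "achovia." applied to sender, subject and body; a per-user allow list for the banks the user deliberately opens a hole for; and a normalisation step that case-folds, applies NFKC and maps a handful of Cyrillic homoglyphs, so the Unicode variations he anticipates are caught. The fragment list, the allow list, the confusables map, the sample mails and the minimal header/body splitter are all constructed assumptions. The last sample is a variation the fragment does not match, which is the limitation the post itself concedes.

```python
import re
import unicodedata

# Constructed sample blacklist: bank-name fragments, as in the post
# ("achovia." catches wachovia.com, vvachovia.co.uk, ...). Not the author's list.
BANK_FRAGMENTS = ["achovia.", "paypal.", "citibank."]

# Per-user allow list of sender domains: the deliberate "hole in the phish wall".
ALLOW_SENDER_DOMAINS = {"citibank.com"}

# Hypothetical, tiny homoglyph map (Cyrillic look-alikes -> Latin). A real
# deployment would fold the full Unicode confusables table, not six letters.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o",
               "\u0440": "p", "\u0441": "c", "\u0456": "i"}


def normalize(text, fold_homoglyphs=True):
    """Case-fold, NFKC-normalise (fullwidth letters, ligatures), optionally map homoglyphs."""
    text = unicodedata.normalize("NFKC", text).casefold()
    if fold_homoglyphs:
        text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    return text


def parse(raw):
    """Minimal header/body split for plain-text mail (assumption: no MIME, no header folding)."""
    head, _, body = raw.partition("\n\n")
    headers = {}
    for line in head.splitlines():
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def sender_domain(headers):
    m = re.search(r"@([A-Za-z0-9.-]+)", headers.get("from", ""))
    return m.group(1).lower() if m else ""


def classify(raw, fold_homoglyphs=True):
    """Return ("allow", domain), ("deny", fragment) or ("pass", "")."""
    headers, body = parse(raw)
    dom = sender_domain(headers)
    if dom in ALLOW_SENDER_DOMAINS:
        return "allow", dom  # the user opened this hole on purpose
    haystack = normalize(headers.get("from", "") + "\n" +
                         headers.get("subject", "") + "\n" + body, fold_homoglyphs)
    for frag in BANK_FRAGMENTS:
        if frag in haystack:
            return "deny", frag
    return "pass", ""


# Constructed sample mails (not real phish); "example" hosts throughout.
SAMPLES = {
    "classic":   "From: Wachovia Alerts <alerts@example.net>\nSubject: Account notice\n\n"
                 "Confirm your details at http://wachovia.com.login.example/\n",
    "variation": "From: Security <sec@example.net>\nSubject: Verify\n\n"
                 "Please visit http://vvachovia.co.uk.example/ now\n",
    "homoglyph": "From: Security <sec@example.net>\nSubject: Verify\n\n"
                 "Please visit http://w\u0430chovia.com.example/ now\n",  # Cyrillic a
    "allowed":   "From: Citibank <notices@citibank.com>\nSubject: Statement\n\n"
                 "Your statement is ready at https://www.citibank.com/\n",
    "evasion":   "From: Security <sec@example.net>\nSubject: Verify\n\n"
                 "Please visit http://wachovia-online.example/ now\n",  # no "achovia."
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
```

Run stand-alone it prints one verdict per sample. The homoglyph mail is denied only because of the confusables fold; with `fold_homoglyphs=False` it passes, and the hyphenated "wachovia-online" passes either way, since the fragment insists on a dot after the name.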
