Yet Another Ninja wrote:
I'm trying hard to convince myself this data is really useful.

the whole http://anti-phishing-email-reply.googlecode.com/svn/trunk/phishing_reply_addresses file has 4518 entries, including vintage 2008

compared to the big_boyz my trap feed is quite small and I collected 1598 entries during the last 4 hrs

Hello Yet Another Ninja,

"big_boyz": as in a small collection of university postmasters? I guess we should be honored, but I have a feeling that you were being condescending.

What exactly are you collecting? Keep in mind that the APER project is very focused on preventing email replies to phishing (hence the name). We aren't trying to stop the phishing itself (directly); there are others that do that.

If you are the opposite of a "big_boy", that must mean that your domain is smaller than a large university's, so you must have less than, say, 50,000 unique active users. Are you truly saying that every 4 hours you have 1598 unique (as in the reply-to is unique) phishing attempts, in which the phisher asks one of your users to reply with their credentials?

If what you are saying is true, then you are standing on a gold mine. Would you mind contributing to the project?

Even the largest password-reply phishing campaign we've seen was only sent to 2500 of our users (and that was using the same reply-to). On average, we see around 200 messages (30 unique reply-to's; not all new) of this type of phishing attempt every day. I assume that the other universities see something similar.

As for the vintage of the addresses: no, I don't have metrics. But most of the addresses are in the freemail domains, and we have no indication that the freemail providers are shutting down this type of account. I don't mind scanning logs for, or blocking mail to, the "old" addresses. But we do include the date (however accurate it is) so you can choose to filter the list any way you desire.

Jesse

--
  Jesse Thompson
  Division of Information Technology, University of Wisconsin-Madison
  Email/IM: jesse.thomp...@doit.wisc.edu
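
The date filtering and log scanning mentioned in the message above, as an added example that is not part of the original message and is not APER project code. It assumes each list line has the form `address,type,YYYYMMDD` and that outbound deliveries are logged Postfix-style with `to=<...>`; every address and log line is constructed.

```python
import re
from datetime import date, datetime

# Constructed sample of the address list. ASSUMED format: address,type,YYYYMMDD
SAMPLE_LIST = """\
# constructed entries, not taken from the real list
old.helpdesk@freemail.example,A,20080412
webmail.upgrade@freemail.example,A,20090301
Account.Verify@freemail.example,AB,20090310
this line is malformed
"""

# Constructed outbound log lines in a Postfix-like style (assumed format).
SAMPLE_LOG = """\
Mar 12 09:14:02 mx1 postfix/smtp[411]: 4F1A2: to=<colleague@university.example>, status=sent
Mar 12 09:15:40 mx1 postfix/smtp[412]: 4F1B7: to=<Webmail.Upgrade@freemail.example>, status=sent
Mar 12 09:16:11 mx1 postfix/smtp[413]: 4F1C9: to=<old.helpdesk@freemail.example>, status=sent
"""

def load_addresses(text, since=None):
    """Return {address: date_added}, skipping comments, malformed lines and
    entries older than `since` (a datetime.date), if given."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",")
        if len(parts) != 3 or "@" not in parts[0]:
            continue
        try:
            added = datetime.strptime(parts[2], "%Y%m%d").date()
        except ValueError:
            continue  # unparseable date: treat the line as malformed
        if since is None or added >= since:
            entries[parts[0].lower()] = added  # addresses compared case-insensitively
    return entries

TO_RE = re.compile(r"\bto=<([^>]+)>")

def find_replies(log_text, entries):
    """Return (recipient, log line) for each delivery to a listed address."""
    hits = []
    for line in log_text.splitlines():
        m = TO_RE.search(line)
        if m and m.group(1).lower() in entries:
            hits.append((m.group(1).lower(), line))
    return hits

if __name__ == "__main__":
    for addr, line in find_replies(SAMPLE_LOG, load_addresses(SAMPLE_LIST, date(2009, 1, 1))):
        print(addr, "<-", line)
```
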
