Comment regarding screenshots: in the past few days I hardly ever get a valid screenshot - 4 out of 5 times it’s “Screenshot has not been taken yet…” Why’s that?

A few points:
a) RSS-feeds by ASN woould be great. Sadly, the ASNs that have the worst track record are the least likely to subscribe. I woould strongly consider automatic notifications to the ASN’s contact info.
b) It would be great if you made an RBL for all the domains so that I can use SU-RBL to filter incoming email. Perhaps separate RBLs for those that are new versus confirmed, so that my spam engine can assign them the appropriate scores.
c) As mentioned by another poster, a whitelist of domains neesd to be generated. In the same way that 8e6 Technologies whitelists the top ### websites, PhishTank ought to do the same.
d) I would encourage PhishTank to work with other Anti-phishing organizations, most notably the “Anti-Phishing Working Group”.
e) I would encourage PhishTank to exchange phish emails and URLs with other competing anti-phish organizations as a measure of good will. Too bad there isn’t one clearing house, with each anti-phish website just leveraging the same basic source set but offering different services.

Frank

Archiving and talking about phishing is one thing, however what do you intend to actually do about it?

We’ve been tracking and stalking phishers since they first appeared on the scene in the late 1990s. For the past two years, we’ve reported as many as 20 phishing attempts per day — but the sad news is, 99% are either never closed down, or the criminal is back at another IP within hours.

One particularly frequent phisher hits with broadcast spam redirected to one of several spoof web sites, then disappears for a week or so, then comes back using the SAME IP addresses. This is clear indication that the ISP community is either out to lunch, or in complicity with the criminal activities. Abuse departments are too closely focused on “WHO” sent the spam/phishing attempt, and NOT the spamvertised site.

I’m probably the ONLY person in the world, advocating these IP blocks be blocked at the DNS level. It’s really the only way to get the ISP’s attention. And, if no one complains, then another open proxy or rogue IP has ceased to exist on the internet.

GO AFTER THE ISP of the SPAMVERTISED SITE. Once the industry learns to police their own act, phishing will be a thing of the past.

The problem is ICANN. They neglect to enforce their own regulations, allowing rogue Registrars to kite domains, and allow forged WHOIS information all of which is very friently to phishing and spamming ISPs. (Joker.com comes to mind.)

Until measures are deployed ‘upstream’ as high as the DNS, then phishing will continue.

Fred

Phishtank seems to pick up URLS from the header of the mail,
which may be useful or not.

While this is the case, please remove all SpamAssassin or other extra headers before submitting. This helped a lot
for my submissions.

Jost |8-))

A site that requests personal information for dubious purposes is ‘phishy’ in my view. Mortgage refinance sites ‘for US residents only’, yet hosted in China, this sort of thing… Some of these sites even follow the usual method of using images, text copy or site layouts ripped from legitimate sites to build trust.

I’ll leave it to PhishTank’s administrators to determine the standard for phishiness though. I’m simply skipping these sites for the time being.

Don’t forget the emails sometimes have quoted-printable and line breaks and stuff. I’ve seen links listed ending in ‘=’ and presumably missing the remainder.

E.g.
http://mail.yahoo.com
http://images.paypal.com/en_US/i/scr/pixel.gif
http://surgemail.com
http://www.w3.org/TR/REC-html40
https://www.paypalobjects.com/en_US/i/scr/pixel.gif
http://paypal.com/en_US/i/scr/pixel.gif

I’ve seen them more than a few times now.

Just my thoughts on the matter.

any thought on the URIBL idea? it’s the “industry standard” way for MTA filters (incl SpamAssassin) to look up these kinds of services.