On a related note, is there a way for a voter to add a note regarding a particular phish? This site: http://www.phishtank.com/phish_detail.php?phish_id=20327
was a phish, but it was not obvious until I checked the URL:
http://israelibrokerageserviceslimired.com/index.php?sect_id=6&form_id=1&position=Financial+manager+for+cooperation+with+private+individuals&country=usa
Note the R substituted for a T in the word “limired”. And after I voted, I discovered that 50% of the voters have been taken in by this phish. A simple note might have helped them recognize phish from legit.

Nice work! One minor detail which would be helpful is: see all timestamps with offset, adjusting to users timezone.

Greetings

We go through the flags, and often change the URL based on the feedback there.

I don’t think this is working. It seems to me that it keeps coming up until I finally give up and mark “I don’t know.”

Here’s one issue. The Phishers are buying domain names, and they take 0-48 hours to broadcast through and clear caches and etcetera. So when a phish URL fails DNS lookup, it might be that my DNS servers don’t have the new data yet. Failing DNS lookup (unknown host) my response should be “I don’t know.” Yet the URL has obvious phish poop in it, such as paypal/https/update — I worry that I should mark these as “Phish” even though the site won’t come up.

Lead us, oh great ones!!

1. Automagic screening of obvious phish.

That is, when the uri includes the name of an obvious phish-target like Ebay or Paypal, but in a way that attempts to mask that it’s not actually that target. If this is the case, then automagically pinging the document to see if it loads should be enough to get it listed — there is no way you’re going to find legitimate sites in those situations.

2. Bayesian Analysis for pre-screening.
A la POPfile for email classification. This could be done on the text of the emails submitted as well as on the source code of the documents themselves. A little bit of training can go a long way in teaching a classifier what is and isn’t phish. This would make it easier for project members who would only need to confirm or reject the program’s classification.

The latter would take a different kind of programming, but there are open source projects using this kind of classification to draw upon. It could also spawn phishers throwing lots of bloating code into sites to try to confuse the classifiers, but it would be less likely to be successful in this environment than it would in email, and it’s not very effective in the world of email as it is. And, if you GPLish it, it could make the basis for a number of products used to classify bad websites of various kinds.

Others with API question… please reach out to me at my first name at opendns dot com.

We’ll consider a mailing list or forum.

Is there a group/mailing list to discuss API issues ? I am trying to hack up a ruby api library for this, but am constantly getting a response “Cant get shared secret.”

–Amit