Comments on: XML data file of online, valid phishes from PhishTank

By: PhishTank Blog » Blog Archive » Data about phishers at the right cost (free)

Tue, 30 Jun 2009 19:55:54 +0000

[...] PhishTank works is because the data is freely available to all, from the free, open API to the XML data file or the lightweight [...]

By: PhishTank Blog » Blog Archive » WOT uses PhishTank data

PhishTank Blog » Blog Archive » WOT uses PhishTank data — Tue, 30 Jun 2009 19:55:35 +0000

[...] WOT uses data from lots of sources, including its users. PhishTank is now part of the mix, via the downloadable data file. [...]

By: PhishTank Blog » Blog Archive » SiteChecker brings PhishTank into Firefox

Tue, 30 Jun 2009 19:54:31 +0000

[...] developer, MASA has built several extensions. With SiteChecker, MASA used the PhishTank data file (details) to bring PhishTank’s judgments right into the [...]

By: PhishTank Blog » Blog Archive » PhishTank data added to SURBL phishing list

Tue, 30 Jun 2009 19:53:58 +0000

[...] PhishTank data file we announced two days ago is already seeing [...]

By: sebastian nielsen

sebastian nielsen — Sat, 25 Oct 2008 23:13:21 +0000

I did a nice perl parser for Phishtank XML data. It parses out all url data, keeping IPs intact, and listing all second level domains that are in phishtank database. The whole thing are then put into the “domains” category of dansguardian’s filter category “phishing”.

It also reads in the “domains” at start, so if some phish site gets temporary offline and gets removed from online-valid.xml, it will still be listed in the dansguardian file. (This to prevent a phish site from temporarly dropping all its connections just to get removed from phishtank, and then reopening the phish site)

With second level domains, I mean that a phising url like:
http://adsl-75-11-237-21.dsl.rcsntx.sbcglobal.net/.irs/stimulus.refund/0,,id=181665,00.html

is converted to:

sbcglobal.net

The reason of why im doing that, is that a phisher can set up like millions of sites aaaaaaa.host.com to zzzzzzz.host.com. He only needs to point *.host.com to his IP in his DNS, and then setting up a *.host.com virtualhost, and then sending a random one to each recipient. This makes the listing at phishtank ineffective, if I don’t block out the whole second level block. The only part the phisher dosen’t have control over, is the second level domain (that he has to purchase), and the TLD.

And here comes the script: http://pastebin.com/f2f4f0f27
You can then use wget to pull down online-valid.xml from phishtank, and then run the script that I have posted. Then you need to restart DG (/etc/rc.d/dansguardian restart) to reload the blacklist. Three lines of code (wget fetching, running perl script and then restarting DG) can be done from cron.hourly or cron.daily

By: sebastian nielsen

sebastian nielsen — Sat, 25 Oct 2008 16:10:37 +0000

What is the purpose of the phish_detail_url, when you only need to take “http://www.phishtank.com/phish_detail.php?phish_id=” and put on the end?
The phish_detail_url entry adds about 100 unneccesary bytes to each entry. In the current file with about 5752 entires, that makes the file about 562 kb bigger = 0,5 MB bigger.

I guess its a safeguard if Phishtank decides to change the format of the Phish detail url, but then it could be made that the current phish detail url format is specified in the metadata, only once per XML file, like:
and then the application developer only needs to replace %1 with the phish ID that the application developer wants to link/send the user to.

I think the “verified” and the “online” tag can be removed too, since they are constant.

By: Sorin

Sorin — Thu, 13 Mar 2008 15:53:11 +0000

Hi,

There are some invalid characters in the URLs.
Have a look at phish IDs: 405396 and 360933

By: iluxan

iluxan — Fri, 29 Feb 2008 17:14:50 +0000

I really like your feed. One thing I do have a problem with, though, is the lack of some kind of “delta” or “versioned” retrieval mechanism.

I have no safe way to know which entries were removed from the list. I toyed with the option of assuming that whatever is missing from the current file but was sent in a previous file is deleted, but since sometimes I may get a truncated or incomplete file (network issues, etc), I run the risk of accidentally deleting all the items that were sent previously.

Is there any way to make this more explicit – some kind of versioning mechanism like the Google Safe Browsing API uses?

Thanks.

By: John Nagle

John Nagle — Sun, 14 Oct 2007 04:54:53 +0000

The XML file started containing useful data again on Friday, October 12th. Thanks.

Incidentally, it would help if the file was updated as an atomic operation. Occasionally, we see a partially written file, if we happen to read it while it’s being rewritten. We have to read the file twice at 30 second intervals and compare, rereading until we get the same contents twice in a row. It would be better to write a new file on each update, then move or link it to the name of the distributed file.

By: John Nagle

John Nagle — Fri, 12 Oct 2007 04:56:35 +0000

Something has gone very wrong with the XML file of PhishTank data at “http://data.phishtank.com/data/online-valid”. Today, it reads:

−
2007-10-12T04:30:01+00:00
0

That’s the entire file. Valid XML, no entries. Something is very broken.