PhishTank is operated by OpenDNS, a free service that makes your Internet safer, faster, and smarter. Get started today!

The Tank is bubbling

posted by John Roberts on April 11th, 2007 in PhishTank, Members, Community, Voting

By now, most of the PhishTank community has seen the dramatic surge in submissions. It’s not malicious, but it is quite noticeable.

In the last few days, two different organizations decided, independently, to start submitting the suspicious URLs they receive to PhishTank. They benefit because the data is further validated and distributed far and wide. PhishTank benefits from some high-quality submissions, and broader coverage in its free data distribution.

Clearly, though, the new volume is dramatic.

And it didn’t help that one of the feeds went awry. The submissions were still phish (or possible phish), but the filter wasn’t tight enough. Those have been removed. Still, lots to verify at the moment.

The community has some work to do in catching up. Thank you for your patience. We are digging into small, immediate steps we can take to speed things up and make the volume manageable. Also, we’re revisiting the thorny problem of how to judge a domain.TLD combination (example.com) as a phish, so that all the wildcarded submissions which match that domain.TLD combo get the same designation. We know this would help dramatically.

This is not simple, but it has been discussed before, so we’re not starting from scratch. The community’s time and attention are valuable; we do not want to waste them. We also don’t want to lose the collaborative human judgment that makes PhishTank so useful to the Internet at large.

Please don’t stop telling us where we can get better, and don’t stop voting/submitting/flagging. I’d remind you all about the mailing lists, especially the user list.

Please do invite your friends to join this fight. We can always use some more help. ;-)


Note: the organizations in question would like to remain discreet for now; that’s fine with us, although we like to share where possible. If your organization would like to submit suspected phishing URLs/emails to PhishTank at a higher volume, please let us know.

One Response

  1. MASA

    Why don’t you detect the strings that are sent, and if one of the strings has a hostname match with one in the database, then red flag it.

    Simply:

    www.googlephishingsite.com/lalalalalala/dieusers/index.html is in the database

    The phisher sets up another phishing site that is like:
    www.googlephishingsite.com/lala2/losers/haha/index.html

    User visits the second URL, and it is sent to PhishTank (if they use SiteChecker [:)]). PT says, hmm…it’s close to this result which is a phish, and tells the software that it is a phish. The phishing site is blocked.
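The domain.TLD grouping described in the post and the hostname match suggested in the comment above, sketched together as an added example (this is not PhishTank's code). `VerdictIndex`, `group_pending` and the short suffix set are hypothetical names and data; a real implementation would use the full Public Suffix List.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed, tiny stand-in for the Public Suffix List (assumption).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "com.br"}

def hostname(url):
    """Lower-cased hostname of a submitted URL; the scheme is optional."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")

def registrable_domain(host):
    """domain.TLD part of a hostname: a.b.example.com -> example.com."""
    labels = host.split(".")
    if len(labels) < 3 or all(part.isdigit() for part in labels):
        return host  # already domain.TLD, a bare name, or an IPv4 literal
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

class VerdictIndex:
    """Hypothetical store of human verdicts, keyed by domain.TLD and hostname."""
    def __init__(self):
        self.phish_domains = set()   # domain.TLD combos judged as phish
        self.phish_hosts = set()     # hostnames of individually verified phish

    def judge_domain(self, domain):
        self.phish_domains.add(domain.lower())

    def record_verified_phish(self, url):
        self.phish_hosts.add(hostname(url))

    def classify(self, url):
        """Return (designation, reason) for a new submission."""
        host = hostname(url)
        if registrable_domain(host) in self.phish_domains:
            return ("phish", "domain.TLD judged as phish")
        if host in self.phish_hosts:
            return ("red-flag", "hostname matches a verified phish")
        return ("needs-votes", "no match")

def group_pending(urls):
    """Collapse a verification queue into one entry per domain.TLD."""
    groups = defaultdict(list)
    for url in urls:
        groups[registrable_domain(hostname(url))].append(url)
    return dict(groups)
```

A hostname match only raises a flag here, while the domain-wide designation is applied only after an explicit `judge_domain` call, so the human judgment stays in the loop.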
