PhishTank is operated by OpenDNS, a free service that makes your Internet safer, faster, and smarter.

'Community' Posts

January 2007 stats are up

posted by Allison on February 2nd, 2007 in PhishTank, Statistics, Community

January 2007 numbers are the best on record. Kudos to the entire community. :)

A few things I’d like to call out:

  • Both total submissions and total votes jumped nearly 50 percent over December numbers.
  • The community continues to grow - in December there were 7,984 members of the PhishTank community. In January there were 11,070.
  • We see the growth and are responding. We’ve made server upgrades and completed code profiling and refactoring, all to make PhishTank better and easier to use.
  • We asked for help and you came forward. We’re thrilled with the enthusiastic response to David’s blog post. PhishTank has a lot more developing power now, and it’s never too late for you to join the team. If you’re interested send us an email: support at phishtank dot com.

All in all the January numbers are a great start to a new year.

Sharing Phishing Data panel at MAAWG meeting

posted by John Roberts on January 27th, 2007 in PhishTank, Community, MAAWG, Events

On Tuesday, January 30, I’ll be representing PhishTank on a panel about Sharing Phishing Data at the Messaging Anti-Abuse Working Group (aka MAAWG) meeting in San Francisco, California, USA. I know at least one PhishTank member, spamfighter, will be at the meeting. In fact, he’s on the same panel, as part of his “day job.” ;-)

I’ll be talking about how PhishTank works, how the data gets used, where it gets shared, and where we hope the community will lead us. If you’re using the data and we haven’t heard from you, I’d love to know about it before Tuesday. More examples help reinforce the success.

The audience is commercial and non-commercial members of the anti-abuse community, focused on email concerns. My goal, beyond raising awareness of PhishTank and participating in a lively panel discussion, is to encourage more organizations to use the data and consider ways they can contribute.

If anyone else from the PhishTank community will be attending the meeting, please introduce yourself. I’d like to thank you in person for your help.

Help us build a bigger PhishTank

posted by David Ulevitch on January 22nd, 2007 in PhishTank, Community, Site changes, Developers, PHP, Roadmap, MySQL

All of us at OpenDNS are thrilled with PhishTank. Over the last couple weeks usage has really soared and PhishTank is unquestionably the most groundbreaking and innovative anti-phishing site on the Internet. You all have helped show that a community of active participants is far more effective than any single monolithic company could ever be in creating a clearinghouse of phishing information.

Now it’s time to step it up.

Our goal has always been to create involvement with the community beyond just submitting and verifying phishes. We have a growing team of users, developers, and moderators who talk on mailing lists and discuss ways of improving PhishTank. Now it’s time to turn some of this energy into action. We don’t want PhishTank to just be a community-visited effort. We want PhishTank to be a community-led and community-run effort.

We’re looking for some people who want to spend some development cycles (PHP and MySQL) helping to improve PhishTank and drive new features. We can help with the feature ideas, but if you have some of your own, that’s both awesome and even better.

I could list a hundred reasons why working on PhishTank would be a really good opportunity. Here’s a few:

  1. Working on PhishTank lets you have a big impact on a serious issue. You shape the future of PhishTank when you get involved.
  2. PhishTank gets a lot of exposure most projects don’t have which means your efforts will be seen by many people.
  3. Being a PhishTank developer lets you see how a community-run site actually operates and grows.
  4. For students, you might be able to work on PhishTank for course credit at your school or university. We’re happy to supervise a project.
  5. Working on a project like PhishTank can be a great resume booster.
  6. Saying you help keep the Internet safe at night is a really good line to use when you have to impress someone. Trust me. :-)

One of the best parts about PhishTank is that you can learn and be active in more than just technology. You will also see the other critical pieces that are required to make it a great site. For example: working with journalists and educating law enforcement are just some of the things that go on at PhishTank. If you have a technical background but you want to do more, PhishTank is a great place to broaden your knowledge. We still need the tech help though, so read below and see if you might be qualified.

Here’s what we’re looking for:

  • Volunteers with at least some experience with PHP and MySQL.
  • People who are able to not just say they want to help out, but actually can and will help out.
  • Individuals who are willing to step up and make things happen. We don’t want someone to complain about the lack of forums on the site. We want someone who says, “I’ll set up forums on the site!”
  • Familiarity with Linux is a requirement but you don’t need to be some kind of über-sysadmin.

If you are interested in getting involved, send an email to support [at] phishtank.com with some information about yourself (your background, coding experience, etc) and a brief note about why you want to get involved in PhishTank and what you would be most interested in doing.

Thanks!

Welcome Opera Community!

posted by Allison on December 18th, 2006 in PhishTank, Community, PhishTank in the news, Browser, Opera

If you haven’t yet heard, Opera and OpenDNS announced this morning that the latest version of Opera has built-in phishing protection powered by PhishTank. That’s right, the phishing sites you submit to PhishTank, that are then verified as real phishes, are blocked for users of Opera 9.1.

Opera’s community manager, Espen Overdahl, blogged about the addition of PhishTank intelligence to 9.1.

Welcome to PhishTank, Opera community. :)

PhishTank mailing lists open for business

posted by John Roberts on December 5th, 2006 in PhishTank, Members, Community, Email, Developers, Lists

When blog comments are not enough... it's time for a mailing list. PhishTank can improve faster if its members and developers are talking directly to each other, not just sharing their ideas or frustrations directly with the team here. With that in mind, here are two mailing lists, one for anyone & everyone involved with PhishTank and one for developers who want to discuss the PhishTank API and data uses.

In both cases, only subscribed members may post to the list. Postings are not moderated. Postings are archived on a corresponding website, which isn't pretty yet, but email addresses are stripped, of course, to prevent harvesting.

Users

For general discussion within the entire PhishTank community: PhishTank Users

To subscribe: blank email to
To post:
Archive: http://phishtank.com/lists/users/

Developers

For discussion about developing with the PhishTank API, and with PhishTank data more broadly.

To subscribe: blank email to
To post:
Archive: http://phishtank.com/lists/developers/

The PhishTank administrators are on both lists, of course.

Announcing November Stats

posted by Allison on December 1st, 2006 in PhishTank, Statistics, Community

Wasting no time at all, we added statistics for November 2006 to our stats page today. We also issued a press release about the Tank’s findings.

Highlights include:

  • Total number of votes by the PhishTank community: 93,103
  • Total number of unique, suspected phishing scams reported: 18,130
  • Country hosting the most phishing sites: South Korea
  • Percentage of phishing sites hosted in South Korea: 39
  • Median time it took for the PhishTank community to verify phishes: 5 hours, 28 minutes

The big change we noticed from last month’s stats was country of host. In October the country hosting the most phishing sites was the United States with 24 percent. In November it was South Korea, with a much higher 39 percent. Don’t interpret this to mean that phishing is a bigger problem in South Korea than in other countries - it doesn’t mean it’s where the target of the phish is and it doesn’t mean it’s where the phisher sent the e-mail from. It just means it’s where the phishing Web site is being hosted.

If there are additional stats you’d like to see, let us know.

Introducing the first PhishTank moderators

posted by John Roberts on November 23rd, 2006 in PhishTank, Community, Moderators

You may have noticed that problem submissions are getting resolved and addressed faster than ever. The credit goes, in large part, to a volunteer team which has been quietly contributing for a few weeks now: the PhishTank moderators. I’ve been remiss in calling attention to their additional efforts, so I wanted to wish every member of the community an American “Happy Thanksgiving” and give a public shout out to these moderators. They’ve made our job (as PhishTank administrators) much, much easier.

The first PhishTank moderators

Simurgh, clubjuggle, funchords, micha, Sedna, spamfighter, and Chris1948 are all on the job.

Moderators are noted as such on their public user page.

More information

All of the PhishTank moderators are volunteers. In fact, all of them were asked to participate, and they kindly agreed. There is no set commitment of time or energy, just a sense of stewardship and a willingness to help make the site and community work better.

Moderators have the following extra actions available to them on the site:

  • Ability to mark a submission ONLINE or Offline.
  • Ability to change the selected phish URL being voted on for a submission.
  • Ability to see and resolve the “flags” that any community members can set, whether for ONLINE/Offline status or screenshots or other concerns.
  • Ability to scan an admin page to see which submissions have the most “flags.”

These functions are to complement and correct where software is led astray, mostly.

Problems with PhishTank are not the fault of moderators. Keep speaking up about how we can improve… the moderators certainly are, and we welcome the feedback and the energy. Note: We’re not seeking out extra moderators, but we don’t have a limit or a quota.

Be sure that we won’t stop asking for help!

ps - Added Char on November 29, 2006.

Data about phishers at the right cost (free)

posted by John Roberts on November 14th, 2006 in PhishTank, API, Community, PhishTank in the news, Data, XML

I read the SecurityProNews article “Sites Want To Hook And Gut Phishers” with interest this morning. The article’s summary:

A trio of websites offer people the opportunity to report the phish emails they receive in order to thwart the various scams and their perpetrators.

Three different sites are included in the round-up: PhishTank, CastleCops, and Symantec’s Phish Report Network.

At OpenDNS (operators of PhishTank), we’re fans of CastleCops. Their work is excellent, and their efforts in the broader anti-abuse community are notable. We shared our gratitude in July.

However, I don’t think the Phish Report Network site belongs in the same category, for two key reasons: the lack of information about submissions and the hefty price of their data.

Submitting to a black hole

Submitting phish to the Phish Report Network is dumping your submissions into a black hole. (And they didn’t even accept submissions from individuals until October 2006… wonder if PhishTank’s launch had something to do with that?)

I just took a live phish site from PhishTank and submitted it, after agreeing to a license and filling out a Captcha. Those hoops are not necessarily a bad idea to weed out spurious submissions, but here’s all I was told after the submission was received.

CONFIRMATION

Your submission has been sent Tue Nov 14 09:46:06 PST 2006. To make another submission, click here.

Sincerely,

Symantec Security Response

Couldn’t the page at least say thanks?

Outside of the lack of human touch, there is no insight into what the final judgment might be, when such judgment will be rendered, and by whom. There is literally no way to follow up.

PhishTank shows you your activity, and gives you email updates (if you want them) and an RSS feed to track your submissions. Go to your My Account page to learn how your contributions are being judged.

The price of data

The data gathered and verified by Symantec’s site is only available if you pay for it. How much? US$50,000 per year.

On behalf of OpenDNS, I inquired about a license to the data on July 12, 2006. On August 8, 2006, I got an apologetic response for the delay. On August 9, 2006, I got a copy of the contract, with its US$50,000 price tag for the year. I declined to go any further.

I have nothing against businesses charging for a service, and perhaps Symantec is finding customers who find this a valuable source of data. It’s hard to know, since they give out little information about who’s using the data and how much data there is. PhishTank statistics are wide open.

PhishTank was set up to help the Internet at large and solve a business problem for OpenDNS (the common need for better data about phishing sites). The reason PhishTank works is because the data is freely available to all, from the free, open API to the XML data file or the lightweight method.

My suggestion to Symantec? Add data from PhishTank to your Phish Report Network. It’s free. And if you’d like to share your submissions with PhishTank, we’re happy to help make it work.

Mozilla found the data worth testing with, at least.

PhishTank on the (5 o’clock) news

posted by Allison on October 18th, 2006 in PhishTank, Members, Community, PhishTank in the news

Why were the OpenDNS offices empty by 4:45 yesterday? Because we were hurrying to a neighborhood haunt to watch PhishTank on TV!

Our very own John Roberts was interviewed for a segment called “ConsumerWatch: How To Fight Back Against Phishing” on KPIX, the local CBS affiliate in San Francisco. The segment came out awesome. You can watch it here. Note that submission #19362 got its 5 seconds of fame. Bet billwake didn’t think it would end up on TV when he submitted it. Thanks to billwake for submitting and Simurgh, krellis, alanjshea, hawk82, jbrunette, polymorp, IntrepidEddie, jkrieger3, irixman, someone1234, miowpurr, bastardblaster, clubjuggle, dr1, Sierran52, lyagushka and jpohl for verifying.

Some of us (not mentioning any names) never made it back to the office, which might explain why this post is just going up now, halfway through the day. ;)

When the community doesn’t reach a consensus

posted by John Roberts on October 10th, 2006 in PhishTank, Community, Voting

We set up community voting at PhishTank because we think multiple insights make for a better community judgment. This is similar to “Linus’s Law,” as formulated by Eric Raymond: “Given enough eyeballs, all bugs are shallow.”

We’re not the first to re-word that concept, but here’s the PhishTank version:

Given enough eyeballs, all phishes can be identified.

In a related post, Jeff Veen wrote about bloggers and the media and ways of reacting to changing forces:

Or will [organizations] find inspiration in, say, the Digg model, harnessing countless tiny points of participation to harness the collective intelligence of their audience and feeding it back into their product?

PhishTank is certainly about collective intelligence.

But sometimes it’s not that easy. Intelligent people can disagree!

Suspected phish ID 11983 is the first really challenging submission, where the community has not reached consensus yet despite over a week of vigorous voting. As we approach midnight UTC on Tuesday, October 10, this submission has over 315 votes, and it’s nearly 50-50 as to whether this is a phish or not. (Note: The # of votes is never shown publicly to non-admins.)

To me, this is not a phish, and I voted that way. My thinking? The URL is greatstudentloanpayoff.com, and when you get there… it’s for Great Student Loan Payoff. This looks less than beneficial, and I’m not going to give my information, but there is no attempt to pretend to be something other than what it is: an attempt to legally get your Social Security Number and permission to email you marketing messages.

My take? Don’t do it. But it’s not a phish.

For the terminally undecided among you, we have some site changes now live which I’ll talk about in a separate post shortly. While you wait for those words, go ahead and vote.
