PhishTank is operated by OpenDNS, a free service that makes your Internet safer, faster, and smarter. Get started today!

'Moderators' Posts

Kaspersky Lab uses PhishTank data

posted by John Roberts on April 6th, 2007 in Customers, Data, Moderators, PhishTank

We’ve got more good news to share.

Andrey Nikishin, the Director of Hosted Security Services at Kaspersky Lab, wrote:

I would like to inform you that Kaspersky Lab uses PhishTank database to detect phishing messages passing through the Kaspersky Hosted Security : mailDefend service. The PhishTank database allowed us to increase the accuracy of detection. Thank you very much for the excellent job you are doing.

Excellent! Nice to see the global PhishTank community helping out an international information security company. It’s also great of Andrey and Kaspersky to let us know.

I would also like to thank one of our moderators, Micha, both for individual contributions (check the stats page!) and for educating Kaspersky about PhishTank.


Is your organization using PhishTank data? We’d love to hear about it.

The case of the mysterious hostname

posted by John Roberts on February 9th, 2007 in Community, Hosts, Moderators, PhishTank, Verifying phishes, Voting

The following post was written by funchords, a moderator. If you don’t recognize the username, check the stats page. Without further ado…


Question: What do the following web addresses have in common?

  1. http://66.135.40.79/
  2. http://1116153935/
  3. http://0x42.0207.10319/
  4. http://0102.8857679/

Answer: Don’t look here — try them out and see! (Caveat: In most browsers and operating systems — all four URLs will work. If your computer had trouble with a link, see “Something Not Working” below to understand why.)

So why did that happen?

We websurfers are trained to think of Internet sites as Double-U, Double-U, Double-U, Dot, Google, Dot, Com — because that is easier to remember than http://1208941928/. The network translates those names into numbers, so we don’t have to. But, every computer accessible on the Internet has a long and unique number as an address. It’s like a telephone number — uniquely yours.

The hostnames in the four web addresses at the top of this page are all different ways of expressing the same Internet address number.

Just as websurfers use a method that is easy to remember, programmers do, too. If they’re working in a system or programming language that prefers base-16 or hexadecimal numbers, they’re likely to express a 3 like 0x3 and a 12 like 0xC. An octal system would likely replace those with base-8 numbers, expressed as 03 and 014.

Why do this, when the rest of the world speaks in base-10 (decimal)? You’ll see in a moment — multiplication and division are much easier when you’re speaking the same language as the system.

The third example at the top of the page begins with 0x42, which is a hexadecimal number (66 in decimal). The next segment of example 3 is 0207, an octal number equal to 135. But what about that third number?

The “dots” in the address are meant for organization. Twenty-five years ago, our internet founders segmented the IP space into 255 (0xFF) segments. Those segments were split between five address types — large, medium, small, private, and special-use/future. The number before the first dot indicates this segment.

Knowing this, you can begin to do the math to make the above conversions.

If there is a first dot, the number before it is multiplied by 0x1000000 (or 16777216 to us Base-10 users). The number after it is not multiplied. This would work just fine for a very large organization: they would have their unique organizational number and over 16 million IP addresses that they could use on the Internet.

A second dot would help mid-size organizations — the first two segments would be assigned to the business and the final segment was theirs to divide as they pleased. And so on, for smaller businesses and the fourth segment. That sounded good back in the early 1980s, and it worked for a while. But, more importantly for our topic, it set the stage for how IP addressing works.

Let’s untwist our 4th example. 0102 is the octal equal to 66. This means that http://66.8857679/ should work? Does it? So we multiply that 66 by 16777216, and we get 1107296256. We add the last half of example 4 to that. 1107296256 plus 8857679 is 1116153935. That number is hard to remember, but it is the same number we tried in Example 2, above! So, the unique network address to PhishTank is 1116153935!

If there are two or three dots, the first number is multiplied by 0x1000000, the second by 0x10000, and the last is not multiplied. If there are four segments, the third segment is multiplied by 0x100.

Remember that the dots are there for organization — for human convenience. Computers do not need them (as we have shown here).

Now you can turn any dotted decimal (what most would call “normal”) IP address into its actual single-integer address, and back again! Reverse the process using division…

1116153935 ÷ 16777216 (0x1000000) = 66, with a remainder of 8857679
8857679 ÷ 65536 (0x10000) = 135, with a remainder of 10319
10319 ÷ 256 (0x100) = 40, with a remainder of 79
79 ÷ 1 (0x1) = 79

… and that leaves us back at 66.135.40.79, the dotted-decimal IP address that we used in Example 1.

Something not working, or working differently? In twenty-five years, programmers and administrators have grown accustomed to the four-segment dotted-decimal IP addresses, even in the largest organizations. While most network software still accepts these other forms of an address, some do not.

Although these forms of addressing are valid, almost nobody is used to them. Spammers and Phishing Fraudsters are taking advantage of this. They attempt to get around detection by changing the IP address into something other than a dotted-decimal form. It also tends to make a Phishing URL look more legitimate. Here are some examples:

So when you see such an address, don’t panic. Know that the address is a number, and not a name that can be resolved in DNS. Submit the Phishing Site to the PhishTank “As-Is,” using the same style address that the Phisher put in his spam email. Then, if you want, deconstruct the dotted decimal IP address and submit the site using the more “normal” form. Doing this will help remove some of the confusion for verifiers, down-stream users, and others who aren’t as smart as you!
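The arithmetic above, and the advice to resubmit a site in its "normal" form, can be automated. The following Python sketch is an added example, not part of the original post or PhishTank's own code. It assumes the classic `inet_aton` parsing rules (`0x` prefix for hex, leading `0` for octal, one to four segments), which not every browser or library follows, and the function names are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

def parse_part(text):
    """One segment, classic inet_aton style: 0x.. is hex, 0.. is octal, else decimal."""
    t = text.lower()
    if t.startswith("0x"):
        digits, base = t[2:], 16
    elif len(t) > 1 and t.startswith("0"):
        digits, base = t[1:], 8
    else:
        digits, base = t, 10
    allowed = "0123456789abcdef"[:base]
    if not digits or any(c not in allowed for c in digits):
        raise ValueError(f"not a numeric segment: {text!r}")
    return int(digits, base)

def host_to_int(host):
    """Return the single-integer address for a numeric host, or None for a DNS name."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        *leading, last = [parse_part(p) for p in parts]
    except ValueError:
        return None
    # Each leading segment is one byte; the last segment fills the bytes that remain.
    free_bytes = 4 - len(leading)
    if any(n > 0xFF for n in leading) or last >= 256 ** free_bytes:
        return None
    value = 0
    for n in leading:
        value = value * 0x100 + n
    return value * 256 ** free_bytes + last

def canonical_host(url):
    """Dotted-decimal form of a numeric host in url; DNS names come back unchanged."""
    host = urlsplit(url).hostname or ""
    value = host_to_int(host)
    return host if value is None else str(ipaddress.IPv4Address(value))

# The four forms from the post, plus one ordinary name (constructed sample input).
SAMPLES = ["http://66.135.40.79/", "http://1116153935/", "http://0x42.0207.10319/",
           "http://0102.8857679/", "http://www.phishtank.com/"]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url:28} -> {canonical_host(url)}")
```

Running the host of every submitted or filtered URL through `canonical_host` before comparing it against a blocklist means all four spellings match the same entry.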

Isn’t that cool?


Like to write a post for PhishTank? Let us know.

More moderators to help keep the Tank clean

posted by John Roberts on February 6th, 2007 in Community, Members, Moderators, PhishTank

Back in November, I welcomed the first group of PhishTank moderators.

That first group (Simurgh, clubjuggle, funchords, micha, Sedna, spamfighter, Chris1948) was joined by Char shortly afterwards, and MASA a couple of weeks later.

Last week, a bunch of stalwarts — quite recognizable from the stats page — joined the moderator crew. Please join me in greeting the new moderators: JustaPerson, cleanmx, ruralnetcop, milky, bowlby4, miowpurr, buaya, thelionheart, DougieLawson, polymorp, tetak, and pscs.

This expanded team has helped take charge of site activities, and there are lots of ideas percolating for improvements. On a related note, the users mailing list is quite active, too, with lots of good ideas. Many of the moderators are there, too.

As I type, the first outside developers (still room for more) are getting their development environments set up.

All over, 2007 is going to be a good year for the ‘Tank.

Introducing the first PhishTank moderators

posted by John Roberts on November 23rd, 2006 in Community, Moderators, PhishTank

You may have noticed that problem submissions are getting resolved and addressed faster than ever. The credit goes, in large part, to a volunteer team which has been quietly contributing for a few weeks now: the PhishTank moderators. I’ve been remiss in calling attention to their additional efforts, so I wanted to wish every member of the community an American “Happy Thanksgiving” and give a public shout out to these moderators. They’ve made our job (as PhishTank administrators) much, much easier.

The first PhishTank moderators

Simurgh, clubjuggle, funchords, micha, Sedna, spamfighter, and Chris1948 are all on the job.

Moderators are noted as such on their public user page.

More information

All of the PhishTank moderators are volunteers. In fact, all of them were asked to participate, and they kindly agreed. There is no set commitment of time or energy, just a sense of stewardship and a willingness to help make the site and community work better.

Moderators have the following extra actions available to them on the site:

  • Ability to mark a submission ONLINE or Offline.
  • Ability to change the selected phish URL being voted on for a submission.
  • Ability to see and resolve the “flags” that any community members can set, whether for ONLINE/Offline status or screenshots or other concerns.
  • Ability to scan an admin page to see which submissions have the most “flags.”

These functions are to complement and correct where software is led astray, mostly.

Problems with PhishTank are not the fault of moderators. Keep speaking up about how we can improve… the moderators certainly are, and we welcome the feedback and the energy. Note: We’re not seeking out extra moderators, but we don’t have a limit or a quota.

Be sure that we won’t stop asking for help!

ps – Added Char on November 29, 2006.
