PhishTank is operated by OpenDNS.

'PhishTank' Posts

Sitehound uses PhishTank data to help protect its customers

posted by John Roberts on March 15th, 2007 in PhishTank, Data, Firefox, Toolbar, Sitehound, Internet Explorer


Chris Gleason of Firetrust shared some good news yesterday. Sitehound, their browser toolbar product for warning you about all kinds of malicious websites (not just phishing) is now utilizing PhishTank data as one of their sources.

Sitehound is now able to provide much more accurate and timely detection and protection from phishing websites. In addition to our own sources and users who report sites to us, SiteHound now plugs into PhishTank’s live XML feed of known phishing websites.

As a reminder, here’s all the info about the XML data file, including its location and format. Kudos to Firetrust for taking another step to protect its customers.

Thanks (again) to the PhishTank community for creating a free, high-quality resource for use all over the world.

A fresh batch of PhishTank stats

posted by Allison on March 1st, 2007 in PhishTank, Statistics

Marking our fifth phish-fighting month, February 2007 stats are live. The upgrades made to PhishTank in January are paying off: the community was fast in February.

Now that there are several months of PhishTank stats on record, it’s fun to look back at the early days. In October, there were 2,400 community members. Not bad for our first month, but it pales in comparison to the more than 13,000 strong we have now. October saw just over 7,000 submissions. Again, a very impressive start, but nothing like the 25,000 we had last month.

It’s clear. PhishTank works. :)

Grab the latest version of PhishTank SiteChecker for Firefox

posted by John Roberts on February 28th, 2007 in PhishTank, Firefox, Extension, SiteChecker

Back in November, I shared the first public release of PhishTank SiteChecker, a Firefox extension. Written by PhishTank moderator MASA, SiteChecker has been rapidly updated and enhanced over the last few months. Some of those enhancements have made the extension smarter and more efficient, which saves PhishTank.com some bandwidth (thanks, MASA!).

I encourage those using the extension already to get the latest version, which is 4.03 as I type this.

If you haven’t yet tried it, give SiteChecker a whirl. It’s available in more than 20 languages, and has a detailed features list, and even a screencast (video demo).

What are you waiting for? ;-)

Get the latest version of SiteChecker.

The case of the mysterious hostname

posted by John Roberts on February 9th, 2007 in PhishTank, Community, Voting, Verifying phishes, Moderators, Hosts

The following post was written by funchords Moderator. If you don’t recognize the username, check the stats page. Without further ado…


Question: What do the following web addresses have in common?

  1. http://66.135.40.79/
  2. http://1116153935/
  3. http://0x42.0207.10319/
  4. http://0102.8857679/

Answer: Don’t look here — try them out and see! (Caveat: In most browsers and operating systems — all four URLs will work. If your computer had trouble with a link, see “Something Not Working” below to understand why.)

So why did that happen?

We websurfers are trained to think of Internet sites as Double-U, Double-U, Double-U, Dot, Google, Dot, Com — because that is easier to remember than http://1208941928/. The network translates those names into numbers, so we don’t have to. But, every computer accessible on the Internet has a long and unique number as an address. It’s like a telephone number — uniquely yours.

The hostnames in the four web addresses at the top of this page are all different ways of expressing the same Internet address number.

Just as websurfers use a method that is easy to remember, programmers do, too. If they’re working in a system or programming language that prefers base-16 or hexadecimal numbers, they’re likely to express a 3 like 0x3 and a 12 like 0xC. An octal system would likely replace those with base-8 numbers, expressed as 03 and 014.

Why do this, when the rest of the world speaks in base-10 (decimal)? You’ll see in a moment — multiplication and division are much easier when you’re speaking the same language as the system.

The third example at the top of the page begins with 0x42, which is a hexadecimal number (66 in decimal). The next segment of example 3 is 0207, an octal number equal to 135. But what about that third number?

The “dots” in the address are meant for organization. Twenty-five years ago, our internet founders segmented the IP space into 255 (0xFF) segments. Those segments were split between five address types — large, medium, small, private, and special-use/future. The number before the first dot indicates this segment.

Knowing this, you can begin to do the math to make the above conversions.

If there is a first dot, the number before it is multiplied by 0x1000000 (or 16777216 to us Base-10 users). The number after it is not multiplied. This would work just fine for a very large organization: they would have their unique organizational number and over 16 million IP addresses that they could use on the Internet.

A second dot would help mid-size organizations — the first two segments would be assigned to the business and the final segment was theirs to divide as they pleased. And so on, for smaller businesses and the fourth segment. That sounded good back in the early 1980s, and it worked for a while. But, more importantly for our topic, it set the stage for how IP addressing works.

Let’s untwist our 4th example. 0102 is the octal equal to 66. This means that http://66.8857679/ should work? Does it? So we multiply that 66 by 16777216, and we get 1107296256. We add the last half of example 4 to that. 1107296256 plus 8857679 is 1116153935. That number is hard to remember, but it is the same number we tried in Example 2, above! So, the unique network address to PhishTank is 1116153935!

If there are two or three dots, the first number is multiplied by 0x1000000, the second by 0x10000, and the last is not multiplied. If there are four segments, the third segment is multiplied by 0x100.

Remember that the dots are there for organization — for human convenience. Computers do not need them (as we have shown here).

Now you can turn any dotted decimal (what most would call “normal”) IP address into its actual single-integer address, and back again! Reverse the process using division…

1116153935 ÷ 16777216 (0x1000000) = 66, with a remainder of 8857679
8857679 ÷ 65536 (0x10000) = 135, with a remainder of 10319
10319 ÷ 256 (0x100) = 40, with a remainder of 79
79 ÷ 1 (0x1) = 79

… and that leaves us back at 66.135.40.79, the dotted-decimal IP address that we used in Example 1.

Something not working, or working differently? In twenty-five years, programmers and administrators have grown accustomed to the four-segment dotted-decimal IP addresses, even in the largest organizations. While most network software still accepts these other forms of an address, some do not.

Although these forms of addressing are valid, almost nobody is used to them. Spammers and Phishing Fraudsters are taking advantage of this. They attempt to get around detection by changing the IP address into something other than a dotted-decimal form. It also tends to make a Phishing URL more legitimate. Here are some examples:

So when you see such an address, don’t panic. Know that the address is a number, and not a name that can be resolved in DNS. Submit the Phishing Site to the PhishTank “As-Is,” using the same style address that the Phisher put in his spam email. Then, if you want, deconstruct the dotted decimal IP address and submit the site using the more “normal” form. Doing this will help remove some of the confusion for verifiers, down-stream users, and others who aren’t as smart as you!

Isn’t that cool?


Like to write a post for PhishTank? Let us know.
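
The conversion described in the post above, as an added Python example (not part of the original post and not PhishTank code): it parses a URL host the way C's `inet_aton` does (hex, octal or decimal segments, one to four of them) and returns the dotted-decimal form, so a verifier or blocklist can match every spelling against one address. The function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# One segment in C notation: 0x.. hex, leading 0 octal, otherwise decimal.
_SEGMENT = re.compile(r"0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*")

def parse_segment(text):
    if not _SEGMENT.fullmatch(text):
        raise ValueError(f"not a numeric segment: {text!r}")
    if text[:2].lower() == "0x":
        return int(text, 16)
    return int(text, 8) if text.startswith("0") and len(text) > 1 else int(text)

def host_to_int(host):
    """Fold a 1- to 4-segment numeric host into its single 32-bit integer."""
    parts = [parse_segment(p) for p in host.split(".")]
    if len(parts) > 4:
        raise ValueError("too many segments")
    *lead, last = parts
    # Leading segments are one byte each; the last fills the remaining bytes.
    if any(p > 0xFF for p in lead) or last >= 256 ** (4 - len(lead)):
        raise ValueError("segment out of range")
    # Multipliers are 0x1000000, 0x10000 and 0x100; the last is not multiplied.
    return last + sum(p << (24 - 8 * i) for i, p in enumerate(lead))

def int_to_dotted(value):
    """Reverse the process: split the integer back into four decimal bytes."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def canonical_host(url):
    """Return (dotted_decimal, was_rewritten); (None, False) for a DNS name."""
    host = urlsplit(url).hostname or ""
    try:
        dotted = int_to_dotted(host_to_int(host))
    except ValueError:
        return None, False
    return dotted, dotted != host

# The four example URLs from the post above.
EXAMPLES = ["http://66.135.40.79/", "http://1116153935/",
            "http://0x42.0207.10319/", "http://0102.8857679/"]

if __name__ == "__main__":
    for url in EXAMPLES:
        print(url, "->", canonical_host(url))
```

A `was_rewritten` value of `True` is itself a useful signal when reviewing a submission: the host is a bare address written in something other than dotted decimal.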

French managers comment on PhishTank

posted by John Roberts on February 9th, 2007 in PhishTank, PhishTank in the news, French

Via Stéphane Degor, I found an interesting article in a French publication, Journal du Net, about PhishTank. Four people were asked to comment on PhishTank for “Avis de managers: PhishTank.” (That’s “Opinion of the Managers: PhishTank.”)

The preface, my translation:

A community project in the fight against phishing, PhishTank relies on the reactions and the contribution of Net surfers. Free and effective. However, will it survive in the long term? The opinion of four managers.

The group:

  • Stephan Roux, of Sophos (security company)
  • Christophe Canonne, of Cyber Networks (security company)
  • Guillaume Brossard, of HoaxBuster.com (site for debunking scams)
  • Laurent Dupuy, of Freesecurity (security consultancy)

My French is rusty, so I combined my lingering language skills with one of the free online translation tools to get a sense of what each person in the group says. I hesitate to give my own interpretations of what they’ve written, given the language uncertainty. Still, I welcome their comments and attention. And I encourage you to take a look.

Overall, they share kudos and concerns. The former are appreciated, and the latter are something all of us have to consider and address. We are making PhishTank better… and by “we” I mean moderators, developers, administrators, and the active members of the community.

There is no simple declaration of victory, of course. We build tools for the community to efficiently express its judgment through PhishTank. We make sure the data is freely available for the larger Internet community’s needs. And we keep improving. That’s how PhishTank thrives in the short and long term.

I would encourage these managers (especially at the security companies) to use the data and consider how they can contribute to the community, too.

More moderators to help keep the Tank clean

posted by John Roberts on February 6th, 2007 in PhishTank, Members, Community, Moderators

Back in November, I welcomed the first group of PhishTank moderators.

That first group (Simurgh, clubjuggle, funchords, micha, Sedna, spamfighter, Chris1948) was joined by Char shortly afterwards, and MASA a couple of weeks later.

Last week, a bunch of stalwarts — quite recognizable from the stats page — joined the moderator crew. Please join me in greeting the new moderators: JustaPerson, cleanmx, ruralnetcop, milky, bowlby4, miowpurr, buaya, thelionheart, DougieLawson, polymorp, tetak, and pscs.

This expanded team has helped take charge of site activities, and there are lots of ideas percolating for improvements. On a related note, the users mailing list is quite active, too, with lots of good ideas. Many of the moderators are there, too.

As I type, the first outside developers (still room for more) are getting their development environments set up.

All over, 2007 is going to be a good year for the ‘Tank.

January 2007 stats are up

posted by Allison on February 2nd, 2007 in PhishTank, Statistics, Community

January 2007 numbers are the best on record. Kudos to the entire community. :)

A few things I’d like to call out:

  • Both total submissions and total votes jumped nearly 50 percent over December numbers.
  • The community continues to grow - in December there were 7,984 members of the PhishTank community. In January there were 11,070.
  • We see the growth and are responding. We’ve made server upgrades and completed code profiling and refactoring, all to make PhishTank better and easier to use.
  • We asked for help and you came forward. We’re thrilled with the enthusiastic response to David’s blog post. PhishTank has a lot more developing power now, and it’s never too late for you to join the team. If you’re interested send us an email: support at phishtank dot com.

All in all the January numbers are a great start to a new year.

Sharing Phishing Data panel at MAAWG meeting

posted by John Roberts on January 27th, 2007 in PhishTank, Community, MAAWG, Events

On Tuesday, January 30, I’ll be representing PhishTank on a panel about Sharing Phishing Data at the Messaging Anti-Abuse Working Group (aka MAAWG) meeting in San Francisco, California, USA. I know at least one PhishTank member, spamfighter, will be at the meeting. In fact, he’s on the same panel, as part of his “day job.” ;-)

I’ll be talking about how PhishTank works, how the data gets used, where it gets shared, and where we hope the community will lead us. If you’re using the data and we haven’t heard from you, I’d love to know about it before Tuesday. More examples help reinforce the success.

The audience is commercial and non-commercial members of the anti-abuse community, focused on email concerns. My goal, beyond raising awareness of PhishTank and participating in a lively panel discussion, is to encourage more organizations to use the data and consider ways they can contribute.

If anyone else from the PhishTank community will be attending the meeting, please introduce yourself. I’d like to thank you in person for your help.

Dark Reading article: “PhishTank Looks to Expand”

posted by Allison on January 24th, 2007 in PhishTank, PhishTank in the news, Developers

Kelly Jackson-Higgins, the always-informed writer at Dark Reading, caught David’s blog post yesterday and wrote an article about PhishTank’s new direction. The gist: Your opportunity is here. If you want to be a part of the PhishTank team, act now.

Take it from me, there is very cool stuff going on at the Tank. This is the first opportunity extended for people to join the team. Look over David’s criteria and if you meet them, send an email to support [at] PhishTank.com. Tell us what you’ve done and why PhishTank would be better with you at the helm.

Help us build a bigger PhishTank

posted by David Ulevitch on January 22nd, 2007 in PhishTank, Community, Site changes, Developers, PHP, Roadmap, MySQL

All of us at OpenDNS are thrilled with PhishTank. Over the last couple weeks usage has really soared and PhishTank is unquestionably the most groundbreaking and innovative anti-phishing site on the Internet. You all have helped show that a community of active participants is far more effective than any single monolithic company could ever be in creating a clearinghouse of phishing information.

Now it’s time to step it up.

Our goal has always been to create involvement with the community beyond just submitting and verifying phishes. We have a growing team of users, developers, and moderators who talk on mailing lists and discuss ways of improving PhishTank. Now it’s time to turn some of this energy into action. We don’t want PhishTank to just be a community-visited effort. We want PhishTank to be a community-led and community-run effort.

We’re looking for some people who want to spend some development cycles (PHP and MySQL) helping to improve PhishTank and drive new features. We can help with the feature ideas, but if you have some of your own, that’s both awesome and even better.

I could list a hundred reasons why working on PhishTank would be a really good opportunity. Here’s a few:

  1. Working on PhishTank lets you have a big impact on a serious issue. You shape the future of PhishTank when you get involved.
  2. PhishTank gets a lot of exposure most projects don’t have which means your efforts will be seen by many people.
  3. Being a PhishTank developer lets you see how a community-run site actually operates and grows.
  4. For students, you might be able to work on PhishTank for course credit at your school or university. We’re happy to supervise a project.
  5. Working on a project like PhishTank can be a great resume booster.
  6. Saying you help keep the Internet safe at night is a really good line to use when you have to impress someone. Trust me. :-)

One of the best parts about PhishTank is that you can learn and be active in more than just technology. You will also see the other critical pieces that are required to make it a great site. For example: working with journalists and educating law enforcement are just some of the things that go on at PhishTank. If you have a technical background but you want to do more, PhishTank is a great place to broaden your knowledge. We still need the tech help though, so read below and see if you might be qualified.

Here’s what we’re looking for:

  • Volunteers with at least some experience with PHP and MySQL.
  • People who are able to not just say they want to help out, but actually can and will help out.
  • Individuals who are willing to step up and make things happen. We don’t want someone to complain about the lack of forums on the site. We want someone who says, “I’ll set up forums on the site!”
  • Familiarity with Linux is a requirement but you don’t need to be some kind of über-sysadmin.

If you are interested in getting involved, send an email to support [at] phishtank.com with some information about yourself (your background, coding experience, etc) and a brief note about why you want to get involved in PhishTank and what you would be most interested in doing.

Thanks!
