> -----Original Message-----
> From: OpenDNS First Responders [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 17, 2006 11:41 PM
> To: Michael Scheidell
> Subject: [OpenDNS #KMP-79041-857]: Michael Scheidell
>
> Phishtank has a database of URLs used in phishing attacks, would this be of interest to SA? SARES rules? SA updates?
> We'd love to see that... sounds like a great use of the PhishTank API
> (www.phishtank.com/api.php). We haven't written such a thing, but we
> hope someone does -- we'll be sure to publicize it.
>
> Do you have intentions or experience? Any support we can provide?

It would be a simple addition to the spamassassin :URIDNSBL plugin if you published the records in a DNS zone.

Know anyone who can run a big DNS farm? :-)?

I'll look into what it takes to add to the current plugin, but I assume you just publish the records like this:

minellu.com.phishing.opendns.com. with an A record of 127.0.0.2

(see:
host -t a minellu.com.multi.uribl.com.
For positive hit
minellu.com.multi.uribl.com has address 127.0.0.2.
for negative hit
host -t a secnap.com.multi.uribl.com.
Host secnap.com.multi.uribl.com not found: 3(NXDOMAIN)

SA experts: is integrating with the urldnsbl this easy?

SA integration would be this:
( THE 2 means 127.0.0.2 you could use different ones for suspected vs verified)

# urirhssub looks up the URI's domain under the zone; the last field is the subtest on the returned A record
urirhssub URIBL_PHISHBL phishing.opendns.com. A 2
body URIBL_PHISHBL eval:check_uridnsbl('URIBL_PHISHBL')
describe URIBL_PHISHBL Contains a VERIFIED URL listed in the PHISHNET blocklist
tflags URIBL_PHISHBL net
score URIBL_PHISHBL 5.0

; returns 127.0.0.4, etc)
urirhssub URIBL_PHISHBLA phishing.opendns.com. A 4
body URIBL_PHISHBLA eval:check_uridnsbl('URIBL_PHISHBLA')
describe URIBL_PHISHBLA Contains a SUSPECTED URL listed in the PHISHNET blocklist
tflags URIBL_PHISHBLA net
score URIBL_PHISHBLA 2.0

--
Michael Scheidell, CTO
561-999-5000, ext 1131
SECNAP Network Security Corporation
Real time security alerts: http://www.secnap.com/news
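
The lookup convention described in the message above (URL host prepended to the zone, a 127.0.0.x answer for a hit, NXDOMAIN for a miss), as an added Python example that is not part of the original message or of SpamAssassin. The zone phishing.opendns.com and the 2/4 return values are the message's proposal, not a published service; the resolver is injected and the zone data is constructed so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ZONE = "phishing.opendns.com"               # hypothetical zone proposed in the message
VERDICTS = {2: "verified", 4: "suspected"}  # return values proposed in the message
LISTING_NET = ipaddress.ip_network("127.0.0.0/24")

def query_name(url, zone=ZONE):
    """Build the lookup name <host>.<zone>. (assumption: the hostname is used
    as given; reducing it to the registrable domain is left out)."""
    host = urlsplit(url if "://" in url else "//" + url).hostname
    if not host:
        raise ValueError("no host in %r" % url)
    return "%s.%s." % (host.rstrip("."), zone.rstrip("."))

def system_resolver(name):
    """Return the A records for name, or [] on NXDOMAIN or lookup failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []

def check_url(url, resolve=system_resolver, zone=ZONE):
    """Return the sorted verdicts for url, or [] when it is not listed."""
    hits = set()
    for addr in resolve(query_name(url, zone)):
        ip = ipaddress.ip_address(addr)
        # Only 127.0.0.x answers count as listings. Any other address, such as
        # one from a resolver that rewrites NXDOMAIN to a landing page, is ignored.
        if ip not in LISTING_NET:
            continue
        flags = int(ip) & 0xFF              # last octet treated as a bitmask
        hits.update(v for bit, v in VERDICTS.items() if flags & bit)
    return sorted(hits)

# Constructed zone data standing in for real DNS answers.
FAKE_ZONE = {
    "minellu.com.phishing.opendns.com.": ["127.0.0.2"],
    "both.example.phishing.opendns.com.": ["127.0.0.6"],
    "hijacked.example.phishing.opendns.com.": ["203.0.113.10"],
}

def fake_resolver(name):
    return FAKE_ZONE.get(name, [])

if __name__ == "__main__":
    for u in ("http://minellu.com/login", "secnap.com", "http://hijacked.example/"):
        print(u, check_url(u, fake_resolver) or "not listed")
```
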