phishing sites report - March/2005
Daniel Golding
dgolding at burtongroup.com
Mon Mar 28 20:20:07 UTC 2005
Gadi,
This report isn't terribly useful without the IP addresses (or URLs) in
question. How could an ISP start investigating and/or null routing these
addresses without having the list?
I suppose I'm skeptical because some of those ASNs are not big content
hosters. Some are transit-only ASNs.
Also, if you are using WHOIS to check the IP addresses for their owner, how
are you correlating to ASN? Through an IRR? Or is there a route lookup
somewhere in the mix?
Even if you won't release full data (although I can't imagine why not), you
need to fully disclose the methodology. "Digested" is insufficient when ISPs
and hosters are being called out by name.
- Dan
On 3/28/05 2:19 PM, "Gadi Evron" <gadi at tehila.gov.il> wrote:
> Daniel Golding wrote:
>> Forgive me for being skeptical, but...
>
> I would prefer you being skeptical. Please don't take my word on any of
> this.
>
>> How do you come up with these? Are these the direct upstream ISPs of the
>
> These are the digested results from the reports sent to the malicious
> websites and phishing research and mitigation list.
>
>> phishing sites or the next hop AS's from your test site?
>
> Plainly put, these are the results you get when you feed the IPs of the
> hosting web sites to the Cymru whois.
>
>> Is there a link to the original data?
>
> Nope. We hope to release more data in our next reports. Please let us
> know what kind of data you'd like available. We'll do our best to
> provide it.
>
> One of our main goals is public awareness, so we are very interested in
> feedback.
> If you have further questions on the process itself, I'd gladly direct
> you to the guy who actually does the data mining and statistics - but
> the list data itself is not open to the public.
>
> Gadi.
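The step Gadi describes (feed the phishing hosts' IPs to the Team Cymru whois and tally the origin ASNs) and Dan's two objections (how does whois become an ASN, and what can an ISP do with a digest that omits the addresses) can both be made concrete. The following is an added example written for this page, not code from either poster or from the mitigation list. The host `whois.cymru.com`, port 43 and the `begin`/`verbose`/`end` bulk protocol are the real service, which answers from BGP routing data, so the IP-to-ASN mapping is a route lookup rather than an IRR or registration-whois correlation. `SAMPLE_RESPONSE` is a constructed capture in the service's output format using RFC 5398 documentation ASNs and RFC 5737 test addresses; the function names are this example's own. The report deliberately keeps the IPs and prefixes under each ASN count, which is the form an operator needs to check its own space.

```python
import socket
from collections import defaultdict

# Team Cymru IP-to-ASN whois service (real, public host and port)
CYMRU_HOST = "whois.cymru.com"
CYMRU_PORT = 43

# Constructed sample of bulk "verbose" output. ASNs are from the RFC 5398
# documentation range and IPs from RFC 5737 test blocks; none is a real hoster.
SAMPLE_RESPONSE = """\
Bulk mode; whois.cymru.com [2005-03-28 20:00:00 +0000]
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
64496   | 192.0.2.10       | 192.0.2.0/24        | US | arin     | 2001-01-01 | EXAMPLE-HOSTER-A, US
64496   | 192.0.2.77       | 192.0.2.0/24        | US | arin     | 2001-01-01 | EXAMPLE-HOSTER-A, US
64497   | 198.51.100.5     | 198.51.100.0/24     | DE | ripencc  | 2002-05-05 | EXAMPLE-HOSTER-B, DE
NA      | 203.0.113.9      | NA                  | NA | NA       | NA         | NA
"""


def build_bulk_query(ips):
    """Bulk-mode request: 'begin', 'verbose', one IP per line, then 'end'."""
    return "\n".join(["begin", "verbose", *ips, "end"]) + "\n"


def query_cymru(ips, timeout=10):
    """Send a bulk query over plain whois (TCP/43) and return the raw text.
    Needs network access; parse_cymru_verbose() works on saved output too."""
    with socket.create_connection((CYMRU_HOST, CYMRU_PORT), timeout=timeout) as sock:
        sock.sendall(build_bulk_query(ips).encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_cymru_verbose(text):
    """Turn the pipe-delimited verbose output into dicts, skipping the
    banner line (one field) and the column header (first field 'AS')."""
    rows = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 7 or fields[0] == "AS":
            continue
        asn, ip, prefix, cc, registry, allocated, asname = fields
        rows.append({"asn": asn, "ip": ip, "prefix": prefix, "cc": cc,
                     "registry": registry, "allocated": allocated, "asname": asname})
    return rows


def digest_by_asn(rows):
    """Group routed IPs by origin AS, most-affected first. IPs with no BGP
    origin ('NA', unrouted or withdrawn) are returned separately so they
    are not silently dropped from the digest."""
    per_asn = defaultdict(lambda: {"asname": "", "ips": set(), "prefixes": set()})
    unrouted = []
    for r in rows:
        if r["asn"] == "NA":
            unrouted.append(r["ip"])
            continue
        entry = per_asn[r["asn"]]
        entry["asname"] = r["asname"]
        entry["ips"].add(r["ip"])
        entry["prefixes"].add(r["prefix"])
    digest = [{"asn": asn, "asname": e["asname"], "count": len(e["ips"]),
               "ips": sorted(e["ips"]), "prefixes": sorted(e["prefixes"])}
              for asn, e in per_asn.items()]
    digest.sort(key=lambda d: (-d["count"], d["asn"]))
    return digest, sorted(unrouted)


def render_report(digest, unrouted):
    """Per-AS counts with the IPs and prefixes kept next to them, so the
    operator of that AS can locate the hosts and investigate."""
    lines = []
    for d in digest:
        lines.append(f"AS{d['asn']} {d['asname']}: {d['count']} host(s)")
        for ip in d["ips"]:
            lines.append(f"    {ip}")
        lines.append("    prefixes: " + ", ".join(d["prefixes"]))
    if unrouted:
        lines.append("no BGP origin (unrouted or withdrawn): " + ", ".join(unrouted))
    return "\n".join(lines)


if __name__ == "__main__":
    # Offline run on the constructed sample; use query_cymru(ips) for live data.
    rows = parse_cymru_verbose(SAMPLE_RESPONSE)
    print(render_report(*digest_by_asn(rows)))
```

Because the ASN comes from the BGP origin of the covering prefix, a transit-only network will appear in the digest only if it originates the prefix itself; an IP that has already been withdrawn from the table comes back as `NA`, which is why the report lists those addresses separately instead of counting them against nobody.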