Network Security Focus-IDS

RE: Detecting phishing scams on wire

Subject: RE: Detecting phishing scams on wire
Date: Tue, 6 Dec 2005 23:57:24 -0500

I've been chipping away at the same concept for a while in my spare time, in
hopes of creating a safe and reliable phishing package for NFR's IPS product
line.  The biggest trouble with the reverse lookup is that it creates a
covert channel.

However, all is not lost; reverse lookup is not the only dead giveaway that
the phishermen are casting their lures into your network.  Here are some
others:

1. Received: header traces back to a domain different than the sender
2. MTA is a known open relay
3. Message body contains certain keywords, like "account" and "suspended"
and "update"
4. Message subject contains same keywords
5. <A HREF="some URL at one domain">http://a legitimate looking, but
different URL at a different domain</A> contained in the message body.
6. onMouseOver() and/or onMouseOut() java calls contained in message body

The reverse lookup is #1, but not the only one.  Also, a lot can be learned
from SPAM prevention software such as SpamAssassin.  Now of course, how much
Bayesian CPU scratching you want to do in real-time with your IPS is up to
you, but if you ask me, that level of inspection is probably best left to
the mail servers and other non-inline devices.  Actually, most of this is
better achieved with a good mail server, but alas, most people don't run
good mail servers.

Numbers 2-6 can be done by a talented IPS with very little drag on
performance, but unfortunately #1 is worth the most points.  (Here's the NFR
plug.)  NFR's patent-pending Confidence Indexing (TM) is actually perfect
for this situation.  Basically, each criterion would be worth a confidence
value, and the total confidence value of a message would determine whether
that SMTP/POP3/IMAP connection is prevented or not.  If I can figure out how
to do #1 without creating a covert channel or compromising the stealth
positioning of our IPS appliance, then I will have a great start toward a
silver bullet that reliably kills phishing on the wire.  Which IPS are you
working with?

-MAB

--
(nfr)(security)
Michael A Barkett, CISSP
Vice President, Systems Engineering
(www.nfr.com) +1.240.632.9000 Fax: +1.240.747.3512 

-----Original Message-----
From: vulnerabilty@gmail.com [mailto:vulnerabilty@gmail.com]
Sent: Tuesday, December 06, 2005 1:43 AM
To: focus-ids@securityfocus.com
Subject: Detecting phishing scams on wire

I am working on IPS signatures to detect phishing scams on the wire.
The points in my mind are:
the IPS should have the capability to validate IP addresses using reverse lookup
or by maintaining a list of blacklisted IPs;
to check SSL validation for commercial sites on the wire to prevent URL
spoofing.
I would appreciate your comments and suggestions.

thanks in advance
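One way to turn the criteria in Barkett's reply (numbers 1 and 3 to 6; the open-relay check, number 2, needs an external list and is left out) into a weighted score of the kind his confidence-indexing description calls for, and to answer the original poster's question about signatures, is sketched below. This is an added example, not NFR's code or anything posted in the thread; the weights, threshold, keyword list and sample message are constructed assumptions, and criterion 1 is approximated by comparing the oldest Received: header with the sender's domain from header text alone, so that no reverse lookup is performed and the covert channel Barkett mentions never opens.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

WEIGHTS = {"received_mismatch": 40, "href_mismatch": 30, "mouse_events": 20,
           "subject_keywords": 15, "body_keywords": 15}  # assumed, not NFR's values
BLOCK_THRESHOLD = 60                                       # assumed as well
KEYWORDS = ("account", "suspended", "update")
ANCHOR_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>\s*(.*?)\s*</a>', re.I | re.S)
MOUSE_RE = re.compile(r"onmouse(over|out)\s*=", re.I)

def registrable_domain(host_or_url):
    # Last two labels of a URL's host or of a bare hostname (a crude eTLD+1).
    host = urlparse(host_or_url).hostname or host_or_url
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def has_keywords(text):
    # Two or more of the lure keywords in one field count as a hit.
    return sum(k in text.lower() for k in KEYWORDS) >= 2

def score_message(raw):
    """Return (confidence, criteria hit) for one raw RFC 2822 message."""
    msg = message_from_string(raw)
    sender = registrable_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    # The oldest Received: header is the originating hop. Comparing header text
    # instead of doing a reverse lookup means no DNS query leaves the sensor.
    received = msg.get_all("Received") or []
    hop = re.match(r"from\s+(\S+)", received[-1].strip(), re.I) if received else None
    body = (msg.get_payload(decode=True) or b"").decode(errors="replace")
    checks = {  # numbered as in Barkett's list
        "received_mismatch": bool(hop) and registrable_domain(hop.group(1)) != sender,
        "body_keywords": has_keywords(body),                            # 3
        "subject_keywords": has_keywords(msg.get("Subject", "")),       # 4
        "href_mismatch": any(t.lower().startswith("http") and           # 5
                             registrable_domain(t) != registrable_domain(h)
                             for h, t in ANCHOR_RE.findall(body)),
        "mouse_events": MOUSE_RE.search(body) is not None,              # 6
    }
    hits = [name for name, hit in checks.items() if hit]
    return sum(WEIGHTS[h] for h in hits), hits

# Constructed sample lure (not a real message); it should trip all five checks.
SAMPLE = """\
Received: from mx.example-bank.com (mx.example-bank.com [192.0.2.10])
Received: from smtp.relay.example.net (smtp.relay.example.net [198.51.100.7])
From: "Example Bank" <alerts@example-bank.com>
Subject: Your account has been suspended - update now
Content-Type: text/html

<p>Your account is suspended. Please update your details at
<a href="http://secure.example-verify.net/x" onMouseOver="window.status='ok'">http://www.example-bank.com/login</a></p>
"""
```

`score_message(SAMPLE)` returns the total confidence and the list of criteria that fired; a connection would be blocked when the total reaches `BLOCK_THRESHOLD`.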



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------