Friday, August 07, 2009

Open letter to PhishTank

Dear PhishTank!

I’m writing this letter / blog post because I couldn’t find any contact addresses on your site or a user forum to voice my concern.

The idea of crowd-sourcing phish detection is great because it lets a human make a judgment about threats directed at humans (which is much easier than developing and maintaining an AI system :-)). I first joined PhishTank when I received some phishing emails and I wanted to “do the right thing”. However, after a couple of days of “verifying” phishes I was filled with an overwhelming sense of futility, for several reasons:

  • The last blog post on the PhishTank blog is from October 2008 (more than 8 months ago at this moment!). And the comments are closed. Just another way you can’t give feedback.
  • The rules behind the functioning of the site are somewhat mysterious. Sometimes when I’m the first to vote on a site, it goes to 100% in the “is a phish” / “is not a phish” category, other times it remains at zero (as if my vote wasn’t counted)
  • Every time I vote it says “more votes are needed to verify this site”. Does this mean that even though I’ve cast hundreds of votes, I didn’t verify a single site as being a phish? Talk about futility...
  • Many phishing sites are taken down quite quickly, so it is not uncommon to only see a “this site has been taken down” message when you want to verify a URL. However, there is no way (that I’ve found) to say “this might have been a phish (based on the URL for example), but it seems to be taken down”
  • There are no statistics shown about the number of submissions versus the number of verified sites. It would be nice to see if we (the volunteers) can handle the load or if we need more volunteers
  • It would be nice to offer advice on setting up a safe environment for verifying phishes. Something like: a separate instance of Firefox with JavaScript entirely disabled and perhaps Tor.
  • Another idea would be (if the amount of submitted URLs is far greater than the daily verified ones) to prioritize those URLs which are not yet in the Google Safe-Browsing database. This way PhishTank could offer a very good complement to the Google data-set.

If somebody from PhishTank reads this, please fix as many of the issues as possible! It is very sad to see a good idea being hindered by technical problems. BTW, I would be happy to help out (I have considerable experience in some key areas: PHP / MySQL / computer security).

Picture taken from Sandy Austin's photostream with permission.

4 comments:

  1. PhishTank is operated by OpenDNS.
    You might want to try to contact OpenDNS, about the issues above:
    http://www.opendns.com/support/contact/

  2. @Yaig: thanks for the suggestion. I already tried to provide feedback through the "Contact" form. I also looked around on the OpenDNS forum, hoping that there is a section dedicated to PhishTank, however I couldn't find anything. I didn't hear back from the contact form either...

  3. PhishTank User, 6:51 AM

    You are correct that not much has been done at PhishTank. It doesn't seem that OpenDNS is spending much time or money on PhishTank. I really don't know why - but that sure is the message that I am getting.

    There is an email users group which you may subscribe to by sending an email to
    [email protected]

    There hasn't been much activity there recently but the powers that be do get the emails.

    People will see the email address that you use when you join the list.

  4. @PhishTank user: thank you very much for the info. I've subscribed to the mailing list and I'll post my proposal there.
