Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Collecting phish e-mail addresses

Over on the mailing list, there is an ongoing discussion about keeping a list of e-mail addresses used in phishing attacks. The idea is to keep a list of e-mail response addresses used in what I'm going to call "mail-back" phishing, that is, phish attacks that try to trick the victim into mailing his credentials somewhere (as opposed to "click here" phishing). By "response address", I mean the e-mail address that the attacker wants the victim to use. It might be the From, the Reply-To, or an address embedded within the message. The goal of this idea is to be able to spot responses to phishing attempts, that is, users who have taken the bait and been phished.

It's a noble goal, but the current implementation is fraught with problems. There are only about 700 people on the mailing list, so that's not a very large audience for contributing to the list of phishing addresses. It's also an all-volunteer effort, so it suffers from lack of full-time attention. There are some well organized groups which are working to compile lists of phishing URLs (like PhishTank), but there don't seem to be any dedicated to the very similar task of compiling lists of phishing response addresses.

I know that IronPort belongs to the Anti-Phishing Working Group, and I know that some IronPort folks participate here in IronPort Nation. Might any of you IronPort folks be able to assist in this in some way? You folks have the corporate clout. It seems like a very odd oversight to me that phishing URLs are extensively collected, but not phishing e-mail addresses.


New Member

Re: Collecting phish e-mail addresses

Hi, I am the Product Manager for IronPort's Security Applications. First off, thanks for the post.

The email addresses used to collect phishing information are often very short-lived. IronPort uses information like this as part of our overall cocktail approach to phishing. Based on our internal testing to date, any efforts to make lists of phishing addresses have not improved catch rate significantly enough to justify the size of the effort. However, we continue to monitor this and a number of other ideas to ensure we can remain effective in combating phishing and spam effectively.

So, please keep the ideas coming.

New Member

Re: Collecting phish e-mail addresses

Thanks for responding, it's nice to hear from the PM for security applications.

The idea is not to catch more incoming phish attacks by using this list. Rather, the idea is to use the list to catch the responses that the victims are sending to the phishers. Web security products keep track of the web sites run by "click here" phishers in order to prevent victims from visiting those sites and getting phished. I'm arguing that there needs to be an analogous list e-mail addresses used by "mail-back" phishers in order to integrate with e-mail security products to prevent victims from getting phished via that route.

The two are really the same sort of thing: They're the destination that the phisher tries to entice the victim into visiting. For "click here" phishers, the destination is a URL. For mail-back phishers, the destination is an e-mail address. Both need to be documented so that they can be blocked, but right now only phishy URLs are documented.

> The email addresses used to collect phishing information are often very short-lived.

Are they any more short lived than the URLs used by "click here" phishers?

Discussion on HiEd-EmailAdmin has included the assertion that mail-back phishing is mainly targeted at the higher education community, probably since we tend to run mail services that are client-accessible from the entire Internet without need for something like a VPN. I don't know if this is true, but it wouldn't surprise me. I have to wonder if this (allegedly) specialized targeting of the mail-back phishers may in part account for the fact that the anti-spam/anti-phish vendors are overlooking it. I'm not accusing the industry of apathy toward higher ed, but rather that the issue isn't as wide spread as "click here" phishing and so hasn't gotten on the radar.

Just wondering...