John P Mello Jr recently reported at AllSpammedUp that 50% of all information harvested in a phishing campaign is harvested within an hour of the emails hitting the mailbox. Basically, you better be sure that you are blocking those messages for the first hour!
Most anti-spam and anti-phishing software filters block phishing attempts effectively. The vendors of these tools monitor worldwide spam through strategically located and designed honeypots that are usually the first systems to see these messages, well before a typical customer’s system will. Numerous techniques are employed to block these phishing attempts, including DNSBLs, reputation filters, and content analysis. Most of these phishing attempts are blocked immediately, but some might get through, so what happens then?
Effective anti-spam systems have an automatic loop running that quickly detects messages that are not being caught, then runs them through a learning system to regenerate the spam signatures and deploy them to customers' servers. This usually happens within seconds, at most a few minutes. In rare cases, the new signatures might not be generated fast enough or the updates deployed fast enough. Most vendors have a bypass system where they can immediately deploy custom scripts to catch and filter these messages. Again, this takes no more than a few minutes from when the phishing wave was detected. Don't forget, your anti-spam vendor will have seen the wave well ahead of you, and that's when the clock starts ticking. Blocking a phishing website after 5-10 hours is probably irrelevant.
What if we redirect all banking look-alike emails to a delayed queue for 90-120 minutes? We could rescan messages after that delay, giving security providers an additional chance to act and take down the websites before the user sees the message and is tempted to click on the link! Would users get mad at receiving their bank statements 2 hours late? It’s not like a train delay warning at the end of your workday (sarcasm: I get train delay warnings 2 hours late, once I’m already home).
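The delayed queue sketched above, as an added example that is not part of the original post and not any vendor's code: bank look-alike messages are parked for the hold period, and when the hold expires they are rescanned against whatever blocklist is current at that moment, so a signature the vendor's feedback loop pushed during the hold still catches the message before it reaches the inbox. The keyword heuristic, the domain blocklist, the `.example` hostnames and the four sample messages are all constructed assumptions for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed heuristic (assumption): any of these phrases in the subject or body
# routes the message to the delayed queue. A real filter would use brand lists,
# header analysis and reputation data rather than three keywords.
BANK_PHRASES = ("bank", "account verification", "statement")
URL_RE = re.compile(r"https?://([^/\s>]+)", re.IGNORECASE)
DEFAULT_HOLD_SECONDS = 90 * 60  # lower bound of the 90-120 minute hold proposed in the post


@dataclass
class Message:
    msg_id: str
    subject: str
    body: str


@dataclass
class Verdict:
    msg_id: str
    action: str   # "deliver", "hold" or "block"
    reason: str


class DelayedQueue:
    """Holds bank look-alike mail and rescans it against the latest blocklist on release."""

    def __init__(self, blocked_domains, hold_seconds=DEFAULT_HOLD_SECONDS):
        self.blocked_domains = {d.lower() for d in blocked_domains}
        self.hold_seconds = hold_seconds
        self.held = {}  # msg_id -> (Message, release_at in epoch seconds)

    def update_signatures(self, new_domains):
        """Stands in for the vendor pushing regenerated signatures (newly listed domains)."""
        self.blocked_domains.update(d.lower() for d in new_domains)

    def scan(self, msg) -> Optional[str]:
        """Returns the first linked domain that is on the blocklist, or None if clean."""
        for host in URL_RE.findall(msg.body):
            if host.lower() in self.blocked_domains:
                return host.lower()
        return None

    @staticmethod
    def looks_like_bank_mail(msg) -> bool:
        text = (msg.subject + " " + msg.body).lower()
        return any(phrase in text for phrase in BANK_PHRASES)

    def ingest(self, msg, now) -> Verdict:
        """First pass at arrival time `now`: block, hold, or deliver straight away."""
        hit = self.scan(msg)
        if hit:
            return Verdict(msg.msg_id, "block", f"linked domain on blocklist: {hit}")
        if self.looks_like_bank_mail(msg):
            self.held[msg.msg_id] = (msg, now + self.hold_seconds)
            return Verdict(msg.msg_id, "hold", f"bank look-alike, rescan at t+{self.hold_seconds}s")
        return Verdict(msg.msg_id, "deliver", "no bank indicators, no blocklist hit")

    def release_due(self, now) -> list:
        """Second pass: rescan every held message whose hold has expired by `now`."""
        verdicts = []
        for msg_id in sorted(self.held):  # sorted() copies the keys, so deleting below is safe
            msg, release_at = self.held[msg_id]
            if release_at > now:
                continue
            del self.held[msg_id]
            hit = self.scan(msg)
            if hit:
                verdicts.append(Verdict(msg_id, "block", f"caught on rescan: {hit}"))
            else:
                verdicts.append(Verdict(msg_id, "deliver", "still clean after hold"))
        return verdicts


def run_demo() -> dict:
    """Walks four constructed messages through the queue; returns msg_id -> final action."""
    q = DelayedQueue(blocked_domains={"known-bad.example"})
    inbox = [
        # phish whose domain is not yet on any list when it arrives
        Message("m1", "Online banking account verification",
                "Confirm now: http://secure-login-update.example/verify"),
        Message("m2", "Weekly newsletter", "Read it at http://news.example/issue-12"),
        # phish reusing a domain the vendor already listed: blocked on the first pass
        Message("m3", "Bank alert", "Act now: http://known-bad.example/login"),
        # legitimate bank mail: held, then delivered unchanged after the hold
        Message("m4", "Your monthly statement", "View it at https://bank.example/statements"),
    ]
    final = {msg.msg_id: q.ingest(msg, now=0).action for msg in inbox}
    # During the hold the vendor's feedback loop lists the new phishing domain.
    q.update_signatures({"secure-login-update.example"})
    # At 90 minutes the held messages are rescanned with the updated blocklist.
    for v in q.release_due(now=90 * 60):
        final[v.msg_id] = v.action
    return final


if __name__ == "__main__":
    print(run_demo())  # m1 blocked on rescan, m3 blocked at once, m2 and m4 delivered
```

The cost of the scheme is exactly the one the post names: legitimate bank mail (m4) arrives 90 minutes late. The benefit is that m1, which would have been delivered by a single-pass filter, is blocked because the blocklist had caught up by the time the hold expired.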