Henrik Nordstrom wrote:
sön 2007-06-24 klockan 23:49 +0200 skrev Andreas Pettersson
I'm not sure I follow you here..
If phisher has control of evil.com he could send out send out unique
urls in each and every spam, all pointing to the same physical host.
Sure, MD5 hashes is efficient, but the number of possible urls is nearly
unlimited. It would be much easier to list the host instead.
And the Google SafeBrowsing lookup algorithm allows just that.. It's not
just an MD5 of the complete URL. The URL is processed in many steps of
varying granularity, each producing an MD5 to look up in the blacklist.
http://code.google.com/apis/safebrowsing/developers_guide.html#PerformingLookups
Note: In the worst case there is 5 * 6 = 30 different lookups per URL.
Normally less than 10 however
[walks away and stands in the corner]
Believe it or not, I actually read that guide before making my initial
post, but apparently it completely vanished from my memory...
Perhaps It happened when Phishtank was brought up.
--
Andreas
