An Extreme Phight Against Phishing

When California ISP DSL Extreme decided to fight phishing, the company realized it already had tools that, with a little tweaking, could do the job.
"I think ISPs have a responsibility to their subscribers," says Jim Murphy, president of Winnetka, Calif.-based DSL Extreme. Most ISPs would agree, but could perhaps say so more often. No single incident led the company to institute anti-phishing measures; doing so simply made sense. "We've all received the fraudulent phishing e-mail," says Murphy. "It's obviously a problem. Our help desk gets calls on it; our abuse team gets mail forwarded to it. We could see a groundswell of concern beginning and felt a need to take action early. It's a good thing to do, and it's good business. It reduces help-desk calls and also increases confidence. It's a win-win scenario."

The company developed its anti-phishing system in house, as a natural extension of its anti-spam system, which is a modified version of SpamAssassin. The SpamAssassin principle, that bad e-mail has suspicious characteristics which can be identified and weighted to estimate the probability that any given message is good or bad, seemed ideal for the phishing problem. There is no simple solution to phishing, and the first attempt showed why. "Our first generation of anti-phishing software just checked each link in an e-mail to make sure it went where it said it was going," says Murphy. "Unfortunately, many companies, including the very popular eBay, send malformed messages. We took a cue from our anti-spam systems and developed algorithms for a scoring system for phishing attempts."

Even when the system concludes that a message is probably a phishing attempt, it does not block the message. "I know Google goes into Gmail to correct links. We don't alter e-mails. That would get our lawyers nervous. Our approach is to insert an alert and let the customer use their own judgment." Murphy is aware that customers worry about ISPs reading their e-mail. "Our idea is not to be Big Brother. We do not want to decide what's good and bad. We just want to help our customers decide what's fraud and what isn't."
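The article describes three design decisions but shows no code: check whether each link goes where its visible text says it goes, turn individual checks into weighted SpamAssassin-style rules so that one malformed-but-legitimate link does not condemn a message, and insert an alert rather than rewriting links or blocking. The following is an added example illustrating those three ideas in Python; it is not DSL Extreme's software, SpamAssassin's code, or anything from the article. The rule names, weights, threshold, the `X-Phish-*` headers, the HTML banner, and the sample messages are all assumptions made for the example. The messages are constructed, and `198.51.100.7` is an RFC 5737 documentation address.

```python
import ipaddress
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative rule weights (assumptions, not a real deployment's values). Each hit
# adds to a score, SpamAssassin-style, instead of any single check deciding alone.
RULES = {
    "LINK_HOST_MISMATCH": 3.0,     # visible URL names one site, href goes to another
    "HREF_RAW_IP": 2.0,            # href host is a bare IP address
    "HREF_USERINFO": 2.5,          # http://trusted.example@evil.example/ trick
    "TEXT_HTTPS_HREF_HTTP": 1.0,   # text promises https://, href is plain http://
}
THRESHOLD = 4.0  # assumption; tune it against the measured false-positive rate


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Does the anchor text itself look like a URL or host name the reader would trust?
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def registrable(host):
    """Crude registrable-domain guess: last two labels. Production code would
    consult the Public Suffix List instead."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def score_links(html):
    """Return (score, list of rule names that fired) for the links in an HTML body."""
    collector = LinkCollector()
    collector.feed(html)
    hits = []
    for href, text in collector.links:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https"):
            continue
        host = parsed.hostname or ""
        if parsed.username is not None:          # userinfo before '@' hides the real host
            hits.append("HREF_USERINFO")
        try:
            ipaddress.ip_address(host)
            hits.append("HREF_RAW_IP")
        except ValueError:
            pass
        if URL_LIKE.match(text):                 # only compare when the text claims a destination
            shown = urlparse(text if "://" in text else "http://" + text)
            if registrable(shown.hostname or "") != registrable(host):
                hits.append("LINK_HOST_MISMATCH")
            if text.lower().startswith("https://") and parsed.scheme == "http":
                hits.append("TEXT_HTTPS_HREF_HTTP")
    return sum(RULES[h] for h in hits), hits


def annotate(raw_message, threshold=THRESHOLD):
    """Score a raw RFC 5322 message. Always add scoring headers; above the threshold
    also prepend a warning banner. Links are left exactly as the sender wrote them,
    and nothing is blocked: the recipient makes the call."""
    msg = message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    score, hits = score_links(body.get_content()) if body is not None else (0.0, [])
    msg["X-Phish-Score"] = f"{score:.1f}"
    msg["X-Phish-Hits"] = ",".join(hits) if hits else "none"
    if body is not None and score >= threshold:
        banner = ("<p><b>Fraud warning:</b> links in this message may not go where\n"
                  "they claim to. Treat it with caution; it may still be legitimate.</p>\n")
        body.set_content(banner + body.get_content(), subtype="html")
    return msg


# Constructed sample: visible URL says the bank, href goes to a raw IP over plain http.
PHISH_RAW = """\
From: "Example Bank" <alerts@example-bank.com>
To: customer@example.net
Subject: Confirm your account
Content-Type: text/html; charset="utf-8"

<html><body><p>Please confirm your account at
<a href="http://198.51.100.7/login">https://www.example-bank.com/login</a>.</p>
<p>Help: <a href="https://support.example-bank.com/">https://support.example-bank.com/</a></p>
</body></html>
"""

# Constructed sample of the "malformed but legitimate" case: a marketing mail that
# routes its visible URL through a tracking host. One rule fires, the score stays
# below the threshold, so only headers are added and no banner appears.
TRACKED_RAW = """\
From: "Example Bank" <news@example-bank.com>
To: customer@example.net
Subject: New savings rates
Content-Type: text/html; charset="utf-8"

<html><body><p>See the new rates at
<a href="https://click.example-mailer.net/t?u=42">www.example-bank.com</a></p></body></html>
"""

if __name__ == "__main__":
    for raw in (PHISH_RAW, TRACKED_RAW):
        out = annotate(raw)
        print(out["Subject"], "->", out["X-Phish-Score"], out["X-Phish-Hits"])
```

The threshold is where the false-positive trade-off the article goes on to discuss actually lives: the tracked-link sample scores on one rule but stays below it, which is exactly the eBay-style legitimate mail the first-generation exact-match checker would have flagged. Lowering the threshold or raising a single weight pulls such mail above the line, so a deployment would tune these against a labelled sample of real subscriber mail rather than by intuition.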
The default is off

The company rolled out the service cautiously, enabling it in selected service areas in order to learn how to describe it to subscribers. "We wanted to get a feel of how much subscribers knew about the problem. We found they did understand the problem even if they did not recognize the term 'phishing'," says Murphy. "We did get calls to tech support from people who had turned it on. They'd say they'd just received a fraud warning and would ask what they should do. Then we'd go to the next step of explaining that the system was about making them aware of fraud, but that the message could be legit."

Communication appears to have been successful. "We've had zero complaints. We encourage people to turn on anti-spam and anti-phishing. A majority of subscribers turn on anti-spam, but a small minority wanted to decide for themselves. We decided to honor their requests and allow them to turn off the anti-spam feature."

The company is still refining its anti-phishing algorithm. For the moment it chooses to err on the side of caution and accept false positives, since a warning costs the subscriber only a second look while a missed phish can cost them an account. At press time the false-positive rate was over 10 percent, but Murphy was confident it could be brought down to single digits.