Millersmiles Forum - Phishing, email hoaxes and scams discussion

[engenius]

The Fair Trade Authority has just released Phishing Detector v.1.0 for Outlook Express, and since it is a 100% free (no trial periods, no ads, no nag screens) add-on for Outlook Express, i thought that it would have been pertinent to let you guys know in here, about it.
This add-on can recognise phishing emails pretending to come from PayPal, eBay, Chase Bank, Amazon, eGold and many financial institutions and works qute fine also with nigerian letters.

A version for Outlook for Office (will be offered for free as well) is currently under testing and it will be released in the next few days.

Hope it helps.

[mikep]

Be careful. Don't just download anything.

I don't know anything about the Fair Trade Authority. That's the problem. Who are they, how does this tool work, is it effective, has it been checked by a reputable third party?

Don't just download anything, especially since you really can't be sure what you are downloading.

A note to the FTA: (1) you are not an authority, so drop the misleading name; (2) open up the sources of the tool either as open source or have it examined by a reputable third party; (3) describe how this is better than what is out there before; and (4) describe how it will handle newer/ next generation phishing. Virus checkers do so through constant updates - how will you do it.

The lack of information is troubling.

[engenius]

Well, MIKEP....what shall i say....if you did your homework and searched the net about them, you would probably have most of your questions answered...
About having their sources available to the public, you are talking just nonsense imo

A reputable third party can be reputable for you and not reputable for someone else...software is generally checked by users: their judgement about a product is the most reputable one. In fact i have seen "reputable" third parties talking enthusiastically about microsoft products, and users being mad at microsoft about the same products, just to make an example.

Is a piece a software effective? Neither more nor less than a pair of shoes is comfortable before you wear them and walk with them for a while.

With this, i respect your opinion and your advice to not download any software until a fantomatic reputable third party has tested it for you, but let me strongly disagree: with that kind of attitude the net itself would not even exist.

[Doctor_Wibble]

if you did your homework and searched the net about them, you would probably have most of your questions answered

Didn't tell me very much at all - there's not much relevant info out there apart from a few copies of the press release.

MikeP is definitely right about using the word 'Authority', though.

Am I right in thinking that there is no connection whatsoever with the Fair Trade Foundation?

[mikep]

engenious:

Your reply was expremely non-specific and did not address any of the issues I raised. This kind of reply demonstrates a non-professional answer that would in and of itself have not come from a reputable company.

Your reply was rebuffed within a few hours.

The NET was founded on open standards and on reputable software. Enough people have used Perl, PHP, and Apache to make it reputable. The very thing that makes the NET useful is reputation.

The plain truth is that there is NO INFORMATION about your software. To use your poor analogy, I can examine a shoe; I can't examine your software.

So, let's get specific:

1) What is the FTA's policy on updates?

2) Does Phishing Detector open ports? If so what does it send or receive?

3) Where is the User Agreement ? What rights do you claim for this FREE tool?

4) How can I verify that the tool does what it says?

5) We know Phishing Detector reads email. Does it read it on the server for efficiency or at the client after it has been downloaded?

6) How does it distingusih between email from my bank and a bogus email?

There are many parties that can serve as reputable to everyone. For example, you could try asking a well known member of an Open Source project, or a University to review the project. There are many ways to be reputable.

Please note that your software can be tested as-is in a virtual server environment where it can monitored.

[engenius]

Thanks for your questions, mikep. I will try to answer as more exhaustively as possible

1) What is the FTA's policy on updates?
Updates will be released on FTA website as soon as they become available and they will be offered for free as well.

2) Does Phishing Detector open ports? If so what does it send or receive?
Phishing Detector does not open any ports at all and it can be used offline.
FileDudes, among others, has checked and monitored the software about its safety and has awarded it with a Safe To Install award as youmay see at http://www.filedudes.com/phishing_detec ... 40323.html .

3) Where is the User Agreement ? What rights do you claim for this FREE tool?
The EULA can be found on the PAD file for the software at
http://www.fairtradeauthority.com/phishing/phishing_detector_v1_0.xml

4) How can I verify that the tool does what it says?
Well, trying it, i suppose. AT the end of the day, users testing and feedback is what we need in order to release better and more accurate versions. Currently the software is under testing by several software review organizations. I want to make clear that PD is not the end of phishing and that FTA has never or will never claime this: it's a piece of free software intended to help the less experts (you will agree with me that the so called experts will probably always prefer to check things manually when it comes to recognize phishing) to aknowledge the problem of phishing and to reduce the risk of becoming a victim of it. It is not the perfect tool, but it is perfectable, with users constructive feedback.

5) We know Phishing Detector reads email. Does it read it on the server for efficiency or at the client after it has been downloaded?
It reads emails on the client, not on the server. We believe that doing so is much more secure and does not create problems with interactions with other programs such as anitiviruses and anti spyware that read emails on the server.

6) How does it distingusih between email from my bank and a bogus email?
It relies on an algorythm cross checking the body and headers of the email, mail servers, wording and link appearence. I'm certainly not going to reveal the exact parameters, for obvious reasons.

Once again, it is a honest piece of software, offered for free: the more contsructive feedback we can get, the better we can make the next release (that we are already working ata nd that will be offered for free as well).
Initially, we had in mind to go with an open source project, but it soon became clear that an open project about phishing is certainly destined to fail, as it would be open to phishers as well. So, we decided to go with a free version, but with hidden sources.


-------------------------
message edit trying to let the filedudes link work (but insuccessfully, from my browser...don't know why).

[mikep]

Thank you for your comments.

Pardon our concern. Any new product must prove its credibility before it should be recommended. Phishing Detector was posted here by either its author(s) or close friends. It is a sort of spam advertising.

The Internet is full of software that pretends to be one thing, but does another. There are many spyware removal tools that only serve up more spyware, or shareware programs that are free but only cause more harm.

A) The fact that Phishing Detector is available on a shareware site like filedudes.com provides absolutely no comfort. It is a source of concern that you present such a site as an example of trustworthiness.

Anyone can list their software on filedudes.com. They provide no testing and no warranty. Filedudes.com is a fine site. That your software is available from there or from your site is fine. But it isn’t any more trustworthy.

B) Your tool does not offer any better protection than Thunderbird. Thunderbird is a free email client from the mozilla foundation and comes from the same people that make Firefox.

Thunderbird uses a statistical model to look at email and provide a score. They track spam, scams, and phishing attempts.

I use Thunderbird. It has learned enough about spam so that now I receive less than one spam email per week. You download it, run the install and it will automatically preserve all of your folders and email accounts.

Get it at http://www.mozilla.com/. I like it quite a bit.

C) Your statement: "Initially, we had in mind to go with an open source project, but it soon became clear that an open project about phishing is certainly destined to fail, as it would be open to phishers as well."

Thunderbird is fully open sourced. Open sources that uses statistical modeling are not more susceptible to phishing. In fact they are substantially less susceptible.

Any software, from Apache to Microsoft Windows has flaws. Sometimes these flaws can be used as exploitable security holes. One common such flaw is a buffer overflow. With it, a carefully crafted email could be used by an attacker to gain remote control of a system.

I have no idea whether your software has any faults at all. Logic, history and statistics would bet that your program has security holes. By making software open sourced, or at least letting others review your software, you allow the good guys to find and close these holes.

The bad guys can also look at your software. If they find a way to exploit your software, then I would say that this is excellent feedback that will force you to have to update your software. The only difference is the bad publicity that you may endure if it is exploited by the wrong people.

Thunderbird, an open source program, tells you exactly why it flagged an email as phishing or scam. It closes a door to phishers. For this reason, it evolves to become quite sophisticated.

D) I cannot judge whether your software is "an honest piece of software." I can only say that your answers leave me with questions.

E) And finally, I read the End User License Agreement (EULA) provided by the link in your reply. The agreement does not say whether you collect personal information or are free of malware.

I do give your organization credit for not asking permission to install malware, but it clearly does not go far enough in assuring end users what happens to information collected or the exact software installed. I would highly recommend that the EULA be amended to specifically state that: (a) no personal information collected is ever sold or distributed to third-parties or used to send emails; (b) no malware is ever installed; (c) no software which reports surfing habits, or other tracking is installed.

I would want to know a great deal more about this software before I would ever download it.

[engenius]

I am sorry, but after 13 years of internet experience (believe it or not - surely not...), after reading your message, i have to give up. All the best to you and the very best good luck!

[mikep]

Engenius,

Funny. You post that your software is great, but when asked a few questions you cave and give up. The questions remain open, whether you give up or not.

The general public must choose whether to trust your software, or whether you have answered the questions.

My advice is that they should download Thunderbird. It's free, it's open source, it's used by millions.

Mike

[engenius]

I didn't say that it is great...i would expect the public to judge that or not...
I give up based on the concept of what you say: don't download because millions have not yet.
I answered your questions; the fact that you are not satisfied with the answers makes it pointless for me to participate in this discussion any longer. A piece of software becomes reputable when users use it and test it and are happy with it.
Beside, you say a lot of inaccurate things in your post: filedudes DO test software against spyware and malaware and publish results: phishing detector has been tested and passed it and not only with filedudes.
You say that the public before downloading it and testing it should have reassurance that the software does what it says: this reassurance can come only from the public itself: what works for you does not necessarily works for me and viceversa. You say that i spammed this forum: you obviously do not know what spamming is.
1)I have posted a new, FREE resource related to spoof email and phishing scams, exactly what this forum is about.
2)I have not posted anonymously, having previously registered and had my email address verified
3)I haven't spammed about phishing detector more than you have about thunderbird, if you can re-read your posts.

First you write:

I would want to know a great deal more about this software before I would ever download it.

And then you say:

My advice is that they should download Thunderbird. It's free, it's open source, it's used by millions.

A bit of a vicious circle there, for me.

Feel free to use thunderbird (i use it too and i like it) and to never download and try phishing detector, but let me tell you that with this attitude towards new things, Internet would still be a mere military project. And also, don't forget that there are millions of users out there who, like it or not, use Outlook Express as their primary email client.

P.S. Thanks for the advice about the EULA. I see your point about that and agree. I will pass it to my "friends" at the FTA. As you see, trying things can help to improve them

[engenius]

Hello Mike,

I did not turn anything...it seems to me that you don't put much efforts in looking into things.
1)Go to Filedudes.com
2)In the search box, type Phishing Detector
3)In the results, when you see Phishing Detector, click on it
4)On the Phishing Detector listing, scroll a bit down and look on the rightr
5)You will see a graphics stating:
SAFE TO INSTALL, NO VIRUSES, SPYWARE, TROJANS
6)Click on it
7)You can see the safety test results

Sorry, but it was there allthe time, if you just looked...
Anyway, to make it simple, the direct link is
http://www.filedudes.com/Phishing_Detector-safetoinstall-40323.html

It has been tested also by Softpedia with results available at
http://www.softpedia.com/progClean/The-Phishing-Detector-Clean-39354.html

If you had looked just for a second to the PD info page at FTA that is posted at the beginning of this topic, you could have seen those safety awards by yourself, followed and verified them.

Who i am is irrelevant...i am a forums user like you, and like you i post my ideas and thoughts, RESPECTING forums policies, NEVER spamming and ALWAYS posting material pertinent to the forum topic.

My opinion is not of less value than yours and viceversa. This is a forum about phishing and i have posted my experience with a piece of software that i have tried and keep on trying, exactly as you have done and do with thunderbird. Am i happy with it? Yes, i am, because i am verifying that it recognizes phishing emails, it is free and it is not open source, which, from my personal point of view, makes it more secure and safe than open source projects, talking about phishing. I know that you think differently, and i respect that, but that is why if you really wanna judge a software you have to try it by your own. My installations went smooth, but i would not bet that it would go smooth for everybody. In fact i had some trouble installing thunderbird on one of my machines, while i am sure that you did not have any. As you see, what works for some might not work for others. Also, i didn't come here saying that PD is the solution to phishing and the best software ever against phsihing. In fact i keep getting some false positive and i hope that this will be fixed, as i hope the same for thunderbird, for Panda and for any other anti-phishing software i have tried (all of them give me back false positives).

Then, if you are interested in what i post, you can legitemely ask for questions, and i will answer them for what i am able to. If my answers were not satisfactory, if you are interested in phishing detector, you can always goto the FTA site and contact them asking them what you want to know, or you can always make your own homework and research by yourself.

That's how Internet works, you like it or not. Surely, if you are not able to see a safety certificate on the PD listing at filedudes, i understand that it becomes a problem for you to do your homework.

The whole point here is that you said: don't download anything that has not been tried by others, yet. If people listened to you, there would not be "others" that had tried a software = there would not be software at all to try...

PD is there, i have just let you guys know about it. Do your homework, search for the FTA, search for PD on Google or wherever you usually make your searches, try it if you like, do not try it if you don't like, judge it good or bad after you eventually tried it, contact the authors and the publishers if you have unanswered questions about it....and that's it, it seems to me.

[mikep]

Oh geeze! So much diatribe and drama.

1) I never asked you whether your software was a virus or contained malware. I asked you what it does. You have yet to answer in a clear and consistent way.

2) The posting on filedudes is equivalent to performing my own virus checker on your software. I want to know what you do with the information that you scan from email, not whether your software carries viruses. -- That is a huge difference --

3) You are asking us to download a tool that will reside in our computers and read our email. I want to know what you do with the information you collect. I want to know it from an independently verifiable third party.

4) Before we can judge what is an independent third party, we need to know who you are. In one post you claim not to be anonymous, yet in another you claim the right to remain anonymous. The standard definition of anonymous is "having no known name or identity or known source, as in 'anonymous authors'; 'anonymous donors'; 'an anonymous gift'.

So long as you choose to be anonymous, we will not be able to determine who you are. It is absolutely fine with me if you owned FTA and wrote PD yourself.

5) We have a right to know what your tool does. Look at Google Email or Google toolbar. They clearly specify what they do (they read your email and track your surfing habits).

6) We could have done our "homework," or you could have just posted links to filedudes in teh first place. I wonder why you didn't.

I haven't seen much substance in your replies.

When a reader installs any software on their PC, they give that software significant rights. Software can change configurations, download other software, read keystrokes.

Now I am not saying that your software does any of this. All I am saying is that you should find a way to prove to us -- one way or another -- that it is safe. Virus checking at filedudes is not sufficient.


Mike

[mikep]

Here is why Filedudes is not good enough. You just can't trust some shareware. An excellent resource for security experts is spywarewarrior. They list rogue anti-spyware software. See http://www.spywarewarrior.com/rogue_anti-spyware.htm

Spywarewarrior calls this software as bogus, yet it is listed in filedudes:

Example 1
WINANTIVIRUS 2005 PRO from winsoftware.com
(http://www.filedudes.com/WinAntiVirus_2005_Pro-download-21591.html)

Yet spyware says: aggressive advertising (1, 2, 3, 4); false positives work as goad to purchase; inappropriate collection of Personally Identifiable Information; same company as WinAntiSpy 2005, WinAntiSpyware 2005, & WinFixer 9-4-05.

Example 2
Max Privacy Protector esunsofttechnologies.com
(http://www.filedudes.com/Max_Privacy_Protector-download-15160.html)

Yet spyware says: false positives work as goad to purchase; poor scan reporting; same company as MySpyFreePC & iSpyKiller; same app as #1 Spyware Killer, SpyDoctor; SpyFirewall, Spyinator, SpyKiller 2005, SpyLax, SpySpotter, SpywareThis, & Spyware Protection Pro 3-11-05.

Example 2
1CLICK SPYCLEAN 2.4 Secure PC Solutions.Inc
(http://www.filedudes.com/1Click_Spyclean-download-13764.html)

Yet spyware says: Spybot S&D rip-off (1); dubious corp. associations 8-12-04


Enough said

[engenius]

You are truly funny...you obviously don't even read your own posts...

1)I never asked you whether your software was a virus or contained malware. I asked you what it does. You have yet to answer in a clear and consistent way.

False! Read your posts again.
About what it does: it detects phishing emails. It is a called phishing detector. I have posted this on a anti-phishing protection forum. You still asking me what it does? I tell you again: it detects phishing emails. Do you want to know again if it open any ports? No, it does not open any ports. Does collect any data? No, it does not collect any data, in fact as i have said, if you paid attention and read my posts, can be used offline. It does not collect or communicate any data.

2) I did not need a posting on filedudes to tell me about viral load. I can do that with my own virus checker.

Are you kidding me??? You said in your previous post that filedudes does not certify the security of a software and asked me to show you otherwise and now that i have showed you that you did not read at all the listing at filedudes you telling me that you didn't need that?

3) You are asking us to download a tool that will reside in our computers and read or email. I want to know what you do with the information you collect. I want to know from an independent third party.

I don't ask you to downlaod anything. I tell you that this option exists. I don't care if you download it or not. Nothing will change in my life if you or any other will ever download it or not. And once again: it does not collect any information, it does not open any ports, it does not do anything with anything you might have in your pc. About a thirdy party, for what i see, onece again, there are filedudes and softpedia that have certified it spyware and malaware free. If you don't trust them it is not my business.

4) Before we can judge what is an independent third party, we need to know whom you are. In one post you claim not to be anonymous, in another you claim the right to remain anonymous. The standard definition of anonymous is "having no known name or identity or known source, as in 'anonymous authors'; 'anonymous donors'; 'an anonymous gift'.

So long as you choose to be anonymous, we will not be able to determine whom you are. It is absolutely fine with me if you owned FTA and wrote PD yourself.

I don't understand the first part of this...i don't see how any independent third party (whoever you are talking about) has anything to do with me.
About who i am: i am a Internet user who has registered to this forum following the forum policies exactly as you did. I came in here because i have PD on my PCs and i thought that i would have shared with this forum users the fact that there is a free anti phishing tool for outlook express and outlook (the only one i know, free, for those email client): obviously it was a mistake.

5) We have a right to demand know what your tool does. Look at Google Email or Google toolbar. They clearly specify what they do (they read your email and track your surfing habits).

1)It's not my tool.
2)Are you still asking what it does?? It is called Phishing Detector and it is supposed to detect phishing emails. I am sure, if i don'r remember bad, that at the FTA website there is a sort of description telling what something called Phishing Detector does.

6) We could have done our "homework," or you could have just posted the link to sites that have virus scanned your software in the first place. I wonder why you didn't post a link in the first place.

Oh, now you are interested at that link again, while on question number 2 you were not interested..funny. You asking my why i did not post a link on first istance? ROFLMAO! Have you read any of the posts in this topic?
Read my post Posted: Sun May 07, 2006 2:51 pm and you will find that link.

Oh geeze! So much diatribe and drama.

You are just a troll, man. No questions about it.

Looking for your posts in this forum, in have found this:

How is armthemob better than millersmiles.co.uk? Too much fragmantation in this space only helps the bad guys.

I for one have not gone to your web site. I just don't go to random web sites without some sense of their true mission.

Thst is definetely you, yes rofl

But the best one is the following one that i have found at http://www.millersmiles.co.uk/forum/pos ... light=#129 :

I just posted a tool on http://www.sharecube.com to convert urls with %hex encoding to readable form. Expandlink.zip contains all sources and executable. http://www.sharecube.com/downloads/expandlink.zip

Now i should ask you:
1)What does that tool do?
2)Does it opens any ports?
3)Can you provide any reputable third party that has tried it first?
4)Who the hell is sharecube.com?
And so on...

Funny enough, your company sells anti-phishing products: i mean, you want money for your anti-phishing products...
You are definetely a biiig shameless troll, man, and surely the less trustable of us, in here.

I leave you with the last word, so you can be a happy man.
Bye!

[engenius]

Sorry i have to post again....can't rexist..
You write:

Here is why Filedudes is not good enough. You just can't trust some shareware. An excellent resource for security experts is spywarewarrior. They list rogue anti-spyware software. See http://www.spywarewarrior.com/rogue_anti-spyware.htm

Spywarewarrior calls this software as bogus, yet it is listed in filedudes:

Example 1
WINANTIVIRUS 2005 PRO from winsoftware.com
(http://www.filedudes.com/WinAntiVirus_2 ... 21591.html)

Yet spyware says: aggressive advertising (1, 2, 3, 4); false positives work as goad to purchase; inappropriate collection of Personally Identifiable Information; same company as WinAntiSpy 2005, WinAntiSpyware 2005, & WinFixer 9-4-05.

Example 2
Max Privacy Protector esunsofttechnologies.com
(http://www.filedudes.com/Max_Privacy_Pr ... 15160.html)

Yet spyware says: false positives work as goad to purchase; poor scan reporting; same company as MySpyFreePC & iSpyKiller; same app as #1 Spyware Killer, SpyDoctor; SpyFirewall, Spyinator, SpyKiller 2005, SpyLax, SpySpotter, SpywareThis, & Spyware Protection Pro 3-11-05.

LEARN TO REEEEEAAAD!

If you look at the filedudes listing none of those two programs that you mention has been awarded with the SAFE TO INSTALL award, to the contrary of phishing detector.

PHISHING DETECTOR LISTING:
http://www.filedudes.com/Phishing_Detec ... 40323.html


WIN ANTIVIRUS PRO 2005 LISTING:
http://www.filedudes.com/WinAntiVirus_2 ... 21591.html

Can you see the difference?

Jeeze, man...if you have developed your antiphishing product the way you research the net and read postings and listings, that program must be a real danger!

Get a life!