in reply to Re^3: Automatic phish form filler
in thread Automatic phish form filler

There's certainly a difference between a hundred and a thousand. If thousands of people were hitting it thousands of times, it would be a DDOS. What I have proposed is orders of magnitude smaller, because my objective is not to carry out a DDOS.

So yes, there is an effective difference. By design. I have no intention of dragging down the network. Filling out a form is not a high-bandwidth activity, and it will not be an activity that is synchronized among hundreds or thousands of users.

I love the "alleged phishing site". Yeah, those are really hard to recognize definitively. There's always a chance that it's a legitimate site asking for you to "verify your password", despite the warnings posted on the home site of whomever they are spoofing saying that they will never do that.

Caution: Contents may have been coded under pressure.

Replies are listed 'Best First'.
Re^5: Automatic phish form filler
by chromatic (Archbishop) on May 08, 2005 at 17:40 UTC

    I think those are both lame defenses.

    Certainly someone who distributes a program designed to flood an alleged phishing site with false information may not intend that enough people use it to deny service to the target, but once the tool is out of his hands, how can he know how and how many people will use it? It's a destructive tool that may have thousands of simultaneous users. At least, that seems like a bad idea to me.

    I also say alleged because I have no confidence that a program will always identify phishing sites correctly, especially after malicious people realize that they can use the ad-hoc network of tool users to deny service to targets of their choosing by spoofing messages to make their targets look like targets.

    Again, it may not be the intent of the tool's creator to affect the innocent, but that doesn't make the tool a good idea as I see it.

[reply]
      They aren't defenses, they're precautions. The program can be written cautiously so as not to "flood" anything. I find it extremely unlikely that it will have thousands of simultaneous users, but even if it does, it can be self-throttling.

      The program will not identify phishing sites. The user will. The program will only fill out forms on the page the user identifies. Your assumption that the program would try to find phishing sites automatically is a feature I'd never considered.

      Caution: Contents may have been coded under pressure.
[reply]

In Section Seekers of Perl Wisdom