Laptop Losses and Phishing Fruit Salad
Dr. Neal Krawetz, 2007-02-15

Dr. Neal Krawetz takes a look at the numbers behind reports of laptop thefts and phishing attacks, showing inconsistent metrics and the difficulty in using numbers to determine the real level of threat.

APWG Response: Laptop Losses and Phishing Fruit Salad (2007-02-21)
APWG (2 replies)
Neal,

Thanks for a good and stimulating article. In the future, it might be helpful for you to ask APWG statisticians about how the numbers are computed before writing an article.

APWG has not revised our methodology for counting. Rather, we have ADDED additional, separately tracked, measures to track the problem. The methodology of counting unique emails by subject line has remained constant since 2003. This method significantly undercounts the actual attacks, because many attacks use the same subject line (e.g. "Update your account").

We added Unique Phishing Sites some time ago. This measures phishing sites by unique URL by domain. As you know, this measure now needs to be augmented, because some phishing groups use a unique subdomain for each phishing email.

APWG contribution of phishing attacks is not linearly correlated to the number of members, although there is no doubt some correlation. However, most of our metrics on unique sites come from a small set of providers who use large spamtraps (a billion messages per day) as well as confirmed reports from brand owners themselves. Each attack is confirmed automatically and then confirmed by hand by takedown specialists. This contributing community has not significantly expanded over the last 12 months. Thus the metrics are quite stable.


Many of our Steering Committee members are themselves the victims of phishing attacks. We can track their confirmed attacks over time. This is a highly accurate way to track trends, especially as it relates to the largest brand owners who suffer the most attacks.

The NANAS numbers are clearly nonsense. Recording 17 phishing sites in all of December 2006 is clear evidence that this is a useless metric. The NANAS list doesn't help stop phishing, so people stopped contributing.

APWG members received more than 500 times that number of unique phishing sites and almost 2000 times that number of unique phishing emails.

I would also recommend that you look at the PIRT and PhishTank statistics to get a meaningful measurement of the amount and growth of the problem.

As for tracking the amount of spam, you should attend the MAAWG meetings (Mail Anti-Abuse Working Group). This is a collection of the world's largest ISPs and anti-spam vendors. They create aggregate statistics from their members, and just last month in San Francisco presented global aggregate statistics for spam versus legitimate email, spam originating countries, spam by bots, image spam, spam by type (pump-n-dump versus adult, etc), spam with SPF and DK authentication records, etc. Their metrics cover over 400 million email boxes.

Much of the difference between vendors like Postini and Messagelabs is attributed to their national footprints (Postini primarily USA, Messagelabs primarily UK and Europe), as well as several large mailbox providers that they work with. The same is true of Symantec's Brightmail. The MAAWG consolidated stats help smooth out these variances and give a clearer picture.

- Dave Jevans
Chairman, Anti-Phishing Working Group
www.antiphishing.org


Copyright 2009, SecurityFocus