Gadi,

This report isn't terribly useful without the IP addresses (or URLs) in question. How could an ISP start investigating and/or null routing these addresses without having the list?

I suppose I'm skeptical because some of those ASNs are not big content hosters. Some are transit-only ASN's. Also, if you are using WHOIS to check the IP addresses for their owner, how are you correlating to ASN? Through an IRR? Or is there a route lookup somewhere in the mix?

Even if you won't release full data (although I can't imagine why not), you need to fully disclose the methodology. "Digested" is insufficient when ISPs and hosters are being called out by name.

- Dan

On 3/28/05 2:19 PM, "Gadi Evron" <gadi@tehila.gov.il> wrote:
> Daniel Golding wrote:
> > Forgive me for being skeptical, but...
>
> I would prefer you being skeptical. Please don't take my word on any of this.
>
> > How do you come up with these? Are these the direct upstream ISPs of the
>
> These are the digested results from the reports sent to the malicious websites and phishing research and mitigation list.
>
> > phishing sites or the next hop AS's from your test site?
>
> Plainly put, these are the results you get when you feed the IP's of the hosting web sites to the Cymru whois.
>
> > Is there a link to the original data?
>
> Nope. We hope to release more data in our next reports. Please let us know what kind of data you'd like available. We'll do our best to provide it.
>
> One of our main goals is public awareness, so we are very interested in feedback. If you have further questions on the process itself, I'd gladly direct you to the guy who actually does the data mining and statistics - but the list data itself is not open to the public.
>
> Gadi.