I’m writing this letter / blog post because I couldn’t find any contact addresses on your site or a user forum to voice my concern.
The idea of crowd-sourcing phish detection is great because it lets a human make a judgment about threats directed at humans (which is much easier than developing and maintaining an AI system :-)). I first joined PhishTank when I received some phishing emails and I wanted to “do the right thing”. However, after a couple of days of “verifying” phishes I was filled with an overwhelming sense of futility for several reasons:
- The last blog post on the PhishTank blog is from October 2008 (more than 8 months ago at this moment!). And the comments are closed. Just another way you can’t give feedback
- The rules behind the functioning of the site are somewhat mysterious. Sometimes when I’m the first to vote on a site, it goes to 100% in the “is a phish” / “is not a phish” category, other times it remains at zero (as if my vote wasn’t counted)
- Every time I vote it says “more votes are needed to verify this site”. Does this mean that even though I’ve cast hundreds of votes, I didn’t verify a single site as being a phish? Talk about futility...
- Many phishing sites are taken down quite quickly, so it is not uncommon to only see a “this site has been taken down” message when you want to verify a URL. However, there is no way (that I’ve found) to say “this might have been a phish (based on the URL for example), but it seems to be taken down”
- There are no statistics shown about the number of submissions versus the number of verified sites. It would be nice to see if we (the volunteers) can handle the load or if we need more volunteers
- Another idea would be (if the amount of submitted URLs is far greater than the daily verified ones) to prioritize those URLs which are not yet in the Google Safe-Browsing database. This way PhishTank could offer a very good complement to the Google data-set.
If somebody from PhishTank reads this, please fix as many of the issues as possible! It is very sad to see a good idea being hindered by technical problems. BTW, I would be happy to help out (I have considerable experience in some key areas: PHP / MySQL / computer security).
Picture taken from Sandy Austin's photostream with permission.