ScamSlam is a system that has been devised to help rapidly mitigate the
effects of fraudulent Internet activity.
How does it work?
ScamSlam works by maintaining a database of known and current
fraudulent Internet based schemes, the large majority of which
are entries known as "phishing attacks". These occur when a
user is 'tricked' into providing private information such as credit
card data or PINs after being directed to a misleading web
page purporting to be a bank or other financial institution.
ScamSlam has arrangements with ISPs that allow the addresses of the
fraudulent sites to be re-routed over a virtual connection. This
virtual connection leads a user to server content explaining what
has happened (usually a web page). When IP packets to the
fraudulent web site address are received at an ISP's router, they
are routed over the virtual connection to the ScamSlam servers for
correct handling.
The system re-routes at the IP layer or Layer 3 but it recognises
protocol data in higher layers.
How long does it take to re-route an IP address?
ScamSlam can re-route an address within two minutes of route
entry. Route propagation can be as fast as 15 seconds.
What about hostnames? They can change with DNS!
ScamSlam checks for hostname to IP address mapping changes every
45 seconds and reacts accordingly. It also has support for multiple
DNS records for the same hostname and takes the appropriate action
for each.
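The polling described above, written out as an added example (this is not ScamSlam's own code, and the class, function and hostname names are assumptions): each poll resolves every tracked scam hostname, keeps the full set of addresses rather than just the first record, and diffs it against the previous poll so the routing layer is told exactly which addresses to start and stop re-routing. Addresses that must never produce a route announcement (loopback, link-local, unspecified, multicast) are filtered out; treating a lookup failure as "no records" means a hostname that disappears from DNS has its routes withdrawn rather than left in place.

```python
"""Added example (not ScamSlam's own code): track hostname-to-IP changes for
re-routed scam hostnames and emit the route changes the routing layer needs."""
import ipaddress
import socket
import time
from typing import Callable, Dict, List, Set, Tuple

Resolver = Callable[[str], List[str]]
Action = Tuple[str, str, str]          # ("announce" | "withdraw", hostname, ip)

POLL_INTERVAL = 45                     # seconds, the interval the FAQ quotes


def system_resolver(hostname: str) -> List[str]:
    """Resolve with the OS resolver; returns every address, not just the first."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})
    except socket.gaierror:
        return []                      # NXDOMAIN/SERVFAIL: treat as 'no records'


class HostnameTracker:
    """Keeps the last-seen address set per scam hostname and diffs it on each poll."""

    def __init__(self, resolve: Resolver = system_resolver) -> None:
        self.resolve = resolve
        self.current: Dict[str, Set[str]] = {}

    def track(self, hostname: str) -> None:
        self.current.setdefault(hostname.lower().rstrip("."), set())

    def poll(self) -> List[Action]:
        actions: List[Action] = []
        for hostname in sorted(self.current):
            seen: Set[str] = set()
            for addr in self.resolve(hostname):
                try:
                    ip = ipaddress.ip_address(addr)
                except ValueError:
                    continue           # malformed answer: never route on it
                # Assumption: a scam host that resolves to loopback, link-local,
                # unspecified or multicast space must not produce a route change.
                if ip.is_loopback or ip.is_link_local or ip.is_unspecified or ip.is_multicast:
                    continue
                seen.add(str(ip))
            previous = self.current[hostname]
            for ip in sorted(seen - previous):
                actions.append(("announce", hostname, ip))
            for ip in sorted(previous - seen):
                actions.append(("withdraw", hostname, ip))
            self.current[hostname] = seen
        return actions


def run_forever(tracker: HostnameTracker, apply: Callable[[Action], None]) -> None:
    """Poll every POLL_INTERVAL seconds and hand each change to the routing layer."""
    while True:
        for action in tracker.poll():
            apply(action)
        time.sleep(POLL_INTERVAL)


def demo() -> List[List[Action]]:
    """Constructed scenario: a scam host moves one of its two addresses between polls."""
    table = {"secure-login.example.invalid": ["198.51.100.10", "198.51.100.11"]}
    tracker = HostnameTracker(resolve=lambda h: list(table.get(h, [])))
    tracker.track("secure-login.example.invalid")
    first = tracker.poll()
    table["secure-login.example.invalid"] = ["198.51.100.11", "203.0.113.5"]
    second = tracker.poll()
    return [first, second]


if __name__ == "__main__":
    for round_no, actions in enumerate(demo(), 1):
        print(f"poll {round_no}: {actions}")
```

In the constructed scenario the first poll announces both addresses; the second announces only the new one and withdraws the address the scam host dropped, which is the behaviour the FAQ's "appropriate action for each" record requires.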
How long is the IP address re-routed for?
The IP address will be removed from re-routing after 7 days by the
ScamSlam system. If the fraud is still in place after this period
then the relevant organisation will need to re-enter the details.
What safeguards are in place to prevent spurious entry of IP addresses?
When an IP address is entered, ScamSlam effectively re-routes a
small part of the Internet (usually one IP address) and then pretends
to be the server hosting the scam. We realise that misuse or abuse
of this facility could harm Internet operations and we have measures
in place to monitor errant use of the service.
An organisation that enters a scam into the database must verify
details of the scam after 1 hour and before 72 hours. This provides an
opportunity for them to look at the data entered and ensure it is
correct. If the scam is not verified within 72 hours, it is aged
out of the system at that point.
Where is the user re-routed to?
If an end user is a victim of a scam and is redirected via the ScamSlam
system, then the page they are redirected to is specified by the agency
entering the scam data. This page will include details such as:
- why they have been redirected
- who entered the information
- information on the scam
- who they should contact if they are trying to access a site on that IP address that is not a scam (HTTP 1.1 issue, see below)
- other information regarding the scam
Users will be told NOT to contact their ISP but rather be supplied details
from the WHOIS database on who owns the affected IP address and encouraged
to contact them.
What ports does it work with?
ScamSlam supports any UDP or TCP port with the exception of TCP/179 (the BGP port).
What protocols does it support?
ScamSlam currently has the ability to intelligently redirect HTTP,
HTTPS and FTP based scams. The modular handler nature of the backend
system allows plug-in modules for other protocols to be written
in a short period of time and inserted quickly.
At times we provide a limited black hole service and therefore we
can block any IP address based on this feature. This is particularly
handy for users affected by trojans, key loggers and other such
nastiness.
How does this work with SSL or HTTPS?
ScamSlam at the HTTPS level does not and cannot in all cases operate
with the appropriately issued certificate. As such the end user
that is re-routed will see a series of browser generated warnings
and text boxes about the authenticity of the supplied certificate
(if users really looked at these there would be fewer successful
phishing attacks). If the user continues they will be redirected
as per normal.
What is to stop false redirection so my web server is redirected to my competitor's web server?
The ScamSlam system has the concept of 'Excluded Subnets'. ISPs
place these into the system and this will prevent any re-direction
occurring for those subnets.
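The two safeguards the FAQ describes, the excluded-subnet check here and the verification window and 7-day expiry described under "What safeguards are in place", fit naturally into one admission-and-lifecycle routine. The following is an added example written for this page, not ScamSlam's own code; the class and function names, the `entered_by` field and the sample subnet are assumptions. An entry is refused outright if it falls inside an ISP's excluded subnet; once accepted it is re-routed immediately, a verification only counts inside the 1-hour to 72-hour window, an unverified entry stops being re-routed at 72 hours, and every entry stops at 7 days regardless.

```python
"""Added example (not ScamSlam's own code): admission check against ISP
excluded subnets plus the verification window and 7-day expiry of an entry."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional

VERIFY_NOT_BEFORE = timedelta(hours=1)    # FAQ: verify after 1 hour ...
VERIFY_DEADLINE = timedelta(hours=72)     # ... and before 72 hours
REROUTE_LIFETIME = timedelta(days=7)      # FAQ: removed from re-routing after 7 days


class ExcludedSubnets:
    """Subnets an ISP has placed off-limits; no entry inside them is ever re-routed."""

    def __init__(self, cidrs: Iterable[str]) -> None:
        self.networks = [ipaddress.ip_network(c, strict=False) for c in cidrs]

    def contains(self, address: str) -> bool:
        ip = ipaddress.ip_address(address)
        return any(ip in net for net in self.networks)


@dataclass
class ScamEntry:
    address: str
    entered_by: str                      # hypothetical: the reporting organisation
    entered_at: datetime
    verified_at: Optional[datetime] = None


def submit(address: str, entered_by: str, now: datetime,
           excluded: ExcludedSubnets) -> ScamEntry:
    """Accept an entry only if it is a single host address outside excluded space."""
    ip = ipaddress.ip_address(address)   # rejects garbage and CIDR ranges alike
    if excluded.contains(str(ip)):
        raise ValueError(f"{ip} lies inside an excluded subnet; refusing to re-route")
    return ScamEntry(address=str(ip), entered_by=entered_by, entered_at=now)


def verify(entry: ScamEntry, now: datetime) -> bool:
    """Verification counts only inside the 1h..72h window after entry."""
    age = now - entry.entered_at
    if age < VERIFY_NOT_BEFORE or age > VERIFY_DEADLINE:
        return False
    entry.verified_at = now
    return True


def is_rerouted(entry: ScamEntry, now: datetime) -> bool:
    """Re-routing starts at entry, ends at 72h if unverified, and at 7 days regardless."""
    age = now - entry.entered_at
    if age > REROUTE_LIFETIME:
        return False
    if entry.verified_at is None and age > VERIFY_DEADLINE:
        return False
    return True


def demo() -> List[str]:
    """Constructed walk-through of one entry's lifetime."""
    excluded = ExcludedSubnets(["192.0.2.0/24"])       # constructed: an ISP's own block
    t0 = datetime(2024, 1, 1, 9, 0)
    log: List[str] = []
    try:
        submit("192.0.2.10", "bank-example", t0, excluded)
    except ValueError as exc:
        log.append(f"rejected: {exc}")
    entry = submit("198.51.100.10", "bank-example", t0, excluded)
    log.append(f"verify at +30m: {verify(entry, t0 + timedelta(minutes=30))}")
    log.append(f"verify at +2h: {verify(entry, t0 + timedelta(hours=2))}")
    log.append(f"rerouted at +6d: {is_rerouted(entry, t0 + timedelta(days=6))}")
    log.append(f"rerouted at +8d: {is_rerouted(entry, t0 + timedelta(days=8))}")
    return log


if __name__ == "__main__":
    print("\n".join(demo()))
```

The excluded-subnet test is deliberately run before anything else: an operator typo that lands inside an ISP's protected space is caught at entry time, so there is nothing to roll back later.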
What if my own IP address is re-directed? What do I do?
When a scam IP address is entered an email is sent to the relevant
contacts in the WHOIS database informing them that a scam has been
reported and the IP address is being re-routed. Details of the
organisation entering the IP address for re-routing will be made
available in order for these issues to be resolved.
How is it different from other RBL type schemes?
ScamSlam does not blackhole routes as a primary feature, as a real-time
block list (for spam, for example) may. ScamSlam redirects the
end user to a web page explaining the incident and telling them how
to remedy attacks in the future.
What about HTTP 1.1 issues with multi site web hosting?
With HTTP 1.1 host-header based servers, many web sites can exist
on one IP address. As a result, more than just the offending web
site may be redirected.
ScamSlam takes this into account by providing data on the scam at
hand and how end users may be affected, even if they were not
victims of the scam.
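Because the whole IP address is re-routed, the sinkhole server itself can tell a scam victim from a visitor to an innocent co-hosted site only by reading the HTTP/1.1 Host header of each request. The following is an added example written for this page, not ScamSlam's own code: the table of scam hostnames per re-routed IP, the page texts and the function and class names are all assumptions. It picks the landing page the FAQ describes under "Where is the user re-routed to?": a victim page when the Host header names a registered scam hostname, a bystander page (pointing to the WHOIS owner, not the ISP) when it names another site on the same address, and a neutral page when no usable Host was sent.

```python
"""Added example (not ScamSlam's own code): choose the landing page on a sinkhole
server by inspecting the HTTP/1.1 Host header, so visitors to innocent sites
co-hosted on a re-routed IP get a different explanation than scam victims."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional, Set

# Constructed data: scam hostnames the reporting agency registered per re-routed IP.
SCAM_HOSTS_BY_IP: Dict[str, Set[str]] = {
    "198.51.100.10": {"secure-login.example.invalid"},
}

# Constructed page texts following the FAQ's list of what the page should contain.
PAGES: Dict[str, str] = {
    "victim": (
        "You were directed here because the site you requested is a reported "
        "phishing page.\nReported by: <organisation placeholder>\n"
        "Do not enter card details or PINs; contact your bank using the number "
        "printed on your card.\n"
    ),
    "bystander": (
        "The IP address you reached has been temporarily re-routed because a "
        "phishing site shares it (HTTP/1.1 virtual hosting).\nThe site you asked "
        "for is not the reported scam. Do not contact your ISP; the address owner "
        "listed in the WHOIS database is the party to contact.\n"
    ),
    "unknown": (
        "This IP address is re-routed because of a reported scam. No hostname "
        "was supplied with your request, so we cannot tell which site you wanted.\n"
    ),
}


def classify_request(rerouted_ip: str, host_header: Optional[str]) -> str:
    """'victim' if Host names a registered scam host on this IP, 'bystander' if it
    names another site co-hosted there, 'unknown' if no usable Host was sent."""
    if not host_header:
        return "unknown"                         # HTTP/1.0 client or raw request
    host = host_header.strip().lower()
    if host.startswith("["):                     # IPv6 literal such as [2001:db8::1]:443
        host = host.split("]", 1)[0].lstrip("[")
    else:
        host = host.split(":", 1)[0]             # drop an explicit port
    host = host.rstrip(".")
    if not host or host == rerouted_ip:
        return "unknown"                         # request by bare IP names no vhost
    return "victim" if host in SCAM_HOSTS_BY_IP.get(rerouted_ip, set()) else "bystander"


class SinkholeHandler(BaseHTTPRequestHandler):
    def do_GET(self) -> None:
        # The sinkhole binds the diverted address, so the local socket address
        # tells us which re-routed IP this request was destined for.
        rerouted_ip = self.connection.getsockname()[0]
        kind = classify_request(rerouted_ip, self.headers.get("Host"))
        body = PAGES[kind].encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Local run for inspection only; in production the server binds the diverted address.
    HTTPServer(("127.0.0.1", 8080), SinkholeHandler).serve_forever()
```

Matching is done on the normalised hostname only (lower-cased, port and trailing dot removed), so `Secure-Login.example.invalid:443` and `secure-login.example.invalid` both hit the victim page, while a request that carries only the IP literal is not mistaken for a co-hosted site.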