• Skip to primary navigation
  • Skip to main content
  • Skip to footer

Cisco Umbrella

Enterprise network security

  • Free Trial
  • Contact us
  • Blog
  • Login
    • Umbrella Login
    • Cloudlock Login
  • Products
    • Product
      • Cisco Umbrella Cloud Security Service
      • Cisco Umbrella Investigate
      • Product Packages
      • Support Packages
    • Functionality
      • DNS-Layer Security
      • Secure Web Gateway
      • Cloud Access Security Broker (CASB)
      • Interactive Intelligence
      • Cloud-Delivered Firewall
    •  
    • Webinar signup
  • Solutions
    • By Need
      • Protect Mobile Users
      • Fast Incident Response
      • Web Content Filtering
      • Shadow IT Discovery & App Blocking
      • Unified Threat Enforcement
      • Reduce Security Infections
      • Secure Direct Internet Access
      • Securing Remote and Roaming Users
    • By Network
      • Protect Guest Wi-Fi
      • SD-WAN Security
      • Off-Network Endpoint Security
    • By Industry
      • Higher Education Security
      • K-12 Schools Security
      • Healthcare, Retail and Hospitality Security
      • Enterprise Cloud Security
      • Small Business Cybersecurity
      • Our Customers
      • Customer Stories
    • Ransomware Defense for Dummies book
  • Why Us
    • Fast Reliable Cloud
      • Cloud Security Infrastructure
      • Cloud Network Status
      • Cloud Network Activity
      • Recursive DNS Services
      • Top Reasons to Trial
      • Getting Started
    • Unmatched Intelligence
      • Cyber Attack Prevention
      • Interactive Intelligence
    • Extensive Integrations
      • IT Security Integrations
      • Hardware Integrations
      • Meraki Integration
      • Cisco SD-WAN
    • Navigation-dropdown-promo-free-trial_102820
  • Resources
    • Content Library
      • Top Resources
      • Analyst Reports
      • Case Studies
      • Customer Videos
      • Datasheets
      • eBooks
      • Infographics
      • Solution Briefs
    • International Documents
      • Deutsch/German
      • Español/Spanish
      • Français/French
      • Italiano/Italian
      • 日本語/Japanese
    • Cisco Umbrella Blog
      • Latest Posts
      • Security Posts
      • Research Posts
      • Threats Posts
      • Product Posts
      • Spotlight
    • For Customers
      • Support
      • Customer Success Hub
      • Umbrella Deployment Hub
      • Customer Success Webinars
      • What’s New
      • Cisco Umbrella Studio
  • Trends & Threats
    • Market Trends
      • Rise of Remote Workers
      • Secure Internet Gateway (SIG)
      • Secure Access Service Edge (SASE)
    • Security Threats
      • Ransomware
      • Cryptomining Malware Protection
      • Cybersecurity Threat Landscape
    •  
    • 2020 Cybersecurity trends
  • Partners
    • Channel Partners
      • Partner Program
      • Become a Partner
    • Service Providers
      • Secure Connectivity
      • Managed Security for MSSPs
      • Managed IT for MSPs
    •  
    • Become a partner
  • Free Trial Signup
  • Umbrella Login
  • Cloudlock Login
  • Contact Us
Security

How OpenDNS learns about phishing sites

By OpenDNS Team
Posted on July 24, 2006
Updated on August 4, 2020

Share

Facebook0Tweet0LinkedIn0

Phishing prevention is not a “fire and forget” task. You have to make sure you have great data, double-check the information, and update the data to avoid “false positives.” And you have to do it all the time.
Different folks have wondered publicly where our phishing data comes from and how OpenDNS uses the data. This post helps answer those questions, and more.
Phishing protection is a significant benefit to customers but it’s also a notable responsibility — under no circumstances does OpenDNS want to disrupt its customers’ normal Internet usage.
Note: if you just want speedy, reliable DNS without any protection from phishing, it’s available. (Not recommended, but available.) Use the OpenDNS preferences.
With that background out of the way, let me share what we added to our Frequently Asked Questions earlier this week.

How does OpenDNS decide if a site is a phishing site?
Currently, OpenDNS uses two methods for determining if a site is a phishing site:

  1. Analysis of our network data, based on years of experience with DNS traffic.
  2. Feeds from several network operators and others working against “Internet Bad Guys.”

There are three providers that we may identify and thank publicly for their participation:

  1. Support Intelligence
  2. Team Cymru
  3. CastleCops PIRT

How do I report a phishing site to OpenDNS?
The fight against phishing isn’t just for the banks and big companies to tackle; you can help. Right now [July, 2006], we encourage submission of possible phishing sites via our contact form. Nothing will be blocked unless it’s verified.

How do I tell OpenDNS about a mistakenly-blocked site?
Every time OpenDNS shows the phish-blocked page, we offer the option to tell us to review the site. These requests are treated with urgency; we understand that false positives are painful, too.
Sites which are removed from the phishing list will be available to OpenDNS customers within one hour after review, and hopefully much sooner.

An extra detail: for the data from outside partners, we update our lists every six hours, including removing sites which no longer appear in the feeds.

PhishTank

PhishTank is a site OpenDNS will launch later this summer as a collaborative clearing house for data and information about phishing and malware on the Internet. PhishTank will be a free community site for validating and sharing this kind of data. There will be various statistics and an API, so anyone else who needs solid data to help fight Internet Bad Guys can use PhishTank as a source.
The point? The fight against phishing isn’t just for the banks and big companies to tackle; you can help. Several of you have sent us phishing URLs to add to our lists already — thank you! OpenDNS is selfishly interested in having the best, most up-to-date data available, but we don’t believe that proprietary data in this area is the answer: the API will be open to others, whether they contribute or not.
Too often now, phish reports go into a black hole where no response comes back and none of the aggregated intelligence is shared. PhishTank will be a solution to that problem.

Next steps

Yesterday, we were offered another validated feed of sites to avoid. Thanks! This looks to be a great additional resource, and once it’s confirmed and integrated, we’ll announce it here (with permission).
If you have data that will help us block the “Internet Bad Guys” from OpenDNS customers, please let me know.
p.s. As noted above, here are two blogs which took a look at OpenDNS right as we launched and wondered aloud about our phishing protection.

Another thing OpenDNS should work on ASAP is transparency. I’d really like to know the false positive rate on phishing sites. How many legitimate sites get flagged as a phishing site? (Tyler Longren, July 10, 2006)

Tyler, too early to have that specific stat, yet, but we hear you.

It looks like they are using blocklists to stop you from hitting known phishing sites. They don’t say where the list comes from or how ofter it is updated. (Mike Frank, July 11, 2006)

Mike, thanks for pushing us.

Previous Post:

Previous Article

Next Post:

Next Article

Follow Us

  • Twitter
  • Facebook
  • LinkedIn
  • YouTube

Footer Sections

What we make

  • Cloud Security Service
  • DNS-Layer Network Security
  • Secure Web Gateway
  • Security Packages

Who we are

  • Cisco Umbrella Blog
  • Cloud Network Status
  • Cloud Network Activity
  • OpenDNS is now Cisco Umbrella

Learn more

  • Events
  • Careers
  • Support
  • Cisco Umbrella Live Demo
  • Contact Sales
Umbrella by Cisco
208.67.222.222+208.67.220.220
2620:119:35::35+2620:119:53::53
Sign up for a Free Trial
  • Cisco Online Privacy Statement
  • Terms of Service
  • Sitemap

© 2021 Cisco Umbrella