Internet Engineering Task Force (IETF)                           P. Cain
Request for Comments: 5901                   The Cooper-Cain Group, Inc.
Category: Standards Track                                      D. Jevans
ISSN: 2070-1721                          The Anti-Phishing Working Group
                                                               July 2010
        

Extensions to the IODEF-Document Class for Reporting Phishing

Abstract

This document extends the Incident Object Description Exchange Format (IODEF) defined in RFC 5070 to support the reporting of phishing events, which is a particular type of fraud. These extensions are flexible enough to support information gleaned from activities throughout the entire electronic fraud cycle -- from receipt of the phishing lure to the disablement of the collection site. Both simple reporting and complete forensic reporting are possible, as is consolidating multiple incidents.

Status of This Memo

This is an Internet Standards Track document.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc5901.

Copyright Notice

Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1. Introduction
      1.1. Why a Common Report Format Is Needed
      1.2. Processing of Exchanged Data Not Defined
      1.3. Relation to the INCH IODEF Data Model
   2. Terminology Used in This Document
      2.1. Requirements Language
   3. Interesting Fraud Event Data
      3.1. The Elements of a Phishing/Fraud Event
      3.2. Useful Data Items in a Fraud Event
   4. Fraud Activity Reporting via IODEF-Documents
      4.1. Fraud Report Types
      4.2. Fraud Report XML Representation
      4.3. Syntactical Correctness of Fraud Activity Reports
   5. PhraudReport Element Definitions
      5.1. PhraudReport Structure
      5.2. Reuse of IODEF-Defined Elements
      5.3. Element and Attribute Specification Format
      5.4. Version Attribute
      5.5. FraudType Attribute
      5.6. PhishNameRef Element
      5.7. PhishNameLocalRef Element
      5.8. FraudedBrandName Element
      5.9. LureSource Element
      5.10. OriginatingSensor Element
      5.11. The DCSite Element
      5.12. TakeDownInfo Element
      5.13. ArchivedData Element
      5.14. RelatedData Element
      5.15. CorrelationData Element
      5.16. PRComments Element
      5.17. EmailRecord Element
   6. Mandatory IODEF and PhraudReport Elements
      6.1. Guidance on Usage
   7. Security Considerations
      7.1. Transport-Specific Concerns
      7.2. Using the iodef:restriction Attribute
   8. IANA Considerations
   9. Contributors
   10. References
      10.1. Normative References
      10.2. Informative References
   Appendix A.  Phishing Extensions XML Schema
   Appendix B.  Example Virus Report
      B.1.  Received Email
      B.2.  Generated Report
        
   Appendix C.  Sample Phishing Report
      C.1.  Received Lure
      C.2.  Phishing Report
        
1. Introduction

Deception activities, such as receiving an email purportedly from a bank requesting you to confirm your account information, are an expanding attack type on the Internet. The terms "phishing" and "fraud" are used interchangeably in this document to characterize broadly-launched social engineering attacks in which an electronic identity is misrepresented in an attempt to trick individuals into revealing their personal credentials (e.g., passwords, account numbers, personal information, ATM PINs, etc.). A successful phishing attack on an individual allows the phisher (i.e., the attacker) to exploit the individual's credentials for financial or other gain. Phishing attacks have morphed from directed email messages from alleged financial institutions to more sophisticated lures that may also include malware.

This document defines a data format extension to the Incident Object Description Exchange Format (IODEF) [RFC5070] that can be used to describe information about a phishing or other type of fraudulent incident. Sections 2 and 3 of this document provide an overview of the terminology and process of a phishing event. Section 4 introduces the high-level report format and how to use it. Sections 5 and 6 describe the data elements of the fraud extensions. The appendices include an XML schema for the extensions and a few example fraud reports.

The extensions defined in this document may be used to report the social engineering victim lure, the collection site, credential targeted ("spear") phishing, broad multi-recipient phishing, and other evolving Internet-based fraud attempts. Malware and other malicious software included within the lure may also be included within the report.

1.1. Why a Common Report Format Is Needed

To combat the rise in malicious activity on the Internet, service providers and investigative agencies are sharing more and more network and event data in a coordinated effort to identify perpetrators and compromised accounts, coordinate responses, and prosecute attackers. As the number of data-sharing parties increases, the number of party-specific tools, formats, and definitions multiply rapidly until they overwhelm the investigative and coordination abilities of those parties.

By using a common format, it becomes easier for an organization to engage in this coordination as well as correlation of information from multiple data sources or products into a cohesive view. As the number of data sources increases, a common format becomes even more important, since multiple tools would be needed to interpret the different sources of data. A big win in a common format is the ability to automate many of the analysis tasks and significantly speed up the response and prosecution activities.

1.2. Processing of Exchanged Data Not Defined

While the intended use of this specification is to facilitate data sharing between parties, the mechanics of this sharing process and its related political challenges are out of scope for this document.

1.3. Relation to the INCH IODEF Data Model

Instead of defining a new report format, this document defines an extension to [RFC5070]. The IODEF defines a flexible and extensible format and supports a granular level of specificity. These phishing and fraud extensions reuse subsets of the IODEF data model and, where appropriate, specify new data elements. Leveraging an existing specification allows for more rapid adoption and reuse of existing tools in organizations. For clarity, and in order to eliminate duplication, only the additional structures necessary for describing the exchange of phishing and e-crime activity are provided.

2. Terminology Used in This Document

Since many people use different but similar terms to mean the same thing, we use the following terminology in this document.

a. Phishing

The overall process of identifying victims, contacting them via a lure, causing a victim to send a set of private credentials to a collection site, and storing those credentials is called phishing.

b. Fraud Event

A fraud event is the combination of phishing and subsequent fraudulent use of the private credentials.

c. Lure

A lure is the decoy used to trick a victim into performing some activity, such as providing their private credentials. The lure relies on social engineering concepts to convince the victim that the lure is genuine and its instructions should be followed. A lure includes a pointer or link to a collection site.

d. Collection Site

The website, email box, SMS number, phone number, or other place where a phished victim sends their private credentials for later fraudulent use by a criminal.

e. Credentials

A credential is data that is transferred or presented to establish either a claimed identity or the authorizations of a system entity. Many websites require a user name and password -- combined, they are a credential -- to access sensitive content.

f. Message

Although primarily email, a lure can be transported via any messaging medium, such as instant messages, Voice over IP (VoIP), or text via an SMS service. The term "message" is used as a generic term for any of these transport mediums.

2.1. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

3. Interesting Fraud Event Data

Before defining the structure of the IODEF extensions, we identify the "interesting" data in phishing and other fraudulent activities.

3.1. The Elements of a Phishing/Fraud Event

   +-----------+        +------------------+
   | Fraudster |<---<-- | Collection Site  |<---O--<----<----+
   +----+------+        +------------------+    |            |
        |                                       |            |
        |                                    +--|-----+      ^
        |                                    | Sensor | Credentials
        |                                    +-|------+      |
        |      +---------------+               |        +-------+
        \--->--| Attack Source |--Lure--->-----O------> | User/ |
               +---------------+                        |Victim |
                                                        +-------+
        

Figure 3.1. The Components of Internet Fraud

Internet-based phishing and fraud activities are normally comprised of at least six components:

1. The phisher, fraudster, or party perpetrating the fraudulent activity. Most times this party is not readily identifiable.

2. The attack source -- the source of the phishing email, virus, trojan, or other attack -- is masked in an enticing manner.

3. The lure used to trick the victim into responding.

4. The user, victim, or intended target of the fraud or phish.

5. The credentials, personal data, or other information the victim has surrendered to the phisher.

6. The collection site, where the victim sends their credentials or personal data if they have been duped by the lure of the phisher. This may be a website, mailbox, phone operator, or database.

If we take a holistic view of the attack, there are some additional components:

o The sensor -- the means by which the phish is detected. This element may be an intrusion detection system, firewall, filter, email gateway, or human analyst.

o A forensic or archive site (not pictured), where an investigator has copied or otherwise retained the data used for the fraud attempt or credential collection.

3.1.1. Fraudulent Activity Extensions to the IODEF-Document

Fraud events are reported in a fraud activity report, which is an instance of an XML IODEF-Document Incident element with added EventData and AdditionalData elements. The additional fields in the EventData specific to phishing and fraud are enclosed in a PhraudReport XML element. Fraudulent activity may include multiple emails, instant messages, or network messages, scattered over various times, locations, and methodologies. The PhraudReport within an EventData may include information about the email header and body, details of the actual phishing lure, correlation to other attacks, and details of the removal of the web server or credential collector. As a phishing attack may generate multiple reports to an incident team, multiple PhraudReports may be combined into one EventData structure, and multiple EventData structures may be combined into one incident report. One IODEF incident report may record one or more individual phishing events and may include multiple EventData elements.

This document defines new extension elements for the EventData IODEF XML elements and identifies those required in a PhraudReport. The appendices contain sample fraud activity reports and a complete schema.

The IODEF Extensions defined in this document comply with Section 4, "Extending the IODEF Format" in [RFC5070].

3.2. Useful Data Items in a Fraud Event

A fraud event yields a number of subtle and non-obvious data items that are worth capturing because they make event analysis, and correlation with other events, more useful. These data can be grouped into the following categories:

3.2.1. Data about the Lure

If a lure was presented as part of the fraud event, this category includes the original received lure, the means by which the lure was received (e.g., email, phone, or SMS), and the source addresses that sent the lure. Other useful data includes DNS data about the lure source, identification of any accompanying malware, and the brand name defrauded.

3.2.2. Credential Collection Site Data

The collection site contains victim identifications, along with copies of data supplied by the victims, such as account names or numbers, passwords, dates of birth, etc. This category of useful data includes these credentials, along with information about the collection site itself, such as its type, site DNS data, DNS registrant data, and site physical location. The location and registrant information is particularly important if law enforcement assistance is expected. Additionally, an entire site archive can be gathered to allow a collector on a shared website to be disabled without impacting other users.


3.2.3. Detection Information

This is a non-obvious data category and contains data on how the lure or collection site was detected. Understanding how the lure was detected allows us to design and implement better detection systems.

3.2.4. Analysis Output

In an environment where time is critical, it is imperative that analysis from one party can be reliably explained to and shared with other investigative parties. This grouping includes data that an investigator found interesting or could be useful to others.

4. Fraud Activity Reporting via IODEF-Documents

A fraud activity report is an instance of an XML IODEF-Document with additional extensions and usage guidance, as specified in Section 4 of this document. These additional extensions are implemented through the PhraudReport XML element.

As described in the following subsections, reporting fraud activity has three primary components: choosing a report type, a format for the data, and how to check the correctness of the format.

4.1. Fraud Report Types

There are three actions relating to reporting phishing events. First, a reporter may *create* and exchange a new report on a new event. Secondly, a reporter may *update* a previously exchanged report to indicate new collection sites, site takedown information, or related activities. Lastly, a reporter may have realized that the report is in error or contains significant incorrect data and that the prudent reaction is to *delete* the report.

The three types of reports are denoted through the ext-purpose attribute of an Incident element. A new report carries an empty ext-purpose value or the value "create"; an updated report carries an ext-purpose value of "update"; a request for deletion carries an ext-purpose value of "delete". Note that this is only an advisory marking for the report originator or recipient, as operating procedures in a report life cycle are very environment specific.

4.2. Fraud Report XML Representation

The IODEF Incident element ([RFC5070], Section 3.2) is summarized below. It and the rest of the data model presented in Section 4 are expressed in Unified Modeling Language (UML) syntax as used in the IODEF specification. The UML representation is for illustrative purposes only; elements are specified in XML as defined in Appendix A.

   +--------------------+
   | Incident           |
   +--------------------+
   | ENUM purpose       |<>----------[ IncidentID ]
   | STRING ext-purpose |<>--{0..1}--[ AlternativeID ]
   | ENUM lang          |<>--{0..1}--[ RelatedActivity ]
   | ENUM restriction   |<>--{0..1}--[ DetectTime ]
   |                    |<>--{0..1}--[ StartTime ]
   |                    |<>--{0..1}--[ EndTime ]
   |                    |<>----------[ ReportTime ]
   |                    |<>--{0..*}--[ Description ]
   |                    |<>--{1..*}--[ Assessment ]
   |                    |<>--{0..*}--[ Method ]
   |                    |<>--{1..*}--[ Contact ]
   |                    |<>--{0..*}--[ EventData ]
   |                    |              |<>--[ AdditionalData ]
   |                    |                     |<>--[ PhraudReport ]
   |                    |<>--{0..1}--[ History ]
   |                    |<>--{0..*}--[ AdditionalData ]
   +--------------------+
        

Figure 4.1. The IODEF XML Incident Element (Modified)

A fraud activity report is composed of one iodef:Incident element that contains one or more related PhraudReport elements embedded in the iodef:AdditionalData element of iodef:EventData. The PhraudReport element is added to the IODEF using its defined extension procedure documented in Section 5 of [RFC5070].

One IODEF-Document may contain information on multiple incidents with information for each incident contained within an iodef:Incident element ([RFC5070], Section 3.12).

4.3. Syntactical Correctness of Fraud Activity Reports

The fraud activity report MUST pass XML validation using the schema defined in [RFC5070] and the extensions defined in Appendix A of this document.

5. PhraudReport Element Definitions

A PhraudReport consists of an extension to the Incident.EventData.AdditionalData element with a dtype of "xml". The elements of the PhraudReport will specify information about the six components of fraud activity identified in Section 3.1. Additional forensic information and commentary can be added by the reporter as necessary to show relation to other events, to show the output of an investigation, or for archival purposes.

5.1. PhraudReport Structure

A PhraudReport element is structured as follows. The components of a PhraudReport are introduced in functional grouping, as some parameters are related and some elements may not make sense individually.

   +------------------+
   |   PhraudReport   |
   +------------------+
   | STRING Version   |<>--{0..1}--[ PhishNameRef ]
   | ENUM FraudType   |<>--{0..1}--[ PhishNameLocalRef ]
   | STRING ext-value |<>--{0..1}--[ FraudParameter ]
   |                  |<>--{0..*}--[ FraudedBrandName ]
   |                  |<>--{1..*}--[ LureSource ]
   |                  |<>--{1..*}--[ OriginatingSensor ]
   |                  |<>--{0..1}--[ EmailRecord ]
   |                  |<>--{0..*}--[ DCSite ]
   |                  |<>--{0..*}--[ TakeDownInfo ]
   |                  |<>--{0..*}--[ ArchivedData ]
   |                  |<>--{0..*}--[ RelatedData ]
   |                  |<>--{0..*}--[ CorrelationData ]
   |                  |<>--{0..1}--[ PRComments ]
   +------------------+
        

Figure 5.1. The PhraudReport Element

Relevant information about a phishing or fraud event is encoded into six components as follows:

a. The PhishNameRef and PhishNameLocalRef elements identify the fraud or class of fraud.

b. The LureSource element describes the source of the attack or phishing lure, including host information and any included malware.

c. The DCSite element describes the technical details of the credential collection site.

d. The OriginatingSensor element describes the means of detection.

The RelatedData, ArchivedData, and TakeDownInfo fields allow optional forensics and history data to be included.

A specific phish/fraud activity can be identified using a combination of the FraudType, FraudParameter, FraudedBrandName, LureSource, and PhishNameRef elements.

5.2. Reuse of IODEF-Defined Elements

Elements, attributes, and parameters defined in the base IODEF specification were used whenever possible in the definition of the PhraudReport XML element. This specification does not introduce any new variable types or encodings to the IODEF data model, but extends the IODEF Contact and System elements.

The data model schema contains a copy of the iodef:System element. Ideally the System element would simply be extended, but RFC 5070 defines it with an anonymous type that cannot be extended, so this specification copies the element, gives its underlying type a name, and then derives the extension from that named type.

Note: Elements that are imported from the base IODEF specification are prefaced with an "iodef" XML namespace and are noted with the section defining that element in [RFC5070]. Each element in a PhraudReport is used as described in the following sections.

5.3. Element and Attribute Specification Format

The following sections describe the components of a PhraudReport XML element. Each description is structured as follows.

1. A terse XML-type identifier for the element or attribute.

2. An indication of whether the element or attribute is REQUIRED or optional. Mandatory items are noted as REQUIRED. If not specified, elements are optional. Note that when optional elements are included, they may REQUIRE specific sub-elements.

3. A description of the element or attribute and its intended use.

Elements that contain sub-elements or enumerated values are further sub-sectioned. Note that there is no "trickle-up" effect in elements. That is, the required elements of a sub-element are only populated if the sub-element is used.

5.4. Version Attribute

REQUIRED. STRING. The version shall be the value 0.06, to be compliant with this document.

5.5. FraudType Attribute

REQUIRED. One ENUM. The FraudType attribute describes the type of fraudulent activity described in this PhraudReport. The FraudType chosen determines the meaning of the FraudParameter field. This attribute takes one of the following values:

1. phishing. The FraudParameter should be the subject line of the phishing lure email or value of a lure IM or VoIP message. This type is a standard phishing lure, usually sent as email, and is intended to exploit the recipient's credentials for financial gain.

2. recruiting. The FraudParameter is the subject line of the recruit, or mule, email or message.

3. malware distribution. The FraudParameter is the email subject line of the phishing email. This type of email phish does not pose a risk of financial loss to the recipient, but lures the recipient to an infected site.

4. fraudulent site. This identifies a known fraudulent site that does not necessarily send spam but is used to show lures. The FraudParameter may be used to identify the website.

5. dnsspoof. This choice does not have a related FraudParameter. This value is used when a DNS system component responds with an untrue IP address for the requested domain name due to either cache poisoning, ID spoofing, or other manipulation of the DNS system.

6. archive. There is no required FraudParameter for this choice, although the FraudParameter of the original phish could be entered. The data archived from the phishing server is placed in the ArchivedData element.

7. other. This is used to identify not-yet-enumerated fraud types.

8. unknown. This choice may have an associated FraudParameter. It is used to cover confused cases.

9. ext-value. This choice identifies an unidentified FraudType. The FraudType should be captured in the ext-value attribute.

5.5.1. ext-value Attribute

OPTIONAL. This STRING may be populated with a FraudType that has not been predefined.

5.5.2. FraudParameter Element

Zero or one value of iodef:MLStringType. The contents of this element are dependent on the FraudType choice. It may be an email subject line, VoIP lure, link in an IM message, or a web URL. Note that some phishers add a number of random characters onto the end of a phish email subject line for uniqueness; reporters should delete those characters before insertion into the FraudParameter field.

5.6. PhishNameRef Element

Zero or one value of iodef:MLStringType. The PhishNameRef element is the common name used to identify this fraud event. It is often the name agreed upon by involved parties or vendors. Using this name can be a convenient way to reference the activity when collaborating with other parties, the media, or engaging in public education.

5.7. PhishNameLocalRef Element

Zero or one value of iodef:MLStringType. The PhishNameLocalRef element describes a local name or Unique-IDentifier (UID) that is used by various parties before a commonly agreed-upon term is adopted. This field allows a cross-reference from the submitting organization's system to a central repository.

5.8. FraudedBrandName Element

Zero or more values of iodef:MLStringType. This is the identifier of the recognized brand name or company name used in the phishing activity (e.g., XYZ Semiconductor Corp).

5.9. LureSource Element

REQUIRED. One or more values. The LureSource element describes the source of the PhraudReport lure. It allows the specification of IP addresses, DNS names, domain registry information, and rudimentary support for the files that might be downloaded or registry keys modified by the crimeware.

   +-------------+
   | LureSource  |
   +-------------+
   |             |<>--(1..*)--[ System ]
   |             |<>--(0..*)--[ DomainData ]
   |             |<>--(0..1)--[ IncludedMalware  ]
   |             |<>--(0..1)--[ FilesDownloaded  ]
   |             |<>--(0..1)--[ WindowsRegistryKeysModified  ]
   +-------------+
        

Figure 5.2. The LureSource Element

5.9.1. System Element

REQUIRED. One or more values of iodef:System ([RFC5070], Section 3.15). The System element describes a particular host involved in the phishing activity. If the real IP address can be ascertained, it should be populated. A spoofed address may also be entered, in which case the spoofed attribute SHALL be set.

Multiple System elements may be used to identify the DNS name and IP address(es) of the lure source.

5.9.2. DomainData Element

Zero or more element values. The DomainData element describes the registration, delegation, and control of a domain used to source the lure and can identify the IP address associated with the System element URI. Capturing the domain data is very useful when investigating or correlating events.

The structure of a DomainData element is as follows:

   +--------------------+
   | DomainData         |
   +--------------------+
   |                    |<>----------[ Name ]
   |                    |<>--(0..1)--[ DateDomainWasChecked ]
   | ENUM SystemStatus  |<>--(0..1)--[ RegistrationDate ]
   | ENUM DomainStatus  |<>--(0..1)--[ ExpirationDate ]
   |                    |<>--(0..*)--[ Nameservers ]
   |                    |<>--(0..1)--[ DomainContacts ]
   +--------------------+
        

Figure 5.3. The DomainData Element

5.9.2.1. Name Element

REQUIRED. One value of iodef:MLStringType. The Name element contains the host DNS name used in this event. Its value should be the complete DNS host address; e.g., if an event targeted www.example.com, the value would be www.example.com.

5.9.2.2. DateDomainWasChecked Element

Zero or one value of DATETIME. This element includes the timestamp of when this domain data was checked and entered into this report, as many phishers modify their domain data at various stages of a phishing event.

5.9.2.3. RegistrationDate Element

Zero or one value of DATETIME. The RegistrationDate element shows the date of registration for a domain.

5.9.2.4. ExpirationDate Element

Zero or one value of DATETIME. The ExpirationDate element shows the date the domain will expire.

5.9.2.5. Nameservers Element

Zero or more values. These fields hold the nameservers identified for this domain. Each entry is a sequence of DNSNameType and iodef:Address pairs, as specified below.

   +--------------------+
   | Nameservers        |
   +--------------------+
   |                    |<>----------[ Server]
   |                    |<>--(1..*)--[ iodef:Address ]
   +--------------------+
        

Figure 5.4. The Nameservers Element

The use of one Server value and multiple Address values is used to note multiple IP addresses associated with one DNS entry for the domain nameserver.

5.9.2.5.1. Server Element

One value of iodef:MLStringType. This field contains the DNS name of the domain nameserver.

5.9.2.5.2. iodef:Address Element

One or more values of iodef:Address. This field lists the IP address(es) associated with this Server element.

5.9.2.6. DomainContacts Element

REQUIRED. Choice of either a SameDomainContact or one or more Contact elements. The DomainContacts element allows the reporter to enter contact information supplied by the registrar or returned by whois queries. For efficiency of the reporting party, the domain contact information may be marked to be the same as another domain already reported using the SameDomainContact element.

   +----------------+
   | DomainContacts |
   +----------------+
   |                |<>--(0..1)--[ SameDomainContact ]
   |                |<>--(1..*)--[ Contact ]
   +----------------+

Figure 5.5. The DomainContacts Element

5.9.2.6.1. SameDomainContact Element

REQUIRED. One iodef:MLStringType. The SameDomainContact element is populated with a domain name if the contact information for this domain is identical to that name in this or another report. Implementors are cautioned to only use this element when the domain contact data returned by a registrar or registry is identical.

5.9.2.6.2. Contact Element

REQUIRED. One or more iodef:Contact elements. This element reuses and extends the iodef:Contact elements for its components. Each component may have zero or more values. If only the role attribute and the ContactName component are populated, the same (identical) information is listed for multiple roles.

   +--------------------+
   | Contact            |
   +--------------------+
   |                    |<>----------[ iodef:ContactName ]
   |                    |<>--(0..*)--[ iodef:Description ]
   | ENUM role          |<>--(0..*)--[ iodef:RegistryHandle ]
   |                    |<>--(0..1)--[ iodef:PostalAddress ]
   | ENUM restriction   |<>--(0..*)--[ iodef:Email ]
   | STRING ext-role    |<>--(0..*)--[ iodef:Telephone ]
   | ENUM type          |<>--(0..1)--[ iodef:Fax ]
   | STRING ext-type    |<>--(0..1)--[ iodef:Timezone ]
   |                    |<->----------[ AdditionalData ]
   |                    |                  +<-> [ Confidence ]
   +--------------------+
        

Figure 5.6. The Contact Element

Each Contact has optional attributes to capture the sensitivity and role for which the contact is listed. Elements reused from [RFC5070] are not discussed in this document.

5.9.2.6.2.1. Confidence Element

REQUIRED. ENUM. The Confidence element describes a qualitative assessment of the veracity of the contact information. This attribute is an extension to the iodef:Contact element and is defined in this document. There are five possible Confidence values, as follows.

1. known-fraudulent. This contact information has been previously determined to be fraudulent, as either non-existent physical information or containing real information not associated with this domain registration.

2. looks-fraudulent. The contact information has suspicious information included.

3. known-real. The contact information has been previously investigated or determined to be correct.

4. looks-real. The contact information does not arouse suspicion but has not been previously validated.

5. unknown. The reporter cannot make a value judgment on the contact data.

5.9.2.6.2.2. ext-role Attribute

REQUIRED. ENUM. The ext-role attribute is extended from the iodef:ext-role attribute with the values identified in RFC 3982 [RFC3982]. The role attribute should be set to ext-value, with the ext-role attribute value chosen from one of the following values:

1. billingContacts

2. technicalContacts

3. administrativeContacts

4. legalContacts

5. zoneContacts

6. abuseContacts

7. securityContacts

8. otherContacts

9. hostingProvider. This contact is the hosting provider of this server. Although not in RFC 3982, it is useful in investigations to note where the server is located and who operates it. Load-balanced, multicast, or anycast servers may have multiple hostingProvider contact entries.

5.9.3. SystemStatus Attribute

REQUIRED. ENUM. The SystemStatus attribute assesses a system's involvement in this event. The value is chosen from this list:

1. spoofed. This domain or system did not participate in this event, but its address space or DNS name was simply used by another party.

2. fraudulent. The system is operated with fraudulent intentions, e.g., the domain name is a homophone.

3. innocent-hacked. The system was compromised by a third party and used in this event.

4. innocent-hijacked. The IP address or domain name was deliberately hijacked via BGP or DNS and used in this event to source the lure or host the collection site.

5. unknown. No conclusions are inferred from this event.

5.9.4. DomainStatus Attribute

ENUM. The DomainStatus attribute describes the registry status of a domain at the time of the report. The following enumerated list is taken from the "domainStatusType" of [RFC3982]. An extra "unknown" value was added in case the status is indeterminable.

1. reservedDelegation

2. assignedAndActive

3. assignedAndInactive

4. assignedAndOnHold

5. revoked

6. transferPending

7. registryLock

8. registrarLock

9. other

10. unknown

5.9.5. IncludedMalware Element

Zero or one value. The IncludedMalware element allows for the identification and optional inclusion of the actual malware that was part of the lure. The goal of this element is not to detail the characteristics of the malware but rather to allow for a convenient element to link malware to a phishing campaign.

   +------------------+
   | IncludedMalware  |
   +------------------+
   |                  |<>--(1..*)--[ Name ]
   |                  |<>--(0..1)--[ ds:Reference ]
   |                  |<>--(0..1)--[ Data ]
   +------------------+
        
   +-----------------------+
   | Data                  |
   +-----------------------+
   | hexBinary XORPattern  |
   +-----------------------+
        

Figure 5.7. The IncludedMalware Element

5.9.5.1. Name Element

REQUIRED. One or more values of iodef:MLStringType. This field is used to identify the lure malware by its known name. Unnamed malware may be identified by a value of "unknown".

5.9.5.2. Reference Element

Zero or one value of the Reference. This optional field is used to hold the algorithm identification and value of a hash computed over the malware executable. This entire element is imported from [RFC3275]. Implementations SHOULD support the use of SHA-1 [SHA] as a DigestMethod.

5.9.5.3. Data Element

Zero or one value. The optional Data element is used to include the lure malware, which is encoded as a hexBinary type and XORed with a pattern to render it harmless.

5.9.5.3.1. XORPattern Attribute

One value of hexBinary. The Data element carries a 16-hexadecimal-character (8-byte) XORPattern attribute used to disable the included malware so that a report carrying it does not trip anti-virus filters in transit. The default value is 0x55AA55AA55AA55BB; XORing the Data string with the pattern recovers the actual malware.
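
The following Python code is an added example and is not part of RFC 5901. It shows both halves of the IncludedMalware handling that Sections 5.9.5.2 and 5.9.5.3.1 describe: the ds:Reference digest is computed over the original executable, the Data content is the executable XORed with the XORPattern and hex-encoded, and the receiver reverses the XOR and checks the digest, so that a wrong pattern or a corrupted Data string is detected rather than silently yielding garbage. Assumptions: the 8-byte pattern is applied cyclically over the sample (the section does not state the alignment), the DigestMethod identifier and base64 DigestValue follow XMLDSig conventions, and the sample bytes are a constructed stand-in, not malware. SHA-1 is the digest this section says implementations SHOULD support; collision attacks on SHA-1 are practical today, so a reporter choosing a digest for new reports would name SHA-256 in the same ds:DigestMethod field.

```python
# Added example (not RFC 5901 code): mask an IncludedMalware sample with the
# XORPattern attribute and bind it to the ds:Reference digest.
import base64
import hashlib

DEFAULT_XOR_PATTERN = "55AA55AA55AA55BB"              # default from Section 5.9.5.3.1
SHA1_URI = "http://www.w3.org/2000/09/xmldsig#sha1"   # XMLDSig DigestMethod identifier for SHA-1

# Constructed stand-in for a lure executable ('MZ' header plus filler); NOT malware.
FAKE_SAMPLE = b"MZ\x90\x00" + b"constructed fake executable for the example, not malware " * 4


def xor_with_pattern(data, pattern_hex=DEFAULT_XOR_PATTERN):
    """XOR data with the 8-byte pattern repeated cyclically (ASSUMED alignment;
    the section does not spell it out). XOR is its own inverse, so the same
    call masks and unmasks."""
    pattern = bytes.fromhex(pattern_hex)
    if len(pattern) != 8:
        raise ValueError("XORPattern must be 16 hexadecimal characters (8 bytes)")
    return bytes(b ^ pattern[i % len(pattern)] for i, b in enumerate(data))


def encode_included_malware(sample, pattern_hex=DEFAULT_XOR_PATTERN):
    """Values for the IncludedMalware sub-elements: the ds:Reference digest is
    taken over the ORIGINAL executable; Data is the masked hexBinary string."""
    return {
        "DigestMethod": SHA1_URI,
        "DigestValue": base64.b64encode(hashlib.sha1(sample).digest()).decode("ascii"),
        "XORPattern": pattern_hex,
        "Data": xor_with_pattern(sample, pattern_hex).hex().upper(),
    }


def decode_included_malware(fields):
    """Recover the executable from Data/XORPattern and verify it against the
    ds:Reference digest; a mismatch means a wrong pattern or corrupted Data."""
    if fields["DigestMethod"] != SHA1_URI:
        raise ValueError("unsupported DigestMethod %r" % fields["DigestMethod"])
    sample = xor_with_pattern(bytes.fromhex(fields["Data"]), fields["XORPattern"])
    expected = base64.b64encode(hashlib.sha1(sample).digest()).decode("ascii")
    if expected != fields["DigestValue"]:
        raise ValueError("digest mismatch: wrong XORPattern or corrupted Data")
    return sample


if __name__ == "__main__":
    fields = encode_included_malware(FAKE_SAMPLE)
    print("Data starts with", fields["Data"][:16])
    print("round trip ok:", decode_included_malware(fields) == FAKE_SAMPLE)
```

The digest check is the part worth keeping: because XOR with a fixed 8-byte pattern is trivially reversible, the pattern provides no confidentiality, only a way to keep the report from being quarantined, and the digest is what tells the receiving analyst that the bytes they unmasked are the ones the reporter hashed.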

5.9.6. FilesDownloaded Element

Zero or one value of a sequence of File elements.

   +---------------------+
   | FilesDownloaded     |
   +---------------------+
   |                     |<>--(1..*)--[ File ]
   +---------------------+
        

Figure 5.8. The FilesDownloaded Element

5.9.6.1. File Element

One or more values of iodef:MLStringType. The File element value is the name of a file downloaded by this lure.

5.9.7. WindowsRegistryKeysModified Element

One or more values of the Key sequence. The contents of the WindowsRegistryKeysModified element are sequences of Key elements.

   +------------------------------+
   | WindowsRegistryKeysModified  |
   +------------------------------+
   |                              |<>--(1..*)--[ Key ]
   +------------------------------+
        
   +--------------+
   | Key          |
   +--------------+
   |              |<>-----[ Name ]
   |              |<>-----[ Value ]
   +--------------+
        

Figure 5.9. The WindowsRegistryKeysModified Element

5.9.7.1. Key Element

One or more sequences. The Key element is a sequence of Name and Value pairs representing an operating system registry key and its value. The key and value are encoded as in Microsoft .reg files [KB310516].

5.9.7.1.1. Name Element

One STRING, representing the Windows Operating System Registry Key Name. The value is encoded as in Microsoft .reg files, e.g., [HKEY_LOCAL_MACHINE\Software\Test\KeyName].

5.9.7.1.2. Value Element

One STRING, representing the value of the associated Key encoded as in Microsoft .reg files, e.g., REG_BINARY:01.

5.10. OriginatingSensor Element

REQUIRED. The OriginatingSensor element contains the identification and descriptive data of the network element that detected this fraud activity. Note that the network element does not have to be on the Internet itself (i.e., it may be a local Intrusion Detection System (IDS)), nor is it required to be mechanical (e.g., a human analyst is allowed).

Multiple OriginatingSensor elements are allowed to support detection at multiple locations.

   +----------------------------+
   | OriginatingSensor          |
   +----------------------------+
   | ENUM OriginatingSensorType |<>------------[ DateFirstSeen ]
   |                            |<>--(1..*)----[ iodef:System ]
   +----------------------------+
        

Figure 5.10. The OriginatingSensor Element

The OriginatingSensor requires a type value and identification of the entity that detected this fraudulent event.

5.10.1. OriginatingSensorType Attribute

REQUIRED. ENUM. The value is chosen from the following list, categorizing the function of this sensor:

1. web. A web server or service detected this event.

2. webgateway. A proxy, firewall, or other network gateway detected this event.

3. mailgateway. The event was detected via a mail gateway or filter.

4. browser. The event was detected at the user web interface or browser-type element.

5. ispsensor. The event was detected by an automated system in the network, such as Intrusion Detection System, Intrusion Protection System, or other Internet Service Provider device.

6. human. A non-automated system (e.g., a human, manual analysis, etc.) detected this event.

7. honeypot. The event was detected by receipt at a decoy device.

8. other. The detection was performed via a non-listed method.

5.10.2. DateFirstSeen Element

REQUIRED. DATETIME. This is the date and time that this sensor first saw this phishing activity.

5.10.3. iodef:System Element

REQUIRED. One or more values of iodef:System. This is identification information (such as the IP version, IP address, etc.) of the entity that detected this event. The ability to identify multiple detectors is supported.

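
The following Python script is an added example and is not part of RFC 5901 or of any IODEF implementation. It builds the smallest PhraudReport that satisfies the REQUIRED items of Figure 5.1 and Sections 5.4, 5.5, 5.9.1 and 5.10 inside an iodef:Incident.EventData.AdditionalData element with dtype "xml", and then checks a report against those cardinalities and the FraudType enumeration before it is exchanged. Assumptions not stated in this section: the IODEF namespace URI is the RFC 5070 one, the extension namespace URI is a placeholder, the System inside LureSource is the extension's copy of iodef:System (Section 5.2) while OriginatingSensor carries iodef:System directly (Figure 5.10), the iodef attribute values (category="source", category="sensor", category="ipv4-addr") and the IncidentID name are illustrative, and the Incident wrapper is reduced to what this section needs, so it is not a complete RFC 5070 Incident (no Assessment, for instance).

```python
# Added example (not RFC 5901 code): build a minimal PhraudReport and check it
# against the REQUIRED items of Figure 5.1 before sending.
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"   # RFC 5070 namespace
PHISH_NS = "urn:example:iodef-phish"             # ASSUMED placeholder for the extension namespace
ET.register_namespace("iodef", IODEF_NS)
ET.register_namespace("phish", PHISH_NS)


def iodef(tag):
    return "{%s}%s" % (IODEF_NS, tag)


def phish(tag):
    return "{%s}%s" % (PHISH_NS, tag)


# Enumeration and cardinalities as spelled in Section 5.5 and Figure 5.1.
FRAUD_TYPES = {"phishing", "recruiting", "malware distribution", "fraudulent site",
               "dnsspoof", "archive", "other", "unknown", "ext-value"}
MIN_ONE = ("LureSource", "OriginatingSensor")                       # {1..*}
MAX_ONE = ("PhishNameRef", "PhishNameLocalRef", "FraudParameter",   # {0..1}
           "EmailRecord", "PRComments")


def build_report(subject, lure_ip, sensor_ip, first_seen, brand):
    """Return an iodef:IODEF-Document whose EventData carries one PhraudReport.
    The Incident wrapper is illustrative and deliberately minimal."""
    doc = ET.Element(iodef("IODEF-Document"), version="1.00")
    incident = ET.SubElement(doc, iodef("Incident"), purpose="reporting")
    ET.SubElement(incident, iodef("IncidentID"), name="csirt.example.com").text = "phish-2010-001"
    ET.SubElement(incident, iodef("ReportTime")).text = first_seen
    event = ET.SubElement(incident, iodef("EventData"))
    extra = ET.SubElement(event, iodef("AdditionalData"), dtype="xml")  # Section 5: dtype "xml"

    report = ET.SubElement(extra, phish("PhraudReport"), Version="0.06", FraudType="phishing")
    ET.SubElement(report, phish("FraudParameter")).text = subject   # subject line for "phishing"
    ET.SubElement(report, phish("FraudedBrandName")).text = brand

    lure = ET.SubElement(report, phish("LureSource"))
    host = ET.SubElement(lure, phish("System"), category="source")  # extension copy of iodef:System
    node = ET.SubElement(host, iodef("Node"))
    ET.SubElement(node, iodef("Address"), category="ipv4-addr").text = lure_ip

    sensor = ET.SubElement(report, phish("OriginatingSensor"), OriginatingSensorType="mailgateway")
    ET.SubElement(sensor, phish("DateFirstSeen")).text = first_seen
    snode = ET.SubElement(ET.SubElement(sensor, iodef("System"), category="sensor"), iodef("Node"))
    ET.SubElement(snode, iodef("Address"), category="ipv4-addr").text = sensor_ip
    return doc


def check_report(doc):
    """Return a list of problems; an empty list means the REQUIRED items are present."""
    problems = []
    path = ".//%s[@dtype='xml']/%s" % (iodef("AdditionalData"), phish("PhraudReport"))
    reports = doc.findall(path)
    if not reports:
        return ["no PhraudReport under an AdditionalData element with dtype='xml'"]
    for rep in reports:
        if rep.get("Version") != "0.06":
            problems.append("Version must be 0.06 (Section 5.4)")
        ftype = rep.get("FraudType")
        if ftype not in FRAUD_TYPES:
            problems.append("FraudType %r is not in the Section 5.5 enumeration" % ftype)
        if ftype == "ext-value" and not rep.get("ext-value"):
            problems.append("FraudType ext-value requires the ext-value attribute")
        if ftype == "dnsspoof" and rep.find(phish("FraudParameter")) is not None:
            problems.append("dnsspoof has no related FraudParameter")
        for name in MIN_ONE:
            if not rep.findall(phish(name)):
                problems.append("%s is REQUIRED (1..*)" % name)
        for name in MAX_ONE:
            if len(rep.findall(phish(name))) > 1:
                problems.append("at most one %s is allowed" % name)
        for lure in rep.findall(phish("LureSource")):
            if not lure.findall(phish("System")):
                problems.append("LureSource needs at least one System")
        for sensor in rep.findall(phish("OriginatingSensor")):
            if sensor.find(phish("DateFirstSeen")) is None:
                problems.append("OriginatingSensor needs DateFirstSeen")
            if not sensor.findall(iodef("System")):
                problems.append("OriginatingSensor needs at least one iodef:System")
    return problems


def to_xml(doc):
    return ET.tostring(doc, encoding="unicode")


def from_xml(text):
    return ET.fromstring(text)


if __name__ == "__main__":
    doc = build_report("Urgent: verify your account", "192.0.2.10",
                       "198.51.100.7", "2010-07-01T12:00:00Z", "ExampleBank")
    print(to_xml(doc))
    print("problems:", check_report(doc))
```

check_report only catches the structural mistakes that are cheapest to fix before a report leaves the reporter, such as a missing OriginatingSensor, a FraudParameter on a dnsspoof report, or a FraudType of ext-value without the ext-value attribute. It does not replace validation against the Appendix A schema, which Section 4 requires.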

5.11. The DCSite Element

Zero or more DCSite elements. The DCSite captures the type, identifier, location, and other pertinent information about the credential gathering process, or data collection site, used in the phishing incident. The data collection site is identified by four elements: the type of collector, the network location, information about its DNS domain, and a confidence factor. Further details about the domain, system, or owner of the DCSite can be inserted into the DomainData sub-element.

If the DCSite element is present, a value is required. Multiple DCSite elements are allowed to indicate multiple collection sites for a single collector. Multiple URLs pointing to the same DNS entry can be identified with multiple SiteURL elements.

   +--------------+
   | DCSite       |
   +--------------+
   | ENUM DCType  |<>--+--------[ SiteURL ]
   |              |    +--------[ Domain ]
   |              |    +--------[ EmailSite ]
   |              |    +--------[ System ]
   |              |    +--------[ Unknown ]
   |              |<>--(0..*)---[ iodef:Node ]
   |              |<>--(0..1)---[ DomainData ]
   |              |<>--(0..1)---[ iodef:Assessment ]
   +--------------+
        

Figure 5.11. The DCSite Element

5.11.1. DCType Attribute

REQUIRED. ENUM. The DCType attribute identifies the method of data collection as determined through the analysis of the victim computer, lure, or malware. This attribute coupled with the DCSite content identifies the data collection site.

1. web. The user is redirected to a website to collect the data.

2. email. The victim sends an email with credentials enclosed.

3. keylogger. Some form of keylogger is downloaded to the victim.

4. automation. Other forms of automatic data collection, such as background Object Linking and Embedding (OLE) automation, are used to capture information on the user's machine.

5. unspecified.

5.11.2. DCSite Values

REQUIRED. The DCSite element contains the IP address, URL, email site, or other identifier of the credential or data collection site. The Domain choice may be used to identify entire "phishy" domains like those used for the RockPhish and related malware. Each DCSite element also includes a confidence attribute to convey the reporter's assessment of their confidence that this DCSite element is valid and involved with this event. The confidence value is a per-DCSite value, as multiple-site data collectors may have different confidence values.

The DCSite element is a choice of:

1. SiteURL. One value of iodef:MLStringType. This choice supports URIs and other web-based identifiers.

2. Domain. One value of iodef:MLStringType. This choice allows the entry of a DNS domain name.

3. EmailSite. One value of iodef:MLStringType. This choice includes an email address if the site used email communications.

4. iodef:Address. One value of iodef:Address element. This choice is used to capture the IP address of a site.

5. Unknown. One value of iodef:MLStringType. The unknown entry is used for exceptions to the preceding choices.

5.11.2.1. Confidence Attribute

One value of INTEGER. The confidence attribute is a value between 0 and 100, representing the reporter's certainty that this is a genuine phishing site. A value of 0 represents a false positive; a value of 100 signifies that the reporter has independently verified this site.

5.11.3. iodef:Node Element

Zero or more values of iodef:Node. This element is used to identify the IP address(es) or DNS names associated with the DCSite element value.

5.11.4. DomainData Element

Zero or one value of DomainData (Section 5.9.2). This element allows for the identification of data associated with the data collection site.

5.11.5. iodef:Assessment Element

Zero or one value of iodef:Assessment. This element is used to designate different confidence levels of multiple-site data collectors.

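As an added example (not part of RFC 5901 or its schema), the following Python parses the DCSite elements of a PhraudReport fragment and applies the checks Sections 5.11.1 through 5.11.3 describe: the DCType enumeration, the one-of choice for the site identifier (following the list in Section 5.11.2, so iodef:Address rather than the figure's System), the 0..100 range of the confidence attribute, and the iodef:Node addresses behind the site. The confidence attribute is assumed to sit on the DCSite element itself, as Section 5.11.2 states; the namespace URIs are those registered in Section 8. The sample fragment and its hosts, addresses and mailbox are constructed placeholders, and the third DCSite is deliberately malformed.

```python
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"
PHISH_NS = "urn:ietf:params:xml:ns:iodef-phish-1.0"
NS = {"iodef": IODEF_NS, "phish": PHISH_NS}

# DCType enumeration, Section 5.11.1.
DCTYPE_VALUES = {"web", "email", "keylogger", "automation", "unspecified"}

# The DCSite value is a choice of exactly one of these children (Section 5.11.2).
# iodef:Address is in the base IODEF namespace; the rest are phishing-extension elements.
DCSITE_CHOICES = {
    f"{{{PHISH_NS}}}SiteURL": "SiteURL",
    f"{{{PHISH_NS}}}Domain": "Domain",
    f"{{{PHISH_NS}}}EmailSite": "EmailSite",
    f"{{{IODEF_NS}}}Address": "iodef:Address",
    f"{{{PHISH_NS}}}Unknown": "Unknown",
}

# Constructed sample fragment (only the DCSite part of a PhraudReport is shown).
# Hosts, addresses and the mailbox are placeholders, not real indicators.
# The third DCSite carries three defects: unknown DCType, two identifiers,
# and a confidence outside 0..100.
SAMPLE = f"""<phish:PhraudReport xmlns:phish="{PHISH_NS}" xmlns:iodef="{IODEF_NS}"
                    FraudType="phishing" Version="1.0">
  <phish:DCSite DCType="web" confidence="90">
    <phish:SiteURL>http://login.example.invalid/verify.php</phish:SiteURL>
    <iodef:Node>
      <iodef:Address category="ipv4-addr">192.0.2.10</iodef:Address>
    </iodef:Node>
  </phish:DCSite>
  <phish:DCSite DCType="email" confidence="40">
    <phish:EmailSite>collector@example.invalid</phish:EmailSite>
  </phish:DCSite>
  <phish:DCSite DCType="dropsite" confidence="150">
    <phish:Domain>example.invalid</phish:Domain>
    <phish:SiteURL>http://example.invalid/</phish:SiteURL>
  </phish:DCSite>
</phish:PhraudReport>
"""


def validate_dcsite(elem):
    """Validate one DCSite element against Section 5.11; return (record, problems)."""
    problems = []

    dctype = elem.get("DCType")
    if dctype not in DCTYPE_VALUES:
        problems.append(f"DCType {dctype!r} is not one of {sorted(DCTYPE_VALUES)}")

    # Exactly one site-identifier child is expected.
    choices = [child for child in elem if child.tag in DCSITE_CHOICES]
    if len(choices) != 1:
        problems.append(f"expected one site identifier, found {len(choices)}")
    kind = DCSITE_CHOICES[choices[0].tag] if choices else None
    value = (choices[0].text or "").strip() if choices else None

    # confidence (Section 5.11.2.1): integer 0..100; 0 = false positive, 100 = verified.
    # Absence is tolerated here and reported as None.
    confidence = None
    raw = elem.get("confidence")
    if raw is not None:
        try:
            confidence = int(raw)
        except ValueError:
            problems.append(f"confidence {raw!r} is not an integer")
        else:
            if not 0 <= confidence <= 100:
                problems.append(f"confidence {confidence} is outside 0..100")

    # iodef:Node children (Section 5.11.3) carry the addresses behind the site.
    nodes = [(a.text or "").strip() for a in elem.findall("iodef:Node/iodef:Address", NS)]

    record = {"DCType": dctype, "kind": kind, "value": value,
              "confidence": confidence, "nodes": nodes}
    return record, problems


def extract_dcsites(xml_text):
    """Return [(record, problems), ...] for every DCSite in a PhraudReport."""
    root = ET.fromstring(xml_text)
    return [validate_dcsite(e) for e in root.findall("phish:DCSite", NS)]


def actionable_sites(xml_text, min_confidence=50):
    """Identifiers of well-formed DCSites whose confidence meets the threshold."""
    return [rec["value"] for rec, problems in extract_dcsites(xml_text)
            if not problems and rec["confidence"] is not None
            and rec["confidence"] >= min_confidence]


if __name__ == "__main__":
    for rec, problems in extract_dcsites(SAMPLE):
        print(rec, "OK" if not problems else problems)
```

A receiver would normally apply a threshold like the one in actionable_sites before acting on a DCSite, since Section 5.11.2 makes confidence a per-site value and a value of 0 explicitly marks a false positive.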

5.12. TakeDownInfo Element

Zero or more TakeDownInfo elements. This element identifies the agent or agency that performed the removal, DNS domain disablement, or ISP-blockage of the phish or fraud collector site. A PhraudReport may have multiple TakeDownInfo elements to support activities where multiple takedown activities are involved on different dates. Note that the term "agency" is used to identify any party performing the blocking or removal, such as ISPs or private parties, and not just government entities.

The TakeDownInfo element allows one date element with multiple TakeDownAgency and Comment elements to support operations using multiple agencies.

   +-------------------+
   | TakeDownInfo      |
   +-------------------+
   |                   |<>---(0..1)--[ TakeDownDate ]
   |                   |<>---(0..*)--[ TakeDownAgency ]
   |                   |<>---(0..*)--[ TakeDownComments ]
   +-------------------+
        

Figure 5.12. The TakeDownInfo Element

5.12.1. TakeDownDate

Zero or one value of DATETIME. This is the date and time that takedown of the collector site occurred.

5.12.2. TakeDownAgency

Zero or more iodef:MLStringType elements. This is a free-form string identifying the agency, corporation, or cooperative that performed the takedown.

5.12.3. TakeDownComments

Zero or more iodef:MLStringType elements. A free-form field to add any additional details of this takedown effort or to identify parties that assisted in the effort at an Internet Service Provider (ISP), Computer Emergency Response Team (CERT), or DNS registry.

5.13. ArchivedData Element

Zero or more values of the ArchivedData element are allowed.

   +-------------------+
   | ArchivedData      |
   +-------------------+
   | ENUM type         |<>---(0..1)--[ URL ]
   |                   |<>---(0..1)--[ Comments ]
   |                   |<>---(0..1)--[ Data ]
   +-------------------+
        

Figure 5.13. The ArchivedData Element

The ArchivedData URL element is populated with a pointer to the contents of a data collection site, base camp (i.e., development site), or other site used by a phisher. The ArchivedData Data element may also include a copy of the archived data recovered from a phishing system. This element will be populated when, for example, an ISP takes down a phisher's website and has copied the site data into an archive file.

There are four types of archives currently supported, as specified in the type field.

5.13.1. type Attribute

REQUIRED. This parameter specifies the type of site data pointed to by the ArchivedData URL element, from the following list:

1. collectionsite. The archive is a set of files from the collection site.

2. basecamp. The contents of a criminal development site are included in the archive.

3. sendersite. The archive is a set of files or data from a phishing lure sending site.

4. credentialInfo. The included archives are recovered private credentials.

5. unspecified. The archive contents do not fit into one of the above categories and will be described in the DataComments element.

5.13.2. URL Element

Zero or one value of anyURL. As the archive of an entire site can be quite large, the URL element points to the Internet-based server from which the actual content of the site archive can be retrieved. Note that this element only identifies where the archive file is located; it does not carry the archive itself in the report.

5.13.3. Comments Element

Zero or one value of iodef:MLStringType. This field is a free-form area for comments on the archive and/or URL.

5.13.4. Data Element

Zero or one value of xs:Base64Binary. This field contains a base64-encoded copy of the data described in the Comments element above.

5.14. RelatedData Element

Zero or more values of anyURI. This element allows the listing of other websites or net sites that are related to this incident (e.g., victim site, etc.).

5.15. CorrelationData Element

Zero or more values of iodef:MLStringType. Any information that correlates this incident to other incidents can be entered here.

5.16. PRComments Element

Zero or one value of iodef:MLStringType. This field allows for any comments specific to this PhraudReport that do not fit in any other field.

5.17. EmailRecord Element

This element supports the inclusion of the actual email message received as a phishing lure. Inclusion of the actual mail message is supported by two methods: either the message may be included as one large string, or the header and body components may be dissected and included as a series of strings.

   +--------------------+
   | EmailRecord        |
   +--------------------+
   |                    |<>--------------[ EmailCount ]
   |                    |<>--(0..1)------[ EmailMessage ]
   |                    |<>--(0..1)------[ EmailComments ]
   +--------------------+
        

Figure 5.14. The EmailRecord Element

5.17.1. EmailCount Element

REQUIRED. INTEGER. This field enumerates the number of email messages identified in this record as detected by the reporter.

5.17.2. EmailMessage Element

Zero or one value of iodef:MLStringType. The entire SMTP mail message -- rfc822 header followed by body, as specified in [RFC5322] -- should be inserted as one large text string. In some communities, this combination is known as the message contents and full headers.

5.17.3. EmailComments Element

Zero or one value of iodef:MLStringType. This field contains comments or relevant data about the phishing email that are not placed elsewhere.
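Section 5.17 describes the "one large string" method of embedding a lure. As an added example (not code from the RFC), the Python below builds an EmailRecord from raw RFC 5322 messages exactly that way, then serialises and re-parses it as a receiver would, to show what the receiving side actually recovers. The two raw lures, their hosts, addresses and Message-IDs are constructed placeholders; only the standard library is used.

```python
import email
from email import policy
import xml.etree.ElementTree as ET

PHISH_NS = "urn:ietf:params:xml:ns:iodef-phish-1.0"
NS = {"phish": PHISH_NS}


def _tag(name):
    """Clark-notation tag in the phishing extension namespace."""
    return f"{{{PHISH_NS}}}{name}"


# Constructed raw lures as captured off the wire: RFC 5322 header block,
# blank line, body, CRLF line endings. Hosts, addresses and Message-IDs
# are placeholders, not real indicators.
RAW_LURES = [
    (b"Received: from mx.example.invalid ([192.0.2.7])\r\n"
     b"\tby mail.example.invalid with ESMTP; Thu, 01 Jul 2010 09:29:58 +0000\r\n"
     b"From: \"Example Bank\" <security@example.invalid>\r\n"
     b"To: victim@example.invalid\r\n"
     b"Subject: Urgent: verify your account\r\n"
     b"Date: Thu, 01 Jul 2010 09:29:00 +0000\r\n"
     b"Message-ID: <lure-0001@example.invalid>\r\n"
     b"Content-Type: text/plain; charset=utf-8\r\n"
     b"\r\n"
     b"Please confirm your details at http://login.example.invalid/verify.php\r\n"),
    (b"From: helpdesk@example.invalid\r\n"
     b"To: victim@example.invalid\r\n"
     b"Subject: Account suspended\r\n"
     b"Date: Thu, 01 Jul 2010 10:02:00 +0000\r\n"
     b"Message-ID: <lure-0002@example.invalid>\r\n"
     b"\r\n"
     b"Your access has been suspended until you confirm your details.\r\n"),
]


def build_email_record(raw_messages):
    """Build an EmailRecord (Figure 5.14) from raw RFC 5322 messages.

    EmailCount is the number of lures seen (Section 5.17.1). EmailMessage
    carries the first lure verbatim as one string, full headers then body
    (Section 5.17.2). EmailComments lists every Subject so the remaining
    lures are not lost (Section 5.17.3).
    """
    record = ET.Element(_tag("EmailRecord"))
    ET.SubElement(record, _tag("EmailCount")).text = str(len(raw_messages))
    if raw_messages:
        message = ET.SubElement(record, _tag("EmailMessage"))
        message.text = raw_messages[0].decode("utf-8", errors="replace")
        subjects = []
        for raw in raw_messages:
            parsed = email.message_from_bytes(raw, policy=policy.default)
            subjects.append(str(parsed["Subject"] or "(none)"))
        comments = ET.SubElement(record, _tag("EmailComments"))
        comments.text = "Subjects observed: " + "; ".join(subjects)
    return record


def email_record_roundtrip(raw_messages):
    """Serialise the record and read it back the way a receiving parser would.

    Returns the count, the first lure's Subject and Message-ID re-parsed
    from EmailMessage, and whether the CRLF line endings survived. XML
    processors normalise CR LF to LF on input, so they do not; byte-exact
    evidence belongs in a base64 field such as ArchivedData/Data
    (Section 5.13.4), not in MLStringType text.
    """
    xml_bytes = ET.tostring(build_email_record(raw_messages), encoding="utf-8")
    root = ET.fromstring(xml_bytes)
    count = int(root.find("phish:EmailCount", NS).text)
    text = root.find("phish:EmailMessage", NS).text
    parsed = email.message_from_string(text, policy=policy.default)
    return {
        "count": count,
        "subject": str(parsed["Subject"]),
        "message_id": str(parsed["Message-ID"]),
        "crlf_preserved": "\r\n" in text,
    }


if __name__ == "__main__":
    print(email_record_roundtrip(RAW_LURES))
```

The round trip still yields a parseable message with its full headers, which is what Section 5.17.2 asks for; the lost CRLFs matter only when the lure is to be hashed or compared byte for byte, in which case the base64 ArchivedData element is the right carrier. Control characters other than TAB, CR and LF in a lure would likewise not survive in MLStringType text.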

6. Mandatory IODEF and PhraudReport Elements

A report about fraud or phishing requires certain identifying information that is contained within the standard IODEF Incident data structure and the PhraudReport extensions. The following table identifies attributes required to be present in a compliant PhraudReport to report phishing or fraud. The required attributes are a combination of those required by the base IODEF element, as shown in Figure 6.1, and those required by this document, shown in Figure 6.2. Attributes identified as required SHALL be populated in conforming phishing activity reports.

A compliant IODEF PhraudReport SHALL contain the following elements and attributes:

   +--------------+
   | Incident     |
   +--------------+
   | ENUM Purpose |---[ IncidentID ]
   |              |---[ ReportTime ]
   |              |---[ Assessment ]
   |              |   ---> [ Impact ]
   |              |---[ Contact ]
   |              |   ---> [ @type ]
   |              |   ---> [ @role ]
   |              |   ---> [ * ]
   |              |---[ EventData ]
   |              |   ---> [ DetectTime ]
   |              |   ---> [ AdditionalData ]
   |              |        ---> [ PhraudReport ]
   +--------------+
        

Figure 6.1. IODEF Required Classes for a PhraudReport

   +----------------+
   | PhraudReport   |
   +----------------+
   | ENUM FraudType |---[ LureSource ]
   | STRING Version |   ---> [ iodef:System ]
   |                |---[ OriginatingSensor ]
   |                |   --> [ DateFirstSeen ]
   |                |   --> [ iodef:System ]
   |                |       --> [ iodef:Node ]
   |                |
   +----------------+
        

Figure 6.2. PhraudReport Required Elements

* Note that the iodef:Contact element is required, but none of its sub-elements are required. For proper XML correctness, one of the sub-elements is required; pick one.

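Figures 6.1 and 6.2 together with the note above amount to a checklist that a receiver can apply before accepting a report. As an added example, not part of the RFC, the following Python checks an IODEF document against that checklist. It assumes the RFC 5070 spelling of the Incident attribute (`purpose`) and of the Contact attributes (`type`, `role`), treats Version as optional with default 1.0 as the schema in Appendix A declares, and uses a constructed sample report whose identifiers, times, hosts and addresses are placeholders.

```python
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"
PHISH_NS = "urn:ietf:params:xml:ns:iodef-phish-1.0"
NS = {"iodef": IODEF_NS, "phish": PHISH_NS}

# Figure 6.1: paths relative to iodef:Incident that must resolve.
INCIDENT_REQUIRED = [
    "iodef:IncidentID",
    "iodef:ReportTime",
    "iodef:Assessment/iodef:Impact",
    "iodef:Contact",
    "iodef:EventData/iodef:DetectTime",
    "iodef:EventData/iodef:AdditionalData/phish:PhraudReport",
]

# Figure 6.2: paths relative to phish:PhraudReport that must resolve.
PHRAUD_REQUIRED = [
    "phish:LureSource/iodef:System",
    "phish:OriginatingSensor/phish:DateFirstSeen",
    "phish:OriginatingSensor/iodef:System/iodef:Node",
]

# Constructed sample report satisfying both figures. Names, times, hosts and
# addresses are placeholders.
SAMPLE_REPORT = f"""<iodef:IODEF-Document version="1.00"
    xmlns:iodef="{IODEF_NS}" xmlns:phish="{PHISH_NS}">
  <iodef:Incident purpose="reporting">
    <iodef:IncidentID name="csirt.example.invalid">PR-0001</iodef:IncidentID>
    <iodef:ReportTime>2010-07-01T12:00:00+00:00</iodef:ReportTime>
    <iodef:Assessment>
      <iodef:Impact type="user" severity="medium"/>
    </iodef:Assessment>
    <iodef:Contact role="creator" type="organization">
      <iodef:ContactName>Example CSIRT</iodef:ContactName>
    </iodef:Contact>
    <iodef:EventData>
      <iodef:DetectTime>2010-07-01T09:30:00+00:00</iodef:DetectTime>
      <iodef:AdditionalData dtype="xml">
        <phish:PhraudReport FraudType="phishing" Version="1.0">
          <phish:LureSource>
            <iodef:System category="source">
              <iodef:Node>
                <iodef:Address category="ipv4-addr">192.0.2.25</iodef:Address>
              </iodef:Node>
            </iodef:System>
          </phish:LureSource>
          <phish:OriginatingSensor>
            <phish:DateFirstSeen>2010-07-01T09:30:00+00:00</phish:DateFirstSeen>
            <iodef:System category="sensor">
              <iodef:Node>
                <iodef:NodeName>mail-gw-1.example.invalid</iodef:NodeName>
              </iodef:Node>
            </iodef:System>
          </phish:OriginatingSensor>
        </phish:PhraudReport>
      </iodef:AdditionalData>
    </iodef:EventData>
  </iodef:Incident>
</iodef:IODEF-Document>
"""

# Two deliberately broken variants derived from the sample.
MISSING_DETECTTIME = SAMPLE_REPORT.replace(
    "<iodef:DetectTime>2010-07-01T09:30:00+00:00</iodef:DetectTime>", "")
EMPTY_CONTACT = SAMPLE_REPORT.replace(
    "<iodef:ContactName>Example CSIRT</iodef:ContactName>", "")


def check_mandatory(xml_text):
    """Return the list of missing mandatory items; an empty list means compliant."""
    root = ET.fromstring(xml_text)
    problems = []
    incidents = root.findall("iodef:Incident", NS)
    if not incidents:
        return ["no iodef:Incident element"]
    for inc in incidents:
        # RFC 5070 spells the attribute 'purpose'; Figure 6.1 shows it as ENUM Purpose.
        if inc.get("purpose") is None:
            problems.append("Incident: missing purpose attribute")
        for path in INCIDENT_REQUIRED:
            if inc.find(path, NS) is None:
                problems.append(f"Incident: missing {path}")
        for contact in inc.findall("iodef:Contact", NS):
            for attr in ("type", "role"):
                if contact.get(attr) is None:
                    problems.append(f"Contact: missing {attr} attribute")
            # Per the note under Figure 6.2, no particular sub-element is
            # mandatory, but XML correctness needs at least one.
            if len(contact) == 0:
                problems.append("Contact: needs at least one sub-element")
        for pr in inc.findall("iodef:EventData/iodef:AdditionalData/phish:PhraudReport", NS):
            if pr.get("FraudType") is None:
                problems.append("PhraudReport: missing FraudType attribute")
            # Version is optional in the Appendix A schema (default 1.0), so its
            # absence is not reported.
            for path in PHRAUD_REQUIRED:
                if pr.find(path, NS) is None:
                    problems.append(f"PhraudReport: missing {path}")
    return problems


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_REPORT), ("no DetectTime", MISSING_DETECTTIME),
                       ("empty Contact", EMPTY_CONTACT)):
        print(label, check_mandatory(doc) or "compliant")
```

This is a presence check, not schema validation: it confirms the required classes are there but does not validate types or enumerations, which a full XSD validator against Appendix A and the RFC 5070 schema would do.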

6.1. Guidance on Usage

It may be apparent that the mandatory attributes for a PhraudReport make for a quite sparse report. As incident forensics and data analysis require detailed information, the originator of a PhraudReport SHOULD include any tidbit of information gleaned from the attack analysis. Information that is considered sensitive can be marked as such using the restriction parameter of each data element.

The reporting party is encouraged to provide more than just the minimally required data elements about an event in a PhraudReport. The additional information may be volatile and not recoverable in the future, and may be useful in answering investigation questions or in performing correlation with other reported events.

7. Security Considerations

This document specifies a format for encoding a particular class of security incidents appropriate for exchange across organizations. As merely a data representation, it does not directly introduce security issues. However, it is guaranteed that parties exchanging instances of this specification will have certain concerns. For this reason, the underlying message format and transport protocol used MUST ensure the appropriate degree of confidentiality, integrity, and authenticity for the specific environment.

Organizations that exchange data using this document are URGED to develop operating procedures that document the following areas of concern.

7.1. Transport-Specific Concerns

The critical security concerns are that phishing activity reports may be falsified or the PhraudReport may become corrupt during transit. In areas where transmission security or secrecy is questionable, the application of a digital signature and/or message encryption on each report will counteract both of these concerns. We expect that each exchanging organization will determine the need, and mechanism, for transport protection.

7.2. Using the iodef:restriction Attribute

In some instances, data values in particular elements may contain data deemed sensitive by the reporter. Although there are no general-purpose rules on when to mark certain values as "private" or "need-to-know" via the iodef:restriction attribute, the reporter is cautioned not to apply element-level sensitivity markings unless they believe the receiving party (i.e., the party they are exchanging the event report data with) has a mechanism to adequately safeguard and process the data as marked. For example, if the PhraudReport element is marked private and contains a phishing collector URL in the DCSite/SiteURL element, can that URL be included within a block list distributed to other parties? No guidance is provided here except to urge exchanging parties to review the IODEF and PhraudReport documents to decide on common marking rules.

8. IANA Considerations

This document uses URNs to describe XML namespaces and XML schemas conforming to a registry mechanism described in [RFC3688].

Registration request for the IODEF phishing namespace:

       URI: urn:ietf:params:xml:ns:iodef-phish-1.0
        

Registrant Contact: See the "Authors' Addresses" section of this document.

XML: None.

Registration request for the IODEF phishing extension XML schema:

       URI: urn:ietf:params:xml:schema:iodef-phish-1.0
        

Registrant Contact: See the "Authors' Addresses" section of this document.

XML: See Appendix A, "Phishing Extensions XML Schema", of this document.

9. Contributors

The extensions are an outgrowth of the Anti-Phishing Working Group (APWG) activities in data collection and sharing of phishing and other e-crimeware. (The APWG has no relationship to an IETF working group.)

This document has received significant assistance from members of the IETF INCH working group and two groups addressing the phishing problem: members of the APWG and participants in the Financial Services Technology Consortium's Counter-Phishing project. A special thanks goes to the hardy people who supplied valuable feedback after using this format to report phishing.

10. References
10.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC3275] Eastlake, D., Reagle, J., and D. Solo, "(Extensible Markup Language) XML-Signature Syntax and Processing", RFC 3275, March 2002.

[RFC3982] Newton, A. and M. Sanz, "IRIS: A Domain Registry (dreg) Type for the Internet Registry Information Service (IRIS)", RFC 3982, January 2005.

[RFC5070] Danyliw, R., Meijer, J., and Y. Demchenko, "The Incident Object Description Exchange Format", RFC 5070, December 2007.

[SHA] National Institute of Standards and Technology, U.S. Department of Commerce, "Secure Hash Standard", FIPS 180-2, August 2002.

10.2. Informative References

[KB310516] Microsoft Corporation, "How to add, modify, or delete registry subkeys and values by using a registration entries (.reg) file", December 2007.

[RFC3688] Mealling, M., "The IETF XML Registry", RFC 3688, January 2004.

[RFC5322] Resnick, P., "Internet Message Format", RFC 5322, October 2008.

Appendix A. Phishing Extensions XML Schema
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema attributeFormDefault="unqualified"
           elementFormDefault="qualified"
           targetNamespace="urn:ietf:params:xml:ns:iodef-phish-1.0"
           xmlns="urn:ietf:params:xml:ns:iodef-1.0"
           xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns:phish="urn:ietf:params:xml:ns:iodef-phish-1.0"
           xmlns:iodef="urn:ietf:params:xml:ns:iodef-1.0"
           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <xs:import namespace="http://www.w3.org/2000/09/xmldsig#"
     schemaLocation="http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/>
        
  <!--
  ==========================================================
  ===  Top-Level Class:  PhraudReport                    ===
  ==========================================================

  It is incorporated within an IODEF.Incident.EventData.AdditionalData
  element.

  All the top-level or major elements are defined as xs:types to make
  future extension easier.
  -->

  <xs:element name="PhraudReport">
    <xs:complexType>
      <xs:sequence>
        <xs:element minOccurs="0" name="PhishNameRef"
                type="iodef:MLStringType"/>
        <xs:element minOccurs="0" name="PhishNameLocalRef"
                type="iodef:MLStringType"/>
        <xs:element minOccurs="0" name="FraudParameter"
                    type="iodef:MLStringType"/>
        <xs:element maxOccurs="unbounded" minOccurs="0"
                    name="FraudedBrandName" type="iodef:MLStringType"/>
        <xs:element maxOccurs="unbounded" minOccurs="1"
                    name="LureSource" type="phish:LureSource.type"/>
        <xs:element maxOccurs="unbounded" minOccurs="1"
                    name="OriginatingSensor"
                    type="phish:OriginatingSensor.type"/>
        <xs:element maxOccurs="1" minOccurs="0" name="EmailRecord"
                    type="phish:EmailRecord.type"/>
        
        <xs:element maxOccurs="unbounded" minOccurs="0"
                    name="DCSite"  type="phish:DCSite.type"/>
        <xs:element maxOccurs="unbounded" minOccurs="0"
                    ref="phish:TakeDownInfo"/>
        <xs:element maxOccurs="unbounded" minOccurs="0"
                    ref="phish:ArchivedData"/>
        <xs:element maxOccurs="unbounded" minOccurs="0"
                    name="RelatedData" type="xs:anyURI"/>
        <xs:element maxOccurs="unbounded" minOccurs="0"
                    name="CorrelationData" type="iodef:MLStringType"/>
        <xs:element maxOccurs="1" minOccurs="0" name="PRComments"
                    type="iodef:MLStringType"/>
      </xs:sequence>
        
      <xs:attribute default="1.0" name="Version" use="optional"/>
        
      <xs:attribute name="FraudType" type="phish:FraudType.type"
                    use="required"/>
        
      <xs:attribute name="ext-value" type="xs:string" use="optional"/>
    </xs:complexType>
  </xs:element>
        
  <xs:simpleType name="FraudType.type">
    <xs:restriction base="xs:string">
      <xs:enumeration value="phishing"/>
      <xs:enumeration value="recruiting"/>
      <xs:enumeration value="malware distribution"/>
      <xs:enumeration value="fraudulent site"/>
      <xs:enumeration value="dnsspoof"/>
      <xs:enumeration value="archive"/>
      <xs:enumeration value="other"/>
      <xs:enumeration value="unknown"/>
      <xs:enumeration value="ext-value"/>
    </xs:restriction>
  </xs:simpleType>
        
  <!--
==========================================================
===           End of the Top-Level Element             ===
==========================================================
-->
        
  <!--
  ==========================================================
  ===           The LureSource Element                   ===
  ==========================================================
  -->
        
  <xs:complexType mixed="false" name="LureSource.type">
    <xs:sequence>
      <xs:element maxOccurs="unbounded" minOccurs="1"
              ref="iodef:System"/>
        
      <xs:element minOccurs="0" maxOccurs="unbounded"
              ref="phish:DomainData"/>
        
      <xs:element minOccurs="0" name="IncludedMalware"
                  type="phish:IncludedMalware.type"/>
        
      <xs:element minOccurs="0" name="FilesDownloaded">
        <xs:complexType>
          <xs:sequence>
            <xs:element minOccurs="1" name="File"
                   type="iodef:MLStringType"/>
          </xs:sequence>
        </xs:complexType>
      </xs:element>
        
      <xs:element minOccurs="0" name="WindowsRegistryKeysModified">
        <xs:complexType>
          <xs:sequence>
            <xs:element maxOccurs="unbounded" name="Key">
              <xs:complexType>
                <xs:sequence>
                  <xs:element name="Name" type="xs:string"/>
                  <xs:element name="Value" type="xs:string"/>
                </xs:sequence>
              </xs:complexType>
            </xs:element>
          </xs:sequence>
        </xs:complexType>
      </xs:element>
    </xs:sequence>
  </xs:complexType>
        
  <!--
  ===    LureSource sub-elements    ===
  -->
        
  <xs:complexType name="IncludedMalware.type">
    <xs:sequence>
      <xs:element name="Name"
              maxOccurs="unbounded" type="iodef:MLStringType"/>
      <xs:element minOccurs="0" ref="ds:Reference"/>
      <xs:element minOccurs="0" name="Data">
        <xs:complexType >
            <xs:simpleContent>
                  <xs:extension base="xs:hexBinary">
                      <xs:attribute default="55AA55AA55AA55BB"
                           name="XORPattern" type="xs:hexBinary"/>
                   </xs:extension>
            </xs:simpleContent>
       </xs:complexType>
      </xs:element>
    </xs:sequence>
  </xs:complexType>
        
  <!--
 ===========================================================
 ===  The EmailRecord Element                            ===
 ===========================================================
  -->
        
  <xs:complexType name="EmailRecord.type">
    <xs:sequence>
      <xs:element name="EmailCount" type="xs:integer"/>
      <xs:element maxOccurs="1" minOccurs="0" name="EmailMessage"
                    type="iodef:MLStringType"/>
      <xs:element maxOccurs="1" minOccurs="0" name="EmailComments"
                  type="iodef:MLStringType"/>
    </xs:sequence>
  </xs:complexType>
        
  <!--
 ===========================================================
 ===  The Data Collection Site (DCSite) Info Element     ===
 ===========================================================
  -->
        
  <xs:complexType name="DCSite.type">
    <xs:sequence>
      <xs:choice>
        <xs:element name="SiteURL">
        
          <xs:complexType>
            <xs:simpleContent>
              <xs:extension base="iodef:MLStringType">
                <xs:attribute ref="phish:confidence"/>
              </xs:extension>
            </xs:simpleContent>
          </xs:complexType>
        </xs:element>
        
        <xs:element name="Domain">
          <xs:complexType>
            <xs:simpleContent>
              <xs:extension base="iodef:MLStringType">
                <xs:attribute ref="phish:confidence"/>
              </xs:extension>
            </xs:simpleContent>
          </xs:complexType>
        </xs:element>
        
        <xs:element name="EmailSite">
          <xs:complexType>
            <xs:simpleContent>
              <xs:extension base="iodef:MLStringType">
                <xs:attribute ref="phish:confidence"/>
              </xs:extension>
            </xs:simpleContent>
          </xs:complexType>
        </xs:element>
        
        <xs:element name="System">
         <xs:complexType id="SystemType">
            <xs:sequence>
              <xs:element ref="iodef:Address"/>
            </xs:sequence>
            <xs:attribute ref="phish:confidence"/>
         </xs:complexType>
        </xs:element>
        
        <xs:element name="Unknown">
          <xs:complexType>
            <xs:simpleContent>
              <xs:extension base="iodef:MLStringType">
                <xs:attribute  ref="phish:confidence"/>
              </xs:extension>
            </xs:simpleContent>
          </xs:complexType>
        </xs:element>
      </xs:choice>
        
      <xs:element ref="iodef:Node" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element minOccurs="0" ref="phish:DomainData"/>
      <xs:element minOccurs="0" ref="iodef:Assessment"/>
    </xs:sequence>
        
    <xs:attribute name="DCType" use="required">
      <xs:simpleType>
        <xs:restriction base="xs:string">
          <xs:enumeration value="web"/>
          <xs:enumeration value="email"/>
          <xs:enumeration value="keylogger"/>
          <xs:enumeration value="automation"/>
          <xs:enumeration value="unspecified"/>
        </xs:restriction>
      </xs:simpleType>
    </xs:attribute>
  </xs:complexType>
        
  <!--
=================================================
==== The Domain Data Element used in System =====
=================================================
-->
        
  <xs:element name="DomainData">
    <xs:complexType id="DomainData.type">
      <xs:sequence>
        <xs:element maxOccurs="1"
                  name="Name" type="iodef:MLStringType"/>
        <xs:element maxOccurs="1" minOccurs="0"
                  name="DateDomainWasChecked" type="xs:dateTime"/>
        <xs:element maxOccurs="1" minOccurs="0" name="RegistrationDate"
                  type="xs:dateTime"/>
        <xs:element maxOccurs="1" minOccurs="0" name="ExpirationDate"
                  type="xs:dateTime"/>
        <xs:element maxOccurs="unbounded" minOccurs="0"
                 name="Nameservers">
          <xs:complexType id="Nameservers.type">
            <xs:sequence>
              <xs:element name="Server" type="iodef:MLStringType"/>
              <xs:element ref="iodef:Address" maxOccurs="unbounded"/>
            </xs:sequence>
          </xs:complexType>
        </xs:element>
        <xs:choice id="DomainContacts" maxOccurs="1" minOccurs="0">
          <xs:element name="SameDomainContact"
                     type="iodef:MLStringType"/>
        
          <xs:sequence>
            <xs:element maxOccurs="unbounded" minOccurs="1"
                        ref="iodef:Contact"/>
          </xs:sequence>
        </xs:choice>
      </xs:sequence>
      <xs:attribute name="SystemStatus">
        <xs:simpleType id="SystemStatus.type">
          <xs:restriction base="xs:string">
            <xs:enumeration value="spoofed"/>
            <xs:enumeration value="fraudulent"/>
            <xs:enumeration value="innocent-hacked"/>
            <xs:enumeration value="innocent-hijacked"/>
            <xs:enumeration value="unknown"/>
          </xs:restriction>
        </xs:simpleType>
      </xs:attribute>
        
      <xs:attribute name="DomainStatus">
        <xs:simpleType id="DomainStatus.type">
          <xs:restriction base="xs:string">
            <xs:enumeration value="reservedDelegation"/>
            <xs:enumeration value="assignedAndActive"/>
            <xs:enumeration value="assignedAndInactive"/>
            <xs:enumeration value="assignedAndOnHold"/>
            <xs:enumeration value="revoked"/>
            <xs:enumeration value="transferPending"/>
            <xs:enumeration value="registryLock"/>
            <xs:enumeration value="registrarLock"/>
            <xs:enumeration value="other"/>
            <xs:enumeration value="unknown"/>
          </xs:restriction>
        </xs:simpleType>
      </xs:attribute>
    </xs:complexType>
  </xs:element>
        
  <xs:element name="Confidence">
    <xs:simpleType>
      <xs:restriction base="xs:nonNegativeInteger">
          <xs:minInclusive value="0"/>
          <xs:maxInclusive value="100"/>
       </xs:restriction>
     </xs:simpleType>
  </xs:element>
        
<xs:attribute name="confidence">
  <xs:simpleType>
    <xs:restriction base="xs:nonNegativeInteger">
      <xs:minInclusive value="0"/>
      <xs:maxInclusive value="100"/>
    </xs:restriction>
  </xs:simpleType>
</xs:attribute>
        
  <!--
=====================================================================
= ext-role Values for use within the DomainContact Contacts Element =
=====================================================================
-->
        
  <xs:simpleType name="ext-role">
    <xs:restriction base="xs:string">
      <xs:enumeration value="billingContacts"/>
      <xs:enumeration value="technicalContacts"/>
      <xs:enumeration value="administrativeContacts"/>
      <xs:enumeration value="legalContacts"/>
      <xs:enumeration value="zoneContacts"/>
      <xs:enumeration value="abuseContacts"/>
      <xs:enumeration value="securityContacts"/>
      <xs:enumeration value="otherContacts"/>
      <xs:enumeration value="hostingProvider"/>
    </xs:restriction>
  </xs:simpleType>
        
  <!--
=================================================
===  The OriginatingSensor Data Element       ===
=================================================
-->
        
  <xs:complexType name="OriginatingSensor.type">
    <xs:sequence>
      <xs:element name="DateFirstSeen" type="xs:dateTime"/>
      <xs:element maxOccurs="unbounded" minOccurs="1"
                ref="iodef:System"/>
    </xs:sequence>
        
    <xs:attribute name="OriginatingSensorType" use="required">
      <xs:simpleType id="OriginatingSensorType.type">
        <xs:restriction base="xs:NMTOKENS">
          <xs:enumeration value="web"/>
          <xs:enumeration value="webgateway"/>
          <xs:enumeration value="mailgateway"/>
        
          <xs:enumeration value="browser"/>
          <xs:enumeration value="ispsensor"/>
          <xs:enumeration value="human"/>
          <xs:enumeration value="honeypot"/>
          <xs:enumeration value="other"/>
        </xs:restriction>
      </xs:simpleType>
    </xs:attribute>
  </xs:complexType>
        
  <!--
======================================================
===            The TakeDown Data Structure         ===
======================================================
-->
        
  <xs:element name="TakeDownInfo" type="phish:TakeDownInfo.type"/>
        
  <xs:complexType name="TakeDownInfo.type">
    <xs:sequence>
      <xs:element maxOccurs="1" minOccurs="0" name="TakeDownDate"
                  type="xs:dateTime"/>
        
      <xs:element maxOccurs="unbounded" minOccurs="0"
              name="TakeDownAgency"  type="iodef:MLStringType"/>
        
      <xs:element maxOccurs="unbounded" minOccurs="0"
              name="TakeDownComments"  type="iodef:MLStringType"/>
    </xs:sequence>
  </xs:complexType>
        
  <!--
=========================================================
===         The ArchivedData Element                  ===
=========================================================
-->
  <xs:element name="ArchivedData" type="phish:ArchivedData.type"/>
        
  <xs:complexType name="ArchivedData.type">
    <xs:sequence>
      <xs:element minOccurs="0" name="URL" type="xs:anyURI"/>
      <xs:element minOccurs="0" name="Comments"
              type="iodef:MLStringType"/>
      <xs:element maxOccurs="1" minOccurs="0" name="Data"
                  type="xs:base64Binary"/>
    </xs:sequence>
        
    <xs:attribute name="type" use="required">
      <xs:simpleType id="ArchivedDataType.type">
        <xs:restriction base="xs:NMTOKENS">
          <xs:enumeration value="collectionsite"/>
          <xs:enumeration value="basecamp"/>
          <xs:enumeration value="sendersite"/>
          <xs:enumeration value="credentialInfo"/>
          <xs:enumeration value="unspecified"/>
        </xs:restriction>
      </xs:simpleType>
    </xs:attribute>
  </xs:complexType>
        
</xs:schema>
        
Appendix B. Example Virus Report

This section shows a received electronic mail message that included a virus in a zipped attachment and a report that was generated for that message.

B.1. Received Email
 From: support@example.com
 Sent: Friday, June 10, 2005 3:52 PM
 To: someone@example.com
 Subject: Account update
        
 To:          someone@example.com
 Date:      Sun, 10 June 2005 3:52:44 +0200
        

 We would like to inform you that we have released a new version of
 our Customer Form. This form is required to be completed by all
 customers.

 Please follow these steps:

 1.Open the form at http://www.example.com/customerservice/cform.php
 <http://www.2.example.com/customerservice/cform.php
 &email=(someone@example.com)> .
 2.Follow given instructions.

 Thank you,
 Our Support Team

B.2. Generated Report

NOTE: Some wrapping and folding liberties have been applied to fit it into the margins.

注意:已应用一些包装和折叠自由度,以便将其装入页边距中。

 <?xml version="1.0" encoding="UTF-8"?>
 <IODEF-Document lang="en-US"
   xmlns:phish="urn:ietf:params:xml:ns:iodef-phish-1.0"
   xmlns="urn:ietf:params:xml:ns:iodef-1.0"
   xmlns:iodef="urn:ietf:params:xml:ns:iodef-1.0">
 <Incident purpose="reporting" ext-purpose="create">
   <IncidentID name="example.com">PAT2005-06</IncidentID>
   <ReportTime>2005-06-22T08:30:00-05:00</ReportTime>
   <Description>This is a test report from actual data.
    </Description>
   <Assessment>
     <Impact type="social-engineering"/>
     <Confidence rating="high"/>
   </Assessment>
   <Contact role="creator" type="person">
     <ContactName>patcain</ContactName>
     <Email>pcain@coopercain.com</Email>
   </Contact>
   <EventData>
     <DetectTime>2005-06-21T18:22:02-05:00</DetectTime>
     <AdditionalData dtype="xml">
     <phish:PhraudReport FraudType="phishing">
       <phish:FraudParameter>
        Subject: Account Update
       </phish:FraudParameter>
       <phish:FraudedBrandName>Cooper-Cain
       </phish:FraudedBrandName>
       <phish:LureSource>
         <System category="source">
           <Node>
            <Address>192.0.2.18</Address>
           </Node>
         </System>
         <phish:IncludedMalware>
           <phish:Name>W32.Mytob.EA@mm</phish:Name>
         </phish:IncludedMalware>
       </phish:LureSource>
       <phish:OriginatingSensor OriginatingSensorType="human">
         <phish:DateFirstSeen>2005-06-10T15:52:11-05:00
         </phish:DateFirstSeen>
         <System>
           <Node>
             <Address>192.0.2.13</Address>
        
           </Node>
         </System>
       </phish:OriginatingSensor>
       <phish:EmailRecord>
         <phish:EmailCount>1</phish:EmailCount>
         <phish:EmailMessage>
 Return-path: &lt;support@example.com&gt;
  Envelope-to: someone@example.com
 Delivery-date: Fri, 10 Jun 2005:52:11-0400
 Received: from dsl18-2-0-192.dsl.example.net([192.0.2.18]
  helo=example.com) by mail06.example.com esmtp (Exim) id
  1DgpXy-0002Ua-IR for someone@example.com;,
  10 Jun 2005 15:52:10-0400
 From: support@example.com
 To: someone@example.com
 Subject: Account Update
 Date: Fri, 10 Jun 2005 12:52:00 -0700
 MIME-Version: 1.0
 Content Type: text/plain;
         charset="Windows-1251"
 X-Priority: 3MSMail-Priority: Normal
 X-EN-OrigIP: 192.0.2.18
 EN-OrigHost: dsl18-2-0-192.dsl.example.net
 Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16)
  on.example.net
 X-Spam-Level: ***** X-Spam-Status: No,
  score=5.6 required=6.0 tests=BAYES_95,CABLEDSL,HTML_20_30,
  HTML_MESSAGE,MIME_HTML_ONLY,MISSING_MIMEOLE,
  NO_REAL_NAME,
  PRIORITY_NO_NAME autolearn=disabled version=3.0.2
        
 From:support@example.com
 Sent: Friday, June 10, 2005 3:52 PM
 Subject: Account update
        
 To:          someone@example.com
 Date:      Sun, 10 June 2005 3:52:44 +0200
        

 We would like to inform you that we have released a new version of
 our Customer Form. This form is required to be completed by all
 customers.

 Please follow these steps:

 1.Open the form at http://www.example.com/customerservice/cform.php
 &lt;http://www.2.example.com/customerservice/cform.php
 &amp;email=(someone@example.com)> .
 2.Follow given instructions.

 Thank you,
 Our Support Team
            </phish:EmailMessage>
         </phish:EmailRecord>
       </phish:PhraudReport>
     </AdditionalData>
     </EventData>
   </Incident>
 </IODEF-Document>
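
The B.2 report above, built programmatically: an added Python example (not RFC 5901 code) that wraps a constructed copy of the B.2 lure headers in an IODEF-Document carrying a phish:PhraudReport with the same LureSource, OriginatingSensor and EmailRecord elements, then reads the indexed fields back out. The helper names, SAMPLE_LURE, and the choice of mailgateway as OriginatingSensorType are assumptions of this example.

```python
"""Build and read back an RFC 5901 PhraudReport for one received lure.
Added example, not RFC 5901 code: the namespaces and element names are the
RFC's; helper names, SAMPLE_LURE and the "mailgateway" sensor type are mine."""
import email
import re
import xml.etree.ElementTree as ET
from email.utils import parsedate_to_datetime

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"
PHISH_NS = "urn:ietf:params:xml:ns:iodef-phish-1.0"
ET.register_namespace("iodef", IODEF_NS)
ET.register_namespace("phish", PHISH_NS)

# Constructed lure modelled on the Appendix B.2 headers (not the real message).
SAMPLE_LURE = """\
Received: from dsl18-2-0-192.dsl.example.net ([192.0.2.18] helo=example.com)
 by mail06.example.com with esmtp (Exim) id 1DgpXy-0002Ua-IR
 for someone@example.com; Fri, 10 Jun 2005 15:52:10 -0400
From: support@example.com
To: someone@example.com
Subject: Account Update
Date: Fri, 10 Jun 2005 12:52:00 -0700
X-EN-OrigIP: 192.0.2.18
"""

def iodef(tag):
    return "{%s}%s" % (IODEF_NS, tag)

def phish(tag):
    return "{%s}%s" % (PHISH_NS, tag)

def originating_ip(raw_message):
    """Gateway-supplied X-EN-OrigIP if present, else the bracketed address in
    the earliest (last-listed) Received header; None if neither is found."""
    msg = email.message_from_string(raw_message)
    if msg.get("X-EN-OrigIP"):
        return msg["X-EN-OrigIP"].strip()
    for hop in reversed(msg.get_all("Received") or []):
        found = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hop)
        if found:
            return found.group(1)
    return None

def add_system(parent, ip, category):
    """iodef:System/Node/Address nested as in the B.2 report."""
    system = ET.SubElement(parent, iodef("System"), {"category": category})
    node = ET.SubElement(system, iodef("Node"))
    ET.SubElement(node, iodef("Address"), {"category": "ipv4-addr"}).text = ip

def build_phraud_report(raw_message, incident_id, report_time, reporter,
                        brand, sensor_ip, malware_name=None):
    """IODEF-Document string whose EventData carries a phish:PhraudReport."""
    msg = email.message_from_string(raw_message)
    doc = ET.Element(iodef("IODEF-Document"), {"lang": "en-US"})
    inc = ET.SubElement(doc, iodef("Incident"), {"purpose": "reporting"})
    ET.SubElement(inc, iodef("IncidentID"), {"name": "example.com"}).text = incident_id
    ET.SubElement(inc, iodef("ReportTime")).text = report_time
    assess = ET.SubElement(inc, iodef("Assessment"))
    ET.SubElement(assess, iodef("Impact"), {"type": "social-engineering"})
    ET.SubElement(assess, iodef("Confidence"), {"rating": "high"})
    who = ET.SubElement(inc, iodef("Contact"), {"role": "creator", "type": "person"})
    ET.SubElement(who, iodef("Email")).text = reporter
    event = ET.SubElement(inc, iodef("EventData"))
    extra = ET.SubElement(event, iodef("AdditionalData"), {"dtype": "xml"})
    report = ET.SubElement(extra, phish("PhraudReport"), {"FraudType": "phishing"})
    ET.SubElement(report, phish("FraudParameter")).text = "Subject: " + msg.get("Subject", "")
    ET.SubElement(report, phish("FraudedBrandName")).text = brand
    lure = ET.SubElement(report, phish("LureSource"))
    if originating_ip(raw_message):
        add_system(lure, originating_ip(raw_message), "source")
    if malware_name:  # IncludedMalware needs at least one Name
        mal = ET.SubElement(lure, phish("IncludedMalware"))
        ET.SubElement(mal, phish("Name")).text = malware_name
    sensor = ET.SubElement(report, phish("OriginatingSensor"),
                           {"OriginatingSensorType": "mailgateway"})
    ET.SubElement(sensor, phish("DateFirstSeen")).text = (
        parsedate_to_datetime(msg["Date"]).isoformat())
    add_system(sensor, sensor_ip, "sensor")
    record = ET.SubElement(report, phish("EmailRecord"))
    ET.SubElement(record, phish("EmailCount")).text = "1"
    ET.SubElement(record, phish("EmailMessage")).text = raw_message  # ET escapes < and &
    return ET.tostring(doc, encoding="unicode")

def summarize_phraud_report(xml_text):
    """The fields a SOC would index from a received PhraudReport."""
    report = ET.fromstring(xml_text).find(".//" + phish("PhraudReport"))
    addr = "/".join(iodef(t) for t in ("System", "Node", "Address"))
    def text(*path):
        node = report.find("/".join(path))
        return node.text.strip() if node is not None and node.text else None
    return {
        "fraud_type": report.get("FraudType"),
        "subject": text(phish("FraudParameter")),
        "brand": text(phish("FraudedBrandName")),
        "lure_ip": text(phish("LureSource"), addr),
        "malware": text(phish("LureSource"), phish("IncludedMalware"), phish("Name")),
        "sensor_type": report.find(phish("OriginatingSensor")).get("OriginatingSensorType"),
        "date_first_seen": text(phish("OriginatingSensor"), phish("DateFirstSeen")),
        "email_count": int(text(phish("EmailRecord"), phish("EmailCount"))),
    }
```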
        
Appendix C. Sample Phishing Report

A sample report generated from a received electronic mail phishing message is shown in this section.

C.1. Received Lure
   Return-path: <service@example.com>
   Envelope-to: pcain@example.com
   Delivery-date: Tue, 13 Jun 2006 05:37:22 -0400
   Received: from mail15.example.com ([10.1.1.161]
    helo=mail15.example.com)
    by mailscan38.example.com with esmtp (Exim)
    id 1Fq5Kr-0005wU-LT for pcain@example.com; Tue, 13 Jun 2006
    05:37:21 -0400
   Received: from [192.0.2.61] (helo=TSI)
   by mail15.example.com with
    esmtp (Exim) id 1Fq5Bj-0006dv-6b
   for pcain@example.com; Tue, 13 Jun 2006 05:37:21 -0400
   Received: from User ([192.0.2.157]) by TSI with
    Microsoft SMTPSVC(5.0.2195.6713);
   Tue, 13 Jun 2006 02:24:30 -0400
   Reply-To: <nospam@example.org>
   From: "company"<service@example.com>
   Subject: * * * Update & Verify Your Example Company Account * * *
   Date: Tue, 13 Jun 2006 02:36:34 -0400
   MIME-Version: 1.0
   Content-Type: text/html; charset="Windows-1251"
   Content-Transfer-Encoding: 7bit
   X-Priority: 1
   X-MSMail-Priority: High
   X-Mailer: Microsoft Outlook Express 6.00.2600.0000
   X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
   Bcc:
   Message-ID: <TSIlYbvhBISmT6QcWY90000085f@TSI>
   X-OriginalArrivalTime: 13 Jun 2006 06:24:30.0218 (UTC)
   FILETIME=[072A66A0:01C68EB2]
   X-EN-OrigSender: service@example.com
        

   X-EN-OrigIP: 192.0.2.1
   X-EN-OrigHost: unknown

   Company<http://www.example.com/images/company_logo.gif>
    <http://www.example.com/images/pixel.gif>
    <http://www.example.com/images/pixel.gif>
    <http://www.example.com/images/pixel.gif>
   Account Update Request
        

   Dear Example. member:,

   You are receiving this notification because company is required by
   law to notify you, that you urgently need to update your online
   account statement, due to high risks of fraud intentions.

   The updating of your example account can be done at any time by
   clicking on the link shown below
   http://www.example.com/cgi-bin/webscr?cmd=_login-run
   <http://192.0.2.41:8080/.cgi-bin/.webscr/.secure-
   login/%20/%20/.example.com/index.htm>
        

   Once you log in, update your account information. After updating
   your account, click on the History sub tab of your Account Overview
   page to see your most recent statement.

   If you need help with your password, click the Help link that is at
   the upper righthand side of the company website. To report errors in
   your statement or make inquiries, click the Contact Us link in the
   footer on any page of the company website, call our Customer Service
   center at (999) 555-0167, or write us at:

   Company, Inc.
   P.O. Box 0
   Anytown, MA 00000

   Sincerely,

   Big Example Company

    <http://www.example.com/images/dot_row_long.gif>
        
C.2. Phishing Report
  <?xml version="1.0" encoding="UTF-8"?>
  <IODEF-Document xmlns:phish="urn:ietf:params:xml:ns:iodef-phish-1.0"
      xmlns="urn:ietf:params:xml:ns:iodef-1.0"
      xmlns:iodef="urn:ietf:params:xml:ns:iodef-1.0" lang="en-US">
   <Incident purpose="mitigation" ext-purpose="create"
    restriction="private">
    <IncidentID name="example.com">CC200600000002</IncidentID>
    <ReportTime>2006-06-13T21:14:56-05:00</ReportTime>
    <Description>This is a sample phishing email received report.
          The phish was actually received as is.</Description>
    <Assessment>
     <Impact severity="high" type="social-engineering"/>
     <Confidence rating="numeric">85</Confidence>
    </Assessment>
    <Contact role="creator" type="person">
     <ContactName>patcain</ContactName>
     <Email>pcain@example.com</Email>
    </Contact>
    <EventData>
     <DetectTime>2006-06-13T05:37:21-04:00</DetectTime>
     <AdditionalData dtype="xml">
      <phish:PhraudReport FraudType="phishing">
       <phish:FraudParameter>
         * * * Update &amp; Verify Your Company Account * * *
       </phish:FraudParameter>
       <phish:FraudedBrandName>company</phish:FraudedBrandName>
       <phish:LureSource>
        <System category="source">
         <Node>
          <Address>192.0.2.4</Address>
         </Node>
        </System>
       </phish:LureSource>
       <phish:OriginatingSensor OriginatingSensorType="mailgateway">
       <phish:DateFirstSeen>
               2006-06-13T05:37:22-04:00</phish:DateFirstSeen>
        <System>
         <Node>
          <NodeRole category="mail"/>
         </Node>
        </System>
       </phish:OriginatingSensor>
        
       <phish:EmailRecord>
        <phish:EmailCount>1</phish:EmailCount>
        <phish:EmailMessage>
  Return-path: &lt;service@example.com>
  Envelope-to: pcain@example.com
  Delivery-date: Tue, 13 Jun 2006 05:37:22 -0400
  Received: from mail15.example.com ([10.1.1.161]
   helo=mail15.example.com)
   by mailscan38.example.com with esmtp (Exim)
   id 1Fq5Kr-0005wU-LT for pcain@example.com; Tue, 13 Jun 2006
   05:37:21 -0400
  Received: from [192.0.2.61] (helo=TSI)
  by mail15.example.com with
   esmtp (Exim) id 1Fq5Bj-0006dv-6b
  for pcain@example.com; Tue, 13 Jun 2006 05:37:21 -0400
  Received: from User ([192.0.2.157]) by TSI with
   Microsoft SMTPSVC(5.0.2195.6713);
  Tue, 13 Jun 2006 02:24:30 -0400
  Reply-To: &lt;nospam@example.org>
  From: "company"&lt;service@example.com>
  Subject: * * * Update &amp; Verify Your Example Company Account * * *
  Date: Tue, 13 Jun 2006 02:36:34 -0400
  MIME-Version: 1.0
  Content-Type: text/html; charset="Windows-1251"
  Content-Transfer-Encoding: 7bit
  X-Priority: 1
  X-MSMail-Priority: High
  X-Mailer: Microsoft Outlook Express 6.00.2600.0000
  X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
  Bcc:
  Message-ID: &lt;TSIlYbvhBISmT6QcWY90000085f@TSI>
  X-OriginalArrivalTime: 13 Jun 2006 06:24:30.0218 (UTC)
  FILETIME=[072A66A0:01C68EB2]
  X-EN-OrigSender: service@example.com
  X-EN-OrigIP: 192.0.2.1
  X-EN-OrigHost: unknown
        
  &lt;img src="http://www.example.com/images/company_logo.gif"&gt;
  &lt;img src="http://www.example.com/images/pixel.gif"&gt;
  &lt;img src="http://www.example.com/images/pixel.gif"&gt;
  &lt;img src="http://www.example.com/im/pixel.gif"&gt;
  Account Update Request
        

  Dear Example. member:,

  You are receiving this notification because company is required by
  law to notify you, that you urgently need to update your online
  account statement, due to high risks of fraud intentions.

  The updating of your example account can be done at any time by
  clicking on the link shown below
  &lt;a href="http://192.0.2.41:8080/.cgi-bin/.webscr/.secure-
  login/%20/%20/.example.com/index.htm">
  http://www.example.com/cgi-bin/webscr?cmd=_login-run &lt;/a>
        

  Once you log in,update your account information. After updating
  your account click on the History sub tab of your Account Overview
  page to see your most recent statement.

  If you need help with your password, click the Help link which is at
  the upper right hand side of the company website. To report errors in
  your statement or make inquiries, click the Contact Us link in the
  footer on any page of the company website, call our Customer Service
  center at (999) 555-0167, or write us at:

  Company, Inc.
  P.O. Box 0
  Anytown, MA 00000

  Sincerely,

  Big Example Company

   &lt;img src="http://www.example.com/images/dot_row_long.gif">
  </phish:EmailMessage>
       </phish:EmailRecord>
       <phish:DCSite DCType="web">
        <phish:SiteURL>http://192.0.2.41:8080/.cgi-bin/.webscr/.secure-
           login/%20/%20/.example.com/index.htm</phish:SiteURL>
        <phish:DomainData DomainStatus="assignedAndActive"
          SystemStatus="unknown">
         <phish:Name>bad.example.com</phish:Name>
         <phish:DateDomainWasChecked>2006-06-14T13:05:00-05:00
         </phish:DateDomainWasChecked>
         <phish:RegistrationDate>
                   2000-12-13T00:00:00</phish:RegistrationDate>
         <phish:Nameservers>
          <phish:Server>ns1.example.net</phish:Server>
          <Address>192.0.2.18</Address>
         </phish:Nameservers>
        </phish:DomainData>
       </phish:DCSite>
      </phish:PhraudReport>
     </AdditionalData>
    </EventData>
   </Incident>
  </IODEF-Document>
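   The following Python is an added worked example, not code from RFC
   5901 or its schema. It takes a lure like the one in C.1, pulls out
   the fields a responder needs (the earliest Received hop, the gateway
   timestamp, and the anchor whose visible text is a URL on a different
   host than its href), serializes them as a PhraudReport shaped like
   the C.2 report, and reads the result back with namespace-aware
   lookups. The element, attribute and namespace names are those of the
   C.2 report; the trimmed message text is constructed here, and the
   helper names, the fixed incident identifier and the choice of the
   earliest Received hop as the LureSource address are assumptions of
   this example.

```python
"""Added example (not RFC 5901 code): build an IODEF PhraudReport from a
lure e-mail and read it back.  Element, attribute and namespace names
follow the C.2 report; the sample message, helper names and the
incident id passed in are constructed assumptions."""
import email
import email.utils
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"
PHISH_NS = "urn:ietf:params:xml:ns:iodef-phish-1.0"
NS = {"iodef": IODEF_NS, "phish": PHISH_NS}
ET.register_namespace("", IODEF_NS)       # default namespace, as in C.2
ET.register_namespace("phish", PHISH_NS)

# Constructed sample: the Appendix C.1 lure trimmed to the headers and the
# single anchor that the report needs.
LURE = """\
Return-path: <service@example.com>
Received: from mail15.example.com ([10.1.1.161] helo=mail15.example.com)
 by mailscan38.example.com with esmtp (Exim) id 1Fq5Kr-0005wU-LT
 for pcain@example.com; Tue, 13 Jun 2006 05:37:21 -0400
Received: from [192.0.2.61] (helo=TSI) by mail15.example.com with
 esmtp (Exim) id 1Fq5Bj-0006dv-6b
 for pcain@example.com; Tue, 13 Jun 2006 05:37:21 -0400
Received: from User ([192.0.2.157]) by TSI with
 Microsoft SMTPSVC(5.0.2195.6713); Tue, 13 Jun 2006 02:24:30 -0400
From: "company"<service@example.com>
Reply-To: <nospam@example.org>
Subject: * * * Update & Verify Your Example Company Account * * *
Content-Type: text/html; charset="Windows-1251"
Message-ID: <TSIlYbvhBISmT6QcWY90000085f@TSI>

<html><body>Account Update Request
<a href="http://192.0.2.41:8080/.cgi-bin/.webscr/.secure-login/%20/%20/.example.com/index.htm">
http://www.example.com/cgi-bin/webscr?cmd=_login-run</a></body></html>
"""

IPV4_LITERAL = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def unfold(value):
    """Join folded header continuation lines (RFC 5322, section 2.2.3)."""
    return re.sub(r"\r?\n[ \t]+", " ", value).strip()


def received_chain(msg):
    """Bracketed IPv4 literal of each Received hop, earliest hop first.

    Relays prepend Received, so the last header is the first hop.  Only
    hops stamped by relays you operate are evidence; everything below
    them was written by the sender and may be forged."""
    hops = [IPV4_LITERAL.search(unfold(h)) for h in msg.get_all("Received", [])]
    return [m.group(1) if m else None for m in reversed(hops)]


def detect_time(msg):
    """Date clause of the topmost Received header: our own gateway's clock."""
    top = unfold(msg.get_all("Received")[0])
    return email.utils.parsedate_to_datetime(top.rsplit(";", 1)[1].strip()).isoformat()


def deceptive_links(html):
    """(href, shown) pairs whose visible text is a URL on a different host."""
    found = []
    for href, text in ANCHOR.findall(html):
        shown = re.sub(r"\s+", "", text)
        if shown.lower().startswith(("http://", "https://")) \
                and urlparse(shown).hostname != urlparse(href).hostname:
            found.append((href, shown))
    return found


def build_report(raw, incident_id, brand, reporter, report_time):
    """Serialize a PhraudReport for the lure `raw` (field choices assumed)."""
    msg = email.message_from_string(raw)
    I, P = "{%s}" % IODEF_NS, "{%s}" % PHISH_NS

    def sub(parent, tag, text=None, **attrs):
        el = ET.SubElement(parent, tag, attrs)
        el.text = text
        return el

    doc = ET.Element(I + "IODEF-Document", {"lang": "en-US"})
    inc = sub(doc, I + "Incident", purpose="mitigation", restriction="private")
    sub(inc, I + "IncidentID", incident_id, name=reporter.split("@")[1])
    sub(inc, I + "ReportTime", report_time)
    sub(sub(inc, I + "Assessment"), I + "Impact", severity="high", type="social-engineering")
    sub(sub(inc, I + "Contact", role="creator", type="person"), I + "Email", reporter)
    ev = sub(inc, I + "EventData")
    sub(ev, I + "DetectTime", detect_time(msg))
    rep = sub(sub(ev, I + "AdditionalData", dtype="xml"), P + "PhraudReport", FraudType="phishing")
    sub(rep, P + "FraudParameter", unfold(msg["Subject"]))
    sub(rep, P + "FraudedBrandName", brand)
    node = sub(sub(sub(rep, P + "LureSource"), I + "System", category="source"), I + "Node")
    sub(node, I + "Address", received_chain(msg)[0])      # assumption: earliest hop
    for href, _shown in deceptive_links(msg.get_payload()):
        sub(sub(rep, P + "DCSite", DCType="web"), P + "SiteURL", href)  # the href, never the shown text
    return ET.tostring(doc, encoding="unicode")


def report_fields(xml_text):
    """Namespace-aware read-back of the fields a responder acts on."""
    root = ET.fromstring(xml_text)
    return {
        "lure_source": root.findtext(".//phish:LureSource//iodef:Address", namespaces=NS),
        "site_urls": [e.text for e in root.findall(".//phish:DCSite/phish:SiteURL", NS)],
        "detect_time": root.findtext(".//iodef:DetectTime", namespaces=NS),
        "subject": root.findtext(".//phish:FraudParameter", namespaces=NS),
    }
```

   Two design points carry over to real reports. The DCSite SiteURL is
   taken from the anchor's href, not from the URL the victim sees,
   because that mismatch is the lure; and the LureSource address comes
   from the earliest Received hop only because the sample chain is
   short, so a production version should stop at the last relay the
   reporter operates, since the sender controls every hop below it.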
        

Authors' Addresses

   Patrick Cain
   The Cooper-Cain Group, Inc.
   P.O. Box 400992
   Cambridge, MA 02140
   USA

   EMail: pcain@coopercain.com
        

   David Jevans
   The Anti-Phishing Working Group
   5150 El Camino Real, Suite A20
   Los Altos, CA 94022
   USA

   EMail: dave.jevans@antiphishing.org
        
   EMail: dave.jevans@antiphishing.org