Hi,

A new phishing detection algo written by me as a part of the Google Summer of
Code program is available in the cvs version of clamav.

Documentation on daily.pdb/daily.wdb is available in docs/phishsigs_howto.pdf.
Algorithm docs are at: http://wiki.clamav.net/index.php/phishing_design.

The phishing module processes pairs of realURL/displayedURL.
I) If they match against a whitelist (daily.wdb) the urls are clean.
Otherwise further processing is done. There are two modes of operation:
       1) ----
               The phishing detection module matches realURL/displayedURL pairs
               against daily.pdb. The url is processed further only if it matches.
       2) alldomains
               daily.pdb is ignored and all urls are processed
II) It is determined if the realURL/displayedURL is a phishing attempt.
III) The returned possible "virus" names begin with Phishing.Email,
and are: HexURL, Cloaked.NumericIP, Cloaked.Null, SSL-Spoof,
Cloaked.Username.

To enable, build with ./configure --enable-experimental
and use the --phish-scan-alldomains param to clamscan or the
PhishingScanAllDomains config option in clamd.conf

To disable:
use --no-phishing-scan-urls, and the corresponding PhishingScanURLs
option in clamd.conf

Looking forward to your ideas, comments, results (and bug reports).

Best regards,
Edwin
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
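
The decision flow described in the message (whitelist, then daily.pdb gating or alldomains, then the check), as an added Python sketch that is not part of the original post and not ClamAV's code. The classify() function, the host-keyed whitelist and pdb sets, and the per-name checks are simplified assumptions; the real .wdb/.pdb formats and matching rules are in the documentation the message points to.

```python
import ipaddress
from urllib.parse import urlsplit

PREFIX = "Phishing.Email."  # names on the page begin with Phishing.Email

# Constructed sample data; the real daily.wdb/daily.pdb formats are not modelled.
WHITELIST = {("mail.partner.example", "www.bank.example")}  # (real host, displayed host)
PDB = {"www.bank.example"}  # assumption: keyed on the displayed host

def _split(url):
    # Displayed text often has no scheme, so add "//" to let urlsplit find the host.
    parts = urlsplit(url if "//" in url else "//" + url)
    return parts, (parts.hostname or "").lower()

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def classify(real, displayed, alldomains=False, whitelist=WHITELIST, pdb=PDB):
    """Return a Phishing.Email.* name, or None when the pair is clean or skipped."""
    rparts, rhost = _split(real)
    dparts, dhost = _split(displayed)
    # I) A whitelisted pair is clean; nothing else is evaluated.
    if (rhost, dhost) in whitelist:
        return None
    # Mode 1 (default): process only pairs that match the pdb.
    # Mode 2 (alldomains): the pdb is ignored and every pair is processed.
    if not alldomains and dhost not in pdb:
        return None
    # II) Simplified stand-ins for the checks behind each name (assumptions).
    if "%00" in real:
        return PREFIX + "Cloaked.Null"
    if rparts.username is not None:
        return PREFIX + "Cloaked.Username"
    if _is_ip(rhost) and not _is_ip(dhost):
        return PREFIX + "Cloaked.NumericIP"
    if "%" in rhost:
        return PREFIX + "HexURL"
    if dparts.scheme == "https" and rparts.scheme != "https":
        return PREFIX + "SSL-Spoof"
    return None
```

A pair whose displayed host is absent from the pdb returns None in the default mode and is only evaluated when alldomains=True, which is the difference between the two modes listed above.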
