Hi,

I am currently using the latest phishing-scan-urls enabled clamscan (devel-20061002) with a devel version of my procmail anti-virus filter (http://softlabsav.sourceforge.net/).

Each incoming mail will first be scanned with the --phish-scan-alldomains option, in order to minimize the number of false-negative phishing mails. When a virus whose name begins with "Phishing.Email" has been found, the mail will be re-scanned *without* the --phish-scan-alldomains option. If the result is positive again, the mail will be considered definitely positive and thus removed.
If not, the mail is either a false positive or not yet recognized by the phishing database (daily.pdb file extracted from daily.cvd). It will be moved into a directory called "_Phishing-heuristics_" - where only such heuristically found phishing mails will reside. This directory will be scanned regularly via cron job, using the --remove but no --phish-scan-alldomains option, so when daily.pdb gets updated over time, the _Phishing-heuristics_ directory gets more and more cleaned.

To get the daily.pdb updated, I review each remaining mail to see if it is in fact a phish. If so, I would like to add the domain in question to daily.pdb, which now leads to my questions:

(1) Currently (as of daily.cvd 1990), the daily.pdb consists only of lines like

    H domain.tld

such as

    H amazon.com
    H amazon.de
    H bankofamerica.com
    H bankofthewest.com
    H barclays.co.uk
    [...]

Reading phishsigs_howto.pdf from the latest snapshot tarball, it says that each line must consist of *three* fields, in the form

    Flags RealURL DisplayedURL

Is there updated documentation where the two-field form is explained?

(2) How can as yet undetected phishing mails be submitted to the project?

(3) The phishsigs_howto.pdf states that if loading of the whitelist database (daily.wdb) fails, the phishing checks will be disabled entirely. However, there is no .wdb at all in the current .cvd, so how does the whitelist really get involved?

Thanks!

--
best regards, rob.

_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
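
The two-pass triage described in the message above, sketched as an added example; it is not part of the original post and not code from the poster's procmail filter. It relies on clamscan's "<file>: <name> FOUND" result line and its exit codes; the `CLAMSCAN` override, the function names and the verdict labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration of the two-pass triage described in the post above.
# Assumption: CLAMSCAN can be overridden so the logic can be exercised
# with a stand-in scanner; verdict labels below are hypothetical names.
CLAMSCAN=${CLAMSCAN:-clamscan}

# scan_name FILE [clamscan options...]
# Prints the signature name from clamscan's "<file>: <name> FOUND" line,
# or nothing if the file is clean. Returns 2 if the scanner itself failed
# (clamscan exits 0 = clean, 1 = virus found, 2 = error).
scan_name() {
    file=$1; shift
    rc=0
    out=$("$CLAMSCAN" --no-summary "$@" "$file" 2>/dev/null) || rc=$?
    [ "$rc" -le 1 ] || return 2
    printf '%s\n' "$out" | sed -n 's/^.*: \(.*\) FOUND$/\1/p' | head -n 1
}

# triage_mail FILE
# Prints: clean | virus | phish-confirmed | phish-heuristic | error
triage_mail() {
    # Pass 1: widest net, heuristic URL checks applied to all domains.
    first=$(scan_name "$1" --phish-scan-alldomains) || { echo error; return 2; }
    case $first in
        '')              echo clean; return 0 ;;
        Phishing.Email*) ;;                      # needs the second pass
        *)               echo virus; return 0 ;;
    esac
    # Pass 2: same mail without the option.
    second=$(scan_name "$1") || { echo error; return 2; }
    case $second in
        Phishing.Email*) echo phish-confirmed ;;  # remove the mail
        '')              echo phish-heuristic ;;  # file under _Phishing-heuristics_
        *)               echo virus ;;
    esac
}
```

A scanner failure is reported as `error` rather than `clean`, so a broken or missing database does not silently let mail through.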