On 10/6/06, Robert Allerstorfer <[EMAIL PROTECTED]> wrote:
On Wed, 4 Oct 2006, 10:59 GMT+03 Török Edvin wrote:
> For now the only change is: The two-field form, is valid only for type
> 'H', and means:
> match the host part of realURL, i.e. displayedURL can be anything.

You seem to mean 'somedomain.tld' of the 2-field form

H somedomain.tld

is the Host part of DisplayedURL (not RealURL), while RealURL (not
DisplayedURL) can be anything.

Right, sorry for the confusion. Actually the string following 'H'
doesn't have to be of the form 'subdomain.tld'; it's enough if it is a
substring of DisplayedURL.


>> (2) How can yet undetected phishings be submitted to the project?
> Submit a sample: http://cgi.clamav.net/sendvirus.cgi, following the
> rules on that page.

OK, just submitted 2 raw mails (more than 2 submissions a day are not
allowed according to that page) which should add

H bankofcastile.com
H imglt.com

to 'daily.pdb' (as of 'daily.cvd' version 2000). That decreased the
amount of false-negatives (when '--phish-scan-alldomains' is not
applied) from 88.1 to 59.5% within my real-life test environment of
currently 42 Phishing.Email mails.

If there were also a way to add Host names of RealURLs, the
percentage decrease would be even better.

You can use type 'R' entries in the .pdb, where you can specify both
the realURL, and displayedURL with a regex.
However, listing a realURL in the .pdb is less effective wrt future
phishes: it will only catch phishes containing that
url/host/subdomain/..., and when somebody uses a new host, it
won't be picked up anymore.
Also watch out for false positives, when you create regexes: if you
make them too generic you might get more FPs.

Best regards,
Edwin
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
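As an added illustration (not code from this thread or from ClamAV itself), the following Python models the matching semantics discussed above: an 'H' entry flags a link when its string is a substring of DisplayedURL regardless of RealURL, and an 'R' entry constrains RealURL and DisplayedURL with one regex each. The entry syntax, the regexes, the URLs and the phishing corpus are all constructed for the example and do not reflect the actual .pdb file format.

```python
import re

# Constructed entries in a simplified, hypothetical .pdb-like syntax:
# "H <substring>" or "R <realURL regex> <displayedURL regex>".
# Not the real ClamAV format; only the matching rules from the thread.
SAMPLE_PDB = r"""
# H: flag when the string is a substring of DisplayedURL (RealURL ignored)
H bankofcastile.com
H imglt.com
# R: both RealURL and DisplayedURL must match their regex (search semantics)
R ^http://\d+\.\d+\.\d+\.\d+/ ^https?://(www\.)?examplebank\.example
"""

def load_pdb(text):
    """Parse the constructed entry syntax into ('H', substr, None) / ('R', re, re)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0] == "H" and len(parts) == 2:
            entries.append(("H", parts[1], None))
        elif parts[0] == "R" and len(parts) == 3:
            entries.append(("R", re.compile(parts[1]), re.compile(parts[2])))
        else:
            raise ValueError(f"malformed entry: {line!r}")
    return entries

def match_link(entries, real_url, displayed_url):
    """Return the type of the first entry that flags the link, else None."""
    for kind, first, second in entries:
        if kind == "H":
            if first in displayed_url:          # RealURL plays no part here
                return "H"
        elif first.search(real_url) and second.search(displayed_url):
            return "R"
    return None

def false_negative_rate(entries, phishing_links):
    """Percentage of known-phishing (realURL, displayedURL) pairs the DB misses."""
    missed = sum(1 for real, shown in phishing_links
                 if match_link(entries, real, shown) is None)
    return 100.0 * missed / len(phishing_links)

# Constructed corpus of known phishing links: (realURL, displayedURL).
PHISH_CORPUS = [
    ("http://198.51.100.7/login", "http://www.bankofcastile.com/online"),
    ("http://203.0.113.9/x", "https://examplebank.example/secure"),
    ("http://evil.example/x", "http://imglt.com/verify"),
    ("http://other.example/y", "http://www.unlisted-bank.example/"),
]

if __name__ == "__main__":
    db = load_pdb(SAMPLE_PDB)
    print(f"false negatives: {false_negative_rate(db, PHISH_CORPUS):.1f}%")
```

The last corpus entry uses a host that no entry lists, which is exactly the case the thread describes: a new host is not picked up until an entry covering it exists.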