Srinivasan Krishnan wrote:
> Thanks for the response!
>
> I just wanted to identify the cases where paypal.com is the real URL and
> yahoo.com is the displayable URL, to be identified as virus. Seems like
> clamscan doesn't identify cases where (real_URL != displayable_URL) as virus
> automatically (or am I missing something).
>
That is correct, it would cause too many false positives to flag all cases where real_URL != displayable_URL as phishing. However, you only need to list the domain you wish to protect in daily.pdb, and not each (real_URL, displayable_URL) pair that could cause problems.

>
>>> Why do you need regular expressions for the domainlist?
>>>
> My idea of using regular expressions is to match cases where you might have
> numbers or some special characters (like hyphens) before a subdomain.

When you list a domain, all possible subdomains are included too, so yahoo.com would include mail.yahoo.com, www.yahoo.com, and anything else that ends in .yahoo.com.

So listing H:yahoo.com would be equivalent to something like this as a regular expression:

    ^(.+\.|[^.]+)yahoo\.com([/?].+)?$

I think this is more generic; if you just want to blacklist a certain URL combination you can use type 3 signatures (see the Phishing.RB.* signatures).

Best regards,
--Edwin
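The rule described in this reply, flagging a real/displayed mismatch only when the displayed host falls under a listed domain, sketched as an added Python example; it is not part of the original message and is not ClamAV's implementation. The `PROTECTED` list, the function names and the sample HTML are constructed for illustration, and matching listed domains against the displayed host is this model's assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
PROTECTED = ["yahoo.com"]  # constructed stand-in for the listed domains (assumption)

def host_of(text):
    """Lowercase hostname of a URL or bare 'host/path' string, else None."""
    text = text.strip()
    if not text or " " in text:
        return None  # plain link text such as "click here" names no host
    try:
        host = urlsplit(text if "//" in text else "//" + text).hostname
    except ValueError:
        return None
    return host.rstrip(".") if host and "." in host else None

def protected_domain(host, protected):
    """Listed domain that host equals or is a subdomain of, else None."""
    return next((d for d in protected if host == d or host.endswith("." + d)), None)

class LinkPairs(HTMLParser):  # collects (real_URL, displayed_text) per <a href>
    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append((self._href, "".join(self._text)))
            self._href = None

def suspicious_links(html, protected=PROTECTED):
    """Links whose displayed host is protected while the real host is outside it."""
    parser = LinkPairs()
    parser.feed(html)
    hits = []
    for real, shown in parser.pairs:
        real_host, shown_host = host_of(real), host_of(shown)
        domain = shown_host and protected_domain(shown_host, protected)
        if real_host and domain and protected_domain(real_host, [domain]) is None:
            hits.append((real_host, shown_host))
    return hits

SAMPLE = (  # constructed input: only the first link should be reported
    '<a href="http://paypal.com/x">www.yahoo.com/login</a>'
    '<a href="http://example.org/a">example.net</a>'
    '<a href="https://mail.yahoo.com/">www.yahoo.com</a>'
)
```

The second link also has real_URL != displayable_URL, but its displayed host is not under a listed domain, so it is not reported; that is the false-positive case the reply describes.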