On 03/09/2010 08:06 PM, Kris Deugau wrote:
> Török Edwin wrote:
>> It should already be whitelisted:
>> X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:.+\.amazon\.com([/?].*)?:17-
>>
>> X:.+:.+images\.amazon\.com([/?].*)?:17-
>>
>> What is the domain of the image, and the domain of the href target?
>> Can you craft a simple example html mail with just a url, the img url,
>> with just the domains? (without the actual path and query params).
>
> I checked this out, and it looks like it wasn't one of the link images.
> (Although those use amazon.ca -> ssl-images-amazon.com.)
>
> I then dug out all of the links (~15), and dropped them in a minimal
> email one by one.
>
> I found the one that was triggering the test to look like this:
>
> [a href="http://www.amazon.ca/"]Amazon.com.ca, Inc.[/a]
>
> I tried creating a daily.wdb, which seemed to get loaded, but didn't
> have any effect:
>
> X:.+\.amazon.ca.+:.+amazon\.com\.ca.+
>
> According to the debug output, it seems libclamav truncated the .com.ca
> to just .com:
>
> LibClamAV debug: Phishcheck:Checking url
> http://www.amazon.ca/->Amazon.com.ca, Inc.
> LibClamAV debug: Phishcheck:URL after cleanup:
> http://www.amazon.ca->amazon.com.ca,inc
> LibClamAV debug: Phishing: looking up in whitelist:
> http://www.amazon.ca:amazon.com; host-only:0
> LibClamAV debug: Looking up in regex_list: http://www.amazon.ca:amazon.com/
> LibClamAV debug: Lookup result: not in regex list
> LibClamAV debug: Phishcheck:host:.amazon.com
> LibClamAV debug: Looking up in regex_list: amazon.com/
> LibClamAV debug: calc_pos_with_skip: skip:12, 0 - 10
> "amazon.com","amazon.com/"
> LibClamAV debug: calc_pos_with_skip:
> LibClamAV debug: Got a match: amazon.com/ with /moc.nozama
> LibClamAV debug: Before inserting .: .amazon.com
> LibClamAV debug: Lookup result: in regex list
> LibClamAV debug: Phishcheck:host:.www.amazon.ca
> LibClamAV debug: Phishing: looking up in whitelist:
> .www.amazon.ca:.amazon.com; host-only:1
> LibClamAV debug: Looking up in regex_list: www.amazon.ca:amazon.com/
> LibClamAV debug: Lookup result: not in regex list
> LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too
> different
>
> ... but if that were all, the existing whitelist should have passed it.

The existing whitelist doesn't pass because amazon.com doesn't have
anything preceding it.
Try this:
X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:(.+\.)?amazon\.com([/?].*)?:17-

Best regards,
--Edwin
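
Added example (not part of the original message and not ClamAV code): a small offline check of the three .wdb entries quoted in this thread against the lookup string from the debug log. It assumes the entry is applied as one anchored regex over the whole `real:displayed` string and uses Python's `re` in place of libclamav's matcher; `entry_regex` and `whitelisted` are hypothetical helper names, and the two extra lookup strings are constructed.

```python
import re

# Whitelist entries exactly as quoted in the thread
# (format: X:RealURL:DisplayedURL[:FuncLevelSpec]).
SHIPPED = (r"X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?"
           r":.+\.amazon\.com([/?].*)?:17-")
LOCAL_TRY = r"X:.+\.amazon.ca.+:.+amazon\.com\.ca.+"
SUGGESTED = (r"X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?"
             r":(.+\.)?amazon\.com([/?].*)?:17-")

# Lookup string as printed by "Looking up in regex_list" in the debug log.
LOOKUP = "http://www.amazon.ca:amazon.com/"
# Constructed inputs: a displayed host with a subdomain, and a lookalike host.
SUBDOMAIN = "http://www.amazon.ca:www.amazon.com/"
LOOKALIKE = "http://www.amazon.ca:notamazon.com/"


def entry_regex(line):
    """Drop the 'X:' type prefix and an optional trailing ':min-max' level."""
    if not line.startswith("X:"):
        raise ValueError("not a regex (X:) whitelist entry")
    return re.sub(r":\d+-\d*$", "", line[2:])


def whitelisted(line, lookup):
    """Assumption: the entry must match the whole 'real:displayed' string."""
    return re.fullmatch(entry_regex(line), lookup) is not None


if __name__ == "__main__":
    for name, entry in (("shipped", SHIPPED), ("local try", LOCAL_TRY),
                        ("suggested", SUGGESTED)):
        print(f"{name:10}", [whitelisted(entry, s)
                             for s in (LOOKUP, SUBDOMAIN, LOOKALIKE)])
```

The shipped entry needs at least one character and a dot before `amazon.com`, so the bare displayed host misses it; the optional `(.+\.)?` group accepts the bare host while still rejecting the constructed lookalike.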