Thorvald,

ClamAV's Phishing heuristics checks the link URL versus the URL listed in
the link text. Here is a simple example:

    <a href="link">text</a>

If the text is formatted like a URL and it is different from the href link,
then it will be flagged as a phishing attempt. I don't know offhand how
different the link vs the text has to be to get flagged. I do know that if
it looks like the user is being redirected to a completely different domain
then it will be flagged (unless, as Steve pointed out, these domains are in
the daily.wdb whitelist database).

Here is what ClamAV is saying is a phishing attempt.

        www.bankofamerica.co.uk:youraccount.mbna.co.uk/

Here is a WDB whitelist signature that should fix the problem:

        M:www.bankofamerica.co.uk:youraccount.mbna.co.uk

he section of the phishsigs_howto.pdf that will help with this problem is
Section 1.3 WDB format. For this sig, the 'M' is going to be a direct match
for the hostname or subdomain. 'X' can be used for regular expressions that
will match an entire URL. Take a look at the daily.wdb for examples.

Also, if you get a chance, please submit this to the FP list. If I have a
specific example, I'll be able to update the official daily.wdb whitelist.

Hope this has helped. Please let me know if you have any follow-up
questions.

Thanks,
Shaun Hurley










On Tue, Sep 23, 2014 at 8:29 AM, Thorvald Hallvardsson <
thorvald.hallvards...@gmail.com> wrote:

> Hi Steve,
>
> Thank you for your answer. If I would like to build my own database (I have
> read PDF but I don't understand really how it works) what would be the
> syntax for it ?
>
> H:youraccount.mbna.co.uk:mbna.co.uk ??
>
> Regards.
>
> On 23 September 2014 13:08, Steve Basford <steveb_cla...@sanesecurity.com>
> wrote:
>
> >
> > On Tue, September 23, 2014 12:44 pm, Thorvald Hallvardsson wrote:
> >
> > > Anyone would like to point me into the right direction and help me out
> > > with the problems I'm having ?
> >
> > Report as an FPs here:
> >
> > http://cgi.clamav.net/sendvirus.cgi
> >
> > ClamAV team will need to add hosts to the daily.wdb database to
> > whitelist...
> >
> > eg... currently...
> >
> > grep "mbna" daily.wdb
> > M:customerservice.mbna.co.uk:virginmoney.com
> >
> > grep "bankof" daily.wdb
> > M:email.countrywide.com:www.bankofamerica.com
> > M:rc.us-east.srv.overture.com:www.bankofamerica.com
> >
> >
> > Cheers,
> >
> > Steve
> > Sanesecurity.com
> >
> > _______________________________________________
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> >
> > http://www.clamav.net/contact.html#ml
> >
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Reply via email to