Hi Shaun, Thank you for your reply. Just for a bit of clarification would actually clamav catch this bit as a phishing:
<a href=3D"http://www.bankofamerica.co.uk/amazon";><img src=3D"http://youraccount.m=bna.co.uk/imgproxy/img/647707065/az_main_logo.png"; width=3D"280" height=3D"= 103" border=3D"0" style=3D"display:block; border:none; outline:none; text-d= ecoration:none;" alt=3D"Amazon.co.uk MasterCard"> So a href is originating from bankofamerica.co.uk but the source image is youraccount.mbna.co.uk ? I'm asking because I cannot find any other relation to bankofamerica.co.uk and youraccount.mbna.co.uk Regards. On 23 September 2014 15:19, Shaun Hurley <shahu...@sourcefire.com> wrote: > Thorvald, > > ClamAV's Phishing heuristics checks the link URL versus the URL listed in > the link text. Here is a simple example: > > <a href="link">text</a> > > If the text is formatted like a URL and it is different from the href link, > then it will be flagged as a phishing attempt. I don't know offhand how > different the link vs the text has to be to get flagged. I do know that if > it looks like the user is being redirected to a completely different domain > then it will be flagged (unless, as Steve pointed out, these domains are in > the daily.wdb whitelist database). > > Here is what ClamAV is saying is a phishing attempt. > > www.bankofamerica.co.uk:youraccount.mbna.co.uk/ > > Here is a WDB whitelist signature that should fix the problem: > > M:www.bankofamerica.co.uk:youraccount.mbna.co.uk > > he section of the phishsigs_howto.pdf that will help with this problem is > Section 1.3 WDB format. For this sig, the 'M' is going to be a direct match > for the hostname or subdomain. 'X' can be used for regular expressions that > will match an entire URL. Take a look at the daily.wdb for examples. > > Also, if you get a chance, please submit this to the FP list. If I have a > specific example, I'll be able to update the official daily.wdb whitelist. > > Hope this has helped. Please let me know if you have any follow-up > questions. > > Thanks, > Shaun Hurley > > > > > > > > > > > On Tue, Sep 23, 2014 at 8:29 AM, Thorvald Hallvardsson < > thorvald.hallvards...@gmail.com> wrote: > > > Hi Steve, > > > > Thank you for your answer. If I would like to build my own database (I > have > > read PDF but I don't understand really how it works) what would be the > > syntax for it ? > > > > H:youraccount.mbna.co.uk:mbna.co.uk ?? > > > > Regards. > > > > On 23 September 2014 13:08, Steve Basford < > steveb_cla...@sanesecurity.com> > > wrote: > > > > > > > > On Tue, September 23, 2014 12:44 pm, Thorvald Hallvardsson wrote: > > > > > > > Anyone would like to point me into the right direction and help me > out > > > > with the problems I'm having ? > > > > > > Report as an FPs here: > > > > > > http://cgi.clamav.net/sendvirus.cgi > > > > > > ClamAV team will need to add hosts to the daily.wdb database to > > > whitelist... > > > > > > eg... currently... > > > > > > grep "mbna" daily.wdb > > > M:customerservice.mbna.co.uk:virginmoney.com > > > > > > grep "bankof" daily.wdb > > > M:email.countrywide.com:www.bankofamerica.com > > > M:rc.us-east.srv.overture.com:www.bankofamerica.com > > > > > > > > > Cheers, > > > > > > Steve > > > Sanesecurity.com > > > > > > _______________________________________________ > > > Help us build a comprehensive ClamAV guide: > > > https://github.com/vrtadmin/clamav-faq > > > > > > http://www.clamav.net/contact.html#ml > > > > > _______________________________________________ > > Help us build a comprehensive ClamAV guide: > > https://github.com/vrtadmin/clamav-faq > > > > http://www.clamav.net/contact.html#ml > > > _______________________________________________ > Help us build a comprehensive ClamAV guide: > https://github.com/vrtadmin/clamav-faq > > http://www.clamav.net/contact.html#ml > _______________________________________________ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
![http://youraccount.m=bna.co.uk/imgproxy/img/647707065/az_main_logo.png"](http://youraccount.m=bna.co.uk/imgproxy/img/647707065/az_main_logo.png"){kind=link}