Yes, that would trigger it.

Shaun

On Tue, Sep 23, 2014 at 11:16 AM, Thorvald Hallvardsson <thorvald.hallvards...@gmail.com> wrote:

> Hi Shaun,
>
> Thank you for your reply. Just for a bit of clarification would actually
> clamav catch this bit as a phishing:
>
> <a href="http://www.bankofamerica.co.uk/amazon"><img
> src="http://youraccount.mbna.co.uk/imgproxy/img/647707065/az_main_logo.png"
> width="280" height="103" border="0" style="display:block; border:none; outline:none;
> text-decoration:none;" alt="Amazon.co.uk MasterCard">
>
> So a href is originating from bankofamerica.co.uk but the source image
> is youraccount.mbna.co.uk ?
>
> I'm asking because I cannot find any other relation to
> bankofamerica.co.uk and youraccount.mbna.co.uk
>
> Regards.
>
> On 23 September 2014 15:19, Shaun Hurley <shahu...@sourcefire.com> wrote:
>
> > Thorvald,
> >
> > ClamAV's Phishing heuristics checks the link URL versus the URL listed in
> > the link text. Here is a simple example:
> >
> >     <a href="link">text</a>
> >
> > If the text is formatted like a URL and it is different from the href link,
> > then it will be flagged as a phishing attempt. I don't know offhand how
> > different the link vs the text has to be to get flagged. I do know that if
> > it looks like the user is being redirected to a completely different domain
> > then it will be flagged (unless, as Steve pointed out, these domains are in
> > the daily.wdb whitelist database).
> >
> > Here is what ClamAV is saying is a phishing attempt.
> >
> >         www.bankofamerica.co.uk:youraccount.mbna.co.uk/
> >
> > Here is a WDB whitelist signature that should fix the problem:
> >
> >         M:www.bankofamerica.co.uk:youraccount.mbna.co.uk
> >
> > The section of the phishsigs_howto.pdf that will help with this problem is
> > Section 1.3 WDB format. For this sig, the 'M' is going to be a direct match
> > for the hostname or subdomain. 'X' can be used for regular expressions that
> > will match an entire URL. Take a look at the daily.wdb for examples.
> >
> > Also, if you get a chance, please submit this to the FP list. If I have a
> > specific example, I'll be able to update the official daily.wdb whitelist.
> >
> > Hope this has helped. Please let me know if you have any follow-up
> > questions.
> >
> > Thanks,
> > Shaun Hurley
> >
> > On Tue, Sep 23, 2014 at 8:29 AM, Thorvald Hallvardsson <thorvald.hallvards...@gmail.com> wrote:
> >
> > > Hi Steve,
> > >
> > > Thank you for your answer. If I would like to build my own database (I have
> > > read PDF but I don't understand really how it works) what would be the
> > > syntax for it?
> > >
> > > H:youraccount.mbna.co.uk:mbna.co.uk ??
> > >
> > > Regards.
> > >
> > > On 23 September 2014 13:08, Steve Basford <steveb_cla...@sanesecurity.com> wrote:
> > >
> > > >
> > > > On Tue, September 23, 2014 12:44 pm, Thorvald Hallvardsson wrote:
> > > >
> > > > > Anyone would like to point me into the right direction and help me out
> > > > > with the problems I'm having?
> > > >
> > > > Report as an FPs here:
> > > >
> > > > http://cgi.clamav.net/sendvirus.cgi
> > > >
> > > > ClamAV team will need to add hosts to the daily.wdb database to
> > > > whitelist...
> > > >
> > > > eg... currently...
> > > >
> > > > grep "mbna" daily.wdb
> > > > M:customerservice.mbna.co.uk:virginmoney.com
> > > >
> > > > grep "bankof" daily.wdb
> > > > M:email.countrywide.com:www.bankofamerica.com
> > > > M:rc.us-east.srv.overture.com:www.bankofamerica.com
> > > >
> > > >
> > > > Cheers,
> > > >
> > > > Steve
> > > > Sanesecurity.com
> > > >
> > > > _______________________________________________
> > > > Help us build a comprehensive ClamAV guide:
> > > > https://github.com/vrtadmin/clamav-faq
> > > >
> > > > http://www.clamav.net/contact.html#ml
> > > >
> > >
> >
>
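As an added example (not code from this thread or from ClamAV itself), here is a simplified Python model of the heuristic Shaun describes: each anchor's href host is compared with the host the user actually sees (an `<img src>` inside the anchor, or link text that itself looks like a URL), and a hit is suppressed when an `M:RealURL:DisplayedURL` whitelist pair covers it. The sample HTML and WDB lines are constructed from the snippets quoted above; the registrable-domain logic and the exact-pair whitelist match are approximations of what ClamAV does, not its real implementation.

```python
import re
from urllib.parse import urlsplit
# Constructed sample: the anchor quoted in the thread plus a harmless text link.
SAMPLE_HTML = """<a href="http://www.bankofamerica.co.uk/amazon"><img
src="http://youraccount.mbna.co.uk/imgproxy/img/647707065/az_main_logo.png"
width="280" alt="Amazon.co.uk MasterCard"></a>
<a href="http://www.example.com/login">http://www.example.com/login</a>"""
# Constructed WDB-style whitelist, M:RealURL:DisplayedURL as in daily.wdb.
SAMPLE_WDB = ("M:www.bankofamerica.co.uk:youraccount.mbna.co.uk\n"
              "M:customerservice.mbna.co.uk:virginmoney.com\n")
_ANCHOR = re.compile(r'<a\s[^>]*?href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
_IMG_SRC = re.compile(r'<img\s[^>]*?src="([^"]+)"', re.I | re.S)
_URL_TEXT = re.compile(r'^\s*((?:https?://|www\.)\S+)\s*$', re.I)
_SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov"}

def registered_domain(host):
    # Approximate registrable domain (mbna.co.uk, countrywide.com); simplification of ClamAV's TLD handling.
    labels = host.lower().rstrip(".").split(".")
    n = 3 if len(labels) >= 3 and labels[-2] in _SECOND_LEVEL else 2
    return ".".join(labels[-n:])

def host_of(url):
    return (urlsplit(url if "://" in url else "http://" + url).hostname or "").lower()

def load_wdb(text):
    # Only 'M:' (exact host) entries are modelled here; 'X:' regex entries are not.
    pairs = set()
    for line in text.splitlines():
        if line.startswith("M:"):
            _, real, shown = line.strip().split(":", 2)
            pairs.add((real.lower(), shown.lower()))
    return pairs

def displayed_url(body):
    # What the user sees: an <img src> inside the anchor, or URL-looking link text.
    img = _IMG_SRC.search(body)
    if img:
        return img.group(1)
    text = _URL_TEXT.match(re.sub(r"<[^>]+>", "", body))
    return text.group(1) if text else None

def check_phishing(html, wdb_text):
    # Return 'realhost:displayedhost' (ClamAV's report form) for anchors whose
    # registered domains differ and that no whitelist pair covers.
    whitelist, hits = load_wdb(wdb_text), []
    for href, body in _ANCHOR.findall(html):
        shown = displayed_url(body)
        if shown is None:
            continue
        real, disp = host_of(href), host_of(shown)
        if registered_domain(real) != registered_domain(disp) and (real, disp) not in whitelist:
            hits.append(f"{real}:{disp}")
    return hits
```

Running `check_phishing(SAMPLE_HTML, "")` reproduces the `www.bankofamerica.co.uk:youraccount.mbna.co.uk` report from the thread, and passing `SAMPLE_WDB` instead clears it.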
