On 10/2/06, Robert Allerstorfer <[EMAIL PROTECTED]> wrote:
Hi,

with the new url-based phishing detection enabled, but without the
'--phish-scan-alldomains' option, some (or most)
"Phishing.Email.HexURL" phishes get through. The corresponding --debug
option says

LibClamAV debug: PH:Checking url http://0x42ce0397/%60/?Pay.Now.W0QQfromZR4QQscatZ37974QQsocmdZLstngItmLstQQssPageNameZdcpCollectCrdTextNonFeat->Learn more

Wouldn't it be wiser to always detect mails containing such HexURLs
linking to text or to another URL as phishes? There are no domains in
it that could be looked for in the .pdb, so only detecting it when
enabling '--phish-scan-alldomains' seems a bit odd.


The displayed url is looked up in the .pdb, i.e. "Learn More" in your case.
If that would have been amazon.com, or something else that is in the
.pdb, then it would have been detected as phishing.email.hexurl.

Classifying all URLs that have the host part hex-encoded as phishing
doesn't make sense.
It is perfectly legit for somebody to send such a link. It is similar
to the phishing.email.numericIP: nobody should forbid me from sending
mails like this to my friends:

<a href='http://72.14.221.104/'>Check out this site</a>

If you want heuristics, then use the alldomains option, that is what
it's there for.
I might consider splitting that option in more suboptions in the
future to have more control over the heuristics, but this is a low
priority issue.

Best regards,
Edwin
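As an added illustration (not ClamAV's own code), the Python below models the behaviour Edwin describes: a link whose host is a hex or numeric IP is only flagged when the displayed text names a domain from the .pdb list, unless the alldomains heuristic is enabled, in which case every such link is flagged. The MONITORED_DOMAINS set, the regexes and the verdict names are assumptions made for this example.

```python
import re
from urllib.parse import urlparse

# Constructed stand-in for the domains listed in the .pdb (not ClamAV's real file).
MONITORED_DOMAINS = {"amazon.com", "paypal.com", "ebay.com"}

ANCHOR_RE = re.compile(r"<a\s+href=['\"]([^'\"]+)['\"]\s*>(.*?)</a>", re.I | re.S)
VERDICTS = {"hexip": "Phishing.Email.HexURL", "numericip": "Phishing.Email.NumericIP"}

def classify_host(host):
    """Return 'hexip', 'numericip' or 'domain' for the host part of a URL."""
    if re.fullmatch(r"0x[0-9a-f]{1,8}", host, re.I):
        return "hexip"
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return "numericip"
    return "domain"

def hex_host_to_dotted(host):
    """Decode a hex-encoded host such as 0x42ce0397 into dotted-quad form."""
    n = int(host, 16)
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def displayed_domain(text):
    """Extract a domain-looking token from the anchor text, or None if there is none."""
    m = re.search(r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", text, re.I)
    return m.group(1).lower() if m else None

def check_anchors(html, scan_alldomains=False):
    """Return one (verdict, href_host, displayed_domain) tuple per <a> element."""
    results = []
    for href, text in ANCHOR_RE.findall(html):
        host = (urlparse(href).hostname or "").lower()
        kind = classify_host(host)
        shown = displayed_domain(text)
        verdict = None
        if kind in VERDICTS:
            # Without the heuristic, only a displayed domain from the .pdb triggers a hit.
            if scan_alldomains or shown in MONITORED_DOMAINS:
                verdict = VERDICTS[kind]
        results.append((verdict, host, shown))
    return results

# Constructed samples: the HexURL from the thread, a cloaked variant, and Edwin's numeric link.
SAMPLE_HEXURL = ('<a href="http://0x42ce0397/%60/?Pay.Now.W0QQfromZR4QQscatZ37974QQsocmdZ'
                 'LstngItmLstQQssPageNameZdcpCollectCrdTextNonFeat">Learn more</a>')
SAMPLE_CLOAKED = "<a href='http://0x42ce0397/'>www.amazon.com</a>"
SAMPLE_NUMERIC = "<a href='http://72.14.221.104/'>Check out this site</a>"

if __name__ == "__main__":
    for sample in (SAMPLE_HEXURL, SAMPLE_CLOAKED, SAMPLE_NUMERIC):
        print(check_anchors(sample), check_anchors(sample, scan_alldomains=True))
```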
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
