Begin forwarded message:

Date: Sat, 10 Feb 2007 20:52:01 +0200
From: Török Edwin <[EMAIL PROTECTED]>
To: Tomasz Kojm <[EMAIL PROTECTED]>
Subject: Re: Fw: [Clamav-devel] Phishcheck module in clamscan 0.90rc3


Tomasz Kojm wrote:
> Hi Edwin,
> 
> could you have a look at this, thanks.

Sorry for the delay, see below for reply. Please forward reply.

> 
> I have compared clamscan's url-based phishing options of 0.90rc3 with
> those of 0.90rc2, and as a result, some things are no longer clear to
> me:

Looks like I should document the phishing module better, at least on the
wiki.
I'll try to do that in the next few days.

> 
> (1) Has the "Phishing.Email.HexURL" type been dropped in rc3?

Not dropped. Its handling changed with images.

> 
> What has been detected as "Phishing.Email.HexURL" in rc2, will now be
> detected as just "Phishing.Email":
> 

The test here https://wwws.clamav.net/bugzilla/attachment.cgi?id=141 works.

If you could send me the 20061007-042145.696587_Html.mbox, I'll
investigate further. My guess is that the hexurl was in an image link.

> 
> (2) The "--phishing-cloak" option does not seem to work:
> 
> clamscan-0.90rc3 --phishing-cloak 20061004-110140.185616_Html.mbox
> 20061004-110140.185616_Html.mbox: OK
> 
> However:
> clamscan-0.90rc3 --no-phishing-restrictedscan 20061004-110140.185616_Html.mbox
> 20061004-110140.185616_Html.mbox: Phishing.Email.Cloaked.NumericIP FOUND

--phishing-cloak is for hexurl, %00, and encoded urls.
There is no option to turn on numericip alone; it'll get turned on by
the no-phishing-restrictedscan option.

> 
> (3) It seems that the "--phishing-ssl" and "--phishing-cloak" options
> are always activated when "--no-phishing-restrictedscan" is given, right?

Yes.
--no-phishing-restrictedscan activates ALL checks, and checks everything
regardless of daily.pdb (.wdb still honored).

> 
> (4) Do you really want to keep the "no-" within
> "--no-phishing-restrictedscan"? This must have been a glitch.

Want to keep it.
* "restrictedscan" means the default behaviour, when only domains listed
in daily.pdb are checked. The default is RESTRICTED to *.pdb domains.

* no-"restrictedscan" means to check EVERYTHING, regardless of *.pdb .
It does more checks, but you're likely to get many false positives.

> 
> (5) Can we expect another release candidate with these Phishcheck
> module related issues being fixed before 0.9 final?

IMHO only documentation needs to be fixed. But I'll do some tests on the
phishing module.

> Will
> --enable-experimental still be required at compile time?

My question too for Tomasz.

Best regards,
Edwin




-- 
   oo    .....         Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\.........         http://www.ClamAV.net/gpg/tkojm.gpg
     \..........._         0DCA5A08407D5288279DB43454822DC8985A444B
       //\   /\              Sat Feb 10 21:55:58 CET 2007
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
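
The option semantics described in the reply above, as an added example (a simplified model, not ClamAV's own code and not part of the original message). The URL rules, the matching of the displayed host against the .pdb/.wdb sets, and all sample hosts are assumptions constructed for illustration; the SSL check is only switched on or off here, not implemented.

```python
import re
from urllib.parse import urlsplit

NUMERIC_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")  # dotted-quad host
PCT_ESCAPE = re.compile(r"%[0-9a-fA-F]{2}")            # %00 and hex-encoded chars

def enabled_checks(phishing_cloak=False, phishing_ssl=False, restricted=True):
    """Checks switched on by the command-line options, per the thread."""
    if not restricted:  # --no-phishing-restrictedscan activates ALL checks
        return {"cloak", "ssl", "numericip"}
    checks = set()
    if phishing_cloak:
        checks.add("cloak")
    if phishing_ssl:
        checks.add("ssl")
    return checks  # numericip has no switch of its own

def url_findings(href):
    """Assumed rules: percent-escapes in host/path => cloak; dotted quad => numericip."""
    parts = urlsplit(href)
    found = set()
    if PCT_ESCAPE.search(parts.netloc + parts.path):
        found.add("cloak")
    if NUMERIC_HOST.match(parts.hostname or ""):
        found.add("numericip")
    return found

def scan_link(href, displayed_host, pdb, wdb, **options):
    """Return the checks that would fire for one link under the given options."""
    if displayed_host in wdb:  # .wdb is still honored in every mode
        return set()
    if options.get("restricted", True) and displayed_host not in pdb:
        return set()           # default: only domains listed in .pdb are checked
    return url_findings(href) & enabled_checks(**options)

# Constructed sample data (not real ClamAV database entries)
PDB = {"bank.example"}
WDB = {"intranet.example"}
NUMERIC = "http://192.0.2.7/login"
HEXURL = "http://%6c%6f%67%69%6e.example.net/"

if __name__ == "__main__":
    print(scan_link(NUMERIC, "bank.example", PDB, WDB, phishing_cloak=True))
    print(scan_link(NUMERIC, "bank.example", PDB, WDB, restricted=False))
```

The two printed cases mirror point (2) of the thread: the numeric-IP link is not reported with --phishing-cloak alone, and is reported once restricted scanning is turned off.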
