Can someone please tell me how ClamAV goes about phishing detection? I presume 
it has something to do with libcurl going out to a web site and some checks 
being performed on whatever is returned.
Not normally... most phishing detection is done by matching text/HTML that is common, looks odd, or has bad spelling in the email.
We have had several phishes get through -- most appear to be Google, About, or 
Ebay redirects, such as:
        
href="http://www.google.com/url?sa=U&q=http://81.196.204.130:82/webscr/index.php";
 (A PayPal phish.)
Well, the above is just using Google to redirect to the phishing site. I think they count on people hovering the mouse over the link, seeing Google and then trusting the site, which you normally wouldn't do.
Sites were hot at the time the messages were received, so either my concept of 
how ClamAV blocks phishing is wrong or the detection method is not as generic 
as I would have thought.

Generic phishing signatures can be done... but... they are very difficult to get right without any false positives.
Also, I would add that I have submitted a few of these phishes to ClamAV's 
virus submission and they all seem to get discarded without comment.
Basically, ClamAV is there to protect you from viruses, Trojans and then phishing attempts (roughly in that order). Signature makers are very busy doing virus signatures... after all, I'd much prefer to have a virus stopped than a phishing attempt.

Having said that, I've come up with my own unofficial signatures, designed to catch phishing attempts that ClamAV's official signatures let through. Not everyone will want to use them... after all, do you trust me to do signatures? (Just in case this helps... I've been part of the Windows SpamPal anti-spam support team for the last two or three years,
see: http://www.spampal.org/credits.html)

Anyway, to grab the unofficial signatures, go to the site here and download the phish.ndb file and place it in the same directory as your daily.cvd file: http://www.sanesecurity.com/clamav/

There's also a PDF file there, showing how I put a signature together. For what it's worth, I would certainly still submit your phishing emails to the ClamAV team and I would also suggest submitting the emails to this "phishing tracker" site: http://www.dslreports.com/phishtrack

Cheers,

Steve
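As an added illustration of the redirect trick discussed in this thread (not code from the original post, from Steve, or from the ClamAV project), the script below extracts hrefs from an HTML mail body, unwraps known open-redirector URLs to recover the real destination, flags destinations that use a literal IP address or a non-standard port, and emits a ClamAV .ndb-style line (Name:TargetType:Offset:Hex) for a literal the analyst wants to block. The sample HTML is constructed for the example and reuses the IP and port quoted in the thread; the redirector table, the suspicion heuristics and the signature name are assumptions, and the .ndb line must still be checked against your ClamAV version with clamscan before use.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse, parse_qs

# Constructed sample mail body in the shape of the Google-redirect PayPal
# phish quoted in the thread (IP and port taken from that message).
SAMPLE_HTML = """
<p>Please confirm your account
<a href="http://www.google.com/url?sa=U&amp;q=http://81.196.204.130:82/webscr/index.php">here</a>
or visit <a href="https://www.paypal.com/">PayPal</a>.</p>
"""

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.I)

# Assumed table of redirector hosts: path that performs the redirect and the
# query parameter carrying the real target. Extend with other redirectors.
REDIRECTORS = {
    "www.google.com": ("/url", "q"),
    "google.com": ("/url", "q"),
}


def unwrap_redirect(url):
    """Return the destination hidden behind a known redirector, else url itself."""
    p = urlparse(url)
    entry = REDIRECTORS.get(p.netloc.lower())
    if entry and p.path == entry[0]:
        target = parse_qs(p.query).get(entry[1])
        if target:
            return target[0]
    return url


def is_suspicious_target(url):
    """Heuristics (assumed): literal IP host, or a port other than 80/443."""
    p = urlparse(url)
    host = p.hostname or ""
    try:
        ip_address(host)
        return True  # host is a raw IPv4/IPv6 literal
    except ValueError:
        pass
    return p.port not in (None, 80, 443)


def scan_html(html):
    """Report every href that is redirector-wrapped or points somewhere suspicious."""
    findings = []
    for m in HREF_RE.finditer(html):
        raw = m.group(1).replace("&amp;", "&")  # undo HTML attribute escaping
        final = unwrap_redirect(raw)
        redirected = final != raw
        suspicious = is_suspicious_target(final)
        if redirected or suspicious:
            findings.append({"href": raw, "target": final,
                             "redirected": redirected, "suspicious": suspicious})
    return findings


def ndb_signature(name, literal, target_type=3):
    """Build a ClamAV .ndb line: Name:TargetType:Offset:Hex.

    Target type 3 is ClamAV's normalized HTML; '*' means any offset. The
    literal must match the normalized form, so verify with clamscan.
    """
    return f"{name}:{target_type}:*:{literal.encode('utf-8').hex()}"


if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f)
    # Assumed signature name; the literal is the redirect prefix from the thread.
    print(ndb_signature("Unofficial.Phish.GoogleRedirect",
                        "http://www.google.com/url?sa=u&q=http://"))
```

Run it with python3 and it prints the one finding (the Google-wrapped link resolving to the raw-IP host on port 82) plus a candidate .ndb line; the paypal.com link is not reported. Unwrapping before judging the destination is the point: the hover text shows google.com, but the host that receives the credentials is the one after q=.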

_______________________________________________
http://lurker.clamav.net/list/clamav-users.html