BitFuzzy wrote:
I decoded the hex string and it actually matches "Dear PayPal Member\n"
(PayPal instead of Paypal)
Yeah, I caught that; it doesn't make any difference
Hi,
In your first post you said you'd tried these:
Email.Phishing.Paypal.Test.0227001:0:*:446561722050617950616c204d656d6265720a
Email.Phishing.Paypal.Test.0227001:446561722050617950616c204d656d6265720a
Firstly, make sure you don't use the 2nd one in an ndb file... it will
cause you problems and won't match anything.
In fact, it's a bug in ClamAV. If you add in the 2nd line above...
nothing at all gets detected using any signature,
which is a bit worrying.... so... you've discovered a "feature" ;)
Okay...

Phish text to match: Dear Paypal Members

Some example sigs... Note the case of the text

Sig eg 1:

Html.Phishing.Pay.Gen017.Sanesecurity.06022800:3:*:646561722070617970616c206d656d626572

Note: type 3 is used (HTML) which means the file is normalised
so : 646561722070617970616c206d656d626572 is (dear paypal member)
will match: Dear PayPal Member
and : Dear Paypal member
and : dear paypal member
and : Dear PayPal Members

Sig eg 2:

Html.Phishing.Pay.Gen017.Sanesecurity.06022800:0:*:446561722050617950616c204d656d626572

Note: type 0 is used (ALL) which means the file isn't normalised
so : 446561722050617970616c204d656d626572 is (Dear PayPal Member)
will match: Dear PayPal Member
but not : Dear Paypal member
but not : dear paypal member
will match: Dear PayPal Members
Hope that's right, it's been a long day...
Cheers,
Steve
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
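
Added example (not part of the original message and not ClamAV code): a small Python check that parses the signature lines quoted in the thread using the four-field .ndb layout (name:target type:offset:hex), flags the two-field line before it reaches an .ndb file, and replays the four sample strings. Type 3 normalisation is modelled as lowercasing only, which is a simplifying assumption, and the function names are hypothetical.

```python
import binascii

# The three signature lines quoted in the thread, copied as posted.
SIGS = [
    "Html.Phishing.Pay.Gen017.Sanesecurity.06022800:3:*:646561722070617970616c206d656d626572",
    "Html.Phishing.Pay.Gen017.Sanesecurity.06022800:0:*:446561722050617950616c204d656d626572",
    "Email.Phishing.Paypal.Test.0227001:446561722050617950616c204d656d6265720a",
]
# The four sample strings from the thread.
SAMPLES = [b"Dear PayPal Member", b"Dear Paypal member",
           b"dear paypal member", b"Dear PayPal Members"]


def parse_ndb(line):
    """Split an .ndb line into (name, target_type, offset, pattern_bytes).

    Raises ValueError when the four mandatory fields are not all present
    or the body is not plain hex (wildcards are not handled here).
    """
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError("need Name:TargetType:Offset:HexSig, got %d fields" % len(fields))
    name, target_type, offset, hexsig = fields[:4]
    return name, int(target_type), offset, binascii.unhexlify(hexsig)


def matches(sig_line, data):
    """Assumed model: type 3 lowercases the data first, type 0 scans it raw."""
    _, target_type, offset, pattern = parse_ndb(sig_line)
    if offset != "*":
        raise NotImplementedError("only the '*' (any) offset is modelled")
    haystack = data.lower() if target_type == 3 else data
    return pattern in haystack


def lint(lines):
    """Return (line_number, error) for every line parse_ndb rejects."""
    problems = []
    for number, line in enumerate(lines, 1):
        try:
            parse_ndb(line)
        except ValueError as exc:
            problems.append((number, str(exc)))
    return problems


if __name__ == "__main__":
    for sig in SIGS[:2]:
        print(sig.split(":")[1], [matches(sig, s) for s in SAMPLES])
    print(lint(SIGS))
```

Running a lint pass like this over a custom signature file before loading it catches a short line such as the third one without having to test it against the scanner.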