On Wed, 4 Oct 2006, 10:59 GMT+03 Török Edvin wrote:

> On 10/3/06, Robert Allerstorfer wrote:
>> Reading phishsigs_howto.pdf from the latest snapshot tarball, it says
>> that each line must consist of *three* fields, in the form
>>
>> Flags RealURL DisplayedURL
>>
>> Is there an updated documentation where the two-fields form will be
>> explained?

> There will be changes to the .pdb/.wdb format, and after that the
> documentation will be updated.
> For now the only change is: The two-field form is valid only for type
> 'H', and means:
> match the host part of realURL, i.e. displayedURL can be anything.

You seem to mean 'somedomain.tld' of the 2-field-form

H somedomain.tld

is the Host part of DisplayedURL (not RealURL), while RealURL (not
DisplayedURL) can be anything.

>> (2) How can yet undetected phishings be submitted to the project?

> Submit a sample: http://cgi.clamav.net/sendvirus.cgi, following the
> rules on that page.

OK, just submitted 2 raw mails (more than 2 submissions a day are not
allowed according to that page) which should add

H bankofcastile.com
H imglt.com

to 'daily.pdb' (as of 'daily.cvd' version 2000). That decreased the
amount of false negatives (when '--phish-scan-alldomains' is not
applied) from 88.1 to 59.5% within my real-life test environment of
currently 42 Phishing.Email mails. If there were also a way to add
host names of RealURLs, the percentage decrease would be even better.

Best regards,
rob.