Török Edwin wrote:
It should already be whitelisted:
X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:.+\.amazon\.com([/?].*)?:17-
X:.+:.+images\.amazon\.com([/?].*)?:17-

What is the domain of the image, and the domain of the href target?
Can you craft a simple example html mail with just a url, the img url,
with just the domains? (without the actual path and query params).

I checked this out, and it looks like it wasn't one of the link images. (Although those use amazon.ca -> ssl-images-amazon.com.)

I then dug out all of the links (~15), and dropped them in a minimal email one by one.

I found the one that was triggering the test to look like this:

[a href="http://www.amazon.ca/"]Amazon.com.ca, Inc.[/a]

I tried creating a daily.wdb, which seemed to get loaded, but didn't have any effect:

X:.+\.amazon.ca.+:.+amazon\.com\.ca.+

According to the debug output, it seems libclamav truncated the .com.ca to just .com:

LibClamAV debug: Phishcheck:Checking url http://www.amazon.ca/->Amazon.com.ca, Inc.
LibClamAV debug: Phishcheck:URL after cleanup: http://www.amazon.ca->amazon.com.ca,inc
LibClamAV debug: Phishing: looking up in whitelist: http://www.amazon.ca:amazon.com; host-only:0
LibClamAV debug: Looking up in regex_list: http://www.amazon.ca:amazon.com/
LibClamAV debug: Lookup result: not in regex list
LibClamAV debug: Phishcheck:host:.amazon.com
LibClamAV debug: Looking up in regex_list: amazon.com/
LibClamAV debug: calc_pos_with_skip: skip:12, 0 - 10 "amazon.com","amazon.com/"
LibClamAV debug: calc_pos_with_skip:
LibClamAV debug: Got a match: amazon.com/ with /moc.nozama
LibClamAV debug: Before inserting .: .amazon.com
LibClamAV debug: Lookup result: in regex list
LibClamAV debug: Phishcheck:host:.www.amazon.ca
LibClamAV debug: Phishing: looking up in whitelist: .www.amazon.ca:.amazon.com; host-only:1
LibClamAV debug: Looking up in regex_list: www.amazon.ca:amazon.com/
LibClamAV debug: Lookup result: not in regex list
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different

... but if that were all, the existing whitelist should have passed it.

-kgd
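
An added example, not part of the original message and not ClamAV's own code: it replays the `real:displayed` lookup strings from the debug output above against the whitelist entries quoted in the thread. Python's `re` stands in for libclamav's regex engine, unanchored search is assumed, and the last lookup line is constructed for contrast.

```python
import re

# Lookup lines copied from the debug output in the message above.
DEBUG_LOG = """\
LibClamAV debug: Looking up in regex_list: http://www.amazon.ca:amazon.com/
LibClamAV debug: Looking up in regex_list: amazon.com/
LibClamAV debug: Looking up in regex_list: www.amazon.ca:amazon.com/
"""

# Constructed line (not from the thread): displayed host carries a subdomain.
CONSTRUCTED_LOG = (
    "LibClamAV debug: Looking up in regex_list: "
    "http://www.amazon.ca:www.amazon.com/\n"
)

# Entries quoted in the thread: two existing ones and the custom daily.wdb line.
WDB_ENTRIES = [
    r"X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:.+\.amazon\.com([/?].*)?:17-",
    r"X:.+:.+images\.amazon\.com([/?].*)?:17-",
    r"X:.+\.amazon.ca.+:.+amazon\.com\.ca.+",
]


def entry_regex(entry):
    """Drop the 'X:' type prefix and an optional ':NN-' functionality-level suffix."""
    return re.sub(r":\d+-\d*$", "", entry[2:])


def lookup_strings(log):
    """Return the 'real:displayed/' keys from the log, skipping host-only keys."""
    keys = re.findall(r"Looking up in regex_list: (\S+)", log)
    return [k for k in keys if ":" in k.replace("://", "")]


def matches(log, entries):
    """Map each lookup key to the whitelist entries whose regex matches it."""
    return {
        key: [e for e in entries if re.search(entry_regex(e), key)]
        for key in lookup_strings(log)
    }


if __name__ == "__main__":
    # The displayed side of the first entry is '.+\.amazon\.com', which needs at
    # least one character and a dot before 'amazon.com'; a bare 'amazon.com/'
    # on the displayed side does not satisfy it.
    for log in (DEBUG_LOG, CONSTRUCTED_LOG):
        for key, hits in matches(log, WDB_ENTRIES).items():
            print(key, "->", hits or "no whitelist entry matches")
```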