On 04/22/2010 05:26 PM, Kris Deugau wrote:
> I've had reports of several FPs due to PhishingScanURLs recently - is
> there any way it can be made less aggressive rather than just turning it
> off outright?

You could remove domains from daily.pdb/whitelist all mails that contain certain domains.

> The messages triggering it so far have been both outgoing and incoming
> mail from our customers: forwarded copies of legitimate Amazon.ca mail
> and eBay replies on the outgoing side; a newsletter linking to a bank
> website for a contest of some kind on the incoming side.

The problem is that amazon/ebay is a very likely target for phishing, so if you remove these domains entirely you will miss some phishing.

> Some customers may not want to send the message in question to our
> reporting address due (quite reasonably) to privacy concerns, and it's a
> bit hard to create a .wdb entry when a) I don't have an example URL that
> triggers the test and b) I'm groping in the dark on exactly how to
> correctly format an entry.

Here is an example daily.wdb entry (it is a regular expression for the 2 sides of the link):

X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:(.+\.)?amazon\.com([/?].*)?:17-

And here is another one:

M:chase.com:jpmchase.com

You can see all the current .wdb entries by downloading daily.cvd, and running sigtool --unpack-current daily.
The format of .wdb is documented in docs/phishsigs_howto.pdf

You can start by adding just the domain names to the .wdb, i.e.:

M:amazon.ca:OTHERDOMAIN

where OTHERDOMAIN is the displayed domain name (the part between <a></a>), assuming amazon.ca is the domain in the href.

Best regards
--Edwin
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
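Added example (not part of the mail above and not ClamAV's own code): a small Python checker that parses the two kinds of .wdb whitelist entries shown in the reply, X: (a regex for the href side, a regex for the displayed side, plus a trailing field) and M: (a domain for each side), and reports which entry, if any, whitelists a given href/displayed-text pair. It lets you dry-run a candidate entry against the link that caused the false positive before shipping it. The sample .wdb text is constructed from the entries quoted in the mail; the matching rules (scheme stripped before regex matching, M: domains matched as the host or a subdomain of it, regex fields assumed to contain no unescaped ':', trailing X: field stored but not interpreted) are this example's simplifications, not a statement of how ClamAV itself evaluates the file.

```python
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample .wdb text: the two entries quoted in the mail plus the
# domain-only entry suggested there (OTHERDOMAIN is a placeholder, as in the mail).
SAMPLE_WDB = r"""
X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:(.+\.)?amazon\.com([/?].*)?:17-
M:chase.com:jpmchase.com
M:amazon.ca:OTHERDOMAIN
"""


@dataclass
class WdbEntry:
    kind: str                 # "X" (regex pair) or "M" (domain pair)
    real: str                 # href side: regex source or domain
    display: str              # displayed side: regex source or domain
    extra: str = ""           # trailing field of X: lines, stored but not interpreted here
    real_re: Optional[re.Pattern] = field(default=None, repr=False)
    display_re: Optional[re.Pattern] = field(default=None, repr=False)


def parse_wdb(text: str) -> list[WdbEntry]:
    """Parse M: and X: lines. Assumption: regex fields contain no unescaped ':'."""
    entries: list[WdbEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, rest = line.partition(":")
        parts = rest.split(":")
        if kind == "M":
            if len(parts) != 2 or not all(parts):
                raise ValueError(f"line {lineno}: M: entry needs exactly two domains")
            entries.append(WdbEntry("M", parts[0].lower(), parts[1].lower()))
        elif kind == "X":
            if len(parts) != 3 or not parts[0] or not parts[1]:
                raise ValueError(f"line {lineno}: X: entry needs real:display:extra")
            real, display, extra = parts
            entries.append(WdbEntry("X", real, display, extra,
                                    re.compile(real, re.IGNORECASE),
                                    re.compile(display, re.IGNORECASE)))
        else:
            raise ValueError(f"line {lineno}: unknown entry type {kind!r}")
    return entries


def _strip_scheme(url: str) -> str:
    """Drop 'http://' etc. so the regex sees host/path only (example's convention)."""
    url = url.strip()
    return url.split("://", 1)[1] if "://" in url else url


def _host(url: str) -> str:
    """Lower-cased hostname; bare 'example.com/x' strings get a scheme prepended."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def _domain_matches(host: str, domain: str) -> bool:
    """True when host is the domain itself or a subdomain of it (suffix on a label boundary)."""
    return host == domain or host.endswith("." + domain)


def whitelisted_by(entries: list[WdbEntry], real_url: str, display_url: str) -> Optional[WdbEntry]:
    """Return the first entry that whitelists this href/displayed pair, else None."""
    for e in entries:
        if e.kind == "M":
            if _domain_matches(_host(real_url), e.real) and _domain_matches(_host(display_url), e.display):
                return e
        elif e.real_re.fullmatch(_strip_scheme(real_url)) and e.display_re.fullmatch(_strip_scheme(display_url)):
            return e
    return None


if __name__ == "__main__":
    # Constructed href/displayed pairs; the last one is a lookalike host that must NOT be whitelisted.
    entries = parse_wdb(SAMPLE_WDB)
    for href, shown in [
        ("http://www.amazon.ca/gp/css/order", "www.amazon.com/orders"),
        ("https://chase.com/login", "jpmchase.com"),
        ("http://secure.chase.com.evil.example/login", "chase.com"),
    ]:
        hit = whitelisted_by(entries, href, shown)
        print(f"{href!r} shown as {shown!r}: {'whitelisted by ' + hit.kind + ':' + hit.real if hit else 'not whitelisted'}")
```

Note that the third pair is rejected: an M: entry only matches the listed domain or a subdomain of it, so a host that merely contains "chase.com" somewhere in its name does not inherit the whitelist. That is the property to check whenever you add a domain-only entry in place of the tighter X: regex form.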
