Re: [Clamav-devel] New phishing method...doubts
Robert Allerstorfer wrote:
> Hi,
> Are there yet any statistics of the amount of false positives caused by
> --phish-scan-alldomains?

You can see http://phishery.internetdefence.net/clamav-test2.html

> regards
> rob.

___
http://lurker.clamav.net/list/clamav-devel.html
Re: [Clamav-devel] New phishing method...doubts
Hi,

On Wed, 27 Sep 2006, 22:05 GMT+02 Robert Allerstorfer wrote:
> I have now tested another phishing mail using your new code (with the
> '--phish-scan-alldomains' option) which did not get detected.

It did get detected now with the latest CVS source (devel-20060928) :-)

clamscan "C:\path_to\.clamwin\db" --phish-scan-alldomains PHISH_ebay.mbox
D:\Mails\spam\PHISH_ebay.mbox: Phishing.Email FOUND

I think all found "viruses" whose names begin with "Phishing.Email" are detected by the new phishing-scan-urls code, so I can easily identify them and treat them in a special way (keep them for a while instead of removing them immediately).

Are there yet any statistics of the amount of false positives caused by --phish-scan-alldomains?

regards
rob.
Re: [Clamav-devel] New phishing method...doubts
On Wed, 27 Sep 2006, 18:59 GMT+03 Török Edvin wrote:
> On 9/27/06, Robert Allerstorfer wrote:
>> The output of 'clamscan -h' included
>> --no-phishing            Disable phishing detection
>> --no-phishing-scan-urls  Disable url-based phishing detection
> --no-phishing means to disable detecting phishing based on signatures
> from main.cvd/daily.cvd
> --no-phishing-scan-urls means to disable the new phishing code (url-based)

yes, thanks, I just think the -h output should make that clear, also.

Is it true that all names of "viruses" found by the code that can be disabled by '--no-phishing' begin with "HTML.Phishing.", while those found by the new url-based phishing code begin with "Phishing.Email."? I need this for my antivirus filter, where I delete all positive mails. Now I want to add url-based phishing detection using '--phish-scan-alldomains', but move instead of delete those identified "infected" mails, to manually check for false positives.

I have now tested another phishing mail using your new code (with the '--phish-scan-alldomains' option) which did not get detected. The --debug output showed that the phishing code was not even applied (since there are no entries beginning with 'PH:' as in the output where phishing has been found):

[...]
LibClamAV debug: Exported 15276 bytes using enctype 1
LibClamAV debug: fileblobDestroy: mixedtextportion
LibClamAV debug: Now read in part 0
LibClamAV debug: Empty part
LibClamAV debug: The message has 1 parts
LibClamAV debug: Find out the multipart type (alternative)
LibClamAV debug: Multipart alternative handler
LibClamAV debug: Mixed message with 1 parts
LibClamAV debug: Mixed message part 0 is of type 0
LibClamAV debug: No mime headers found in multipart part 0
LibClamAV debug: No plain text alternative
LibClamAV debug: Adding to non mime-part
LibClamAV debug: cli_mbox returning 0
LibClamAV debug: Matched signature for file type HTML data at 330
LibClamAV debug: in cli_scanhtml()
LibClamAV debug: mmap'ed file D:\Mails\spam\PHISH_ebay.mbox: OK

If I should provide somebody with that file please let me know.

Thanks
rob.
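The mail-filter policy rob describes above (delete signature hits, but only move url-based "Phishing.Email" hits aside for a manual false-positive check) can be driven straight from clamscan's per-file output. The script below is an added example, not ClamAV's code and not rob's filter; it parses the "path: Name FOUND" / "path: OK" lines clamscan prints, and treats the prefix convention rob asks about (HTML.Phishing.* from signatures, Phishing.Email.* from the url-based code) as an assumption rather than a confirmed fact. The sample output is constructed; HTML.Phishing.Bank-Example is a made-up signature name.

```python
"""Triage clamscan results by detection-name prefix. Added example, not
ClamAV's code nor the list poster's filter; the prefix convention
(HTML.Phishing.* from signatures, Phishing.Email.* from the url-based code)
is the one asked about in the thread and is an assumption here."""
import re

# One per-file result line: "<path>: <Name> FOUND" or "<path>: OK".
# The non-greedy path stops at the first ": " so Windows drive letters survive.
RESULT_LINE = re.compile(r"^(?P<path>.+?): (?:(?P<name>\S+) FOUND|OK)$")


def parse_clamscan(output):
    """Return [(path, detection name or None)]; summary lines do not match."""
    results = []
    for line in output.splitlines():
        m = RESULT_LINE.match(line.rstrip())
        if m:
            results.append((m.group("path"), m.group("name")))
    return results


def action_for(name):
    """Map a detection name to a mail-filter action."""
    if name is None:
        return "deliver"
    if name == "Phishing.Email" or name.startswith("Phishing.Email."):
        return "quarantine"   # url-heuristic hit: hold for manual false-positive review
    return "delete"           # signature hit (HTML.Phishing.* or any other detection)


def triage(output):
    """Return [(path, name, action)] for every per-file result line."""
    return [(path, name, action_for(name)) for path, name in parse_clamscan(output)]


# Constructed sample output; the first two detection names appear in the
# thread, HTML.Phishing.Bank-Example is a made-up signature name.
SAMPLE_OUTPUT = r"""D:\Mails\spam\PHISH_ebay.mbox: Phishing.Email FOUND
D:\Mails\spam\PHISH_postcard.mbox: Phishing.Email.Cloaked.NumericIP FOUND
D:\Mails\spam\bank.mbox: HTML.Phishing.Bank-Example FOUND
D:\Mails\spam\eicar.mbox: Eicar-Test-Signature FOUND
D:\Mails\inbox\newsletter.mbox: OK

----------- SCAN SUMMARY -----------
Infected files: 4
"""

if __name__ == "__main__":
    for path, name, action in triage(SAMPLE_OUTPUT):
        print(f"{action:10} {path}  ({name or 'clean'})")
```

The quarantine branch is deliberately narrow (exact "Phishing.Email" or the "Phishing.Email." prefix) so that any other name, including an unexpected future prefix, falls through to the stricter default rather than being silently held.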
Re: [Clamav-devel] New phishing method...doubts
Danett song wrote:
> 1) Does this module work in Windows or Linux, or both?

The "debug" version at w32.clamav.net works under Windows (best to use Windows XP for it). You'll find the link to the debug version at the bottom of that page.

-Nigel
Re: [Clamav-devel] New phishing method...doubts
On 9/27/06, Robert Allerstorfer <[EMAIL PROTECTED]> wrote:
> The output of 'clamscan -h' included
> --no-phishing            Disable phishing detection
> --no-phishing-scan-urls  Disable url-based phishing detection
> --phish-scan-alldomains  Enable phishing detection for all domains (might lead to false positives!)
> (I'm confused because of the two '--no-phishing' options)

--no-phishing means to disable detecting phishing based on signatures from main.cvd/daily.cvd
--no-phishing-scan-urls means to disable the new phishing code (url-based)

Edwin
Re: [Clamav-devel] New phishing method...doubts
On Wed, 27 Sep 2006, 00:05 GMT+02 GiM wrote:
> Danett song in message 'Re: [Clamav-devel] New phishing method...doubts' wrote:
>> I would like to test it, but I only use Windows, has someone created an
>> installer that has this module included (and with files pre configured)
>> to use in Windows? :)
>>
> Since it's in clamav it'll probably be included in clamwin,
> but I'm not sure, just guessing.

Yes, on Windows you can use the latest ClamWin version (currently 0.88.4) and then replace 'clamscan.exe' and 'libclamav.dll' (which will be installed into the 'bin' sub directory of ClamWin's program directory) by Gianluigi Tiesi's latest builds found in http://oss.netfarm.it/clamav/files/clamav-win32-vc6.7z

Currently, they seem to have the functionality from CVS version 2006-09-16: "cvs sync, upstream added anti-phishing code (untested)" (However, currently the RAR 3 code is still broken.)

The output of 'clamscan -h' included
--no-phishing            Disable phishing detection
--no-phishing-scan-urls  Disable url-based phishing detection
--phish-scan-alldomains  Enable phishing detection for all domains (might lead to false positives!)
(I'm confused because of the two '--no-phishing' options)

It works :-)

clamscan "C:\path_to\.clamwin\db" --phish-scan-alldomains PHISH_postcard.mbox
D:\Mails\spam\PHISH_postcard.mbox: Phishing.Email.Cloaked.NumericIP FOUND

regards,
rob.
Re: [Clamav-devel] New phishing method...doubts
Danett song in message 'Re: [Clamav-devel] New phishing method...doubts' wrote:
>
> --- Török Edvin <[EMAIL PROTECTED]> wrote:
>
>> Linux: yes, tested. Windows: should work, but I didn't personally test.
>
> Without cygwin?
>
> I would like to test it, but I only use Windows, has someone created an
> installer that has this module included (and with files pre configured)
> to use in Windows? :)
>

Since it's in clamav it'll probably be included in clamwin, but I'm not sure, just guessing.

>> That depends if you have a plugin in your mua, that uses/calls clamav.
>
> Ahhh, so it's a module that is called in the scan engine for any data
> (buffer to be checked if it has a virus or not?) passed to it? If yes, how
> does the anti phishing module detect if it's HTML (e-mail content) to be
> checked and not a binary for example (causing false positives)?
>

Ouch, iirc the phishing module scans html files (they're detected by the clamav engine itself).

>>> <a href="http://someevilurl">paypal.com</a>
>> http://someevilurl - real url
>> paypal.com - displayed url
>>
>
> I took a look at it. How many false positives are these modules
> generating? Does it depend on the configuration? Has someone made an
> analysis of it (maybe Ian Castle)?
>

This depends on your base.

>> You may also find useful the phishsigs_howto.pdf inside the docs dir
>> (in the cvs version).
>
> I don't know how to access the cvs with Windows, is this CVS viewable
> via web? :)
>

There are some cvs tools for windows.

--
main(int a[puts("Michał 'GiM' Spadliński")]){}
Re: [Clamav-devel] New phishing method...doubts
Hi Török,

--- Török Edvin <[EMAIL PROTECTED]> wrote:
> It's based on comparing:
> - the 'real' URL, i.e. the URL that your browser is going to load when
>   you click on it
> - the 'displayed' URL, i.e. the text that is underlined, tooltips, etc.

Hummm, now I got the idea.

> Linux: yes, tested. Windows: should work, but I didn't personally test.

Without cygwin?

I would like to test it, but I only use Windows, has someone created an installer that has this module included (and with files pre configured) to use in Windows? :)

> That depends if you have a plugin in your mua, that uses/calls clamav.

Ahhh, so it's a module that is called in the scan engine for any data (buffer to be checked if it has a virus or not?) passed to it? If yes, how does the anti phishing module detect if it's HTML (e-mail content) to be checked and not a binary for example (causing false positives)?

> the phishing module is not meant for scanning websites, it is meant for
> scanning emails.

Understood.

> real means the url that your browser takes you to when you click on it.
> For example:
> <a href="http://someevilurl">paypal.com</a>
> http://someevilurl - real url
> paypal.com - displayed url
>
> For a step-by-step description of the algorithm see:
> http://wiki.clamav.net/index.php/phishing_design

I took a look at it. How many false positives are these modules generating? Does it depend on the configuration? Has someone made an analysis of it (maybe Ian Castle)?

> You may also find useful the phishsigs_howto.pdf inside the docs dir
> (in the cvs version).

I don't know how to access the cvs with Windows, is this CVS viewable via web? :)

> Best regards,
> Edwin

Thank you again and congratulations for the interesting job
Re: [Clamav-devel] New phishing method...doubts
Török Edvin wrote:
> Linux: yes, tested. Windows: should work, but I didn't personally test.

Win32/Cygwin: Works as well.

Best regards,
Nico

--
+--+
Q: Because it reverses the logical flow of conversation.
A: Why is putting a reply at the top of the message frowned upon?
Re: [Clamav-devel] New phishing method...doubts
On 9/26/06, Danett song <[EMAIL PROTECTED]> wrote:
> This module to detect Phishing attacks is basically based on
> normalization of url's, correct?

It's based on comparing:
- the 'real' URL, i.e. the URL that your browser is going to load when you click on it
- the 'displayed' URL, i.e. the text that is underlined, tooltips, etc.

> 1) Does this module work in Windows or Linux, or both?

Linux: yes, tested. Windows: should work, but I didn't personally test.

> 2) Does this module analyze the thread when they are received in the mua
> (firebird, outlook, etc) or

That depends if you have a plugin in your mua, that uses/calls clamav. If you do, _and_ you are using the latest cvs version of clamav, then yes your mua will report phishing. See more below.

> browser (Firefox, IE, etc)?

the phishing module is not meant for scanning websites, it is meant for scanning emails.

> 3) If in mua, which are supported? Firebird? Outlook express?

As long as you are currently able to use clamav from your mua, then phishing detection will work too. See http://www.clamav.net/3rdparty.html for more info.

> 4) If in browser, which are supported? Firefox? IE?

neither.

> 5) In some parts of the document the words "realurl" and "displayurl"
> are used, what do you mean with that?

See explanation at beginning of this mail.

> What kind of discrepancies are compared to find a real or displayed
> (fake) url?

real means the url that your browser takes you to when you click on it.
For example:
<a href="http://someevilurl">paypal.com</a>
http://someevilurl - real url
paypal.com - displayed url

For a step-by-step description of the algorithm see:
http://wiki.clamav.net/index.php/phishing_design

> Thank you and sorry for dumb questions,

You may also find useful the phishsigs_howto.pdf inside the docs dir (in the cvs version).

> OBS: Török Edvin the idea of an anti phishing is very good, and the
> tests made by Ian Castle are very interesting too.

thanks

Best regards,
Edwin
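Edwin's answer above explains the check as a comparison of the 'real' URL (the href the browser follows) with the 'displayed' URL (the anchor text), and rob's test earlier in the thread shows one concrete outcome, Phishing.Email.Cloaked.NumericIP, where the real target is a bare IP address. The script below is an added toy illustration of that idea, not ClamAV's code and not the algorithm from the wiki page Edwin links; it collects every `<a href>`/text pair from a message body and flags the two discrepancies named in the thread. The `watched` set and the `all_domains` switch are assumptions standing in for the default domain list and for `--phish-scan-alldomains`; the `registrable()` helper is a crude "last two labels" approximation, and the sample mail, the verdict labels and the 192.0.2.10 / *.example addresses are constructed.

```python
"""Toy real-vs-displayed URL comparison in the spirit of the ClamAV phishing
module discussed in the thread. Added example; not ClamAV's code."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Displayed text that itself looks like a URL or bare hostname, e.g. "paypal.com".
URL_LIKE = re.compile(r"^(https?://)?([a-z0-9-]+\.)+[a-z]{2,}(/\S*)?$", re.I)
NUMERIC_IP = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname; a bare 'paypal.com' is read as http://paypal.com."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable(host):
    """Crude 'last two labels' stand-in for the registrable domain (assumption)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def classify(real, displayed, watched, all_domains=False):
    """Verdict label for one anchor, or None when nothing looks suspicious.

    Only anchors whose displayed text looks like a URL are compared. By default
    only displayed domains in `watched` are checked; all_domains=True stands in
    for --phish-scan-alldomains and checks every domain (more false positives).
    """
    if not URL_LIKE.match(displayed):
        return None
    disp_host = host_of(displayed)
    if not all_domains and registrable(disp_host) not in watched:
        return None
    real_host = host_of(real)
    if NUMERIC_IP.match(real_host):
        return "cloaked-numeric-ip"      # real target is a bare IP address
    if registrable(real_host) != registrable(disp_host):
        return "host-mismatch"           # real and displayed domains differ
    return None


def scan_html(html, watched, all_domains=False):
    """Return [(href, displayed text, verdict)] for every flagged anchor."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for href, text in parser.anchors:
        verdict = classify(href, text, watched, all_domains)
        if verdict is not None:
            hits.append((href, text, verdict))
    return hits


# Constructed sample message body (not a real phishing mail); 192.0.2.10 is a
# documentation address and the *.example names are reserved for examples.
SAMPLE_MAIL = """<html><body>
<p>Dear customer, please log in at <a href="http://someevilurl">paypal.com</a></p>
<p>Your item: <a href="http://192.0.2.10/login">http://www.ebay.com/</a></p>
<p><a href="http://www.example.org/news">Read more</a></p>
<p><a href="https://mail.example.net/inbox">mail.example.net</a></p>
<p><a href="http://attacker.example">bank.example.com</a></p>
</body></html>"""

# Stand-in for the domain list the default (non-alldomains) mode checks.
WATCHED = {"paypal.com", "ebay.com"}

if __name__ == "__main__":
    for mode in (False, True):
        print("all_domains =", mode)
        for hit in scan_html(SAMPLE_MAIL, WATCHED, all_domains=mode):
            print("  ", hit)
```

Run as-is, the default mode flags only the two anchors whose displayed domain is in the watched set; switching `all_domains` on additionally flags the `bank.example.com` anchor, which is exactly the trade-off the thread describes for `--phish-scan-alldomains`: broader coverage at the price of more false positives, which is why rob moves those hits aside instead of deleting them.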
[Clamav-devel] New phishing method...doubts
Hello,

By accident I entered the archive of clamav-devel and found a message called "New phishing detection algorithm in cvs version of clamav" which I thought was very interesting, so I decided to subscribe to this mailing list to clear up some doubts, if you can clear them for me. :)

This module to detect Phishing attacks is basically based on normalization of url's, correct?

1) Does this module work in Windows or Linux, or both?
2) Does this module analyze the thread when they are received in the mua (firebird, outlook, etc) or browser (Firefox, IE, etc)?
3) If in mua, which are supported? Firebird? Outlook express?
4) If in browser, which are supported? Firefox? IE?
5) In some parts of the document the words "realurl" and "displayurl" are used, what do you mean with that? What kind of discrepancies are compared to find a real or displayed (fake) url?

Thank you and sorry for dumb questions,

OBS: Török Edvin the idea of an anti phishing is very good, and the tests made by Ian Castle are very interesting too.

Cheers