clamav-users June 2008 archive

[Clamav-users] Creating custom Phish DB signatures (pdb format)

From: Srinivasan Krishnan <srini.coder_at_nospam>
Date: Mon Jun 23 2008 - 11:09:25 GMT
To: clamav-users@lists.clamav.net


Hi all,

I've been frantically grazing through the ClamAV mail archives and Googling to find out how to make regex work with pdb (phishing database) files. I'm using ClamAV version 0.93 on a Linux platform.

I was reading the phishsigs_howto.pdf included in the ClamAV tarball.

My custom domainlist test.pdb contains:
---

R:.+\.paypal\.com:.+\.yahoo\.com
---

The email file which I need to scan is:
---

Subject: test mail
Content-Type: text/html

<html>
Click here
<a href="paypal.com">yahoo.com</a>
</html>
---

But somehow ClamAV doesn't detect the mail as a virus. In contrast, if I use "H:yahoo.com" in test.pdb, the mail is detected as a virus under Phishing.SpoofedDomain.

As a side note, I've also tried "R .+ .+\.paypal\.com" as an entry in the test.pdb (as the phishsigs_howto.pdf document says). But it is of no use.

Can someone please enlighten me why this wouldn't work?

Thanks,
Srini
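
An offline check of the entries in this post against the sample mail, added here as an example; it is not part of the original message and not ClamAV code. It assumes a simplified model: an `R:` regex is matched, anchored at both ends, against the href and the link text joined by a colon, an `H:` entry is compared with the link text, and Python's `re` stands in for ClamAV's regex engine. The helper names and the third entry are constructed for illustration.

```python
import re
from html.parser import HTMLParser

class LinkPairs(HTMLParser):
    """Collect (href, link text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append((self._href, "".join(self._text).strip()))
            self._href = None

def entry_matches(entry, real, displayed):
    """Assumed model of a .pdb line, not ClamAV's actual matcher."""
    kind, _, rest = entry.partition(":")
    if kind == "H":   # literal displayed hostname
        return displayed == rest
    if kind == "R":   # regex over "real:displayed", anchored at both ends
        return re.fullmatch(rest, f"{real}:{displayed}") is not None
    raise ValueError(f"unsupported entry: {entry!r}")

def check(entries, html):
    """Map each entry to the link pairs it matches in the HTML body."""
    parser = LinkPairs()
    parser.feed(html)
    parser.close()
    return {e: [p for p in parser.pairs if entry_matches(e, *p)] for e in entries}

# Body of the sample mail from the post.
MAIL_BODY = '<html>\nClick here\n<a href="paypal.com">yahoo.com</a>\n</html>'
POSTED_R = r"R:.+\.paypal\.com:.+\.yahoo\.com"            # entry from the post
POSTED_H = "H:yahoo.com"                                  # entry from the post
OPTIONAL_SUB = r"R:(.+\.)?paypal\.com:(.+\.)?yahoo\.com"  # constructed variant

if __name__ == "__main__":
    for entry, hits in check([POSTED_R, POSTED_H, OPTIONAL_SUB], MAIL_BODY).items():
        print(f"{entry:45} -> {hits}")
```

In this model the posted `R:` entry finds nothing because `.+\.` demands at least one subdomain label before `paypal.com` and `yahoo.com`, and the sample link has none on either side; the `H:` entry and the optional-subdomain variant both match the link.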


