> > Can someone please tell me how ClamAV goes about phishing detection? I
> > presume it has something to do with libcurl going out to a web site and
> > some checks being performed on whatever is returned.
>
> Not normally... most phishing detection is done by matching text/html
> that is common, looks odd or bad spelling in the email.
>
> > We have had several phishes get through -- most appear to be Google, About,
> > or Ebay redirects, such as:
> >
> > href="http://www.google.com/url?sa=U&q=http://81.196.204.130:82/webscr/index.php"
> > (A PayPal phish.)
>
> Well, the above is just using Google to re-direct to the phishing site.

Yep - things like that are easily managed with SURBL capability as described at surbl.org. Accounts for more than half the spam blocked here with very low false positives.

dp
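The lookup described in the reply above, as an added example that is not part of the original thread or of ClamAV: it unwraps the redirect quoted in the thread and builds the DNS names a SURBL client would query. The redirector parameter list, the two-label domain shortcut and the function names are assumptions, and no DNS query is sent.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

SURBL_ZONE = "multi.surbl.org"        # SURBL's combined lookup zone
REDIRECT_PARAMS = ("q", "url", "u")   # assumed redirector parameter names
HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)
# The redirect quoted in the thread above.
SAMPLE = ('<a href="http://www.google.com/url?sa=U&q='
          'http://81.196.204.130:82/webscr/index.php">PayPal</a>')

def embedded_urls(url, max_depth=3):
    """Return url plus any URLs nested in its redirector parameters."""
    chain = [url]
    for _ in range(max_depth):
        query = parse_qs(urlsplit(chain[-1]).query)
        inner = [v for p in REDIRECT_PARAMS for v in query.get(p, [])
                 if v.lower().startswith(("http://", "https://"))]
        if not inner:
            break
        chain.append(inner[0])
    return chain

def surbl_name(url):
    """Build the DNS name to look up for the host of url, or None."""
    host = urlsplit(url).hostname
    if not host:
        return None
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Simplification: use the last two labels as the registered domain.
        # A real client needs SURBL's two-level-TLD list (e.g. for co.uk).
        return ".".join(host.rstrip(".").split(".")[-2:]) + "." + SURBL_ZONE
    if ip.version != 4:
        return None
    # IPv4 hosts are queried with their octets reversed.
    return ".".join(reversed(host.split("."))) + "." + SURBL_ZONE

def surbl_lookups(html):
    """List the SURBL query names for every link in an HTML body."""
    names = []
    for href in HREF_RE.findall(html):
        for url in embedded_urls(href.replace("&amp;", "&")):
            name = surbl_name(url)
            if name and name not in names:
                names.append(name)
    return names
```

Calling `surbl_lookups(SAMPLE)` yields one name for the Google redirector and one for the embedded IP host; the second is the one a listing would match.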