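/*
 * phishingScan - run the phishing heuristics over the links collected from
 * one HTML/mail part.
 *
 * m, dir  not used by this function; kept so the caller's signature is
 *         unchanged.
 * ctx     scan context. ctx->engine->phishcheck carries the phishing engine
 *         state (NULL or is_disabled => nothing is scanned), ctx->options the
 *         CL_SCAN_PHISHING_* switches, *ctx->virname receives the heuristic
 *         name of a hit.
 * hrefs   tag/value/contents triples from the HTML normaliser. For every
 *         entry value[i] is the attribute value (the "real" link) and
 *         contents[i] the blob of displayed text; entries with a NULL
 *         contents blob are skipped.
 *
 * Returns CL_CLEAN when the engine is disabled, when a contents blob is not
 * NUL-terminated, or when no link triggers a heuristic. Otherwise the name of
 * the first heuristic that fires is stored in *ctx->virname and the result of
 * found_possibly_unwanted(ctx) is returned; remaining links are not examined.
 */
int phishingScan(message* m,const char* dir,cli_ctx* ctx,tag_arguments_t* hrefs)
{
	int i;
	struct phishcheck* pchk = (struct phishcheck*) ctx->engine->phishcheck;

	(void)m;
	(void)dir;

	/* check for status of whitelist fatal error, etc. */
	if(!pchk || pchk->is_disabled)
		return CL_CLEAN;

	if(!ctx->found_possibly_unwanted)
		*ctx->virname=NULL;

	for(i=0;i<hrefs->count;i++) {
		struct url_check urls;
		enum phish_status rc;
		size_t dlen;

		if(!hrefs->contents[i]) {
			/* NOTE(review): this fires for tags whose name is NOT "href", which
			 * reads inverted relative to the message - confirm the intent. */
			if(strcmp((char*)hrefs->tag[i],"href"))
				cli_dbgmsg("Phishcheck: href with no contents?\n");
			continue;
		}

		urls.always_check_flags = DOMAINLIST_REQUIRED;/* required to work correctly */
		/* CHECK_SSL is dropped for tags that do not start with href_text */
		urls.flags	 = strncmp((char*)hrefs->tag[i],href_text,href_text_len)? (CL_PHISH_ALL_CHECKS&~CHECK_SSL): CL_PHISH_ALL_CHECKS;
		urls.link_type   = 0;
		if(!strncmp((char*)hrefs->tag[i],src_text,src_text_len)) {
			/* src= links are only looked at when image URL checking is on */
			if (!(urls.flags&CHECK_IMG_URL))
				continue;
			urls.link_type |= LINKTYPE_IMAGE;
		}
		if (ctx->options&CL_SCAN_PHISHING_DOMAINLIST)
			urls.flags |= DOMAINLIST_REQUIRED;
		if (ctx->options & CL_SCAN_PHISHING_BLOCKSSL)
			urls.always_check_flags |= CHECK_SSL;
		if (ctx->options & CL_SCAN_PHISHING_BLOCKCLOAK)
			urls.always_check_flags |= CHECK_CLOAKING;

		string_init_c(&urls.realLink,(char*)hrefs->value[i]);
		string_init_c(&urls.displayLink,(char*)blobGetData(hrefs->contents[i]));
		string_init_c(&urls.pre_fixup.pre_displayLink, NULL);

		/* The blob data is treated as a C string from here on, so its last
		 * byte must be the terminating NUL. An empty blob has no terminator
		 * at all; bail out the same way instead of indexing data[-1]. */
		dlen = blobGetDataSize(hrefs->contents[i]);
		if (dlen == 0 || urls.displayLink.data[dlen-1]) {
			cli_warnmsg("urls.displayLink.data[...]");
			return CL_CLEAN;
		}

		urls.realLink.refcount=-1;
		urls.displayLink.refcount=-1;/*don't free these, caller will free*/
		/* for any tag other than "href" the attribute value and the element
		 * contents swap roles before the check */
		if(strcmp((char*)hrefs->tag[i],"href")) {
			char *url = urls.realLink.data;
			urls.realLink.data = urls.displayLink.data;
			urls.displayLink.data = url;
		}

		rc = phishingCheck(ctx->engine,&urls);
		/* release whatever phishingCheck attached to urls before any return,
		 * including the runtime-disable path right below */
		free_if_needed(&urls);
		if(pchk->is_disabled)
			return CL_CLEAN;
		cli_dbgmsg("Phishcheck: Phishing scan result: %s\n",phishing_ret_toString(rc));

		switch(rc) { /*TODO: support flags from ctx->options,*/
		case CL_PHISH_CLEAN:
		case CL_PHISH_CLEANUP_OK:
		case CL_PHISH_HOST_OK:
		case CL_PHISH_DOMAIN_OK:
		case CL_PHISH_REDIR_OK:
		case CL_PHISH_HOST_REDIR_OK:
		case CL_PHISH_DOMAIN_REDIR_OK:
		case CL_PHISH_HOST_REVERSE_OK:
		case CL_PHISH_DOMAIN_REVERSE_OK:
		case CL_PHISH_WHITELISTED:
		case CL_PHISH_HOST_WHITELISTED:
		case CL_PHISH_MAILTO_OK:
		case CL_PHISH_TEXTURL:
		case CL_PHISH_HOST_NOT_LISTED:
		case CL_PHISH_CLEAN_CID:
			continue; /* next link; the loop, not the switch */
		case CL_PHISH_HEX_URL:
			*ctx->virname="Phishing.Heuristics.Email.HexURL";
			return found_possibly_unwanted(ctx);
		case CL_PHISH_NUMERIC_IP:
			*ctx->virname="Phishing.Heuristics.Email.Cloaked.NumericIP";
			return found_possibly_unwanted(ctx);
		case CL_PHISH_CLOAKED_NULL:
			*ctx->virname="Phishing.Heuristics.Email.Cloaked.Null";/*http://www.real.com%01%[email protected]*/
			return found_possibly_unwanted(ctx);
		case CL_PHISH_SSL_SPOOF:
			*ctx->virname="Phishing.Heuristics.Email.SSL-Spoof";
			return found_possibly_unwanted(ctx);
		case CL_PHISH_CLOAKED_UIU:
			*ctx->virname="Phishing.Heuristics.Email.Cloaked.Username";/*http://[email protected]*/
			return found_possibly_unwanted(ctx);
		case CL_PHISH_NOMATCH:
		default:
			*ctx->virname="Phishing.Heuristics.Email.SpoofedDomain";
			return found_possibly_unwanted(ctx);
		}
	}
	return CL_CLEAN;
}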
ファイル: phishcheck.c プロジェクト: rossguide/clamav-devel
/* -------end runtime disable---------*/
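/*
 * phishingScan - run the phishing heuristics over the links collected from
 * one HTML/mail part.
 *
 * ctx    scan context. ctx->engine->phishcheck carries the phishing engine
 *        state (NULL or is_disabled => nothing is scanned) and ctx->options
 *        the CL_SCAN_PHISHING_* switches.
 * hrefs  tag/value/contents triples from the HTML normaliser: value[i] is the
 *        attribute value (the "real" link), contents[i] the displayed text.
 *        NOTE(review): contents[i] is passed straight to string_init_c;
 *        nothing here guards against a NULL or unterminated entry - confirm
 *        the normaliser guarantees both.
 *
 * Returns CL_CLEAN when the engine is disabled or no link triggers a
 * heuristic. On the first hit the heuristic name is recorded through
 * cli_append_virus() and cli_found_possibly_unwanted(ctx) is returned;
 * remaining links are not examined.
 */
int phishingScan(cli_ctx* ctx,tag_arguments_t* hrefs)
{
	/* TODO: get_host and then apply regex, etc. */
	int i;
	struct phishcheck* pchk = (struct phishcheck*) ctx->engine->phishcheck;

	/* check for status of whitelist fatal error, etc. */
	if(!pchk || pchk->is_disabled)
		return CL_CLEAN;

	if(!ctx->found_possibly_unwanted && !SCAN_ALL)
		*ctx->virname=NULL;

	for(i=0;i<hrefs->count;i++) {
		struct url_check urls;
		enum phish_status rc;

		/* CHECK_SSL is dropped for tags that do not start with href_text */
		urls.flags	 = strncmp((char*)hrefs->tag[i],href_text,href_text_len)? (CL_PHISH_ALL_CHECKS&~CHECK_SSL): CL_PHISH_ALL_CHECKS;
		urls.link_type   = 0;
		if(!strncmp((char*)hrefs->tag[i],src_text,src_text_len)) {
			/* src= links are only looked at when image URL checking is on */
			if (!(urls.flags&CHECK_IMG_URL))
				continue;
			urls.link_type |= LINKTYPE_IMAGE;
		}
		urls.always_check_flags = 0;
		if (ctx->options & CL_SCAN_PHISHING_BLOCKSSL)
			urls.always_check_flags |= CHECK_SSL;
		if (ctx->options & CL_SCAN_PHISHING_BLOCKCLOAK)
			urls.always_check_flags |= CHECK_CLOAKING;

		string_init_c(&urls.realLink,(char*)hrefs->value[i]);
		string_init_c(&urls.displayLink, (char*)hrefs->contents[i]);
		string_init_c(&urls.pre_fixup.pre_displayLink, NULL);

		urls.realLink.refcount=-1;
		urls.displayLink.refcount=-1;/*don't free these, caller will free*/
		/* for any tag other than "href" the attribute value and the element
		 * contents swap roles before the check */
		if(strcmp((char*)hrefs->tag[i],"href")) {
			char *url = urls.realLink.data;
			urls.realLink.data = urls.displayLink.data;
			urls.displayLink.data = url;
		}

		rc = phishingCheck(ctx->engine,&urls);
		/* release whatever phishingCheck attached to urls before any return,
		 * including the runtime-disable path right below */
		free_if_needed(&urls);
		if(pchk->is_disabled)
			return CL_CLEAN;
		cli_dbgmsg("Phishcheck: Phishing scan result: %s\n",phishing_ret_toString(rc));

		switch(rc) { /*TODO: support flags from ctx->options,*/
		case CL_PHISH_CLEAN:
			continue; /* next link; the loop, not the switch */
		case CL_PHISH_NUMERIC_IP:
			cli_append_virus(ctx, "Heuristics.Phishing.Email.Cloaked.NumericIP");
			break;
		case CL_PHISH_CLOAKED_NULL:
			cli_append_virus(ctx, "Heuristics.Phishing.Email.Cloaked.Null");/*fakesite%01%[email protected]*/
			break;
		case CL_PHISH_SSL_SPOOF:
			cli_append_virus(ctx, "Heuristics.Phishing.Email.SSL-Spoof");
			break;
		case CL_PHISH_CLOAKED_UIU:
			cli_append_virus(ctx, "Heuristics.Phishing.Email.Cloaked.Username");/*http://[email protected]*/
			break;
		case CL_PHISH_HASH0:
			cli_append_virus(ctx, "Heuristics.Safebrowsing.Suspected-malware_safebrowsing.clamav.net");
			break;
		case CL_PHISH_HASH1:
			cli_append_virus(ctx, "Heuristics.Phishing.URL.Blacklisted");
			break;
		case CL_PHISH_HASH2:
			cli_append_virus(ctx, "Heuristics.Safebrowsing.Suspected-phishing_safebrowsing.clamav.net");
			break;
		case CL_PHISH_NOMATCH:
		default:
			cli_append_virus(ctx, "Heuristics.Phishing.Email.SpoofedDomain");
			break;
		}
		/* every non-clean status above falls out of the switch to here */
		return cli_found_possibly_unwanted(ctx);
	}
	return CL_CLEAN;
}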