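/*
 * phishingScan - run the phishing heuristics over every href/src pair
 * collected from a message's HTML.
 *
 * m, dir: not used in this body (kept for the caller's interface).
 * ctx:    scan context; ctx->engine->phishcheck holds the module state,
 *         ctx->options selects optional checks and *ctx->virname receives
 *         the heuristic name when a check fires.
 * hrefs:  tag/value/contents triples from the HTML normaliser; contents[i]
 *         is a blob that must hold a NUL-terminated string (checked below).
 *
 * Returns CL_CLEAN, or the result of found_possibly_unwanted() after the
 * first link that triggers a heuristic (the scan stops at the first hit).
 * Also returns CL_CLEAN without a verdict when the module is disabled or
 * when a link's display text is not a usable NUL-terminated string.
 */
int phishingScan(message* m,const char* dir,cli_ctx* ctx,tag_arguments_t* hrefs)
{
	int i;
	struct phishcheck* pchk = (struct phishcheck*) ctx->engine->phishcheck;

	(void)m;
	(void)dir;

	/* check for status of whitelist fatal error, etc. */
	if(!pchk || pchk->is_disabled)
		return CL_CLEAN;

	if(!ctx->found_possibly_unwanted)
		*ctx->virname=NULL;

	for(i=0;i<hrefs->count;i++) {
		struct url_check urls;
		enum phish_status rc;
		size_t display_len;

		if(!hrefs->contents[i]) {
			/* NOTE(review): this fires for tags other than "href"; the
			 * message text suggests the opposite may have been intended. */
			if(strcmp((char*)hrefs->tag[i],"href"))
				cli_dbgmsg("Phishcheck: href with no contents?\n");
			continue;
		}

		urls.always_check_flags = DOMAINLIST_REQUIRED;/* required to work correctly */
		/* SSL checks only apply to real hyperlinks, not to other tags */
		urls.flags = strncmp((char*)hrefs->tag[i],href_text,href_text_len)?
			(CL_PHISH_ALL_CHECKS&~CHECK_SSL): CL_PHISH_ALL_CHECKS;
		urls.link_type = 0;
		if(!strncmp((char*)hrefs->tag[i],src_text,src_text_len)) {
			if (!(urls.flags&CHECK_IMG_URL))
				continue;
			urls.link_type |= LINKTYPE_IMAGE;
		}
		if (ctx->options&CL_SCAN_PHISHING_DOMAINLIST)
			urls.flags |= DOMAINLIST_REQUIRED;
		if (ctx->options & CL_SCAN_PHISHING_BLOCKSSL) {
			urls.always_check_flags |= CHECK_SSL;
		}
		if (ctx->options & CL_SCAN_PHISHING_BLOCKCLOAK) {
			urls.always_check_flags |= CHECK_CLOAKING;
		}

		string_init_c(&urls.realLink,(char*)hrefs->value[i]);
		string_init_c(&urls.displayLink,(char*)blobGetData(hrefs->contents[i]));
		string_init_c(&urls.pre_fixup.pre_displayLink, NULL);

		/* The display text is handled as a C string below, so the blob
		 * must end in a NUL. A zero-length blob has no terminator at all
		 * and must not be indexed at [size-1] (that would read before
		 * the buffer), so treat it the same as an unterminated one. */
		display_len = blobGetDataSize(hrefs->contents[i]);
		if (display_len == 0 || urls.displayLink.data[display_len-1]) {
			cli_warnmsg("urls.displayLink.data[...]");
			return CL_CLEAN;
		}

		urls.realLink.refcount=-1;
		urls.displayLink.refcount=-1;/*don't free these, caller will free*/

		/* for non-href tags the roles of the two strings are swapped */
		if(strcmp((char*)hrefs->tag[i],"href")) {
			char *url;
			url = urls.realLink.data;
			urls.realLink.data = urls.displayLink.data;
			urls.displayLink.data = url;
		}

		rc = phishingCheck(ctx->engine,&urls);
		/* NOTE(review): returning here skips free_if_needed(); whether
		 * phishingCheck() can leave allocated state in urls on this path
		 * is not visible from here - confirm before relying on it. */
		if(pchk->is_disabled)
			return CL_CLEAN;
		free_if_needed(&urls);

		cli_dbgmsg("Phishcheck: Phishing scan result: %s\n",phishing_ret_toString(rc));

		switch(rc)/*TODO: support flags from ctx->options,*/ {
		case CL_PHISH_CLEAN:
		case CL_PHISH_CLEANUP_OK:
		case CL_PHISH_HOST_OK:
		case CL_PHISH_DOMAIN_OK:
		case CL_PHISH_REDIR_OK:
		case CL_PHISH_HOST_REDIR_OK:
		case CL_PHISH_DOMAIN_REDIR_OK:
		case CL_PHISH_HOST_REVERSE_OK:
		case CL_PHISH_DOMAIN_REVERSE_OK:
		case CL_PHISH_WHITELISTED:
		case CL_PHISH_HOST_WHITELISTED:
		case CL_PHISH_MAILTO_OK:
		case CL_PHISH_TEXTURL:
		case CL_PHISH_HOST_NOT_LISTED:
		case CL_PHISH_CLEAN_CID:
			/* nothing suspicious about this link; look at the next one */
			continue;
		case CL_PHISH_HEX_URL:
			*ctx->virname="Phishing.Heuristics.Email.HexURL";
			return found_possibly_unwanted(ctx);
		case CL_PHISH_NUMERIC_IP:
			*ctx->virname="Phishing.Heuristics.Email.Cloaked.NumericIP";
			return found_possibly_unwanted(ctx);
		case CL_PHISH_CLOAKED_NULL:
			/* e.g. http://www.real.com%01%... followed by '@' and the
			 * actual host (the example in the original comment was mangled) */
			*ctx->virname="Phishing.Heuristics.Email.Cloaked.Null";
			return found_possibly_unwanted(ctx);
		case CL_PHISH_SSL_SPOOF:
			*ctx->virname="Phishing.Heuristics.Email.SSL-Spoof";
			return found_possibly_unwanted(ctx);
		case CL_PHISH_CLOAKED_UIU:
			/* e.g. http://<user-part>@<actual host> */
			*ctx->virname="Phishing.Heuristics.Email.Cloaked.Username";
			return found_possibly_unwanted(ctx);
		case CL_PHISH_NOMATCH:
		default:
			*ctx->virname="Phishing.Heuristics.Email.SpoofedDomain";
			return found_possibly_unwanted(ctx);
		}
	}
	return CL_CLEAN;
}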
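/* -------end runtime disable---------*/

/*
 * phish_status_virname - map a phishingCheck() verdict to the heuristic
 * signature name to report.
 *
 * rc: the verdict returned by phishingCheck().
 *
 * Returns NULL for CL_PHISH_CLEAN (nothing to report); every other value,
 * including CL_PHISH_NOMATCH and any status not listed here, maps to a
 * signature name, with "SpoofedDomain" as the catch-all.
 */
static const char *phish_status_virname(enum phish_status rc)
{
	switch(rc) {
	case CL_PHISH_CLEAN:
		return NULL;
	case CL_PHISH_NUMERIC_IP:
		return "Heuristics.Phishing.Email.Cloaked.NumericIP";
	case CL_PHISH_CLOAKED_NULL:
		/* e.g. fakesite%01%... followed by '@' and the actual host
		 * (the example in the original comment was mangled) */
		return "Heuristics.Phishing.Email.Cloaked.Null";
	case CL_PHISH_SSL_SPOOF:
		return "Heuristics.Phishing.Email.SSL-Spoof";
	case CL_PHISH_CLOAKED_UIU:
		/* e.g. http://<user-part>@<actual host> */
		return "Heuristics.Phishing.Email.Cloaked.Username";
	case CL_PHISH_HASH0:
		return "Heuristics.Safebrowsing.Suspected-malware_safebrowsing.clamav.net";
	case CL_PHISH_HASH1:
		return "Heuristics.Phishing.URL.Blacklisted";
	case CL_PHISH_HASH2:
		return "Heuristics.Safebrowsing.Suspected-phishing_safebrowsing.clamav.net";
	case CL_PHISH_NOMATCH:
	default:
		return "Heuristics.Phishing.Email.SpoofedDomain";
	}
}

/*
 * phishingScan - run the phishing heuristics over every href/src pair
 * collected from a message's HTML.
 *
 * ctx:   scan context; ctx->engine->phishcheck holds the module state,
 *        ctx->options selects optional checks and cli_append_virus() is
 *        used to record a hit.
 * hrefs: tag/value/contents triples from the HTML normaliser; contents[i]
 *        is used directly as the link's display text.
 *
 * Returns CL_CLEAN when no link triggers a heuristic or the module is
 * disabled, otherwise the result of cli_found_possibly_unwanted() after the
 * first link that does (the scan stops at the first hit).
 *
 * A previously #if 0'd block that read test URLs from a hard-coded home
 * directory path was removed: it was never compiled, and its unchecked
 * fgets()/strcpy() handling is not something to keep around.
 */
int phishingScan(cli_ctx* ctx,tag_arguments_t* hrefs)
{
	/* TODO: get_host and then apply regex, etc. */
	int i;
	struct phishcheck* pchk = (struct phishcheck*) ctx->engine->phishcheck;

	/* check for status of whitelist fatal error, etc. */
	if(!pchk || pchk->is_disabled)
		return CL_CLEAN;

	if(!ctx->found_possibly_unwanted && !SCAN_ALL)
		*ctx->virname=NULL;

	for(i=0;i<hrefs->count;i++) {
		struct url_check urls;
		enum phish_status rc;
		const char *virname;

		/* SSL checks only apply to real hyperlinks, not to other tags */
		urls.flags = strncmp((char*)hrefs->tag[i],href_text,href_text_len)?
			(CL_PHISH_ALL_CHECKS&~CHECK_SSL): CL_PHISH_ALL_CHECKS;
		urls.link_type = 0;
		if(!strncmp((char*)hrefs->tag[i],src_text,src_text_len)) {
			if (!(urls.flags&CHECK_IMG_URL))
				continue;
			urls.link_type |= LINKTYPE_IMAGE;
		}

		urls.always_check_flags = 0;
		if (ctx->options & CL_SCAN_PHISHING_BLOCKSSL) {
			urls.always_check_flags |= CHECK_SSL;
		}
		if (ctx->options & CL_SCAN_PHISHING_BLOCKCLOAK) {
			urls.always_check_flags |= CHECK_CLOAKING;
		}

		string_init_c(&urls.realLink,(char*)hrefs->value[i]);
		string_init_c(&urls.displayLink, (char*)hrefs->contents[i]);
		string_init_c(&urls.pre_fixup.pre_displayLink, NULL);
		urls.realLink.refcount=-1;
		urls.displayLink.refcount=-1;/*don't free these, caller will free*/

		/* for non-href tags the roles of the two strings are swapped */
		if(strcmp((char*)hrefs->tag[i],"href")) {
			char *url;
			url = urls.realLink.data;
			urls.realLink.data = urls.displayLink.data;
			urls.displayLink.data = url;
		}

		rc = phishingCheck(ctx->engine,&urls);
		/* NOTE(review): returning here skips free_if_needed(); whether
		 * phishingCheck() can leave allocated state in urls on this path
		 * is not visible from here - confirm before relying on it. */
		if(pchk->is_disabled)
			return CL_CLEAN;
		free_if_needed(&urls);

		cli_dbgmsg("Phishcheck: Phishing scan result: %s\n",phishing_ret_toString(rc));

		/* TODO: support flags from ctx->options */
		virname = phish_status_virname(rc);
		if(!virname)
			continue;
		cli_append_virus(ctx, virname);
		return cli_found_possibly_unwanted(ctx);
	}
	return CL_CLEAN;
}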