/*
 * Compare the contents of two blobs.
 *
 * Both pointers must be non-NULL (enforced with assert()).
 *
 * Returns 0 when the blobs are the same object or hold the same bytes,
 * 1 when their sizes differ, and otherwise the non-zero memcmp() result.
 */
int blobcmp(const blob *b1, const blob *b2)
{
    size_t len1, len2;

    assert(b1 != NULL);
    assert(b2 != NULL);

    /* A blob is trivially equal to itself. */
    if (b1 == b2) {
        return 0;
    }

    len1 = blobGetDataSize(b1);
    len2 = blobGetDataSize(b2);
    if (len1 != len2) {
        return 1;
    }

    /*
     * The sizes are equal at this point, so a single zero test covers both.
     * Two empty blobs compare equal without their data pointers being read.
     */
    if (len1 == 0) {
        return 0;
    }

    return memcmp(blobGetData(b1), blobGetData(b2), len1);
}
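/*
 * Run the phishing heuristics over every link collected in `hrefs`.
 *
 * m     - not used in this function body.
 * dir   - not used in this function body.
 * ctx   - scan context; supplies the engine, the scan options and the
 *         virname slot that receives the heuristic name on a detection.
 * hrefs - parallel arrays (tag / value / contents) describing each link.
 *
 * Returns CL_CLEAN when the phishing checker is missing or disabled, when a
 * display-link blob is empty or not NUL-terminated, or when no link triggers
 * a heuristic. Otherwise sets *ctx->virname and returns the result of
 * found_possibly_unwanted(ctx).
 */
int phishingScan(message* m,const char* dir,cli_ctx* ctx,tag_arguments_t* hrefs)
{
    int i;
    struct phishcheck* pchk = (struct phishcheck*) ctx->engine->phishcheck;

    /* check for status of whitelist fatal error, etc. */
    if (!pchk || pchk->is_disabled) {
        return CL_CLEAN;
    }

    /* Keep an earlier "possibly unwanted" name; otherwise start clean. */
    if (!ctx->found_possibly_unwanted) {
        *ctx->virname = NULL;
    }

    for (i = 0; i < hrefs->count; i++) {
        struct url_check urls;
        enum phish_status rc;
        size_t display_len;

        if (!hrefs->contents[i]) {
            /*
             * NOTE(review): the message is logged when the tag is NOT
             * exactly "href" (strcmp() != 0), which reads inverted relative
             * to its text. Kept as in the original; confirm the intent.
             */
            if (strcmp((char*)hrefs->tag[i], "href")) {
                cli_dbgmsg("Phishcheck: href with no contents?\n");
            }
            continue;
        }

        urls.always_check_flags = DOMAINLIST_REQUIRED; /* required to work correctly */
        /* Tags that do not start with href_text are checked without CHECK_SSL. */
        urls.flags = strncmp((char*)hrefs->tag[i], href_text, href_text_len)
                         ? (CL_PHISH_ALL_CHECKS & ~CHECK_SSL)
                         : CL_PHISH_ALL_CHECKS;
        urls.link_type = 0;

        /* Tags starting with src_text are only checked when CHECK_IMG_URL is on. */
        if (!strncmp((char*)hrefs->tag[i], src_text, src_text_len)) {
            if (!(urls.flags & CHECK_IMG_URL)) {
                continue;
            }
            urls.link_type |= LINKTYPE_IMAGE;
        }

        if (ctx->options & CL_SCAN_PHISHING_DOMAINLIST) {
            urls.flags |= DOMAINLIST_REQUIRED;
        }
        if (ctx->options & CL_SCAN_PHISHING_BLOCKSSL) {
            urls.always_check_flags |= CHECK_SSL;
        }
        if (ctx->options & CL_SCAN_PHISHING_BLOCKCLOAK) {
            urls.always_check_flags |= CHECK_CLOAKING;
        }

        string_init_c(&urls.realLink, (char*)hrefs->value[i]);
        string_init_c(&urls.displayLink, (char*)blobGetData(hrefs->contents[i]));
        string_init_c(&urls.pre_fixup.pre_displayLink, NULL);

        /*
         * The display link is used as a C string below, so its blob must end
         * in a NUL byte. The blob content is derived from the scanned
         * message, so an empty blob or a NULL data pointer is rejected first:
         * indexing with (size - 1) on a zero size would wrap around and read
         * far outside the buffer.
         *
         * NOTE(review): returning CL_CLEAN here ends the scan for all
         * remaining links as well; confirm that skipping only this entry
         * (continue) would not be the safer choice.
         */
        display_len = blobGetDataSize(hrefs->contents[i]);
        if (display_len == 0 || urls.displayLink.data == NULL ||
            urls.displayLink.data[display_len - 1]) {
            cli_warnmsg("urls.displayLink.data[...]");
            return CL_CLEAN;
        }

        urls.realLink.refcount = -1;
        urls.displayLink.refcount = -1; /* don't free these, caller will free */

        /* For any tag other than exactly "href", swap real and display link. */
        if (strcmp((char*)hrefs->tag[i], "href")) {
            char *swap = urls.realLink.data;

            urls.realLink.data = urls.displayLink.data;
            urls.displayLink.data = swap;
        }

        rc = phishingCheck(ctx->engine, &urls);
        /*
         * NOTE(review): this return happens before free_if_needed(&urls).
         * If phishingCheck() allocated anything inside `urls` (for example
         * pre_fixup.pre_displayLink), it is not released on this path.
         * Confirm against phishingCheck()/free_if_needed().
         */
        if (pchk->is_disabled) {
            return CL_CLEAN;
        }
        free_if_needed(&urls);
        cli_dbgmsg("Phishcheck: Phishing scan result: %s\n", phishing_ret_toString(rc));

        switch (rc) /*TODO: support flags from ctx->options,*/
        {
            /* Every verdict in this group moves on to the next link. */
            case CL_PHISH_CLEAN:
            case CL_PHISH_CLEANUP_OK:
            case CL_PHISH_HOST_OK:
            case CL_PHISH_DOMAIN_OK:
            case CL_PHISH_REDIR_OK:
            case CL_PHISH_HOST_REDIR_OK:
            case CL_PHISH_DOMAIN_REDIR_OK:
            case CL_PHISH_HOST_REVERSE_OK:
            case CL_PHISH_DOMAIN_REVERSE_OK:
            case CL_PHISH_WHITELISTED:
            case CL_PHISH_HOST_WHITELISTED:
            case CL_PHISH_MAILTO_OK:
            case CL_PHISH_TEXTURL:
            case CL_PHISH_HOST_NOT_LISTED:
            case CL_PHISH_CLEAN_CID:
                continue;
            case CL_PHISH_HEX_URL:
                *ctx->virname = "Phishing.Heuristics.Email.HexURL";
                return found_possibly_unwanted(ctx);
            case CL_PHISH_NUMERIC_IP:
                *ctx->virname = "Phishing.Heuristics.Email.Cloaked.NumericIP";
                return found_possibly_unwanted(ctx);
            case CL_PHISH_CLOAKED_NULL:
                /* original example (host part obfuscated on this page):
                 * http://www.real.com%01%[email protected] */
                *ctx->virname = "Phishing.Heuristics.Email.Cloaked.Null";
                return found_possibly_unwanted(ctx);
            case CL_PHISH_SSL_SPOOF:
                *ctx->virname = "Phishing.Heuristics.Email.SSL-Spoof";
                return found_possibly_unwanted(ctx);
            case CL_PHISH_CLOAKED_UIU:
                /* original example (host part obfuscated on this page):
                 * http://[email protected] */
                *ctx->virname = "Phishing.Heuristics.Email.Cloaked.Username";
                return found_possibly_unwanted(ctx);
            case CL_PHISH_NOMATCH:
            default:
                /* Any verdict not listed above is reported as a spoofed domain. */
                *ctx->virname = "Phishing.Heuristics.Email.SpoofedDomain";
                return found_possibly_unwanted(ctx);
        }
    }

    return CL_CLEAN;
}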