@@ -47,9 +47,11 @@

 #include "phishcheck.h"

 #include "phish_domaincheck_db.h"

 #include "phish_whitelist.h"

+#include "regex_list.h"

 #include "iana_tld.h"

 #include "iana_cctld.h"

 #include "scanners.h"

+#include "md5.h"

 #define DOMAIN_REAL 1

@@ -737,7 +739,6 @@ int phishingScan(message* m,const char* dir,cli_ctx* ctx,tag_arguments_t* hrefs)

 	if(!ctx->found_possibly_unwanted)

 		*ctx->virname=NULL;

-#if 0

 	FILE *f = fopen("/home/edwin/quarantine/urls","r");

 	if(!f)

 		abort();

@@ -770,7 +771,6 @@ int phishingScan(message* m,const char* dir,cli_ctx* ctx,tag_arguments_t* hrefs)

 	}

 	fclose(f);

 	return 0;

-#endif

 	for(i=0;i<hrefs->count;i++)

 		if(hrefs->contents[i]) {

 			struct url_check urls;

@@ -829,6 +829,9 @@ int phishingScan(message* m,const char* dir,cli_ctx* ctx,tag_arguments_t* hrefs)

 				case CL_PHISH_CLOAKED_UIU:

 					*ctx->virname="Phishing.Heuristics.Email.Cloaked.Username";/*http://www.ebay.com@www.evil.com*/

 					break;

+				case CL_PHISH_HASH:

+					*ctx->virname="Phishing.URL.Blacklisted";

+					break;

 				case CL_PHISH_NOMATCH:

 				default:

 					*ctx->virname="Phishing.Heuristics.Email.SpoofedDomain";

@@ -1177,6 +1180,23 @@ static int whitelist_check(const struct cl_engine* engine,struct url_check* urls

 	return whitelist_match(engine,urls->realLink.data,urls->displayLink.data,hostOnly);

 }

+static int hash_match(const struct regex_matcher *rlist, const char *url, size_t len)

+{

+	unsigned char md5_dig[16];

+	cli_md5_ctx md5;

+

+	if(!rlist->hashes.bm_patterns)

+		return CL_CLEAN;

+

+	cli_md5_init(&md5);

+	cli_md5_update(&md5, url, len);

+	cli_md5_final(md5_dig, &md5);

+	if(cli_bm_scanbuff(md5_dig, 16, NULL, &rlist->hashes,0,0,-1) == CL_VIRUS) {

+		return CL_VIRUS;

+	}

+	return CL_SUCCESS;

+}

+

 /* urls can't contain null pointer, caller must ensure this */

 static enum phish_status phishingCheck(const struct cl_engine* engine,struct url_check* urls)

 {

@@ -1213,6 +1233,10 @@ static enum phish_status phishingCheck(const struct cl_engine* engine,struct url

 	if(whitelist_check(engine, urls, 0))

 		return CL_PHISH_CLEAN;/* if url is whitelisted don't perform further checks */

+	if(hash_match(engine->domainlist_matcher, urls->realLink.data, strlen(urls->realLink.data)) == CL_VIRUS) {

+		cli_dbgmsg("Hash matched for: %s\n", urls->realLink.data);

+		return CL_PHISH_HASH;

+	}

 	url_check_init(&host_url);

 	if((rc = url_get_host(pchk, urls, &host_url, DOMAIN_DISPLAY, &phishy))) {

@@ -26,7 +26,8 @@

 #define CL_PHISH_BASE 100

 enum phish_status {CL_PHISH_NODECISION=0, CL_PHISH_CLEAN=CL_PHISH_BASE,

-	CL_PHISH_CLOAKED_UIU, CL_PHISH_NUMERIC_IP, CL_PHISH_HEX_URL, CL_PHISH_CLOAKED_NULL, CL_PHISH_SSL_SPOOF, CL_PHISH_NOMATCH};

+	CL_PHISH_CLOAKED_UIU, CL_PHISH_NUMERIC_IP, CL_PHISH_HEX_URL, CL_PHISH_CLOAKED_NULL, CL_PHISH_SSL_SPOOF, CL_PHISH_NOMATCH,

+        CL_PHISH_HASH};

 #define CHECK_SSL         1

 #define CHECK_CLOAKING    2

@@ -350,6 +350,9 @@ int init_regex_list(struct regex_matcher* matcher)

 	if((rc = cli_ac_init(&matcher->suffixes, 2, 32))) {

 		return rc;

 	}

+	if(rc = cli_bm_init(&matcher->hashes)) {

+		return rc;

+	}

 	SO_init(&matcher->filter);

 	return CL_SUCCESS;

 }

@@ -394,7 +397,27 @@ static int functionality_level_check(char* line)

 			return CL_EMALFDB;

 		ptmin[-1]='\0';

 		return CL_SUCCESS;

-	}		

+	}

+}

+

+static int add_hash(struct regex_matcher *matcher, char* pattern)

+{

+	int rc;

+	struct cli_bm_patt *pat = cli_calloc(1, sizeof(*pat));

+	if(!pat)

+		return CL_EMEM;

+	pat->pattern = (unsigned char*)cli_hex2str(pattern);

+	if(!pat->pattern)

+		return CL_EMALFDB;

+	pat->length = 16;

+	pat->virname = NULL;

+	if(rc = cli_bm_addpatt(&matcher->hashes, pat)) {

+		cli_errmsg("add_hash: failed to add BM pattern\n");

+		free(pat->pattern);

+		free(pat);

+		return CL_EMALFDB;

+	}

+	return CL_SUCCESS;

 }

@@ -485,8 +508,13 @@ int load_regex_matcher(struct regex_matcher* matcher,FILE* fd,unsigned int optio

 			/*matches displayed host*/

 			if (( rc = add_static_pattern(matcher, pattern) ))

 				return rc==CL_EMEM ? CL_EMEM : CL_EMALFDB;

-		}

-		else {

+		} else if (buffer[0] == 'U' && !is_whitelist) {

+			pattern[pattern_len] = '\0';

+			if (( rc = add_hash(matcher, pattern) )) {

+				cli_errmsg("Error loading at line: %d\n", line);

+				return rc==CL_EMEM ? CL_EMEM : CL_EMALFDB;

+			}

+		} else {

 			return CL_EMALFDB;

 		}

 	}

@@ -545,6 +573,7 @@ void regex_list_done(struct regex_matcher* matcher)

 			free(matcher->all_pregs);

 		}

 		hashtab_free(&matcher->suffix_hash);

+		cli_bm_free(&matcher->hashes);

 		matcher->list_built=0;

 		matcher->list_loaded=0;

 	}

@@ -48,6 +48,7 @@ struct regex_matcher {

 	size_t regex_cnt;

 	regex_t **all_pregs;

 	struct cli_matcher suffixes;

+	struct cli_matcher hashes;

 	struct filter filter;

 	int list_inited:2;

 	int list_loaded:2;