[clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP fixed upstream?

Kris Deugau kdeugau at vianet.ca
Mon Jul 14 11:55:57 EDT 2014


I just came across a FP report for a hit from
Heuristics.Phishing.Email.SpoofedDomain.

On checking the message by hand, it no longer triggers this test, either
on my desktop test/dev system running 0.98.4, or on the production
servers running 0.97.6.

Examining the message by hand, the best guess I can make about the
triggering URL is:

<a href="http://ems1.aeroplan.com/a/l.x?redacted"
style="text-decoration:underline; color:#FF5C00;"><font
color="#FF5C00">tdcanadatrust.com/preauthorizedpayments</font></a>

All of the other links point to the same subdomain/host;  most with
non-URI visible text, and the few that show a domain in the visible text
are all aeroplan.com.

I dug into the upstream signature files to see if I could identify the
whitelist/skip entry that is now allowing this legitimate message
through - the only remotely relevant entry seems to be this:

daily.cld:H:tdcanadatrust.com

(Which I can't quite match to the signature-creating docs - H: entries
seem to require an additional field.)

I also noticed that --debug output from clamscan doesn't even seem to
show *any* checking of URIs in the message.  Rescanning an older FP
whitelisted locally showed quite a few URIs checked, so I don't have
this accidentally disabled.

It's good that this FP is no longer happening but I'd like to know for
sure what it fired on in the first place, and what change from upstream
fixed the FP.

-kgd



More information about the clamav-users mailing list