[clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP fixed upstream?

Al Varnell alvarnell at mac.com
Mon Jul 14 13:03:03 EDT 2014


You have certainly found the correct pair as your message is still showing up immediately as infected here.

Heuristics detections are accomplished by the engine, not a specific signature.  The line you found in daily.hdb identifies this as one of several hundred mostly financial institutions that are analyzed by the heuristics engine for hyperlinks that do not route the user to a web site with the same or a specifically associated URL.  In this case tdcanadatrust.com has not been associated with aeroplan.com by using an "M:" whitelist database record.

I'm not sure why a --debug run didn't show this.  You should see the words "Phishcheck:" and/or "cli_magic_scandesc:" somewhere around those domains, as I always do when I run across such FPs.


-Al-
-- 
Al Varnell
Mountain View, CA

On Mon, Jul 14, 2014 at 08:55 AM, Kris Deugau wrote:
> 
> I just came across a FP report for a hit from
> Heuristics.Phishing.Email.SpoofedDomain.
> 
> On checking the message by hand, it no longer triggers this test, either
> on my desktop test/dev system running 0.98.4, or on the production
> servers running 0.97.6.
> 
> Examining the message by hand, the best guess I can make about the
> triggering URL is:

<snip>

> All of the other links point to the same subdomain/host;  most with
> non-URI visible text, and the few that show a domain in the visible text
> are all aeroplan.com.
> 
> I dug into the upstream signature files to see if I could identify the
> whitelist/skip entry that is now allowing this legitimate message
> through - the only remotely relevant entry seems to be this:
> 
> daily.cld:H:tdcanadatrust.com
> 
> (Which I can't quite match to the signature-creating docs - H: entries
> seem to require an additional field.)
> 
> I also noticed that --debug output from clamscan doesn't even seem to
> show *any* checking of URIs in the message.  Rescanning an older FP
> whitelisted locally showed quite a few URIs checked, so I don't have
> this accidentally disabled.
> 
> It's good that this FP is no longer happening but I'd like to know for
> sure what it fired on in the first place, and what change from upstream
> fixed the FP.
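A simplified model of the check described above, added here as an illustration and not ClamAV's own code: H: records name the hosts the heuristic watches, an M:RealHost:DisplayedHost record whitelists a pair, and a link is flagged only when the visible text carries a domain that differs from the real target and no record associates the two. The database lines and anchors are constructed samples, and the direction of the M: pair (real first, displayed second) is assumed from the signature documentation rather than taken from this thread.

```python
import re

# Constructed sample records in the style of ClamAV's .pdb (H:host) and
# .wdb (M:RealHost:DisplayedHost) files. Assumption: illustrative only,
# not copied from daily.cld.
PDB_LINES = ["H:tdcanadatrust.com"]
WDB_LINES = ["M:tdcanadatrust.com:aeroplan.com"]

# A URL or bare domain-looking text; plain words such as "Click here" do not match.
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def parse_pdb(lines):
    """Hostnames the phishing heuristic watches (H: records)."""
    return {l.split(":", 1)[1].strip().lower() for l in lines if l.startswith("H:")}


def parse_wdb(lines):
    """Allowed (real, displayed) host pairs (M: records)."""
    pairs = set()
    for l in lines:
        if l.startswith("M:"):
            real, shown = l[2:].strip().lower().split(":", 1)
            pairs.add((real, shown))
    return pairs


def host_of(text):
    """Hostname from a URL or from domain-looking visible text; None otherwise."""
    m = HOST_RE.match(text.strip())
    return m.group(1).lower() if m else None


def same_or_sub(host, base):
    """True if host equals base or is a subdomain of it."""
    return host == base or host.endswith("." + base)


def spoofed_domain(href, display, watched, allowed):
    """True if this (href, visible text) pair would be flagged in the model."""
    real, shown = host_of(href), host_of(display)
    if real is None or shown is None:
        return False  # no domain in the visible text: nothing to compare
    if not any(same_or_sub(real, h) or same_or_sub(shown, h) for h in watched):
        return False  # neither side is a watched brand
    if same_or_sub(real, shown) or same_or_sub(shown, real):
        return False  # visible domain agrees with the real target
    if any(same_or_sub(real, r) and same_or_sub(shown, d) for r, d in allowed):
        return False  # the pair is associated by an M: record
    return True


if __name__ == "__main__":
    watched, allowed = parse_pdb(PDB_LINES), parse_wdb(WDB_LINES)
    link = ("http://www.tdcanadatrust.com/offer", "aeroplan.com")
    print("without M: record:", spoofed_domain(*link, watched, set()))
    print("with M: record:   ", spoofed_domain(*link, watched, allowed))
```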
