[clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP fixed upstream?

Kris Deugau kdeugau at vianet.ca
Mon Jul 14 14:37:22 EDT 2014


Al Varnell wrote:
> You have certainly found the correct pair as your message is still showing up immediately as infected here.

... and here, too;  I wondered why my message hadn't shown up in my
clamav mail folder...

> Heuristics detections are accomplished by the engine, not a specific signature.

*nod*

>  The line you found in daily.hdb identifies this as one of several hundred mostly financial institutions that are analyzed by the heuristics engine for hyperlinks that do not route the user to a web site the same or a specifically associated URL.

Ah, OK.

> I’m not sure why a --debug run didn’t show this.  You should see the words "Phishcheck:" and/or "cli_magic_scandesc:" somewhere around those domains, as I always do when I run across such FP’s.

*nod* On re-re-rechecking several times (clamscan --debug <messagefile
|grep -i phish), I noticed this:

Phishcheck:Checking url http://www.w3.org/TR/html4/DTD/strict.dtd">->

(which I'm pretty sure wasn't showing the first five or six times I
tried) but no entry for the tdcanadatrust.com link.  Checking again now,
that link is found too.  I'm not sure what changed, other than the fact
that the message file is now in a subdirectory.  O_o

In any case, I've confirmed the FP link and added a daily.wdb:

X:http\://ems1.aeroplan.com:tdcanadatrust.com


-kgd
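Added example, not part of the thread or of ClamAV itself: a small checker for phishing-whitelist (.wdb) entries of the kind Kris added, useful for confirming that an entry actually covers the (href, link text) pair that triggered Heuristics.Phishing.Email.SpoofedDomain before rolling it out. Assumptions, all taken from the ClamAV signature format as I recall it rather than from the thread: a line is `X:RealURL:DisplayedURL` (URL regexes) or `M:RealHost:DisplayedHost` (hostname regexes), a literal colon inside a field is escaped as `\:`, `#` starts a comment, and the regexes are searched unanchored. The `looks_spoofed` function is a deliberately simplified stand-in for the engine's heuristic (host of the link text differs from, and is not a parent of, the href host); the `M:` entry and all link pairs are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed sample whitelist: the X: line is modelled on the thread's entry,
# the M: (hostname) line and the comment syntax are assumptions.
SAMPLE_WDB = r"""
# constructed example whitelist
X:http\://ems1.aeroplan.com:tdcanadatrust.com
M:mail\.example\.org:example\.org
"""


@dataclass
class WhitelistEntry:
    kind: str              # "X" = URL regexes, "M" = hostname regexes
    real: re.Pattern       # matches the real (href) side
    displayed: re.Pattern  # matches the displayed (link text) side
    raw: str


def split_unescaped(line: str, sep: str = ":") -> list:
    """Split on sep, treating backslash+sep as a literal sep while keeping
    every other backslash so regex escapes such as \\. survive."""
    fields, buf, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            nxt = line[i + 1]
            buf.append(nxt if nxt == sep else ch + nxt)
            i += 2
        elif ch == sep:
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    fields.append("".join(buf))
    return fields


def parse_wdb(text: str) -> list:
    """Parse whitelist text into WhitelistEntry objects; rejects malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = split_unescaped(line)
        if len(fields) != 3 or fields[0] not in ("X", "M"):
            raise ValueError(f"line {lineno}: malformed entry {line!r}")
        kind, real, shown = fields
        entries.append(WhitelistEntry(kind, re.compile(real), re.compile(shown), line))
    return entries


def hostname(text: str) -> str:
    """Host part of a URL or bare domain, lower-cased ('' if there is none)."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def looks_spoofed(real_url: str, displayed: str) -> bool:
    """Simplified stand-in for the SpoofedDomain heuristic (the real engine does
    more): the link text names a host that is neither the href host nor one of
    its parent domains."""
    shown_host = hostname(displayed)
    real_host = hostname(real_url)
    if not shown_host or "." not in shown_host:
        return False  # link text is not a domain, nothing to compare
    return not (real_host == shown_host or real_host.endswith("." + shown_host))


def whitelisted(entries, real_url: str, displayed: str) -> Optional[WhitelistEntry]:
    """First entry whose two regexes both match the pair, or None.
    Assumption: unanchored search semantics; use ^...$ in the entry for exact."""
    for e in entries:
        if e.kind == "X":
            a, b = real_url, displayed
        else:
            a, b = hostname(real_url), hostname(displayed)
        if e.real.search(a) and e.displayed.search(b):
            return e
    return None


def verdict(entries, real_url: str, displayed: str) -> str:
    """'clean', 'suppressed' (heuristic would fire but an entry covers it) or 'spoofed'."""
    if not looks_spoofed(real_url, displayed):
        return "clean"
    return "suppressed" if whitelisted(entries, real_url, displayed) else "spoofed"


if __name__ == "__main__":
    entries = parse_wdb(SAMPLE_WDB)
    # constructed (href, link text) pairs as they would appear in a mail body
    for pair in [("http://ems1.aeroplan.com/track?id=1", "tdcanadatrust.com"),
                 ("http://evil.example.net/login", "tdcanadatrust.com"),
                 ("https://www.tdcanadatrust.com/", "tdcanadatrust.com")]:
        print(f"{pair[0]:40} {pair[1]:20} -> {verdict(entries, *pair)}")
```

Run it as-is to see the three verdicts; to vet a real entry, paste the exact href from `clamscan --debug` output (the `Phishcheck:Checking url ...` line) and the visible link text into the pair list, and check that the result is `suppressed` only for the sender you intend and `spoofed` for a look-alike host, since an overly broad regex on the displayed side would silence the heuristic for every mail that names the bank.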
