[clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP fixed upstream?

Al Varnell alvarnell at mac.com
Mon Jul 14 14:51:11 EDT 2014


OK, I guess that will work, but I don’t think it’s formatted exactly right and as I said before I think an “M:” whitelist record is more appropriate here.

At any rate, I suggest you upload it to <http://www.clamav.net/sendvirus/> using the "Send a false positive report" form so that other users can benefit from this finding.

-Al-

On Mon, Jul 14, 2014 at 11:37 AM, Kris Deugau wrote:
> 
> Al Varnell wrote:
>> You have certainly found the correct pair as your message is still showing up immediately as infected here.
> 
> ... and here, too;  I wondered why my message hadn't shown up in my
> clamav mail folder...
> 
>> Heuristics detections are accomplished by the engine, not a specific signature.
> 
> *nod*
> 
>> The line you found in daily.hdb identifies this as one of several hundred mostly financial institutions that are analyzed by the heuristics engine for hyperlinks that do not route the user to a web site the same or a specifically associated URL.
> 
> Ah, OK.
> 
>> I’m not sure why a --debug run didn’t show this.  You should see the words "Phishcheck:" and/or "cli_magic_scandesc:" somewhere around those domains, as I always do when I run across such FPs.
> 
> *nod* On re-re-rechecking several times (clamscan --debug <messagefile
> |grep -i phish), I noticed this:
> 
> Phishcheck:Checking url http://www.w3.org/TR/html4/DTD/strict.dtd">->
> 
> (which I'm pretty sure wasn't showing the first five or six times I
> tried) but no entry for the tdcanadatrust.com link.  Checking again now,
> that link is found too.  I'm not sure what changed, other than the fact
> that the message file is now in a subdirectory.  O_o
> 
> In any case, I've confirmed the FP link and added a daily.wdb:
> 
> X:http\://ems1.aeroplan.com:tdcanadatrust.com

-Al-
-- 
Al Varnell
Mountain View, CA
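The `X:` record at the end of the quoted message and the `M:` form suggested in the reply, as an added example of how such daily.wdb whitelist records are parsed and applied to an (href, displayed text) pair. This is not ClamAV's own code: the matching rules (X fields as regexes anchored at the start, M fields as whole hostnames) are a simplified assumption, and the sample file content is constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample daily.wdb content (not a real ClamAV file). The X: record
# is the one posted in the thread; the M: record is the hostname-based form.
SAMPLE_WDB = """\
# comments are ignored
X:http\\://ems1.aeroplan.com:tdcanadatrust.com
M:ems1.aeroplan.com:tdcanadatrust.com
"""

def parse_wdb(text):
    """Return (kind, real, displayed) tuples. Fields are ':'-separated, so a
    literal ':' inside a field must be escaped as '\\:' (hence http\\://)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, rest = line.partition(":")
        fields = re.split(r"(?<!\\):", rest)   # split on unescaped ':' only
        if kind not in ("X", "M") or len(fields) < 2:
            raise ValueError(f"malformed .wdb record: {line!r}")
        records.append((kind, fields[0].replace("\\:", ":"),
                        fields[1].replace("\\:", ":")))
    return records

def hostname_of(s):
    """Hostname of a URL, or of bare 'example.com' style link text."""
    return (urlsplit(s if "://" in s else "http://" + s).hostname or "").lower()

def record_matches(record, real_url, displayed):
    """Assumption (simplified from the engine): X fields are regexes matched at
    the start of the real URL and of the displayed text; M fields are compared
    as whole hostnames of the real URL and of the displayed text."""
    kind, real, disp = record
    if kind == "X":
        return bool(re.match(real, real_url) and re.match(disp, displayed))
    return hostname_of(real_url) == real.lower() and hostname_of(displayed) == disp.lower()

def whitelisted_by(records, real_url, displayed):
    """Kind of the first whitelist record covering this (href, link text) pair,
    or None when the phishing heuristic would still compare the two."""
    for rec in records:
        if record_matches(rec, real_url, displayed):
            return rec[0]
    return None

if __name__ == "__main__":
    recs = parse_wdb(SAMPLE_WDB)
    print(whitelisted_by(recs, "http://ems1.aeroplan.com/click?id=1", "tdcanadatrust.com"))
```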