[clamav-users] Bank's newsletter tagged as Heuristics.Phishing.Email

Alessandro Vesely vesely at tana.it
Fri Jul 18 11:09:39 EDT 2014

I use libclamav for email filtering, and wonder how to handle these cases.

Although spammy, that newsletter appears to be fully legitimate.  It
originated from sella.it, and contains several links to that bank's
site, as well as links to facebook, twitter, google+, and youtube.

The message has both Heuristics.Phishing.Email.SpoofedDomain and
Heuristics.Phishing.Email.  Upon social links removal, the message is

I could disable loading phishing urls.  (They were enabled in 0.98.4,
weren't they?  Debian issued that upgrade quite recently.)  Or I can
also enable SafeBrowsing in freshmail.conf.  Or are they two totally
unrelated things?

To work around false positives, I can pass (rather than drop) email
messages having only that kind of "virus", and add a suitable field to
their message header; Bounce-Unless-Auth, say.  A downstream filter
would then recognize that header and reject messages unless it finds
an acceptable authentication (SPF, DKIM, or such).  Doing so has to
rely on virus names.  Am I safe using "Heuristics.*" as a wildcard?
Is there any other method to distinguish phishing from traditional,
low-fp viruses?

Any other suggestion?


More information about the clamav-users mailing list