[clamav-users] Bank's newsletter tagged as Heuristics.Phishing.Email
smorgan at sourcefire.com
Fri Jul 18 13:00:08 EDT 2014
Also, have a look at the document phishsigs_howto.pdf in the ClamAV docs/
directory. It contains some info on identifying the reason for the phish
detection and on how to write whitelist signatures. You should be able to
create a local whitelist, local.wdb for example, and add that to your
database directory rather than modifying daily.wdb.
Hope it helps,
On Fri, Jul 18, 2014 at 11:09 AM, Alessandro Vesely <vesely at tana.it> wrote:
> I use libclamav for email filtering, and wonder how to handle these cases.
> Although spammy, that newsletter appears to be fully legitimate. It
> originated from sella.it, and contains several links to that bank's
> site, as well as links to facebook, twitter, google+, and youtube.
> The message has both Heuristics.Phishing.Email.SpoofedDomain and
> Heuristics.Phishing.Email. Upon social links removal, the message is
> I could disable loading phishing urls. (They were enabled in 0.98.4,
> weren't they? Debian issued that upgrade quite recently.) Or I can
> also enable SafeBrowsing in freshmail.conf. Or are they two totally
> unrelated things?
> To work around false positives, I can pass (rather than drop) email
> messages having only that kind of "virus", and add a suitable field to
> their message header; Bounce-Unless-Auth, say. A downstream filter
> would then recognize that header and reject messages unless it finds
> an acceptable authentication (SPF, DKIM, or such). Doing so has to
> rely on virus names. Am I safe using "Heuristics.*" as a wildcard?
> Is there any other method to distinguish phishing from traditional,
> low-fp viruses?
> Any other suggestion?
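As an added illustration, not part of this thread, here is a small Python policy layer implementing the workaround Alessandro describes: messages whose only hits are phishing heuristics are passed with a Bounce-Unless-Auth header, and a downstream step rejects them unless SPF or DKIM passed. It assumes clamscan-style "name: SIGNATURE FOUND" result lines (the sample lines below are constructed) and matches the narrower "Heuristics.Phishing." prefix rather than "Heuristics.*", because other heuristic families (e.g. Heuristics.Encrypted.Zip, Heuristics.Broken.Executable) are not phishing related.

```python
import re

# Constructed sample of clamscan-style result lines (not real scan output).
SAMPLE_RESULTS = """\
msg-001.eml: Heuristics.Phishing.Email.SpoofedDomain FOUND
msg-001.eml: Heuristics.Phishing.Email FOUND
msg-002.eml: OK
msg-003.eml: Heuristics.Phishing.Email FOUND
msg-003.eml: Eicar-Test-Signature FOUND
"""

RESULT_RE = re.compile(r"^(?P<name>.+?): (?P<sig>.+?) FOUND$")
# Narrower than "Heuristics.*": only the phishing heuristics are low-confidence
# enough to pass through; other Heuristics.* families are left to the normal policy.
PHISH_PREFIX = "Heuristics.Phishing."


def parse_results(text):
    """Map each scanned object to the list of signature names reported for it."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RESULT_RE.match(line)
        if m:
            found.setdefault(m["name"], []).append(m["sig"])
        elif line.endswith(": OK"):
            found.setdefault(line[: -len(": OK")], [])
    return found


def decide(sigs):
    """Return (action, extra_headers): accept clean mail, tag phishing-only
    hits with Bounce-Unless-Auth, reject anything with a non-phishing hit."""
    if not sigs:
        return "accept", {}
    if all(s.startswith(PHISH_PREFIX) for s in sigs):
        return "tag", {"Bounce-Unless-Auth": "yes",
                       "X-Phish-Signatures": ", ".join(sigs)}
    return "reject", {}


def downstream_verdict(headers, auth_results):
    """Downstream filter: honour Bounce-Unless-Auth by delivering only when an
    acceptable authentication (SPF or DKIM pass) was recorded, else reject."""
    if headers.get("Bounce-Unless-Auth") != "yes":
        return "deliver"
    authenticated = auth_results.get("spf") == "pass" or auth_results.get("dkim") == "pass"
    return "deliver" if authenticated else "reject"
```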