[clamav-users] Bank's newsletter tagged as Heuristics.Phishing.Email

Steven Morgan smorgan at sourcefire.com
Fri Jul 18 13:00:08 EDT 2014


Also, have a look at the document phishsigs_howto.pdf in the ClamAV docs/
directory. It contains some info on identifying the reason for the phish
detection and on how to write whitelist signatures. You should be able to
create a local whitelist, local.wdb for example, and add that to your
database directory rather than modifying daily.wdb.

Hope it helps,

On Fri, Jul 18, 2014 at 11:09 AM, Alessandro Vesely <vesely at tana.it> wrote:

> Hi,
> I use libclamav for email filtering, and wonder how to handle these cases.
> Although spammy, that newsletter appears to be fully legitimate.  It
> originated from sella.it, and contains several links to that bank's
> site, as well as links to facebook, twitter, google+, and youtube.
> The message has both Heuristics.Phishing.Email.SpoofedDomain and
> Heuristics.Phishing.Email.  Upon social links removal, the message is
> clean.
> I could disable loading phishing urls.  (They were enabled in 0.98.4,
> weren't they?  Debian issued that upgrade quite recently.)  Or I can
> also enable SafeBrowsing in freshmail.conf.  Or are they two totally
> unrelated things?
> To work around false positives, I can pass (rather than drop) email
> messages having only that kind of "virus", and add a suitable field to
> their message header; Bounce-Unless-Auth, say.  A downstream filter
> would then recognize that header and reject messages unless it finds
> an acceptable authentication (SPF, DKIM, or such).  Doing so has to
> rely on virus names.  Am I safe using "Heuristics.*" as a wildcard?
> Is there any other method to distinguish phishing from traditional,
> low-fp viruses?
> Any other suggestion?
> Ale
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> http://www.clamav.net/support/ml

More information about the clamav-users mailing list