[clamav-users] Bank's newsletter tagged as Heuristics.Phishing.Email
Steven Morgan
smorgan at sourcefire.com
Fri Jul 18 17:00:08 UTC 2014
Alessandro,
Also, have a look at the document phishsigs_howto.pdf in the ClamAV docs/
directory. It contains some info on identifying the reason for the phish
detection and on how to write whitelist signatures. You should be able to
create a local whitelist, local.wdb for example, and add that to your
database directory rather than modifying daily.wdb.
Hope it helps,
Steve
On Fri, Jul 18, 2014 at 11:09 AM, Alessandro Vesely <vesely at tana.it> wrote:
> Hi,
> I use libclamav for email filtering, and wonder how to handle these cases.
>
> Although spammy, that newsletter appears to be fully legitimate. It
> originated from sella.it, and contains several links to that bank's
> site, as well as links to facebook, twitter, google+, and youtube.
>
> The message has both Heuristics.Phishing.Email.SpoofedDomain and
> Heuristics.Phishing.Email. Upon social links removal, the message is
> clean.
>
> I could disable loading phishing urls. (They were enabled in 0.98.4,
> weren't they? Debian issued that upgrade quite recently.) Or I can
> also enable SafeBrowsing in freshclam.conf. Or are they two totally
> unrelated things?
>
> To work around false positives, I can pass (rather than drop) email
> messages having only that kind of "virus", and add a suitable field to
> their message header; Bounce-Unless-Auth, say. A downstream filter
> would then recognize that header and reject messages unless it finds
> an acceptable authentication (SPF, DKIM, or such). Doing so has to
> rely on virus names. Am I safe using "Heuristics.*" as a wildcard?
> Is there any other method to distinguish phishing from traditional,
> low-fp viruses?
>
> Any other suggestion?
>
> TIA
> Ale
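The two-stage policy Alessandro sketches (pass heuristic-only hits with a marker header, let a downstream filter bounce them unless SPF/DKIM passed) as an added example; it is not code from the thread or from ClamAV. The marker header name Bounce-Unless-Auth comes from the post; the authserv-id mx.example.net, the sample messages and the choice of "Heuristics.Phishing." as the soft prefix are assumptions.

```python
import email
from email import policy

# Prefix treated as "soft" (phishing heuristics only). The post's broader
# "Heuristics." wildcard would also pass e.g. Heuristics.Encrypted.Zip.
SOFT_PREFIX = "Heuristics.Phishing."
MARK_HEADER = "Bounce-Unless-Auth"   # header name proposed in the post

# Constructed samples: the same newsletter, once with an SPF/DKIM result
# added by our own border MTA and once without any authentication.
AUTHENTICATED = (
    "Authentication-Results: mx.example.net; dkim=pass header.d=sella.it\r\n"
    "From: newsletter@sella.it\r\nSubject: Newsletter\r\n\r\n"
    "Visit https://www.sella.it/ and follow us on Facebook.\r\n"
)
UNAUTHENTICATED = "From: newsletter@sella.it\r\nSubject: Newsletter\r\n\r\nBody\r\n"


def classify(found):
    """Classify the list of ClamAV detection names for one message (all
    matches, as libclamav reports when asked to): 'clean', 'soft', 'malware'."""
    if not found:
        return "clean"
    if all(name.startswith(SOFT_PREFIX) for name in found):
        return "soft"
    return "malware"


def first_stage(raw, found):
    """Drop real malware; pass soft hits but tag them with the marker header."""
    msg = email.message_from_string(raw, policy=policy.default)
    verdict = classify(found)
    if verdict == "malware":
        return "drop", msg
    if verdict == "soft":
        msg[MARK_HEADER] = ", ".join(found)
    return "pass", msg


def downstream_accepts(msg, authserv_id="mx.example.net"):
    """Accept a tagged message only if an Authentication-Results header
    written by our own MTA (matching authserv-id) reports spf=pass or
    dkim=pass. The border MTA must strip incoming Authentication-Results
    headers that claim this authserv-id, or a sender could forge the pass."""
    if MARK_HEADER not in msg:
        return True
    for value in msg.get_all("Authentication-Results", []):
        fields = str(value).lower().split(";")
        if fields[0].strip() != authserv_id:
            continue
        if any(f.strip().startswith(("dkim=pass", "spf=pass")) for f in fields[1:]):
            return True
    return False
```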