[clamav-users] False positives phishing sites

Thorvald Hallvardsson thorvald.hallvardsson at gmail.com
Tue Sep 23 11:44:19 UTC 2014


Hi guys,

I need a bit of help in understanding why ClamAV finds phishing URLs in the
very very legitimate emails.

I have got some customers complaining that some emails from normal retail
shops (newsletters) are marked as phishing. Also, multiple customers are having
issues with receiving emails from Amazon Master Card (Bank of America)
being marked as phishing. We have multiple examples where exact viruses are
not being identified... viruses like 2-3 years old.

I update databases every couple of hours. I know it's hard to keep
signatures up-to-date but there are few cases which I don't understand.

However let's focus on the Amazon email about MasterCard.

The output from clamscan --debug says:
LibClamAV debug: Got a match: youraccount.mbna.co.uk/ with /ku.oc.anbm
LibClamAV debug: Before inserting .: .youraccount.mbna.co.uk
LibClamAV debug: Lookup result: in regex list
LibClamAV debug: Phishcheck:host:.www.bankofamerica.co.uk
LibClamAV debug: Phishing: looking up in whitelist: .www.bankofamerica.co.uk:.youraccount.mbna.co.uk; host-only:1
LibClamAV debug: Looking up in regex_list: www.bankofamerica.co.uk:youraccount.mbna.co.uk/
LibClamAV debug: Lookup result: not in regex list
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
LibClamAV debug: found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain


But looking at the emails all links in a href= are the same in between the
tag so they are not different.

Found something on the internet saying that there is a why.py script in the
sources which I couldn't find, but I downloaded it from the internet and it
said "Clean" but noticed in the code that it's looking for different things.

Anyone would like to point me into the right direction and help me out with
the problems I'm having?

Thank you in advance.

Regards.
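The debug output above shows what the SpoofedDomain heuristic compares: the hostname in the anchor's visible text (www.bankofamerica.co.uk) against the hostname in its href (youraccount.mbna.co.uk), with a whitelist lookup on that host pair before the verdict. The following script is an added example written for this thread, not ClamAV's own code nor the why.py mentioned in the post: a simplified reproduction of that comparison that lists the anchors in a message body which would be reported as a display/href hostname mismatch, so you can see which link in a "legitimate" newsletter is triggering the hit. The HTML sample is constructed to mirror the debug output; the whitelist is a plain set of (real host, display host) pairs and does not use ClamAV's .wdb syntax.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HOST_CHARS = re.compile(r"[a-z0-9.-]+")

def hostname_of(text):
    """Lowercase hostname of a URL or bare 'www.example.com' string, else None.
    Display text only counts as a URL when it looks like a domain name."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    host = urlparse(text).hostname
    if host and "." in host and HOST_CHARS.fullmatch(host):
        return host
    return None

class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None

def spoofed_domain_candidates(html, whitelist=frozenset()):
    """Return [(real_host, display_host)] for anchors whose visible text is a URL
    on a different host than the href; (real, display) pairs in whitelist are skipped."""
    parser = AnchorCollector()
    parser.feed(html)
    found = []
    for href, text in parser.links:
        real, shown = hostname_of(href), hostname_of(text)
        if real is None or shown is None or real == shown:
            continue  # no displayed URL, or display and href agree: nothing to flag
        if (real, shown) not in whitelist:
            found.append((real, shown))
    return found

# Constructed sample modelled on the debug output in the post (not a real mailing)
SAMPLE = """<p>Sign in at <a href="http://youraccount.mbna.co.uk/">www.bankofamerica.co.uk</a>
or visit <a href="https://www.example.org/offers">https://www.example.org/offers</a>
or <a href="http://youraccount.mbna.co.uk/">click here</a>.</p>"""

if __name__ == "__main__":
    for real, shown in spoofed_domain_candidates(SAMPLE):
        print(f"display text says {shown} but href goes to {real}")
```

Only the first anchor is reported: the second agrees with its href and the third has no URL in its text, which matches the "URLs are way too different" verdict being tied to one specific display/href pair rather than to links being different from each other.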
