[clamav-users] Heuristics.Phishing.Email.SpoofedDomain again
Kris Deugau
kdeugau at vianet.ca
Wed Apr 8 20:31:39 UTC 2015

How do I whitelist all combinations of TLD 1 and TLD 2 with/without
subdomains in one entry?

I've just had a series of FP reports, all appear to be triggered by a
Scotiabank internal mail system URL that shows scotiabank.com (with a
host/subdomain in some messages, without in others) and a real link
target of scotiamail.bns (again, may or may not have a host/subdomain).

M:scotiabank.com:scotiamail.bns

works on *some* messages... but not all of them. Apparently the
host/domain isn't consistently cut down to the bare TLD.

I don't want to have to add "many" variant entries, because I don't know
what variations might appear. For the time being I've added 4 entries
that seem to cover the variants I have on hand currently.

-kgd