[clamav-users] Whitelisting whole domains (Re: Heuristics.Phishing.Email.SpoofedDomain again)
Kris Deugau
kdeugau at vianet.ca
Wed Apr 15 20:54:50 UTC 2015
Kris Deugau wrote:
> How do I whitelist all combinations of TLD 1 and TLD 2 with/without
> subdomains in one entry?
>
> I've just had a series of FP reports, all appear to be triggered by a
> Scotiabank internal mail system URL that shows scotiabank.com (with a
> host/subdomain in some messages, without in others) and a real link
> target of scotiamail.bns (again, may or may not have a host/subdomain).
>
> M:scotiabank.com:scotiamail.bns
>
> works on *some* messages... but not all of them. Apparently the
> host/domain isn't consistently cut down to the bare TLD.
>
> I don't want to have to add "many" variant entries, because I don't know
> what variations might appear. For the time being I've added 4 entries
> that seem to cover the variants I have on hand currently.
Anyone?
I've come across another variant; accountonline.com and citibank.com -
both even show the same WHOIS info. I want to whitelist links that show
(or have images originating in) "*.citibank.com", with links whose target
is "*.accountonline.com".
Once again, I don't want to have to enter "many" variant entries,
because I'm certain to miss one.
-kgd
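The matching the post is asking for, reduced to its logic, as an added illustration that is not ClamAV code and not from the original thread: each allowed pair names a displayed registrable domain and a real link-target registrable domain, and both sides of a link are cut down to their last two labels before comparison so that any host or subdomain prefix matches the same single entry. The pair list, the sample URLs and the two-label rule are constructed assumptions (the two-label rule ignores multi-label public suffixes such as co.uk, so it is a simplification, not how ClamAV's own phishing engine derives the domain).

```python
from urllib.parse import urlparse

# Constructed allow-list of (displayed domain, real link target domain) pairs,
# taken from the two cases described in the post.
ALLOWED_PAIRS = {
    ("scotiabank.com", "scotiamail.bns"),
    ("citibank.com", "accountonline.com"),
}


def hostname_of(url_or_host: str) -> str:
    """Return the hostname from either a bare host or a full URL."""
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host
    return urlparse(url_or_host).hostname or ""


def registrable_domain(host: str) -> str:
    """Cut a hostname down to its last two labels.

    Simplifying assumption: every public suffix is one label, so
    'mail01.scotiamail.bns' -> 'scotiamail.bns' and 'www.citibank.com' -> 'citibank.com'.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    return ".".join(labels[-2:])


def is_whitelisted(displayed: str, real: str) -> bool:
    """True if the (displayed, real) domain pair is on the allow-list, ignoring any subdomains."""
    pair = (registrable_domain(hostname_of(displayed)),
            registrable_domain(hostname_of(real)))
    return pair in ALLOWED_PAIRS


def looks_spoofed(displayed: str, real: str) -> bool:
    """Flag a link whose displayed and real domains differ, unless that pair is whitelisted."""
    shown = registrable_domain(hostname_of(displayed))
    target = registrable_domain(hostname_of(real))
    if shown == target:
        return False          # same domain on both sides: nothing to flag
    return not is_whitelisted(displayed, real)


if __name__ == "__main__":
    # Constructed sample links covering the "with/without subdomain" variants from the post.
    samples = [
        ("https://www.scotiabank.com/login", "http://mail01.scotiamail.bns/x"),
        ("scotiabank.com", "scotiamail.bns"),
        ("https://online.citibank.com/", "https://accountonline.com/signin"),
        ("https://www.citibank.com", "https://login.example/"),
    ]
    for shown, target in samples:
        print(f"{shown} -> {target}: {'SPOOFED' if looks_spoofed(shown, target) else 'ok'}")
```

The point of reducing both sides before the lookup is that one entry covers every host prefix on either side, which is what the post wants instead of one entry per observed variant.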