[clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

Charles Swiger cswiger at mac.com
Tue Aug 25 13:11:47 EDT 2015


On Aug 25, 2015, at 9:41 AM, Alex <mysqlstudent at gmail.com> wrote:
> Thanks very much. I've submitted an fp, but it appears to be the result of this:
> 
> LibClamAV debug: Looking up hash
> 5E5978396FC0F81B1032CDA256B95D0D65EA0605DBE0643E89231C049A337640 for
> urldefense.
> proofpoint.com/(26)v2/url?u=http-3A__www.bankofamerica.com_emaildisclaimer&d=AwMFAg&c=ewHkv9vLloTwhsKn5d4bTdoqsmB
> fyfooQX5O7EQLv5TtBZ1CwcvjU063xndfqI8U&r=2aYd0Z__pii05laLdA-SVeMDDGgKztEldmYeWZkrEInUKhhOQFnXGHbtYgd15gmS&m=1gyane
> 8UIsmcsdK0OgwckCpz8Guf1pgeNHHmOLXQn5Y&s=XYG3vPf_ZUZQe7myUa6pQ8SUpYmn9GNeGK33YzupujA&e=(293)
> LibClamAV debug: Phishcheck:URL after cleanup:
> https://urldefense.proofpoint.com->http://www.bankofamerica.com
> LibClamAV debug: Phishing: looking up in whitelist:
> https://urldefense.proofpoint.com:http://www.bankofamerica.com; host-only:0
> LibClamAV debug: Phishing: looking up in whitelist:
> .urldefense.proofpoint.com:.www.bankofamerica.com; host-only:1
> LibClamAV debug: Looking up in regex_list:
> urldefense.proofpoint.com:www.bankofamerica.com/
> LibClamAV debug: Lookup result: not in regex list
> LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
> LibClamAV debug: found Possibly Unwanted:
> Heuristics.Phishing.Email.SpoofedDomain
> 
> Looks like the proofpoint "secure URL" product has mangled the URL so
> badly that clamav can't decipher it?

Actually, ClamAV recognized and decoded the URL spoofing just fine.
So they should be able to whitelist it without any special trouble.

> In any case, how would I go about whitelisting either the sender
> and/or the email the next time this happens, so I don't have to wait
> for the sig team to perform an update?

If Bank of America was my bank, I'd contact them and ask them to send
their own emails from their own domain rather than sending emails
which rather precisely resemble email spoofing attempts.

If they declined, I'd find myself another bank who cared enough about email
and online security that they weren't outsourcing it to proofpoint.com.

Regards,
-- 
-Chuck
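As an added illustration (not part of the thread, and not ClamAV's own code), the script below pulls the real/displayed hostname pair out of the "host-only:1" whitelist lookup in the debug trace quoted above and formats it as an entry for a local .wdb file; it assumes ClamAV's documented whitelist line form M:RealHost:DisplayedHost, where the hosts are matched literally.

```python
from __future__ import annotations
import re

# Constructed sample: the whitelist-lookup lines from the LibClamAV debug
# trace quoted in the thread, with the mail-client line wrapping removed.
DEBUG_LOG = """\
LibClamAV debug: Phishing: looking up in whitelist: https://urldefense.proofpoint.com:http://www.bankofamerica.com; host-only:0
LibClamAV debug: Phishing: looking up in whitelist: .urldefense.proofpoint.com:.www.bankofamerica.com; host-only:1
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
"""

# The host-only lookup is the key an M: whitelist entry is compared against.
# ClamAV prints both hosts with a leading dot; the regex drops it.
HOST_ONLY_RE = re.compile(
    r"looking up in whitelist: \.(?P<real>[^:\s]+):\.(?P<display>[^;\s]+); host-only:1"
)


def extract_host_pairs(log: str) -> list[tuple[str, str]]:
    """Return (real_host, displayed_host) pairs found in host-only lookups."""
    return [(m.group("real"), m.group("display")) for m in HOST_ONLY_RE.finditer(log)]


def wdb_entries(pairs: list[tuple[str, str]]) -> list[str]:
    """Format each pair as an M: line for a local .wdb whitelist.

    One entry suppresses Heuristics.Phishing.Email.SpoofedDomain only for this
    exact real-host/displayed-host combination; it does not whitelist every
    link that merely passes through urldefense.proofpoint.com.
    """
    return [f"M:{real}:{display}" for real, display in pairs]


if __name__ == "__main__":
    # Assumed file name; drop the file into the ClamAV database directory and
    # reload to activate (placeholder path, not from the thread).
    for line in wdb_entries(extract_host_pairs(DEBUG_LOG)):
        print(line)  # prints M:urldefense.proofpoint.com:www.bankofamerica.com
```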