[clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

Kevin Lin klin at sourcefire.com
Tue Aug 25 13:19:13 EDT 2015


It's not necessary to whitelist the heuristic. If you choose to, you can
whitelist the domain which can be done using a .wdb signature. There is
documentation on how to write an entry in the phishsigs_howto.pdf document.

-Kevin

On Tue, Aug 25, 2015 at 1:11 PM, Charles Swiger <cswiger at mac.com> wrote:

> On Aug 25, 2015, at 9:41 AM, Alex <mysqlstudent at gmail.com> wrote:
> > Thanks very much. I've submitted an fp, but it appears to be the result
> > of this:
> >
> > LibClamAV debug: Looking up hash
> > 5E5978396FC0F81B1032CDA256B95D0D65EA0605DBE0643E89231C049A337640 for
> > urldefense.proofpoint.com/(26)v2/url?u=http-3A__www.bankofamerica.com_emaildisclaimer&d=AwMFAg&c=ewHkv9vLloTwhsKn5d4bTdoqsmBfyfooQX5O7EQLv5TtBZ1CwcvjU063xndfqI8U&r=2aYd0Z__pii05laLdA-SVeMDDGgKztEldmYeWZkrEInUKhhOQFnXGHbtYgd15gmS&m=1gyane8UIsmcsdK0OgwckCpz8Guf1pgeNHHmOLXQn5Y&s=XYG3vPf_ZUZQe7myUa6pQ8SUpYmn9GNeGK33YzupujA&e=(293)
> > LibClamAV debug: Phishcheck:URL after cleanup:
> > https://urldefense.proofpoint.com->http://www.bankofamerica.com
> > LibClamAV debug: Phishing: looking up in whitelist:
> > https://urldefense.proofpoint.com:http://www.bankofamerica.com; host-only:0
> > LibClamAV debug: Phishing: looking up in whitelist:
> > .urldefense.proofpoint.com:.www.bankofamerica.com; host-only:1
> > LibClamAV debug: Looking up in regex_list:
> > urldefense.proofpoint.com:www.bankofamerica.com/
> > LibClamAV debug: Lookup result: not in regex list
> > LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too
> > different
> > LibClamAV debug: found Possibly Unwanted:
> > Heuristics.Phishing.Email.SpoofedDomain
> >
> > Looks like the proofpoint "secure URL" product has mangled the URL so
> > badly that clamav can't decipher it?
>
> Actually, ClamAV recognized and decoded the URL spoofing just fine.
> So they should be able to whitelist it without any special trouble.
>
> > In any case, how would I go about whitelisting either the sender
> > and/or the email the next time this happens, so I don't have to wait
> > for the sig team to perform an update?
>
> If Bank of America was my bank, I'd contact them and ask them to send
> their own emails from their own domain rather than sending emails
> which rather precisely resemble email spoofing attempts.
>
> If they declined, I'd find myself another bank who cared enough about email
> and online security that they weren't outsourcing it to proofpoint.com.
>
> Regards,
> --
> -Chuck
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
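The debug trace quoted above shows what the heuristic actually compared: the href host (urldefense.proofpoint.com) against the displayed host (www.bankofamerica.com), with a whitelist lookup on that host pair before the "URLs are way too different" verdict. The following is an added example, not ClamAV's code and not from anyone in this thread. It unwraps the Proofpoint URL Defense v2 link to recover the real destination (the documented v2 scheme: "_" stands for "/", "-XX" for "%XX", then percent-decode), models the real-vs-displayed host comparison, and models a .wdb whitelist in the M:RealHostname:DisplayedHostname form that phishsigs_howto describes. The domain comparison and whitelist matching are simplified stand-ins for ClamAV's regex_list logic, the WDB_TEXT line is constructed for illustration (check phishsigs_howto for the exact field syntax of your ClamAV version), and the wrapped URL is the one from the trace joined back onto one line.

```python
"""Model of the SpoofedDomain decision shown in the thread's debug trace.

Added example, not ClamAV's implementation. Assumptions: URL Defense v2
unwrapping per the documented scheme; domain comparison and .wdb matching
are simplified; only M: whitelist lines are modelled.
"""
from urllib.parse import parse_qs, unquote, urlsplit

# The wrapped link from the debug trace, joined onto one line.
WRAPPED = (
    "https://urldefense.proofpoint.com/v2/url?u=http-3A__www.bankofamerica.com_emaildisclaimer"
    "&d=AwMFAg&c=ewHkv9vLloTwhsKn5d4bTdoqsmBfyfooQX5O7EQLv5TtBZ1CwcvjU063xndfqI8U"
    "&r=2aYd0Z__pii05laLdA-SVeMDDGgKztEldmYeWZkrEInUKhhOQFnXGHbtYgd15gmS"
    "&m=1gyane8UIsmcsdK0OgwckCpz8Guf1pgeNHHmOLXQn5Y"
    "&s=XYG3vPf_ZUZQe7myUa6pQ8SUpYmn9GNeGK33YzupujA&e="
)
DISPLAYED = "www.bankofamerica.com"  # the link text the recipient sees

# Constructed .wdb content in the M:RealHostname:DisplayedHostname form
# (illustrative; confirm the exact syntax in phishsigs_howto).
WDB_TEXT = "M:urldefense.proofpoint.com:www.bankofamerica.com\n"

SPOOFED = "Heuristics.Phishing.Email.SpoofedDomain"


def decode_urldefense_v2(url: str) -> str:
    """Return the real destination of a URL Defense v2 link, or the URL unchanged."""
    parts = urlsplit(url)
    if parts.hostname != "urldefense.proofpoint.com" or not parts.path.startswith("/v2/url"):
        return url
    u = parse_qs(parts.query).get("u")
    if not u:
        return url
    # v2 encoding: "_" stands for "/", "-" for "%"; the result is then percent-decoded.
    return unquote(u[0].replace("_", "/").replace("-", "%"))


def hostname(url_or_text: str) -> str:
    """Hostname of a URL, or of bare link text such as 'www.example.com'."""
    if "://" not in url_or_text:
        url_or_text = "http://" + url_or_text
    return (urlsplit(url_or_text).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (simplification: no Public Suffix List handling)."""
    return ".".join(host.split(".")[-2:])


def load_wdb(text: str) -> set:
    """Parse M: lines into (real_host, displayed_host) pairs; other line types are ignored here."""
    pairs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("M:"):
            continue
        _, real, displayed = line.split(":")[:3]
        pairs.add((real.lower(), displayed.lower()))
    return pairs


def phish_check(real_url: str, displayed: str, whitelist: set, unwrap: bool = False) -> str:
    """Simplified SpoofedDomain decision for one (href, link text) pair.

    With unwrap=True the wrapper is decoded before the hosts are compared,
    which is what makes the pair in the trace agree.
    """
    real_host = hostname(decode_urldefense_v2(real_url) if unwrap else real_url)
    disp_host = hostname(displayed)
    if (real_host, disp_host) in whitelist:
        return "whitelisted"
    if registrable_domain(real_host) == registrable_domain(disp_host):
        return "clean"
    return SPOOFED


if __name__ == "__main__":
    print("real destination:", decode_urldefense_v2(WRAPPED))
    print("as scanned:      ", phish_check(WRAPPED, DISPLAYED, set()))
    print("with .wdb entry: ", phish_check(WRAPPED, DISPLAYED, load_wdb(WDB_TEXT)))
    print("unwrapped first: ", phish_check(WRAPPED, DISPLAYED, set(), unwrap=True))
```

The first three calls reproduce the trace: the href and the link text sit in different domains, so without a whitelist entry the pair is flagged, and a matching M: pair suppresses it. The fourth call shows the alternative of decoding the rewriting service's wrapper before comparing, which is not what the trace shows ClamAV doing and is included only to make the mismatch concrete.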


