[clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

Alex mysqlstudent at gmail.com
Tue Aug 25 17:49:48 EDT 2015


On Tue, Aug 25, 2015 at 1:11 PM, Charles Swiger <cswiger at mac.com> wrote:
> On Aug 25, 2015, at 9:41 AM, Alex <mysqlstudent at gmail.com> wrote:
>> Thanks very much. I've submitted an fp, but it appears to be the result of this:
>> LibClamAV debug: Looking up hash
>> 5E5978396FC0F81B1032CDA256B95D0D65EA0605DBE0643E89231C049A337640 for
>> urldefense.proofpoint.com/(26)v2/url?u=http-3A__www.bankofamerica.com_emaildisclaimer&d=AwMFAg&c=ewHkv9vLloTwhsKn5d4bTdoqsmBfyfooQX5O7EQLv5TtBZ1CwcvjU063xndfqI8U&r=2aYd0Z__pii05laLdA-SVeMDDGgKztEldmYeWZkrEInUKhhOQFnXGHbtYgd15gmS&m=1gyane8UIsmcsdK0OgwckCpz8Guf1pgeNHHmOLXQn5Y&s=XYG3vPf_ZUZQe7myUa6pQ8SUpYmn9GNeGK33YzupujA&e=(293)
>> LibClamAV debug: Phishcheck:URL after cleanup:
>> https://urldefense.proofpoint.com->http://www.bankofamerica.com
>> LibClamAV debug: Phishing: looking up in whitelist:
>> https://urldefense.proofpoint.com:http://www.bankofamerica.com; host-only:0
>> LibClamAV debug: Phishing: looking up in whitelist:
>> .urldefense.proofpoint.com:.www.bankofamerica.com; host-only:1
>> LibClamAV debug: Looking up in regex_list:
>> urldefense.proofpoint.com:www.bankofamerica.com/
>> LibClamAV debug: Lookup result: not in regex list
>> LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
>> LibClamAV debug: found Possibly Unwanted:
>> Heuristics.Phishing.Email.SpoofedDomain
>> Looks like the proofpoint "secure URL" product has mangled the URL so
>> badly that clamav can't decipher it?
> Actually, ClamAV recognized and decoded the URL spoofing just fine.
> So they should be able to whitelist it without any special trouble.

So then where did it become an fp?

>> In any case, how would I go about whitelisting either the sender
>> and/or the email the next time this happens, so I don't have to wait
>> for the sig team to perform an update?
> If Bank of America was my bank, I'd contact them and ask them to send
> their own emails from their own domain rather than sending emails
> which rather precisely resemble email spoofing attempts.

It's actually not bankofamerica.com that's doing it. It apparently was
the sender that mangled every domain in the email to precede it with
this urldefense crap.
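As an added example (not part of this thread, and not ClamAV's or Proofpoint's own code), the following script decodes the URL Defense v2 link quoted in the debug output above and re-runs the host comparison that the heuristic is making. Assumptions, stated here and in the comments: the v2 encoding keeps the target in the u= parameter with '_' standing for '/' and '-XX' for the byte 0xXX (the scheme Proofpoint's published decoder uses for v2 links); the mismatch check is a simplified stand-in for the Heuristics.Phishing.Email.SpoofedDomain logic that only compares the real link's host with the displayed host; and the whitelist line uses the M:RealHostname:DisplayedHostname form that ClamAV's signature documentation gives for .wdb host whitelists, which you should confirm against the docs for your clamav version before relying on it. The two URLs are constructed from the debug lines in the thread.

```python
"""Decode a Proofpoint URL Defense v2 rewrite and repeat ClamAV's host check.

Added example for the clamav-users thread; not code from ClamAV or Proofpoint.
Assumptions (see lead-in): v2 'u=' encoding ('_' -> '/', '-XX' -> byte 0xXX),
a simplified host-mismatch check standing in for the ClamAV heuristic, and the
M:RealHostname:DisplayedHostname .wdb line format.
"""
from urllib.parse import urlparse, parse_qs, unquote

# Constructed from the thread's debug output: the real href (the Proofpoint
# rewrite) and the link text the recipient actually sees.
REAL_URL = (
    "https://urldefense.proofpoint.com/v2/url?"
    "u=http-3A__www.bankofamerica.com_emaildisclaimer&d=AwMFAg"
    "&c=ewHkv9vLloTwhsKn5d4bTdoqsmBfyfooQX5O7EQLv5TtBZ1CwcvjU063xndfqI8U"
    "&r=2aYd0Z__pii05laLdA-SVeMDDGgKztEldmYeWZkrEInUKhhOQFnXGHbtYgd15gmS"
    "&m=1gyane8UIsmcsdK0OgwckCpz8Guf1pgeNHHmOLXQn5Y"
    "&s=XYG3vPf_ZUZQe7myUa6pQ8SUpYmn9GNeGK33YzupujA&e="
)
DISPLAY_URL = "http://www.bankofamerica.com"


def decode_urldefense_v2(url: str) -> str:
    """Return the original target of a URL Defense v2 link.

    Assumption: in the u= parameter '-' plays the role '%' plays in
    percent-encoding and '_' stands for '/'.
    """
    parsed = urlparse(url)
    if parsed.netloc != "urldefense.proofpoint.com" or not parsed.path.startswith("/v2/url"):
        raise ValueError("not a URL Defense v2 link")
    encoded = parse_qs(parsed.query)["u"][0]
    return unquote(encoded.replace("-", "%").replace("_", "/"))


def host_of(url: str) -> str:
    """Lower-cased hostname; a bare 'www.example.com' without a scheme is accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def spoofed_domain(real_url: str, display_url: str) -> bool:
    """Simplified stand-in for the ClamAV check: flag when the real and displayed
    hosts differ. ClamAV's own comparison is more involved; this only reproduces
    the outcome seen in the thread ('URLs are way too different')."""
    return host_of(real_url) != host_of(display_url)


def wdb_entry(real_url: str, display_url: str) -> str:
    """Host whitelist line in the M:RealHostname:DisplayedHostname .wdb form
    (assumption: this matches the documented format for your clamav version)."""
    return f"M:{host_of(real_url)}:{host_of(display_url)}"


def classify(real_url: str, display_url: str) -> dict:
    """Summarise what the heuristic sees before and after undoing the rewrite."""
    decoded = decode_urldefense_v2(real_url)
    return {
        # True: the scanner sees urldefense.proofpoint.com vs www.bankofamerica.com
        "flagged_as_seen": spoofed_domain(real_url, display_url),
        "decoded_target": decoded,
        # False: once decoded, the target host matches the displayed host
        "flagged_after_decode": spoofed_domain(decoded, display_url),
        "whitelist_line": wdb_entry(real_url, display_url),
    }


if __name__ == "__main__":
    for key, value in classify(REAL_URL, DISPLAY_URL).items():
        print(f"{key}: {value}")
```

The point the script makes is the one the thread circles around: the rewrite is decodable, and the decoded target agrees with the displayed text, so the mismatch the heuristic reports is entirely between the rewriting host and the displayed host. Any whitelist entry therefore has to pair urldefense.proofpoint.com with each displayed domain you want to accept, which is why a per-sender exception does not cover it.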
