[clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

Alex mysqlstudent at gmail.com
Wed Aug 26 22:16:56 EDT 2015


Hi,

On Tue, Aug 25, 2015 at 1:19 PM, Kevin Lin <klin at sourcefire.com> wrote:
> It's not necessary to whitelist the heuristic. If you choose to, you can
> whitelist the domain which can be done using a .wdb signature. There is
> documentation on how to write an entry in the phishsigs_howto.pdf document.

I think I managed to get it working. Much easier than I expected.

Given this debug output:

LibClamAV debug: Looking up hash 56C3...E7C44D36F0FB9028E16FE for urldefense.proofpoint.com/(26)v2/url?u=http-3A__www.bankofamerica.com_emaildisclaimer&d=AwMFAg&c=ewHkv9vLloTwhsKn5d4bTdoqsmB
....

Then there's this:

LibClamAV debug: Phishing: looking up in whitelist: https://urldefense.proofpoint.com:http://www.bankofamerica.com; host-only:0
LibClamAV debug: Looking up in regex_list: https://urldefense.proofpoint.com:http://www.bankofamerica.com/

I've created a wdb rule that looks like this:

X:.+proofpoint\.com:.+bankofamerica\.com:17-

That appears to have solved the problem. I suppose I could be more
specific with my regex, but I think it's okay for now.

Thanks,
Alex
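To check a .wdb line like the one above against the real/displayed URL pair shown in the debug output before deploying it, here is an added Python example (not ClamAV's code and not from this thread). It builds the lookup string in the shape the "Looking up in regex_list:" line shows and models the match as an unanchored regex search, which is an assumption; the simplified parser, the tighter rule and the look-alike URL pair are constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

class WdbRule(NamedTuple):
    kind: str                  # "X" = regex over "RealURL:DisplayedURL" (the form used here)
    pattern: re.Pattern        # compiled RealURL:DisplayedURL regex
    min_flevel: int            # "17-" means functionality level 17 and up
    max_flevel: Optional[int]

def parse_wdb_line(line: str) -> WdbRule:
    """Simplified parser for X:RealURL:DisplayedURL:FuncLevelSpec: type split off at the
    first ':', functionality level at the last ':', the regex (with its field ':') between."""
    kind, body = line.strip().split(":", 1)
    regex, flevel = body.rsplit(":", 1)
    lo, dash, hi = flevel.partition("-")
    max_level = int(hi) if hi else (None if dash else int(lo))
    return WdbRule(kind, re.compile(regex), int(lo), max_level)

def wdb_allows(rules, real_url: str, displayed_url: str, engine_flevel: int = 17):
    """Return the first rule that whitelists the pair, else None. Assumption: the
    match is modelled as an unanchored regex search; confirm with clamscan --debug."""
    # Lookup string shape taken from the "Looking up in regex_list:" debug line above.
    target = f"{real_url}:{displayed_url}/"
    for rule in rules:
        if rule.kind != "X" or engine_flevel < rule.min_flevel:
            continue
        if rule.max_flevel is not None and engine_flevel > rule.max_flevel:
            continue
        if rule.pattern.search(target):
            return rule
    return None

# The rule posted in the thread, plus a tighter variant constructed for comparison.
LOOSE_RULE = r"X:.+proofpoint\.com:.+bankofamerica\.com:17-"
TIGHT_RULE = r"X:https://urldefense\.proofpoint\.com:http://www\.bankofamerica\.com/:17-"
# URL pair from the thread's debug output, and a constructed look-alike real host.
PAGE_PAIR = ("https://urldefense.proofpoint.com", "http://www.bankofamerica.com")
LOOKALIKE_PAIR = ("https://notproofpoint.com", "http://www.bankofamerica.com")

def demo() -> dict:
    loose, tight = [parse_wdb_line(LOOSE_RULE)], [parse_wdb_line(TIGHT_RULE)]
    return {
        "loose_page": wdb_allows(loose, *PAGE_PAIR) is not None,            # True
        "loose_lookalike": wdb_allows(loose, *LOOKALIKE_PAIR) is not None,  # True: too broad
        "tight_page": wdb_allows(tight, *PAGE_PAIR) is not None,            # True
        "tight_lookalike": wdb_allows(tight, *LOOKALIKE_PAIR) is not None,  # False
    }
```

The loose rule also whitelists any real host that merely ends in "proofpoint.com", which is the reason to pin both fields to the exact hosts seen in the debug output.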

>
> -Kevin
>
> On Tue, Aug 25, 2015 at 1:11 PM, Charles Swiger <cswiger at mac.com> wrote:
>
>> On Aug 25, 2015, at 9:41 AM, Alex <mysqlstudent at gmail.com> wrote:
>> > Thanks very much. I've submitted an fp, but it appears to be the result
>> of this:
>> >
>> > LibClamAV debug: Looking up hash
>> > 5E5978396FC0F81B1032CDA256B95D0D65EA0605DBE0643E89231C049A337640 for
>> > urldefense.proofpoint.com/(26)v2/url?u=http-3A__www.bankofamerica.com_emaildisclaimer&d=AwMFAg&c=ewHkv9vLloTwhsKn5d4bTdoqsmBfyfooQX5O7EQLv5TtBZ1CwcvjU063xndfqI8U&r=2aYd0Z__pii05laLdA-SVeMDDGgKztEldmYeWZkrEInUKhhOQFnXGHbtYgd15gmS&m=1gyane8UIsmcsdK0OgwckCpz8Guf1pgeNHHmOLXQn5Y&s=XYG3vPf_ZUZQe7myUa6pQ8SUpYmn9GNeGK33YzupujA&e=(293)
>> > LibClamAV debug: Phishcheck:URL after cleanup:
>> > https://urldefense.proofpoint.com->http://www.bankofamerica.com
>> > LibClamAV debug: Phishing: looking up in whitelist:
>> > https://urldefense.proofpoint.com:http://www.bankofamerica.com; host-only:0
>> > LibClamAV debug: Phishing: looking up in whitelist:
>> > .urldefense.proofpoint.com:.www.bankofamerica.com; host-only:1
>> > LibClamAV debug: Looking up in regex_list:
>> > urldefense.proofpoint.com:www.bankofamerica.com/
>> > LibClamAV debug: Lookup result: not in regex list
>> > LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
>> > LibClamAV debug: found Possibly Unwanted:
>> > Heuristics.Phishing.Email.SpoofedDomain
>> >
>> > Looks like the proofpoint "secure URL" product has mangled the URL so
>> > badly that clamav can't decipher it?
>>
>> Actually, ClamAV recognized and decoded the URL spoofing just fine.
>> So they should be able to whitelist it without any special trouble.
>>
>> > In any case, how would I go about whitelisting either the sender
>> > and/or the email the next time this happens, so I don't have to wait
>> > for the sig team to perform an update?
>>
>> If Bank of America was my bank, I'd contact them and ask them to send
>> their own emails from their own domain rather than sending emails
>> which rather precisely resemble email spoofing attempts.
>>
>> If they declined, I'd find myself another bank who cared enough about email
>> and online security that they weren't outsourcing it to proofpoint.com.
>>
>> Regards,
>> --
>> -Chuck
>>
>> _______________________________________________
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>>
>> http://www.clamav.net/contact.html#ml