[clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

Alex mysqlstudent at gmail.com
Tue Aug 16 12:42:40 EDT 2016


On Tue, Aug 16, 2016 at 12:35 PM, Steve basford
<steveb_clamav at sanesecurity.com> wrote:
> Try clamscan --debug 2>debug.log and I think that should show you a domain.

Ah yes, thanks. It appears it's marked it because the URLs were too different:

LibClamAV debug: Phishing: looking up in whitelist:
.click.capitaloneemail.com:.mi.capitalone.com; host-only:1
LibClamAV debug: Looking up in regex_list:
click.capitaloneemail.com:mi.capitalone.com/
LibClamAV debug: Lookup result: not in regex list
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different

I'm not sure I'm ready to whitelist the rule just yet, however.

Thanks,
Alex
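
An added example, not part of the original message or of ClamAV: a small Python parser that pairs each whitelist lookup in `clamscan --debug` output with the phishcheck result that follows it, so the host pairs behind a SpoofedDomain hit can be reviewed before any whitelist decision. The function names and the second sample record are constructed, and the log line formats are assumed to match the excerpt quoted above.

```python
import re

# Assumption: every real log line starts with this prefix; anything else is
# treated as a continuation of the previous line (mail clients wrap long lines).
PREFIX = "LibClamAV "
LOOKUP = re.compile(
    r"Phishing: looking up in whitelist:\s*\.?([^:\s]+):\.?([^;\s]+); host-only:\d")
RESULT = re.compile(r"Phishcheck: Phishing scan result:\s*(.+)")

# Constructed sample: the first record copies the format quoted in the message
# (including the wrapping); the second record and its result text are made up.
SAMPLE_LOG = """\
LibClamAV debug: Phishing: looking up in whitelist:
.click.capitaloneemail.com:.mi.capitalone.com; host-only:1
LibClamAV debug: Looking up in regex_list:
click.capitaloneemail.com:mi.capitalone.com/
LibClamAV debug: Lookup result: not in regex list
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
LibClamAV debug: Phishing: looking up in whitelist: .www.example.com:.www.example.net; host-only:1
LibClamAV debug: Phishcheck: Phishing scan result: Clean
"""

def unwrap(text):
    """Re-join continuation lines onto the log line they belong to."""
    out = []
    for line in text.splitlines():
        if line.startswith(PREFIX) or not out:
            out.append(line.strip())
        elif line.strip():
            out[-1] += " " + line.strip()
    return out

def phish_results(text):
    """Return (first_host, second_host, result) for each whitelist lookup."""
    records, pending = [], None
    for line in unwrap(text):
        m = LOOKUP.search(line)
        if m:
            pending = (m.group(1), m.group(2))
            continue
        m = RESULT.search(line)
        if m and pending:
            records.append((*pending, m.group(1).strip()))
            pending = None
    return records

def flagged(text, verdict="URLs are way too different"):
    """Keep only the host pairs rejected with the verdict seen in the message."""
    return [r for r in phish_results(text) if r[2] == verdict]
```

Run `flagged(open("debug.log").read())` on the file produced by `clamscan --debug 2>debug.log` to list the host pairs that tripped the heuristic.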


