[clamav-users] Heuristics.Phishing.Email.SpoofedDomain false-positives

Alex mysqlstudent at gmail.com
Fri Jun 9 20:40:50 UTC 2017


Hi,

I've noticed a large number of phishing signature false-positives, and
just want to make sure I understand correctly how they work.

I have HeuristicScanPrecedence disabled and all the phishing settings
left as default.

I'm assuming this rule is known to produce a large number of false-positives?

It catches legitimate mail from priceline, delta, citibank, homedepot,
and wellsfargo. At the least, I would expect some kind of note in the
config file indicating this?

I've successfully whitelisted quite a few of them, but is this the
best approach? Maybe I'm missing more of the main purpose of this rule
because it does seem so prone to false-positives.

Could I also ask someone to review my whitelist entries? Perhaps they
can be optimized or done more succinctly? The manual refers to a
version number (17-). Is this necessary?

X:http\://e\.delta\.com:www\.americanexpress\.com
X:http\://l\.info4\.citi\.com:citibank\.com
X:http\://l\.info4\.citi\.com:citi\.com
X:http\://l\.info4\.citi\.com:http\://i\..+\.citi\.com
X:http\://l\.info4\.citi\.com:http\://namwpm\.eccmp\.com
X:http\://l\.info4\.citi\.com:http\://snamwpm\.eccmp\.com
X:http\://l\.info4\.citi\.com:http\://www\.movable-ink-.+\.com
X:http\://l\.info4\.citi\.com:thankyou\.com
X:http\://l\.info6\.accountonline\.com:bestbuy\.accountonline\.com
X:http\://l\.info6\.accountonline\.com:citibank\.com
X:http\://l\.info6\.accountonline\.com:homedepot\.com
X:http\://l\.info6\.accountonline\.com:http\://namwpm\.eccmp\.com
X:http\://links\.e\.mycustomemail\.com:wellsfargo\.com
X:http\://links\.mkt3772\.com:https\://cdn2\.bondbrandloyalty\.com
X:http\://links\.mkt3772\.com:https\://equitybar\.scene\.ca
X:http\://links\.mkt3772\.com:scene\.ca
X:http\://links\.mkt3772\.com:scotiabank\.com
X:\.links\.mkt3772\.com:\.scotiabank\.com
X:http\://mercedes-benz\.r\.delivery\.net:amextravel\.com
X:http\://mercedes-benz\.r\.delivery\.net:http\://sarankco-preview\.com
X:http\://mercedes-benz\.r\.delivery\.net:membershiprewards\.com
X:http\://mercedes-benz\.r\.delivery\.net:www\.americanexpress\.com
X:http\://mercedes-benz\.r\.delivery\.net:www\.membershiprewards\.com
X:https\://epl\.paypal-communication\.com:https\://pp\.images\.harmony\.epsilon\.com
X:https\://epl\.paypal-communication\.com:www\.paypal\.com
X:https\://t\.co:amazon\.de
X:https\://twitter\.com:https\://ea\.twimg\.com
X:https\://twitter\.com:https\://pbs\.twimg\.com
X:https\://usa\.visa\.com:http\://images\.globalclient\.visa\.com
X:.+arizonafederal\.org:arizonafederal\.org
X:.+\.facebook\.com:https\://www\.arizonafederal\.org
X:http\://www\.wiredbusinessconference\.com:http\://images\.globalclient\.visa\.com
X:\.l\.info4\.citi\.com:\.citibank\.com
X:\.l\.info6\.accountonline\.com:\.citibank\.com
X:\.links\.e\.mycustomemail\.com:\.wellsfargo\.com
X:\.mercedes-benz\.r\.delivery\.net:\.www\.americanexpress\.com
X:\.t\.co:\.amazon\.de
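The following is an added example, not part of Alex's message and not ClamAV's own code: a small Python checker for X: entries of a .wdb phishing whitelist like the ones posted above. It parses each line into its real-URL and displayed-URL regexes, compiles them so a typo is caught at load time, reports which entry (if any) covers a given real/displayed pair, and groups entries that share a real-URL pattern, which is where the list could be shortened with an alternation. Two things are assumptions rather than facts taken from the post or verified against the ClamAV source: that the two regexes are separated by the first unescaped colons (the posted entries escape the URL colons, which is consistent with that), and that ClamAV applies each regex to the whole URL string, so a pattern with no path part only matches a bare host URL. The entries in `POSTED_WDB` are copied from the post; `EXTRA_ENTRY`, `EXAMPLE_PAIRS` and every hostname under `.example.test` are constructed for this demonstration.

```python
"""Checker for ClamAV .wdb X: whitelist entries (added example, see the
lead-in above).  Matching model is an assumption: both regexes must match
the entire real / displayed URL string (re.fullmatch)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Copied from the posted whitelist (a representative subset).
POSTED_WDB = r"""
X:http\://e\.delta\.com:www\.americanexpress\.com
X:http\://l\.info4\.citi\.com:citibank\.com
X:http\://l\.info4\.citi\.com:citi\.com
X:http\://l\.info4\.citi\.com:http\://i\..+\.citi\.com
X:http\://links\.e\.mycustomemail\.com:wellsfargo\.com
X:https\://t\.co:amazon\.de
X:.+arizonafederal\.org:arizonafederal\.org
"""

# Constructed entry (not from the post): the first posted line with an
# optional path, so a tracked link with a query string still matches, plus
# a trailing functionality-level field as the manual's "17-" notation.
EXTRA_ENTRY = r"X:http\://e\.delta\.com(/.*)?:www\.americanexpress\.com:17-"

# Constructed (real_url, displayed_url) pairs to run through the whitelist.
EXAMPLE_PAIRS = [
    ("http://e.delta.com", "www.americanexpress.com"),
    ("http://e.delta.com/track?id=42", "www.americanexpress.com"),
    ("http://login.example.test/?arizonafederal.org", "arizonafederal.org"),
]


@dataclass
class WdbEntry:
    real: str                 # regex for the real (href target) URL
    displayed: str            # regex for the URL or text shown to the reader
    funclevel: Optional[str]  # optional trailing functionality-level field
    raw: str


_FIELD_SEP = re.compile(r"(?<!\\):")  # a ':' that is not escaped with '\'


def parse_wdb_line(line: str) -> Optional[WdbEntry]:
    """Parse one X: line; None for blank/comment lines, ValueError on bad input."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if not line.startswith("X:"):
        raise ValueError(f"only X: entries are handled here: {line!r}")
    fields = _FIELD_SEP.split(line[2:])
    if len(fields) < 2:
        raise ValueError(f"need a real and a displayed regex: {line!r}")
    real, displayed = fields[0], fields[1]
    funclevel = fields[2] if len(fields) > 2 else None
    re.compile(real)       # a regex typo should fail here, not silently never match
    re.compile(displayed)
    return WdbEntry(real, displayed, funclevel, line)


def load_wdb(text: str) -> List[WdbEntry]:
    return [e for e in (parse_wdb_line(l) for l in text.splitlines()) if e]


def find_match(entries: List[WdbEntry], real_url: str,
               displayed_url: str) -> Optional[WdbEntry]:
    """First entry whose two regexes both match the whole URL strings."""
    for e in entries:
        if re.fullmatch(e.real, real_url) and re.fullmatch(e.displayed, displayed_url):
            return e
    return None


def consolidation_candidates(entries: List[WdbEntry]) -> Dict[str, List[str]]:
    """Displayed-URL patterns grouped by identical real-URL pattern; a group
    with several members is a set of lines that one alternation could replace."""
    groups: Dict[str, List[str]] = {}
    for e in entries:
        groups.setdefault(e.real, []).append(e.displayed)
    return {real: shown for real, shown in groups.items() if len(shown) > 1}


if __name__ == "__main__":
    entries = load_wdb(POSTED_WDB)
    for real_url, shown in EXAMPLE_PAIRS:
        hit = find_match(entries, real_url, shown)
        print(f"{real_url!r} -> {shown!r}: {'whitelisted by ' + hit.raw if hit else 'NOT whitelisted'}")
    extra = parse_wdb_line(EXTRA_ENTRY)
    print("with path-tolerant entry:", find_match([extra], *EXAMPLE_PAIRS[1]) is not None)
    for real, shown in consolidation_candidates(entries).items():
        print(f"{len(shown)} entries share real pattern {real}: {shown}")
```

Under this matching model the second pair (a tracked link with a query string) is not covered by the posted `e.delta.com` line but is by the constructed path-tolerant one, and the third pair shows the other direction: a real-URL pattern that starts with `.+` matches any URL that merely ends in the bank's name, so that line whitelists far more than the bank's own mail.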
