[clamav-users] Heuristics.Phishing.Email.SpoofedDomain false-positives

Al Varnell alvarnell at mac.com
Mon Jun 12 08:38:44 UTC 2017


On Jun 9, 2017, at 1:40 PM, Alex wrote:
> Hi,
> 
> I've noticed a large amount of phishing signature false-positives, and
> just want to make sure I understand correctly how they work.
> 
> I have HeuristicScanPrecedence disabled and all the phishing settings
> left as default.
> 
> I'm assuming this rule is known to produce a large amount of false-positives?
> 
> It catches legitimate mail from priceline, delta, citibank, homedepot,
> and wellsfargo. At the least, I would expect some kind of note in the
> config file indicating this?
> 
> I've successfully whitelisted quite a few of them, but is this the
> best approach? Maybe I'm missing more of the main purpose of this rule
> because it does seem so prone to false-positives.
> 
> Could I also ask someone to review my whitelist entries? Perhaps they
> can be optimized or done more succinctly? The manual refers to a
> version number (17-). Is this necessary?
> 
> X:http\://e\.delta\.com:www\.americanexpress\.com
> X:http\://l\.info4\.citi\.com:citibank\.com
> X:http\://l\.info4\.citi\.com:citi\.com
> X:http\://l\.info4\.citi\.com:http\://i\..+\.citi\.com
> X:http\://l\.info4\.citi\.com:http\://namwpm\.eccmp\.com
> X:http\://l\.info4\.citi\.com:http\://snamwpm\.eccmp\.com
> X:http\://l\.info4\.citi\.com:http\://www\.movable-ink-.+\.com
> X:http\://l\.info4\.citi\.com:thankyou\.com
> X:http\://l\.info6\.accountonline\.com:bestbuy\.accountonline\.com
> X:http\://l\.info6\.accountonline\.com:citibank\.com
> X:http\://l\.info6\.accountonline\.com:homedepot\.com
> X:http\://l\.info6\.accountonline\.com:http\://namwpm\.eccmp\.com
> X:http\://links\.e\.mycustomemail\.com:wellsfargo\.com
> X:http\://links\.mkt3772\.com:https\://cdn2\.bondbrandloyalty\.com
> X:http\://links\.mkt3772\.com:https\://equitybar\.scene\.ca
> X:http\://links\.mkt3772\.com:scene\.ca
> X:http\://links\.mkt3772\.com:scotiabank\.com
> X:\.links\.mkt3772\.com:\.scotiabank\.com
> X:http\://mercedes-benz\.r\.delivery\.net:amextravel\.com
> X:http\://mercedes-benz\.r\.delivery\.net:http\://sarankco-preview\.com
> X:http\://mercedes-benz\.r\.delivery\.net:membershiprewards\.com
> X:http\://mercedes-benz\.r\.delivery\.net:www\.americanexpress\.com
> X:http\://mercedes-benz\.r\.delivery\.net:www\.membershiprewards\.com
> X:https\://epl\.paypal-communication\.com:https\://pp\.images\.harmony\.epsilon\.com
> X:https\://epl\.paypal-communication\.com:www\.paypal\.com
> X:https\://t\.co:amazon\.de
> X:https\://twitter\.com:https\://ea\.twimg\.com
> X:https\://twitter\.com:https\://pbs\.twimg\.com
> X:https\://usa\.visa\.com:http\://images\.globalclient\.visa\.com
> X:.+arizonafederal\.org:arizonafederal\.org
> X:.+\.facebook\.com:https\://www\.arizonafederal\.org
> X:http\://www\.wiredbusinessconference\.com:http\://images\.globalclient\.visa\.com
> X:\.l\.info4\.citi\.com:\.citibank\.com
> X:\.l\.info6\.accountonline\.com:\.citibank\.com
> X:\.links\.e\.mycustomemail\.com:\.wellsfargo\.com
> X:\.mercedes-benz\.r\.delivery\.net:\.www\.americanexpress\.com
> X:\.t\.co:\.amazon\.de

I was hoping that somebody more knowledgeable than I would respond here.

I can confirm that allowing Heuristic Phishing detections is quite likely to result in quite a few False Positives these days, but I'm not sure what else you want to know about it. I've been told that if you disable PhishingScanURLs and use the safebrowsing database, it will also disable that.

The primary reason is that these institutions are using formats that are exactly the same ones used by phishers, and shouldn't be doing so. I guess they think it's less confusing to show users that they can click a link that will take them to a Wells Fargo site when it actually takes you to one of their contractor sites. It would be much smarter to have it first go to Wells Fargo and then be told that they are being redirected to a trusted partner site.

I certainly don't have time or perfect knowledge with regard to your Regex whitelist entries, but it does seem to me that it would be more appropriate to use "M:" records for these since you are using a separate record for each pairing.

-Al-
-- 
Al Varnell
Mountain View, CA
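To make the discussion concrete, here is an added example (not ClamAV's own code, and not something either poster wrote) that models the two pieces the thread is about: the SpoofedDomain heuristic, which fires when the hostname shown in the link text belongs to a different domain than the hostname the link really points to, and the `.wdb`-style whitelist that suppresses that detection for known (real, displayed) pairs. The field layout assumed for `X:` (regex) and `M:` (exact hostname) entries, the use of an unanchored regex search, the handling of the optional FuncLevelSpec field such as `17-`, and the "last two labels" approximation of the registrable domain are all simplifications chosen for this model; ClamAV's real engine normalizes URLs and anchors patterns its own way, so use this to reason about how the entries pair up, not as a reference for the exact signature syntax. The sample whitelist and link pairs are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample whitelist in the .wdb style quoted in the thread.
# Assumed field layout (this is a model, not ClamAV's parser):
#   X:<regex for real URL>:<regex for displayed URL>[:<FuncLevelSpec>]
#   M:<real hostname>:<displayed hostname>[:<FuncLevelSpec>]
# The URL's own colons inside X: entries are escaped as "\:", so fields are
# split on unescaped colons only. Lines starting with "#" are skipped here.
SAMPLE_WHITELIST = r"""
# citi newsletters: real host is l.info4.citi.com, displayed text is a citi brand
X:http\://l\.info4\.citi\.com:citibank\.com
X:http\://l\.info4\.citi\.com:http\://i\..+\.citi\.com:17-
# M: entries compare the real and displayed hostnames exactly, one pair per line
M:l.info6.accountonline.com:homedepot.com
M:links.e.mycustomemail.com:wellsfargo.com
"""

FIELD_SPLIT = re.compile(r"(?<!\\):")  # a ":" that is not preceded by a backslash


def parse_whitelist(text):
    """Return a list of (kind, real_pattern, displayed_pattern) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = FIELD_SPLIT.split(line)
        if len(fields) < 3 or fields[0] not in ("X", "M"):
            raise ValueError(f"malformed whitelist line: {line!r}")
        kind, real, displayed = fields[0], fields[1], fields[2]
        if kind == "X":
            # "\:" and "\." are ordinary escapes for Python's re module.
            entries.append((kind, re.compile(real), re.compile(displayed)))
        else:
            entries.append((kind, real.lower(), displayed.lower()))
    return entries


def hostname(text):
    """Hostname of a URL, or of a bare domain as it appears in link text."""
    if "://" not in text:
        text = "http://" + text  # displayed text is often just "wellsfargo.com"
    host = urlsplit(text).hostname
    return host.lower() if host else ""


def registrable_domain(host):
    """Crude last-two-labels approximation of the registrable domain (assumption)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def whitelist_match(real_url, displayed, entries):
    """Return the first entry that allows this (real, displayed) pair, or None."""
    real_host, disp_host = hostname(real_url), hostname(displayed)
    for kind, real_pat, disp_pat in entries:
        if kind == "X":
            # Model: unanchored regex search over the full real and displayed strings.
            if real_pat.search(real_url) and disp_pat.search(displayed):
                return (kind, real_pat.pattern, disp_pat.pattern)
        elif real_host == real_pat and disp_host == disp_pat:
            return (kind, real_pat, disp_pat)
    return None


def classify(real_url, displayed, entries):
    """'clean', 'whitelisted' or 'spoofed-domain' for one href/link-text pair."""
    disp_host = hostname(displayed)
    # Link text such as "Click here" carries no domain, so there is nothing to spoof.
    if not re.fullmatch(r"[a-z0-9.-]+", disp_host) or "." not in disp_host:
        return "clean"
    if registrable_domain(hostname(real_url)) == registrable_domain(disp_host):
        return "clean"
    if whitelist_match(real_url, displayed, entries):
        return "whitelisted"
    return "spoofed-domain"


if __name__ == "__main__":
    wl = parse_whitelist(SAMPLE_WHITELIST)
    # Constructed pairs in the shape of the newsletters the thread complains about.
    for real, shown in [
        ("http://l.info4.citi.com/abc?x=1", "citibank.com"),
        ("http://e.delta.com/click", "www.americanexpress.com"),
        ("https://www.wellsfargo.com/login", "wellsfargo.com"),
        ("http://l.info6.accountonline.com/r/x", "homedepot.com"),
    ]:
        print(f"{shown:28} -> {real:40} {classify(real, shown, wl)}")
```

Running the script shows why Al's suggestion matters: every pair in the sample list is one fixed real host against one fixed displayed host, which is exactly what an `M:` line expresses without regex escaping, while the one entry that genuinely needs a pattern (the `i\..+\.citi\.com` displayed-host wildcard) stays an `X:` line. It also shows that the heuristic only has something to compare when the link text itself looks like a domain.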