[clamav-users] FP Heuristics.Phishing.Email.SpoofedDomain with amazon
Hajo Locke
Hajo.Locke at gmx.de
Tue Nov 14 09:48:56 UTC 2017
Hello,
Am 14.11.2017 um 10:44 schrieb Al Varnell:
> I'm not very good at regex, but I'm surprised that this current X record doesn't already take care of this:
>
> X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:.+\.amazon\.com([/?].*)?
me too. in which file is this regex located?
>
> -Al-
>
> On Tue, Nov 14, 2017 at 01:19 AM, Hajo Locke wrote:
>> Hello List,
>>
>> i think i found an fp in incoming mail. I cant submit mail as FP on website, because it contains private data.
>> I can provide debug output which leads to match:
>>
>> LibClamAV debug: Phishcheck:URL after cleanup: https://sellercentral-europe.amazon.com- <https://sellercentral-europe.amazon.com-/>>http://www.amazon.de <http://www.amazon.de/>
>> LibClamAV debug: Phishing: looking up in whitelist: https://sellercentral-europe.amazon.com:http://www.amazon.de <https://sellercentral-europe.amazon.com:http://www.amazon.de>; host-only:0
>> LibClamAV debug: Looking up in regex_list: https://sellercentral-europe.amazon.com:http://www.amazon.de/ <https://sellercentral-europe.amazon.com:http://www.amazon.de/>
>> LibClamAV debug: Lookup result: not in regex list
>> LibClamAV debug: Phishcheck:host:.www.amazon.de <http://www.amazon.de/>
>> LibClamAV debug: Looking up in regex_list: www.amazon.de/ <http://www.amazon.de/>
>> LibClamAV debug: calc_pos_with_skip: skip:15, 7 - 20 "http://www.amazon.de <http://www.amazon.de/>","www.amazon.de/ <http://www.amazon.de/>"
>> LibClamAV debug: calc_pos_with_skip:
>> LibClamAV debug: calc_pos_with_skip: skip:4, 7 - 20 "http://www.amazon.de <http://www.amazon.de/>","www.amazon.de/ <http://www.amazon.de/>"
>> LibClamAV debug: calc_pos_with_skip:amazon.de <http://amazon.de/>
>> LibClamAV debug: Got a match: www.amazon.de/ <http://www.amazon.de/> with /ed.nozama
>> LibClamAV debug: Before inserting .: .www.amazon.de <http://www.amazon.de/>
>> LibClamAV debug: Lookup result: in regex list
>> LibClamAV debug: Phishcheck:host:.sellercentral-europe.amazon.com <http://sellercentral-europe.amazon.com/>
>> LibClamAV debug: Phishing: looking up in whitelist: .sellercentral-europe.amazon.com <http://sellercentral-europe.amazon.com/>:.www.amazon.de <http://www.amazon.de/>; host-only:1
>> LibClamAV debug: Looking up in regex_list: sellercentral-europe.amazon.com <http://sellercentral-europe.amazon.com/>:www.amazon.de/ <http://www.amazon.de/>
>> LibClamAV debug: Lookup result: not in regex list
>> LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
>> LibClamAV debug: found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain
>>
>> Mail contains a link https://sellercentral-europe.amazon.com/nms/redirect <https://sellercentral-europe.amazon.com/nms/redirect>..... which redirects to http://www.amazon.de/gp/help/survey?p <http://www.amazon.de/gp/help/survey?p>....
>> These are default links from amazon to rate seller/product and should be an allowed combination of redirects.
>> It is possible to do a global update of this combination within heuristics?
>> Otherwise i had to whitelist by wdb file:
>>
>> X:.+sellercentral-europe\.amazon\.com:.+amazon\.de
>>
>> Thanks,
>> Hajo
>>
>>
>> _______________________________________________
>> clamav-users mailing list
>> clamav-users at lists.clamav.net
>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>>
>>
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>>
>> http://www.clamav.net/contact.html#ml
More information about the clamav-users
mailing list