[clamav-users] FP Heuristics.Phishing.Email.SpoofedDomain with amazon
Al Varnell
alvarnell at mac.com
Tue Nov 14 09:50:20 UTC 2017
On Tue, Nov 14, 2017 at 01:48 AM, Hajo Locke wrote:
> Hello,
>
>
> Am 14.11.2017 um 10:44 schrieb Al Varnell:
>> I'm not very good at regex, but I'm surprised that this current X record doesn't already take care of this:
>>
>> X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:.+\.amazon\.com([/?].*)?
> me too. in which file is this regex located?
daily.cld / .cvd
-Al-
>>
>> -Al-
>>
>> On Tue, Nov 14, 2017 at 01:19 AM, Hajo Locke wrote:
>>> Hello List,
>>>
>>> i think i found an fp in incoming mail. I cant submit mail as FP on website, because it contains private data.
>>> I can provide debug output which leads to match:
>>>
>>> LibClamAV debug: Phishcheck:URL after cleanup: https://sellercentral-europe.amazon.com- <https://sellercentral-europe.amazon.com-/> <https://sellercentral-europe.amazon.com-/ <https://sellercentral-europe.amazon.com-/>>>http://www.amazon.de <http://www.amazon.de/> <http://www.amazon.de/ <http://www.amazon.de/>>
>>> LibClamAV debug: Phishing: looking up in whitelist: https://sellercentral-europe.amazon.com:http://www.amazon.de <https://sellercentral-europe.amazon.com:http://www.amazon.de> <https://sellercentral-europe.amazon.com:http://www.amazon.de <https://sellercentral-europe.amazon.com:http://www.amazon.de>>; host-only:0
>>> LibClamAV debug: Looking up in regex_list: https://sellercentral-europe.amazon.com:http://www.amazon.de/ <https://sellercentral-europe.amazon.com:http://www.amazon.de/> <https://sellercentral-europe.amazon.com:http://www.amazon.de/ <https://sellercentral-europe.amazon.com:http://www.amazon.de/>>
>>> LibClamAV debug: Lookup result: not in regex list
>>> LibClamAV debug: Phishcheck:host:.www.amazon.de <http://www.amazon.de/> <http://www.amazon.de/ <http://www.amazon.de/>>
>>> LibClamAV debug: Looking up in regex_list: www.amazon.de/ <http://www.amazon.de/> <http://www.amazon.de/ <http://www.amazon.de/>>
>>> LibClamAV debug: calc_pos_with_skip: skip:15, 7 - 20 "http://www.amazon.de <http://www.amazon.de/> <http://www.amazon.de/ <http://www.amazon.de/>>","www.amazon.de/ <http://www.amazon.de/> <http://www.amazon.de/ <http://www.amazon.de/>>"
>>> LibClamAV debug: calc_pos_with_skip:
>>> LibClamAV debug: calc_pos_with_skip: skip:4, 7 - 20 "http://www.amazon.de <http://www.amazon.de/> <http://www.amazon.de/ <http://www.amazon.de/>>","www.amazon.de/ <http://www.amazon.de/> <http://www.amazon.de/ <http://www.amazon.de/>>"
>>> LibClamAV debug: calc_pos_with_skip:amazon.de <http://amazon.de/> <http://amazon.de/ <http://amazon.de/>>
>>> LibClamAV debug: Got a match: www.amazon.de/ <http://www.amazon.de/> <http://www.amazon.de/ <http://www.amazon.de/>> with /ed.nozama
>>> LibClamAV debug: Before inserting .: .www.amazon.de <http://www.amazon.de/> <http://www.amazon.de/ <http://www.amazon.de/>>
>>> LibClamAV debug: Lookup result: in regex list
>>> LibClamAV debug: Phishcheck:host:.sellercentral-europe.amazon.com <http://sellercentral-europe.amazon.com/> <http://sellercentral-europe.amazon.com/ <http://sellercentral-europe.amazon.com/>>
>>> LibClamAV debug: Phishing: looking up in whitelist: .sellercentral-europe.amazon.com <http://sellercentral-europe.amazon.com/> <http://sellercentral-europe.amazon.com/ <http://sellercentral-europe.amazon.com/>>:.www.amazon.de <http://www.amazon.de/> <http://www.amazon.de/ <http://www.amazon.de/>>; host-only:1
>>> LibClamAV debug: Looking up in regex_list: sellercentral-europe.amazon.com <http://sellercentral-europe.amazon.com/> <http://sellercentral-europe.amazon.com/ <http://sellercentral-europe.amazon.com/>>:www.amazon.de/ <http://www.amazon.de/> <http://www.amazon.de/ <http://www.amazon.de/>>
>>> LibClamAV debug: Lookup result: not in regex list
>>> LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
>>> LibClamAV debug: found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain
>>>
>>> Mail contains a link https://sellercentral-europe.amazon.com/nms/redirect <https://sellercentral-europe.amazon.com/nms/redirect> <https://sellercentral-europe.amazon.com/nms/redirect <https://sellercentral-europe.amazon.com/nms/redirect>>..... which redirects to http://www.amazon.de/gp/help/survey?p <http://www.amazon.de/gp/help/survey?p> <http://www.amazon.de/gp/help/survey?p <http://www.amazon.de/gp/help/survey?p>>....
>>> These are default links from amazon to rate seller/product and should be an allowed combination of redirects.
>>> It is possible to do a global update of this combination within heuristics?
>>> Otherwise i had to whitelist by wdb file:
>>>
>>> X:.+sellercentral-europe\.amazon\.com:.+amazon\.de
>>>
>>> Thanks,
>>> Hajo
>>>
>>>
>>> _______________________________________________
>>> clamav-users mailing list
>>> clamav-users at lists.clamav.net <mailto:clamav-users at lists.clamav.net>
>>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>>>
>>>
>>> Help us build a comprehensive ClamAV guide:
>>> https://github.com/vrtadmin/clamav-faq
>>>
>>> http://www.clamav.net/contact.html#ml
>
> _______________________________________________
> clamav-users mailing list
> clamav-users at lists.clamav.net <mailto:clamav-users at lists.clamav.net>
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
-Al-
--
Al Varnell
Mountain View, CA
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3569 bytes
Desc: not available
URL: <https://lists.clamav.net/pipermail/clamav-users/attachments/20171114/119cac8e/attachment.bin>
More information about the clamav-users
mailing list