[clamav-users] Heuristics.Phishing.Email.SpoofedDomain
micah anderson
micah at riseup.net
Wed Nov 15 17:45:46 UTC 2017
Hi,
I keep having people complaining about False Positives due to
Heuristics.Phishing.Email.SpoofedDomain - my research has shown me that
the reason this is happening is because of Outlook's "advanced threat
protection" which wraps URLs in a "safelink" URL, all the details of
this monstrosity are here:
https://blog.tylerbickford.com/2016/06/16/microsoft-advanced-threat-protection-is-a-disaster/
Leave it to Microsoft to implement something so ass-backwards that it
actually does the opposite thing they are trying to achieve and instead
breaks things in an attempt to fix them. Safelinks generates URLs that
are 100% bona fide red-alert, klaxon-sounding phishing. Cut some heads
off of chickens, because it's time to run in circles!
I really didn't want to do this, but I followed
https://github.com/vrtadmin/clamav-devel/blob/master/docs/phishsigs_howto.pdf
and I added the following to local.wdb (is this still the right place?!)
to "whitelist" safebrowsing:
X:.+safelinks\.protection\.outlook\.com([/?].*)?:.*([/?].*)?:17
but people are still complaining. Did I do this wrong? Looking again at
the documentation, it appears that it should be '17-' instead of '17',
but I'm not sure that matters.
Is there some better way to deal with this? I do not want to turn off
phishing protection in general.
Thanks for any help you can provide,
micah
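Added illustration (not part of the message above, and not ClamAV's own code): a small Python harness that splits the posted local.wdb line into its X:RealURL:DisplayedURL:FuncLevelSpec fields and tries it against a constructed Safelinks URL, plus a constructed URL that merely contains the Safelinks hostname in its query string. It assumes, as the howto's `.+domain([/?].*)?` examples imply, that ClamAV requires the whole URL to match each pattern (Python's `re.fullmatch` stands in for ClamAV's regex engine here), and it parses `N`, `N-` and `N-M` the way functionality-level ranges are written elsewhere in ClamAV's signature formats; the tighter entry, the `unwrap_safelink` helper and all sample URLs are hypothetical and constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The entry from the message, and a hypothetical tighter alternative that
# only allows the Safelinks domain in the host part of the real URL.
POSTED_ENTRY = r"X:.+safelinks\.protection\.outlook\.com([/?].*)?:.*([/?].*)?:17"
TIGHTER_ENTRY = r"X:[^/]+//[^/]*\.safelinks\.protection\.outlook\.com/.*:.*:17-"

# Constructed sample URLs (not captured from real mail).
SAFELINK = ("https://na01.safelinks.protection.outlook.com/?url="
            "https%3A%2F%2Fwww.example.com%2Flogin&data=01%7C01%7C&reserved=0")
DISPLAYED = "https://www.example.com/login"
# A real URL that is not a Safelinks wrapper but contains the hostname string.
LOOKALIKE = "https://login.example.net/?ref=safelinks.protection.outlook.com"


def parse_wdb_x_line(line):
    """Split an X: line into (real_regex, displayed_regex, funclevelspec).

    Assumes the two regex fields contain no ':' (true for the entries above);
    the wdb format separates fields with ':' and the howto does not document
    colon escaping, so avoid colons inside the patterns.
    """
    kind, real, displayed, spec = line.rstrip("\n").split(":", 3)
    if kind != "X":
        raise ValueError("only X: (regex) lines are handled here")
    return real, displayed, spec


def func_level_range(spec):
    """Parse 'N' -> (N, N), 'N-' -> (N, None), 'N-M' -> (N, M).

    Assumption: a bare number is treated as a single level; whether ClamAV
    accepts it for .wdb at all is the open question in the message.
    """
    if "-" in spec:
        lo, _, hi = spec.partition("-")
        return int(lo), (int(hi) if hi else None)
    return int(spec), int(spec)


def wdb_matches(entry, real_url, displayed_url):
    """True if the (real, displayed) pair would be whitelisted by the entry.

    Assumption: the whole URL must match the pattern (re.fullmatch), which is
    what the howto's '.+domain([/?].*)?' style suggests.
    """
    real_re, disp_re, _ = parse_wdb_x_line(entry)
    return (re.fullmatch(real_re, real_url) is not None
            and re.fullmatch(disp_re, displayed_url) is not None)


def unwrap_safelink(url):
    """Return the target a Safelinks wrapper points at, or the URL unchanged.

    Safelinks carries the original destination in the 'url' query parameter
    (assumption drawn from the constructed sample above)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host.endswith(".safelinks.protection.outlook.com"):
        return url
    target = parse_qs(parts.query).get("url")
    return target[0] if target else url


def hosts_agree(real_url, displayed_url):
    """Compare the unwrapped real host with the displayed host, i.e. the
    comparison that avoids the false positive without whitelisting anything."""
    real_host = urlsplit(unwrap_safelink(real_url)).hostname
    return real_host == urlsplit(displayed_url).hostname


if __name__ == "__main__":
    for name, entry in (("posted", POSTED_ENTRY), ("tighter", TIGHTER_ENTRY)):
        print(name, "level range:", func_level_range(parse_wdb_x_line(entry)[2]))
        print(name, "whitelists safelink:", wdb_matches(entry, SAFELINK, DISPLAYED))
        print(name, "whitelists lookalike:",
              wdb_matches(entry, LOOKALIKE, "https://bank.example.org/"))
    print("unwrapped target agrees with displayed:", hosts_agree(SAFELINK, DISPLAYED))
```

The point the harness makes: the posted pattern does match a Safelinks URL, but because it starts with `.+` it also whitelists any real URL that merely contains the Safelinks hostname somewhere after the first character, with the displayed-URL column accepting anything. Whether the tighter entry is accepted by ClamAV's own regex engine and whether a bare `17` is valid still have to be confirmed with clamscan against a saved message; the Python `re` module is only a stand-in for that check.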