[clamav-users] Heuristics.Phishing.Email.SpoofedDomain False Positive
Al Varnell
alvarnell at mac.com
Fri Aug 17 05:19:25 UTC 2018
It's my experience that the Heuristics.Phishing.Email.SpoofedDomain engine checks URLs to make sure the hyperlink actually takes you to a site related to what the text shows. I'm not aware of any public information on whitelisting these, but I do know it can be done by adding an x- or m- entry in the database, which is something that the ClamAV signature team should probably do for everybody rather than providing a local whitelist.
Or are you seeing something else in these messages that causes an FP?
-Al-
On Thu, Aug 16, 2018 at 07:40 PM, Tristan Goguen wrote:
> Hi,
>
> We are looking for documentation that will help us "whitelist" a sender's email. Thank you for any suggestions.
>
> Wed Aug 8 07:37:00 2018 -> Message w78BaxBt005717 from <Sender at domain.com> to <<Recipient at domain.com>> with subject 'RE: ' message-id '<8q3v8vqrv8bva5u46f6qy0mf.1533728212327 at email.android.com>' date 'Wed, 8 Aug 2018 11:36:54 +0000' infected by Heuristics.Phishing.Email.SpoofedDomain
>
>
>
> Tristan