[clamav-users] Heuristics.Phishing.Email.SpoofedDomain False Positive
lukn
lukn555 at gmail.com
Fri Aug 17 06:15:23 UTC 2018
Hi
You cannot whitelist a sender in ClamAV. Whitelisting happens in the
software that calls ClamAV.
The alternative is to disable spoofing checks in ClamAV configuration.
They're not enabled by default, so if your ClamAV checks spoofing, then
someone enabled it on purpose.
As Al already pointed out you can whitelist the offending link
construct. To identify the offending link in the mail you need to
perform a bit of analysis:
clamscan /path/to/mailfile.eml --debug 2>&1 | less
I don't have a working example at hand, so here's a little outline from
my memory:
search in less output for the word "different"
nearby that match (a few lines above, iirc) you'll find the offending
value looking something like
yada yada yada amazon.com:amazon.de yada yada yada
(using amazon just as an example)
In your clamav signature directory you then create a file called
spoofing.wdb with this content:
X:amazon\.com:amazon\.de
(copy the hit from clamav debug output, prepend X: and escape all regex
specials)
Alternatively have the sender fix the broken link you identified above.
HTH
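A helper that automates the steps above, added here as an example and not code from the post or from ClamAV: it picks the real:displayed host pair out of debug lines that mention "different", escapes both halves as regexes, and emits the X: line for spoofing.wdb, then checks the escaped entry really matches the hosts it came from. The lines in SAMPLE_DEBUG are constructed (real clamscan --debug wording differs), and the pattern assumes the pair appears as two bare hostnames joined by a colon; Python 3.7+ is assumed for re.escape behaviour.

```python
import re

# Constructed sample of clamscan --debug output. This is NOT real ClamAV
# output; the post only says to look for "different" and a real:displayed
# host pair nearby, so that is all this sample reproduces.
SAMPLE_DEBUG = """\
LibClamAV debug: Phishcheck: checking link
LibClamAV debug: Phishcheck: hosts are different: amazon.com:amazon.de
LibClamAV debug: Phishcheck: link flagged as spoofed
"""

# Two hostnames (each with at least one dot and an alphabetic TLD)
# separated by a single colon, not glued to other host-like characters.
HOST_PAIR = re.compile(
    r"(?<![\w.-])([\w.-]+\.[a-z]{2,}):([\w.-]+\.[a-z]{2,})(?![\w.-])", re.I)


def find_host_pairs(debug_output):
    """Return (real, displayed) host pairs from lines mentioning 'different'."""
    pairs = []
    for line in debug_output.splitlines():
        if "different" not in line.lower():
            continue
        for m in HOST_PAIR.finditer(line):
            pairs.append((m.group(1), m.group(2)))
    return pairs


def wdb_entry(real, displayed):
    """Build one X: whitelist line. Both fields are regexes, so every regex
    special (here the dots) must be escaped, exactly as the post says."""
    return "X:%s:%s" % (re.escape(real), re.escape(displayed))


def entry_matches(entry, real, displayed):
    """Sanity check before deploying: the two escaped regexes must match
    the original hosts and nothing looser (hostnames contain no ':')."""
    _, real_re, disp_re = entry.split(":", 2)
    return (re.fullmatch(real_re, real) is not None
            and re.fullmatch(disp_re, displayed) is not None)


def make_spoofing_wdb(debug_output):
    """Full spoofing.wdb content: one de-duplicated X: line per pair found."""
    lines = []
    for real, displayed in find_host_pairs(debug_output):
        entry = wdb_entry(real, displayed)
        if entry not in lines and entry_matches(entry, real, displayed):
            lines.append(entry)
    return "\n".join(lines) + ("\n" if lines else "")
```

Review the generated lines before copying them into the signature directory, since each one stops ClamAV flagging that exact real/displayed pair.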