[clamav-users] FP Heuristics.Phishing.Email.SpoofedDomain with amazon
Marcus Schopen
lists at localguru.de
Thu Aug 23 18:08:14 UTC 2018
Hi,
Am Dienstag, den 14.11.2017, 11:20 +0100 schrieb Hajo Locke:
> Hello,
>
> based on my working whitelist regex i would say the 2nd part should
> not
> look only for amazon\.com
>
>
> If i understood it the correct way it should be something like:
>
> X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:.+\.amazon\.(c
> om|de)([/?].*)?
>
> Using this regex shows a clean mail. May be more extensions are
> needed
> on right side, dependent on amazon changes/uses on different domains.
Anything new on this? Is above rule still working? Some of my amazon
mails are blocked by "Phishing.Email.SpoofedDomain" too, e.g.:
http://www.adobe.com/de/products/acrobat/readstep2.html
-> https://sellercentral-europe.amazon.com/...
or
Amazon.de
-> https://sellercentral-europe.amazon.com/...
Cheers
m
More information about the clamav-users
mailing list